Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 03:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5.exe
-
Size
456KB
-
MD5
dc96d6a7edaefc3e2a9326960717e0a5
-
SHA1
c4dc229899816846fea37cb43050c58986d68e56
-
SHA256
b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5
-
SHA512
f22ade96126e35d2a11caaaf380670d23b5c0e3b3eea74acf89d9dd245ce31e8c463bd095278c58599198a8a08cc5c2127a629c9992c56e6d2fb43da780371fa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRwB:q7Tc2NYHUrAwfMp3CDRwB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3584-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1348-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/688-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-872-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3584 vdddv.exe 696 frlflrl.exe 2396 rrfxrxl.exe 1896 hhnhht.exe 3744 bntttb.exe 2372 vdpdd.exe 1452 1rxrrlf.exe 4908 bhntbt.exe 1800 vdddp.exe 1376 nhtntn.exe 4992 7vppj.exe 2064 3nnnnn.exe 3100 nhhhtn.exe 1900 jvvpd.exe 216 bnbbbb.exe 2956 7vppj.exe 2036 vdjjd.exe 3996 ffrflxx.exe 1156 9ntttb.exe 3588 ddvvp.exe 3580 pjvvv.exe 2516 lxlfxfx.exe 4816 pdpdv.exe 1348 lxfxxll.exe 5072 tnntht.exe 3400 3vdvj.exe 1548 rfrrlrr.exe 1168 5bhhhb.exe 2308 7pvdd.exe 4272 jdjdv.exe 1588 btbbbb.exe 3596 1hbthb.exe 3268 jddvp.exe 3172 jpppj.exe 1880 7fxlllr.exe 2216 bhhnbt.exe 1600 vvdvj.exe 2356 rlrlrrx.exe 1448 3htnbt.exe 4496 vpvpv.exe 4024 rxlrlll.exe 792 bbnhtt.exe 1336 7tnbtn.exe 912 jdvpd.exe 4364 fffxxrl.exe 2816 thnhhn.exe 4864 vpvjd.exe 2032 pjpdv.exe 4396 ffxxrff.exe 696 bnbtnn.exe 1396 dvvpj.exe 3896 vjvdp.exe 4904 ffrxxlx.exe 3760 vppjp.exe 1652 lflrrrf.exe 516 nnthhb.exe 4908 fxrlrff.exe 2192 bttnhb.exe 1724 9hbtnn.exe 2140 dppdv.exe 4288 1hnhtn.exe 1104 5rxrrrl.exe 2272 xfxlfxr.exe 2352 nhbtnh.exe -
resource yara_rule behavioral2/memory/3584-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3268-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2104-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-719-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9xlrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3084 wrote to memory of 3584 3084 b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5.exe 82 PID 3084 wrote to memory of 3584 3084 b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5.exe 82 PID 3084 wrote to memory of 3584 3084 b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5.exe 82 PID 3584 wrote to memory of 696 3584 vdddv.exe 83 PID 3584 wrote to memory of 696 3584 vdddv.exe 83 PID 3584 wrote to memory of 696 3584 vdddv.exe 83 PID 696 wrote to memory of 2396 696 frlflrl.exe 84 PID 696 wrote to memory of 2396 696 frlflrl.exe 84 PID 696 wrote to memory of 2396 696 frlflrl.exe 84 PID 2396 wrote to memory of 1896 2396 rrfxrxl.exe 85 PID 2396 wrote to memory of 1896 2396 rrfxrxl.exe 85 PID 2396 wrote to memory of 1896 2396 rrfxrxl.exe 85 PID 1896 wrote to memory of 3744 1896 hhnhht.exe 86 PID 1896 wrote to memory of 3744 1896 hhnhht.exe 86 PID 1896 wrote to memory of 3744 1896 hhnhht.exe 86 PID 3744 wrote to memory of 2372 3744 bntttb.exe 87 PID 3744 wrote to memory of 2372 3744 bntttb.exe 87 PID 3744 wrote to memory of 2372 3744 bntttb.exe 87 PID 2372 wrote to memory of 1452 2372 vdpdd.exe 88 PID 2372 wrote to memory of 1452 2372 vdpdd.exe 88 PID 2372 wrote to memory of 1452 2372 vdpdd.exe 88 PID 1452 wrote to memory of 4908 1452 1rxrrlf.exe 89 PID 1452 wrote to memory of 4908 1452 1rxrrlf.exe 89 PID 1452 wrote to memory of 4908 1452 1rxrrlf.exe 89 PID 4908 wrote to memory of 1800 4908 bhntbt.exe 90 PID 4908 wrote to memory of 1800 4908 bhntbt.exe 90 PID 4908 wrote to memory of 1800 4908 bhntbt.exe 90 PID 1800 wrote to memory of 1376 1800 vdddp.exe 91 PID 1800 wrote to memory of 1376 1800 vdddp.exe 91 PID 1800 wrote to memory of 1376 1800 vdddp.exe 91 PID 1376 wrote to memory of 4992 1376 nhtntn.exe 92 PID 1376 wrote to memory of 4992 1376 nhtntn.exe 92 PID 1376 wrote to memory of 4992 1376 nhtntn.exe 92 PID 4992 wrote to memory of 2064 4992 7vppj.exe 93 PID 4992 wrote to memory of 
2064 4992 7vppj.exe 93 PID 4992 wrote to memory of 2064 4992 7vppj.exe 93 PID 2064 wrote to memory of 3100 2064 3nnnnn.exe 94 PID 2064 wrote to memory of 3100 2064 3nnnnn.exe 94 PID 2064 wrote to memory of 3100 2064 3nnnnn.exe 94 PID 3100 wrote to memory of 1900 3100 nhhhtn.exe 95 PID 3100 wrote to memory of 1900 3100 nhhhtn.exe 95 PID 3100 wrote to memory of 1900 3100 nhhhtn.exe 95 PID 1900 wrote to memory of 216 1900 jvvpd.exe 96 PID 1900 wrote to memory of 216 1900 jvvpd.exe 96 PID 1900 wrote to memory of 216 1900 jvvpd.exe 96 PID 216 wrote to memory of 2956 216 bnbbbb.exe 97 PID 216 wrote to memory of 2956 216 bnbbbb.exe 97 PID 216 wrote to memory of 2956 216 bnbbbb.exe 97 PID 2956 wrote to memory of 2036 2956 7vppj.exe 98 PID 2956 wrote to memory of 2036 2956 7vppj.exe 98 PID 2956 wrote to memory of 2036 2956 7vppj.exe 98 PID 2036 wrote to memory of 3996 2036 vdjjd.exe 99 PID 2036 wrote to memory of 3996 2036 vdjjd.exe 99 PID 2036 wrote to memory of 3996 2036 vdjjd.exe 99 PID 3996 wrote to memory of 1156 3996 ffrflxx.exe 100 PID 3996 wrote to memory of 1156 3996 ffrflxx.exe 100 PID 3996 wrote to memory of 1156 3996 ffrflxx.exe 100 PID 1156 wrote to memory of 3588 1156 9ntttb.exe 101 PID 1156 wrote to memory of 3588 1156 9ntttb.exe 101 PID 1156 wrote to memory of 3588 1156 9ntttb.exe 101 PID 3588 wrote to memory of 3580 3588 ddvvp.exe 102 PID 3588 wrote to memory of 3580 3588 ddvvp.exe 102 PID 3588 wrote to memory of 3580 3588 ddvvp.exe 102 PID 3580 wrote to memory of 2516 3580 pjvvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5.exe"C:\Users\Admin\AppData\Local\Temp\b4c3f8518c27782ae53a3e03f1b613f76f48b0e09386b9cac57a1745233a71a5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\vdddv.exec:\vdddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\frlflrl.exec:\frlflrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\rrfxrxl.exec:\rrfxrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\hhnhht.exec:\hhnhht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\bntttb.exec:\bntttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\vdpdd.exec:\vdpdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\1rxrrlf.exec:\1rxrrlf.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\bhntbt.exec:\bhntbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\vdddp.exec:\vdddp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\nhtntn.exec:\nhtntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\7vppj.exec:\7vppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\3nnnnn.exec:\3nnnnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\nhhhtn.exec:\nhhhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\jvvpd.exec:\jvvpd.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\bnbbbb.exec:\bnbbbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\7vppj.exec:\7vppj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\vdjjd.exec:\vdjjd.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\ffrflxx.exec:\ffrflxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\9ntttb.exec:\9ntttb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\ddvvp.exec:\ddvvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\pjvvv.exec:\pjvvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\lxlfxfx.exec:\lxlfxfx.exe23⤵
- Executes dropped EXE
PID:2516 -
\??\c:\pdpdv.exec:\pdpdv.exe24⤵
- Executes dropped EXE
PID:4816 -
\??\c:\lxfxxll.exec:\lxfxxll.exe25⤵
- Executes dropped EXE
PID:1348 -
\??\c:\tnntht.exec:\tnntht.exe26⤵
- Executes dropped EXE
PID:5072 -
\??\c:\3vdvj.exec:\3vdvj.exe27⤵
- Executes dropped EXE
PID:3400 -
\??\c:\rfrrlrr.exec:\rfrrlrr.exe28⤵
- Executes dropped EXE
PID:1548 -
\??\c:\5bhhhb.exec:\5bhhhb.exe29⤵
- Executes dropped EXE
PID:1168 -
\??\c:\7pvdd.exec:\7pvdd.exe30⤵
- Executes dropped EXE
PID:2308 -
\??\c:\jdjdv.exec:\jdjdv.exe31⤵
- Executes dropped EXE
PID:4272 -
\??\c:\btbbbb.exec:\btbbbb.exe32⤵
- Executes dropped EXE
PID:1588 -
\??\c:\1hbthb.exec:\1hbthb.exe33⤵
- Executes dropped EXE
PID:3596 -
\??\c:\jddvp.exec:\jddvp.exe34⤵
- Executes dropped EXE
PID:3268 -
\??\c:\jpppj.exec:\jpppj.exe35⤵
- Executes dropped EXE
PID:3172 -
\??\c:\7fxlllr.exec:\7fxlllr.exe36⤵
- Executes dropped EXE
PID:1880 -
\??\c:\bhhnbt.exec:\bhhnbt.exe37⤵
- Executes dropped EXE
PID:2216 -
\??\c:\vvdvj.exec:\vvdvj.exe38⤵
- Executes dropped EXE
PID:1600 -
\??\c:\rlrlrrx.exec:\rlrlrrx.exe39⤵
- Executes dropped EXE
PID:2356 -
\??\c:\3htnbt.exec:\3htnbt.exe40⤵
- Executes dropped EXE
PID:1448 -
\??\c:\vpvpv.exec:\vpvpv.exe41⤵
- Executes dropped EXE
PID:4496 -
\??\c:\rxlrlll.exec:\rxlrlll.exe42⤵
- Executes dropped EXE
PID:4024 -
\??\c:\bbnhtt.exec:\bbnhtt.exe43⤵
- Executes dropped EXE
PID:792 -
\??\c:\7tnbtn.exec:\7tnbtn.exe44⤵
- Executes dropped EXE
PID:1336 -
\??\c:\jdvpd.exec:\jdvpd.exe45⤵
- Executes dropped EXE
PID:912 -
\??\c:\fffxxrl.exec:\fffxxrl.exe46⤵
- Executes dropped EXE
PID:4364 -
\??\c:\thnhhn.exec:\thnhhn.exe47⤵
- Executes dropped EXE
PID:2816 -
\??\c:\vpvjd.exec:\vpvjd.exe48⤵
- Executes dropped EXE
PID:4864 -
\??\c:\pjpdv.exec:\pjpdv.exe49⤵
- Executes dropped EXE
PID:2032 -
\??\c:\ffxxrff.exec:\ffxxrff.exe50⤵
- Executes dropped EXE
PID:4396 -
\??\c:\bnbtnn.exec:\bnbtnn.exe51⤵
- Executes dropped EXE
PID:696 -
\??\c:\dvvpj.exec:\dvvpj.exe52⤵
- Executes dropped EXE
PID:1396 -
\??\c:\vjvdp.exec:\vjvdp.exe53⤵
- Executes dropped EXE
PID:3896 -
\??\c:\ffrxxlx.exec:\ffrxxlx.exe54⤵
- Executes dropped EXE
PID:4904 -
\??\c:\vppjp.exec:\vppjp.exe55⤵
- Executes dropped EXE
PID:3760 -
\??\c:\lflrrrf.exec:\lflrrrf.exe56⤵
- Executes dropped EXE
PID:1652 -
\??\c:\nnthhb.exec:\nnthhb.exe57⤵
- Executes dropped EXE
PID:516 -
\??\c:\fxrlrff.exec:\fxrlrff.exe58⤵
- Executes dropped EXE
PID:4908 -
\??\c:\bttnhb.exec:\bttnhb.exe59⤵
- Executes dropped EXE
PID:2192 -
\??\c:\9hbtnn.exec:\9hbtnn.exe60⤵
- Executes dropped EXE
PID:1724 -
\??\c:\dppdv.exec:\dppdv.exe61⤵
- Executes dropped EXE
PID:2140 -
\??\c:\1hnhtn.exec:\1hnhtn.exe62⤵
- Executes dropped EXE
PID:4288 -
\??\c:\5rxrrrl.exec:\5rxrrrl.exe63⤵
- Executes dropped EXE
PID:1104 -
\??\c:\xfxlfxr.exec:\xfxlfxr.exe64⤵
- Executes dropped EXE
PID:2272 -
\??\c:\nhbtnh.exec:\nhbtnh.exe65⤵
- Executes dropped EXE
PID:2352 -
\??\c:\pdpdp.exec:\pdpdp.exe66⤵PID:952
-
\??\c:\vpdvp.exec:\vpdvp.exe67⤵PID:3436
-
\??\c:\rrxlflx.exec:\rrxlflx.exe68⤵PID:2664
-
\??\c:\bhthtb.exec:\bhthtb.exe69⤵PID:3944
-
\??\c:\ddddv.exec:\ddddv.exe70⤵PID:2036
-
\??\c:\7lrllll.exec:\7lrllll.exe71⤵PID:688
-
\??\c:\1hnhbb.exec:\1hnhbb.exe72⤵PID:544
-
\??\c:\7djdj.exec:\7djdj.exe73⤵PID:2924
-
\??\c:\fxfffll.exec:\fxfffll.exe74⤵PID:2104
-
\??\c:\bbbtnt.exec:\bbbtnt.exe75⤵PID:4824
-
\??\c:\1ddvp.exec:\1ddvp.exe76⤵PID:5068
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe77⤵PID:2812
-
\??\c:\nbbbbb.exec:\nbbbbb.exe78⤵PID:3020
-
\??\c:\jdjjd.exec:\jdjjd.exe79⤵PID:4384
-
\??\c:\lxllflf.exec:\lxllflf.exe80⤵PID:2784
-
\??\c:\7bbhhh.exec:\7bbhhh.exe81⤵PID:1500
-
\??\c:\vvpvd.exec:\vvpvd.exe82⤵PID:1168
-
\??\c:\flrrfxl.exec:\flrrfxl.exe83⤵PID:812
-
\??\c:\hththh.exec:\hththh.exe84⤵PID:4232
-
\??\c:\ttbttb.exec:\ttbttb.exe85⤵PID:1080
-
\??\c:\dvdvj.exec:\dvdvj.exe86⤵PID:4164
-
\??\c:\lxxfrfl.exec:\lxxfrfl.exe87⤵PID:3836
-
\??\c:\nhtnbb.exec:\nhtnbb.exe88⤵PID:448
-
\??\c:\pdddp.exec:\pdddp.exe89⤵PID:3960
-
\??\c:\flxrlfx.exec:\flxrlfx.exe90⤵PID:1876
-
\??\c:\nnnhtb.exec:\nnnhtb.exe91⤵PID:1068
-
\??\c:\pddvj.exec:\pddvj.exe92⤵PID:3080
-
\??\c:\lxfxxxl.exec:\lxfxxxl.exe93⤵PID:2124
-
\??\c:\ntnbbt.exec:\ntnbbt.exe94⤵PID:1600
-
\??\c:\pdvjp.exec:\pdvjp.exe95⤵PID:1864
-
\??\c:\1xrxllx.exec:\1xrxllx.exe96⤵PID:3980
-
\??\c:\nbhtnn.exec:\nbhtnn.exe97⤵PID:3040
-
\??\c:\vvdvd.exec:\vvdvd.exe98⤵PID:4332
-
\??\c:\pddvd.exec:\pddvd.exe99⤵PID:1912
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe100⤵PID:724
-
\??\c:\1thbth.exec:\1thbth.exe101⤵PID:912
-
\??\c:\7vddv.exec:\7vddv.exe102⤵PID:4956
-
\??\c:\jvjvj.exec:\jvjvj.exe103⤵PID:4864
-
\??\c:\xlfxxxl.exec:\xlfxxxl.exe104⤵PID:2692
-
\??\c:\tbhbbh.exec:\tbhbbh.exe105⤵PID:4484
-
\??\c:\pjppv.exec:\pjppv.exe106⤵PID:1172
-
\??\c:\3jjvj.exec:\3jjvj.exe107⤵PID:1872
-
\??\c:\rxlfrrf.exec:\rxlfrrf.exe108⤵PID:4848
-
\??\c:\nbtnht.exec:\nbtnht.exe109⤵PID:4404
-
\??\c:\jdjdp.exec:\jdjdp.exe110⤵PID:3736
-
\??\c:\flffllr.exec:\flffllr.exe111⤵PID:2068
-
\??\c:\nthbtt.exec:\nthbtt.exe112⤵PID:3740
-
\??\c:\pppdv.exec:\pppdv.exe113⤵PID:3092
-
\??\c:\rrffxfx.exec:\rrffxfx.exe114⤵PID:4672
-
\??\c:\9bttbt.exec:\9bttbt.exe115⤵PID:3816
-
\??\c:\jjjpp.exec:\jjjpp.exe116⤵PID:1196
-
\??\c:\3jdpj.exec:\3jdpj.exe117⤵PID:2352
-
\??\c:\rxllfll.exec:\rxllfll.exe118⤵PID:952
-
\??\c:\bhhtnb.exec:\bhhtnb.exe119⤵PID:3436
-
\??\c:\dvdjj.exec:\dvdjj.exe120⤵PID:1088
-
\??\c:\5vpjv.exec:\5vpjv.exe121⤵PID:884
-
\??\c:\rxlrrfx.exec:\rxlrrfx.exe122⤵PID:2708