Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 20:07
Behavioral task
behavioral1
Sample
13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1.exe
-
Size
332KB
-
MD5
f66e32ae53325232d1d14d721fbc2f6b
-
SHA1
0686dc81ac94ace7db64d89e7eff3c847f01f036
-
SHA256
13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1
-
SHA512
55cff182fdfcd5c58a40fb92fcd91f8a7f91f749c109e4e14a1e0ae39896ff236eb3c386b00acbf520be2ab9970be8c99cfbeaaa1e2c3572358193f4b7177fde
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeR:R4wFHoSHYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/976-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2100-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-32-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1340-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4444-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/952-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2168-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/440-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1724-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2948-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3160-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3576-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1508-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1320-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4396-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4712-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2020-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4900-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4948-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4776-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3184-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2880-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-323-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-330-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1600-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-486-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1848-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-662-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-711-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-1102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2416-1123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2124 djpdp.exe 4472 9vvpd.exe 4512 nnhbnh.exe 4416 xrfxlll.exe 2100 pvvjd.exe 2552 rfffxrf.exe 4132 tnnbth.exe 2380 vjvvp.exe 1340 vvpdp.exe 4444 frxlxrl.exe 1460 bhntbn.exe 2332 7nbtbt.exe 756 dppdv.exe 4120 7rxlxrr.exe 952 hthtbb.exe 3864 nhhbnh.exe 4948 dvjdj.exe 2872 xrrlfrl.exe 4060 ntbnbb.exe 2356 7vvjv.exe 4712 lxrfrlx.exe 3184 bthnnt.exe 3672 1vdvp.exe 4168 9xfrlfr.exe 2088 lrlfrlx.exe 2168 thhhbh.exe 4052 9ppjv.exe 1588 fflfxfx.exe 2232 nnhbtn.exe 2428 pvpvp.exe 2696 pppdv.exe 440 xfllxrf.exe 208 hbtnbt.exe 4364 jjvjd.exe 1724 pppjd.exe 4396 ffrlxfx.exe 2372 bhhbhb.exe 1708 pjjpp.exe 2012 ppdvv.exe 804 fxffxxx.exe 1776 rrffllr.exe 1972 5bnhbb.exe 1320 pdjdd.exe 920 ddvjd.exe 4524 9pdvp.exe 4816 xxrxrlf.exe 1508 hbthth.exe 4320 3bhbnn.exe 4516 ddpjd.exe 1728 flxxlll.exe 2948 hbbttt.exe 692 hbhnhn.exe 3212 vvppj.exe 772 5jddv.exe 1700 ffxrlfx.exe 1380 nbhntt.exe 4144 bhnbnh.exe 3244 dvpdj.exe 4436 jppjd.exe 1672 lrfllxl.exe 1528 9flffrx.exe 2124 tbnhhn.exe 4860 nhhnnn.exe 3620 5pddv.exe -
resource yara_rule behavioral2/memory/976-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bac-3.dat upx behavioral2/memory/976-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2124-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c89-8.dat upx behavioral2/files/0x0007000000023c8b-11.dat upx behavioral2/memory/4472-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8c-18.dat upx behavioral2/files/0x0007000000023c8d-22.dat upx behavioral2/memory/4416-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-27.dat upx behavioral2/files/0x0007000000023c8f-33.dat upx behavioral2/memory/2100-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4132-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2552-32-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-44.dat upx behavioral2/memory/2380-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-39.dat upx behavioral2/memory/1340-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-49.dat upx behavioral2/memory/4444-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1460-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-53.dat upx behavioral2/files/0x0007000000023c95-64.dat upx behavioral2/memory/2332-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-59.dat upx behavioral2/files/0x0007000000023c97-71.dat upx behavioral2/memory/952-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-77.dat upx behavioral2/memory/3864-83-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4948-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-88.dat upx behavioral2/files/0x0007000000023c9b-92.dat upx behavioral2/files/0x0007000000023c9d-102.dat upx behavioral2/memory/2356-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-107.dat upx behavioral2/files/0x0007000000023c9f-116.dat upx behavioral2/files/0x0007000000023ca0-121.dat upx behavioral2/files/0x0007000000023ca2-129.dat upx behavioral2/memory/4052-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2168-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-125.dat upx behavioral2/files/0x0007000000023ca4-140.dat upx behavioral2/memory/2696-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-155.dat upx behavioral2/memory/440-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2088-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1724-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2012-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4816-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4320-201-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2948-208-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3212-213-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4144-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3160-248-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3576-255-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/464-258-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1508-220-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4524-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1320-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1972-183-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4396-171-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4364-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/208-161-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlflrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
lxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 976 wrote to memory of 2124 976 13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1.exe 83 PID 976 wrote to memory of 2124 976 13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1.exe 83 PID 976 wrote to memory of 2124 976 13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1.exe 83 PID 2124 wrote to memory of 4472 2124 djpdp.exe 84 PID 2124 wrote to memory of 4472 2124 djpdp.exe 84 PID 2124 wrote to memory of 4472 2124 djpdp.exe 84 PID 4472 wrote to memory of 4512 4472 9vvpd.exe 85 PID 4472 wrote to memory of 4512 4472 9vvpd.exe 85 PID 4472 wrote to memory of 4512 4472 9vvpd.exe 85 PID 4512 wrote to memory of 4416 4512 nnhbnh.exe 86 PID 4512 wrote to memory of 4416 4512 nnhbnh.exe 86 PID 4512 wrote to memory of 4416 4512 nnhbnh.exe 86 PID 4416 wrote to memory of 2100 4416 xrfxlll.exe 87 PID 4416 wrote to memory of 2100 4416 xrfxlll.exe 87 PID 4416 wrote to memory of 2100 4416 xrfxlll.exe 87 PID 2100 wrote to memory of 2552 2100 pvvjd.exe 88 PID 2100 wrote to memory of 2552 2100 pvvjd.exe 88 PID 2100 wrote to memory of 2552 2100 pvvjd.exe 88 PID 2552 wrote to memory of 4132 2552 rfffxrf.exe 153 PID 2552 wrote to memory of 4132 2552 rfffxrf.exe 153 PID 2552 wrote to memory of 4132 2552 rfffxrf.exe 153 PID 4132 wrote to memory of 2380 4132 tnnbth.exe 90 PID 4132 wrote to memory of 2380 4132 tnnbth.exe 90 PID 4132 wrote to memory of 2380 4132 tnnbth.exe 90 PID 2380 wrote to memory of 1340 2380 vjvvp.exe 91 PID 2380 wrote to memory of 1340 2380 vjvvp.exe 91 PID 2380 wrote to memory of 1340 2380 vjvvp.exe 91 PID 1340 wrote to memory of 4444 1340 vvpdp.exe 92 PID 1340 wrote to memory of 4444 1340 vvpdp.exe 92 PID 1340 wrote to memory of 4444 1340 vvpdp.exe 92 PID 4444 wrote to memory of 1460 4444 frxlxrl.exe 93 PID 4444 wrote to memory of 1460 4444 frxlxrl.exe 93 PID 4444 wrote to memory of 1460 4444 frxlxrl.exe 93 PID 1460 wrote to memory of 2332 1460 bhntbn.exe 94 PID 1460 wrote to memory of 
2332 1460 bhntbn.exe 94 PID 1460 wrote to memory of 2332 1460 bhntbn.exe 94 PID 2332 wrote to memory of 756 2332 7nbtbt.exe 95 PID 2332 wrote to memory of 756 2332 7nbtbt.exe 95 PID 2332 wrote to memory of 756 2332 7nbtbt.exe 95 PID 756 wrote to memory of 4120 756 dppdv.exe 96 PID 756 wrote to memory of 4120 756 dppdv.exe 96 PID 756 wrote to memory of 4120 756 dppdv.exe 96 PID 4120 wrote to memory of 952 4120 7rxlxrr.exe 97 PID 4120 wrote to memory of 952 4120 7rxlxrr.exe 97 PID 4120 wrote to memory of 952 4120 7rxlxrr.exe 97 PID 952 wrote to memory of 3864 952 hthtbb.exe 98 PID 952 wrote to memory of 3864 952 hthtbb.exe 98 PID 952 wrote to memory of 3864 952 hthtbb.exe 98 PID 3864 wrote to memory of 4948 3864 nhhbnh.exe 99 PID 3864 wrote to memory of 4948 3864 nhhbnh.exe 99 PID 3864 wrote to memory of 4948 3864 nhhbnh.exe 99 PID 4948 wrote to memory of 2872 4948 dvjdj.exe 100 PID 4948 wrote to memory of 2872 4948 dvjdj.exe 100 PID 4948 wrote to memory of 2872 4948 dvjdj.exe 100 PID 2872 wrote to memory of 4060 2872 xrrlfrl.exe 101 PID 2872 wrote to memory of 4060 2872 xrrlfrl.exe 101 PID 2872 wrote to memory of 4060 2872 xrrlfrl.exe 101 PID 4060 wrote to memory of 2356 4060 ntbnbb.exe 102 PID 4060 wrote to memory of 2356 4060 ntbnbb.exe 102 PID 4060 wrote to memory of 2356 4060 ntbnbb.exe 102 PID 2356 wrote to memory of 4712 2356 7vvjv.exe 103 PID 2356 wrote to memory of 4712 2356 7vvjv.exe 103 PID 2356 wrote to memory of 4712 2356 7vvjv.exe 103 PID 4712 wrote to memory of 3184 4712 lxrfrlx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1.exe"C:\Users\Admin\AppData\Local\Temp\13c96d1e32de79d2a280712f67183e62f8dfd1b18e2fc609ed8e9da9a0e556e1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\djpdp.exec:\djpdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\9vvpd.exec:\9vvpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\nnhbnh.exec:\nnhbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\xrfxlll.exec:\xrfxlll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\pvvjd.exec:\pvvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\rfffxrf.exec:\rfffxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\tnnbth.exec:\tnnbth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\vjvvp.exec:\vjvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\vvpdp.exec:\vvpdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\frxlxrl.exec:\frxlxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
\??\c:\bhntbn.exec:\bhntbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\7nbtbt.exec:\7nbtbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\dppdv.exec:\dppdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\7rxlxrr.exec:\7rxlxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\hthtbb.exec:\hthtbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\nhhbnh.exec:\nhhbnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\dvjdj.exec:\dvjdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\xrrlfrl.exec:\xrrlfrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\ntbnbb.exec:\ntbnbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\7vvjv.exec:\7vvjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\bthnnt.exec:\bthnnt.exe23⤵
- Executes dropped EXE
PID:3184 -
\??\c:\1vdvp.exec:\1vdvp.exe24⤵
- Executes dropped EXE
PID:3672 -
\??\c:\9xfrlfr.exec:\9xfrlfr.exe25⤵
- Executes dropped EXE
PID:4168 -
\??\c:\lrlfrlx.exec:\lrlfrlx.exe26⤵
- Executes dropped EXE
PID:2088 -
\??\c:\thhhbh.exec:\thhhbh.exe27⤵
- Executes dropped EXE
PID:2168 -
\??\c:\9ppjv.exec:\9ppjv.exe28⤵
- Executes dropped EXE
PID:4052 -
\??\c:\fflfxfx.exec:\fflfxfx.exe29⤵
- Executes dropped EXE
PID:1588 -
\??\c:\nnhbtn.exec:\nnhbtn.exe30⤵
- Executes dropped EXE
PID:2232 -
\??\c:\pvpvp.exec:\pvpvp.exe31⤵
- Executes dropped EXE
PID:2428 -
\??\c:\pppdv.exec:\pppdv.exe32⤵
- Executes dropped EXE
PID:2696 -
\??\c:\xfllxrf.exec:\xfllxrf.exe33⤵
- Executes dropped EXE
PID:440 -
\??\c:\hbtnbt.exec:\hbtnbt.exe34⤵
- Executes dropped EXE
PID:208 -
\??\c:\jjvjd.exec:\jjvjd.exe35⤵
- Executes dropped EXE
PID:4364 -
\??\c:\pppjd.exec:\pppjd.exe36⤵
- Executes dropped EXE
PID:1724 -
\??\c:\ffrlxfx.exec:\ffrlxfx.exe37⤵
- Executes dropped EXE
PID:4396 -
\??\c:\bhhbhb.exec:\bhhbhb.exe38⤵
- Executes dropped EXE
PID:2372 -
\??\c:\pjjpp.exec:\pjjpp.exe39⤵
- Executes dropped EXE
PID:1708 -
\??\c:\ppdvv.exec:\ppdvv.exe40⤵
- Executes dropped EXE
PID:2012 -
\??\c:\fxffxxx.exec:\fxffxxx.exe41⤵
- Executes dropped EXE
PID:804 -
\??\c:\rrffllr.exec:\rrffllr.exe42⤵
- Executes dropped EXE
PID:1776 -
\??\c:\5bnhbb.exec:\5bnhbb.exe43⤵
- Executes dropped EXE
PID:1972 -
\??\c:\pdjdd.exec:\pdjdd.exe44⤵
- Executes dropped EXE
PID:1320 -
\??\c:\ddvjd.exec:\ddvjd.exe45⤵
- Executes dropped EXE
PID:920 -
\??\c:\9pdvp.exec:\9pdvp.exe46⤵
- Executes dropped EXE
PID:4524 -
\??\c:\xxrxrlf.exec:\xxrxrlf.exe47⤵
- Executes dropped EXE
PID:4816 -
\??\c:\hbthth.exec:\hbthth.exe48⤵
- Executes dropped EXE
PID:1508 -
\??\c:\3bhbnn.exec:\3bhbnn.exe49⤵
- Executes dropped EXE
PID:4320 -
\??\c:\ddpjd.exec:\ddpjd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4516 -
\??\c:\flxxlll.exec:\flxxlll.exe51⤵
- Executes dropped EXE
PID:1728 -
\??\c:\hbbttt.exec:\hbbttt.exe52⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hbhnhn.exec:\hbhnhn.exe53⤵
- Executes dropped EXE
PID:692 -
\??\c:\vvppj.exec:\vvppj.exe54⤵
- Executes dropped EXE
PID:3212 -
\??\c:\5jddv.exec:\5jddv.exe55⤵
- Executes dropped EXE
PID:772 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe56⤵
- Executes dropped EXE
PID:1700 -
\??\c:\nbhntt.exec:\nbhntt.exe57⤵
- Executes dropped EXE
PID:1380 -
\??\c:\bhnbnh.exec:\bhnbnh.exe58⤵
- Executes dropped EXE
PID:4144 -
\??\c:\dvpdj.exec:\dvpdj.exe59⤵
- Executes dropped EXE
PID:3244 -
\??\c:\jppjd.exec:\jppjd.exe60⤵
- Executes dropped EXE
PID:4436 -
\??\c:\lrfllxl.exec:\lrfllxl.exe61⤵
- Executes dropped EXE
PID:1672 -
\??\c:\9flffrx.exec:\9flffrx.exe62⤵
- Executes dropped EXE
PID:1528 -
\??\c:\tbnhhn.exec:\tbnhhn.exe63⤵
- Executes dropped EXE
PID:2124 -
\??\c:\nhhnnn.exec:\nhhnnn.exe64⤵
- Executes dropped EXE
PID:4860 -
\??\c:\5pddv.exec:\5pddv.exe65⤵
- Executes dropped EXE
PID:3620 -
\??\c:\llrfrlf.exec:\llrfrlf.exe66⤵PID:4008
-
\??\c:\fffflrx.exec:\fffflrx.exe67⤵PID:2084
-
\??\c:\httnbt.exec:\httnbt.exe68⤵PID:400
-
\??\c:\hbbtnn.exec:\hbbtnn.exe69⤵PID:3580
-
\??\c:\pjppd.exec:\pjppd.exe70⤵PID:3160
-
\??\c:\djvpj.exec:\djvpj.exe71⤵PID:384
-
\??\c:\9rlxrlf.exec:\9rlxrlf.exe72⤵PID:4132
-
\??\c:\rxxrfxr.exec:\rxxrfxr.exe73⤵PID:3576
-
\??\c:\tntnnh.exec:\tntnnh.exe74⤵PID:464
-
\??\c:\thnhnn.exec:\thnhnn.exe75⤵PID:4932
-
\??\c:\rxxlfxl.exec:\rxxlfxl.exe76⤵PID:556
-
\??\c:\lrllfxr.exec:\lrllfxr.exe77⤵PID:2320
-
\??\c:\3bhbnn.exec:\3bhbnn.exe78⤵PID:2020
-
\??\c:\vdjdp.exec:\vdjdp.exe79⤵PID:4900
-
\??\c:\fllxrrl.exec:\fllxrrl.exe80⤵PID:1636
-
\??\c:\rlrrlxr.exec:\rlrrlxr.exe81⤵PID:1796
-
\??\c:\nhbttt.exec:\nhbttt.exe82⤵PID:1432
-
\??\c:\3djvd.exec:\3djvd.exe83⤵PID:1564
-
\??\c:\rlxrllr.exec:\rlxrllr.exe84⤵PID:968
-
\??\c:\lfrllfl.exec:\lfrllfl.exe85⤵
- System Location Discovery: System Language Discovery
PID:4948 -
\??\c:\jvdvp.exec:\jvdvp.exe86⤵PID:2872
-
\??\c:\pjpjv.exec:\pjpjv.exe87⤵PID:3152
-
\??\c:\lxfrxxl.exec:\lxfrxxl.exe88⤵PID:4984
-
\??\c:\hnthbt.exec:\hnthbt.exe89⤵PID:3404
-
\??\c:\vpjvp.exec:\vpjvp.exe90⤵PID:4116
-
\??\c:\xlxxfxx.exec:\xlxxfxx.exe91⤵PID:4776
-
\??\c:\xffxrlf.exec:\xffxrlf.exe92⤵PID:3184
-
\??\c:\nbhbnt.exec:\nbhbnt.exe93⤵PID:2880
-
\??\c:\hbbnnh.exec:\hbbnnh.exe94⤵PID:1200
-
\??\c:\jvvjd.exec:\jvvjd.exe95⤵PID:3628
-
\??\c:\xrrfrll.exec:\xrrfrll.exe96⤵PID:2168
-
\??\c:\3xxxrrr.exec:\3xxxrrr.exe97⤵PID:4928
-
\??\c:\thhhbt.exec:\thhhbt.exe98⤵PID:1744
-
\??\c:\dppjv.exec:\dppjv.exe99⤵PID:3476
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe100⤵PID:5048
-
\??\c:\lxrxrxr.exec:\lxrxrxr.exe101⤵PID:3544
-
\??\c:\nbbbtt.exec:\nbbbtt.exe102⤵PID:3188
-
\??\c:\pdpjv.exec:\pdpjv.exe103⤵PID:3708
-
\??\c:\dvvjp.exec:\dvvjp.exe104⤵PID:440
-
\??\c:\5xffrfx.exec:\5xffrfx.exe105⤵PID:208
-
\??\c:\hbbnhb.exec:\hbbnhb.exe106⤵PID:4528
-
\??\c:\dvvvv.exec:\dvvvv.exe107⤵PID:1152
-
\??\c:\jjvpp.exec:\jjvpp.exe108⤵PID:1272
-
\??\c:\xrffrll.exec:\xrffrll.exe109⤵PID:2504
-
\??\c:\rxllffx.exec:\rxllffx.exe110⤵PID:2372
-
\??\c:\tbhbth.exec:\tbhbth.exe111⤵PID:2028
-
\??\c:\djppp.exec:\djppp.exe112⤵PID:1600
-
\??\c:\dvvpj.exec:\dvvpj.exe113⤵PID:1696
-
\??\c:\xrxrxxx.exec:\xrxrxxx.exe114⤵PID:804
-
\??\c:\5btnhb.exec:\5btnhb.exe115⤵PID:1704
-
\??\c:\9ttbnn.exec:\9ttbnn.exe116⤵PID:4696
-
\??\c:\pvddp.exec:\pvddp.exe117⤵PID:4500
-
\??\c:\flxlffx.exec:\flxlffx.exe118⤵PID:2856
-
\??\c:\nnttnh.exec:\nnttnh.exe119⤵PID:2812
-
\??\c:\vdvpv.exec:\vdvpv.exe120⤵PID:3616
-
\??\c:\5vvpd.exec:\5vvpd.exe121⤵PID:3176
-
\??\c:\xllfxxr.exec:\xllfxxr.exe122⤵PID:4904