Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system -
submitted
19-12-2024 02:31
Behavioral task
behavioral1
Sample
b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc.exe
-
Size
97KB
-
MD5
a694fa185bf3a19436972af5873f957b
-
SHA1
dc474ce743b570abc3f7b98a1cc03442ac6f6c5a
-
SHA256
b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc
-
SHA512
1992b9e40a23a32e0437d2f561f380098e08d9dab3427ad492165991a8352eec8cb0d8955857d9b39f1b271e51eab8985e33c22f01d97da4b5192d7a978e43d6
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgR4:8cm4FmowdHoSgWrXUgC
Malware Config
Signatures (note: the IoC resource paths below are prefixed behavioral2/ and the Analysis block lists the platform as windows10-2004_x64 / win10v2004-20241007-en, whereas the task tab above reads behavioral1 / win7-20241010-en / windows7-x64 — confirm which task these details belong to before citing them)
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit is the family_blackmoon yara rule matching the same in-memory image range 0x00400000–0x00427000 in each successive dropped executable — one rule hit repeated down the process chain, not 63 distinct payloads)
resource yara_rule behavioral2/memory/3276-3-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4916-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-22-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1008-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1272-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1332-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3940-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1644-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2312-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/808-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/968-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4012-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3204-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/772-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-131-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4008-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4268-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-173-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3320-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-204-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3804-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3996-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1420-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4320-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1668-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-249-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2024-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3144-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-379-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3008-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-436-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-465-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/444-523-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-538-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-655-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-674-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2380-829-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list is capped at 64 entries; the process tree below continues to depth 122, so the actual number of dropped executables is higher than shown here)
pid Process 4916 pdvpj.exe 3624 jddvj.exe 4400 7hbthh.exe 924 hthtnh.exe 1272 jvdvj.exe 1008 djvjd.exe 1332 fxxrffl.exe 4320 nhtnht.exe 3904 djpjv.exe 3940 rlxrfxr.exe 1644 nthhhb.exe 2312 vdddd.exe 3052 ffllfrl.exe 1964 tbbhbb.exe 4508 vdjdv.exe 2368 7rllllf.exe 3060 tntnnh.exe 808 jddvj.exe 1048 9xrxfrx.exe 2480 xrlfllx.exe 968 1tbttn.exe 4012 jppdd.exe 4740 dpddv.exe 3204 lxllxxx.exe 772 xrxrlrl.exe 4676 btnnhb.exe 4688 dvdjd.exe 4008 tbbbbt.exe 2996 tbnbnh.exe 4188 3llfffx.exe 4948 rlrrxxf.exe 4412 bnbttt.exe 3456 jjdvp.exe 4984 7rflfrr.exe 3144 lfrlxlx.exe 4268 3hbbnn.exe 3656 jvdvp.exe 4836 rfrrflf.exe 3320 htttnt.exe 4880 pdpdd.exe 2824 dvvpd.exe 2720 lfxrllr.exe 3468 hnbtnn.exe 1360 vdjpj.exe 920 fllfxrr.exe 1428 lfffxff.exe 4200 ddddd.exe 4316 vdjdv.exe 1896 frrxfll.exe 5060 nhhhhh.exe 836 tnhhnn.exe 3152 ddjdv.exe 3624 ppvjj.exe 3804 3xllffl.exe 3996 bbbnht.exe 2072 jjjjv.exe 1420 xrrlllx.exe 2400 nntnbb.exe 3016 xrffllx.exe 4176 pddjd.exe 4320 jpdvp.exe 4604 xfxlfff.exe 1668 btthnn.exe 4140 jjvvj.exe -
resource yara_rule behavioral2/memory/3276-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b10-4.dat upx behavioral2/memory/4916-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3276-3-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b68-9.dat upx behavioral2/memory/4916-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6e-12.dat upx behavioral2/memory/3624-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b6f-19.dat upx behavioral2/memory/924-22-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4400-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b70-25.dat upx behavioral2/files/0x000a000000023b71-29.dat upx behavioral2/files/0x000a000000023b72-34.dat upx behavioral2/memory/1008-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1272-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b73-39.dat upx behavioral2/memory/1332-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b74-43.dat upx behavioral2/memory/4320-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b75-49.dat upx behavioral2/memory/3904-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b76-54.dat upx behavioral2/memory/3940-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b77-59.dat upx behavioral2/memory/1644-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2312-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-64.dat upx behavioral2/files/0x000a000000023b79-69.dat upx behavioral2/memory/3052-70-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b7b-74.dat upx behavioral2/files/0x000a000000023b7c-78.dat upx behavioral2/memory/4508-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-83.dat upx behavioral2/files/0x000c000000023b68-87.dat upx behavioral2/memory/3060-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/808-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-94.dat upx behavioral2/memory/1048-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-99.dat upx behavioral2/files/0x000a000000023b80-103.dat upx behavioral2/memory/2480-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-107.dat upx behavioral2/memory/968-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-113.dat upx behavioral2/files/0x000a000000023b83-118.dat upx behavioral2/memory/4012-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3204-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-123.dat upx behavioral2/memory/772-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-127.dat upx behavioral2/memory/4676-131-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b6a-132.dat upx behavioral2/files/0x000a000000023b86-136.dat upx behavioral2/memory/4008-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-141.dat upx behavioral2/files/0x000a000000023b88-145.dat upx behavioral2/files/0x000a000000023b89-149.dat upx behavioral2/memory/4188-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-154.dat upx behavioral2/memory/4412-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3456-161-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/4984-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3144-167-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Caveat: reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine start-up behaviour for many legitimate programs, so this indicator is weak on its own. Entries attributed to "Process not Found" are events the sandbox could not tie to a live process — presumably because the short-lived dropped executable had already exited — so the per-process attribution below is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each write targets the writer's own direct child in the process tree below and is recorded three times per child, which is consistent with ordinary process-creation writes rather than injection into an unrelated process; the list is capped at 64 entries, which is likely why the WriteProcessMemory tag in the tree stops after depth 22, PID 968, rather than indicating a change in behaviour)
description pid Process procid_target PID 3276 wrote to memory of 4916 3276 b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc.exe 83 PID 3276 wrote to memory of 4916 3276 b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc.exe 83 PID 3276 wrote to memory of 4916 3276 b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc.exe 83 PID 4916 wrote to memory of 3624 4916 pdvpj.exe 84 PID 4916 wrote to memory of 3624 4916 pdvpj.exe 84 PID 4916 wrote to memory of 3624 4916 pdvpj.exe 84 PID 3624 wrote to memory of 4400 3624 jddvj.exe 85 PID 3624 wrote to memory of 4400 3624 jddvj.exe 85 PID 3624 wrote to memory of 4400 3624 jddvj.exe 85 PID 4400 wrote to memory of 924 4400 7hbthh.exe 86 PID 4400 wrote to memory of 924 4400 7hbthh.exe 86 PID 4400 wrote to memory of 924 4400 7hbthh.exe 86 PID 924 wrote to memory of 1272 924 hthtnh.exe 87 PID 924 wrote to memory of 1272 924 hthtnh.exe 87 PID 924 wrote to memory of 1272 924 hthtnh.exe 87 PID 1272 wrote to memory of 1008 1272 jvdvj.exe 88 PID 1272 wrote to memory of 1008 1272 jvdvj.exe 88 PID 1272 wrote to memory of 1008 1272 jvdvj.exe 88 PID 1008 wrote to memory of 1332 1008 djvjd.exe 89 PID 1008 wrote to memory of 1332 1008 djvjd.exe 89 PID 1008 wrote to memory of 1332 1008 djvjd.exe 89 PID 1332 wrote to memory of 4320 1332 fxxrffl.exe 90 PID 1332 wrote to memory of 4320 1332 fxxrffl.exe 90 PID 1332 wrote to memory of 4320 1332 fxxrffl.exe 90 PID 4320 wrote to memory of 3904 4320 nhtnht.exe 91 PID 4320 wrote to memory of 3904 4320 nhtnht.exe 91 PID 4320 wrote to memory of 3904 4320 nhtnht.exe 91 PID 3904 wrote to memory of 3940 3904 djpjv.exe 92 PID 3904 wrote to memory of 3940 3904 djpjv.exe 92 PID 3904 wrote to memory of 3940 3904 djpjv.exe 92 PID 3940 wrote to memory of 1644 3940 rlxrfxr.exe 93 PID 3940 wrote to memory of 1644 3940 rlxrfxr.exe 93 PID 3940 wrote to memory of 1644 3940 rlxrfxr.exe 93 PID 1644 wrote to memory of 2312 1644 nthhhb.exe 94 PID 1644 wrote to memory of 2312 1644 
nthhhb.exe 94 PID 1644 wrote to memory of 2312 1644 nthhhb.exe 94 PID 2312 wrote to memory of 3052 2312 vdddd.exe 95 PID 2312 wrote to memory of 3052 2312 vdddd.exe 95 PID 2312 wrote to memory of 3052 2312 vdddd.exe 95 PID 3052 wrote to memory of 1964 3052 ffllfrl.exe 96 PID 3052 wrote to memory of 1964 3052 ffllfrl.exe 96 PID 3052 wrote to memory of 1964 3052 ffllfrl.exe 96 PID 1964 wrote to memory of 4508 1964 tbbhbb.exe 97 PID 1964 wrote to memory of 4508 1964 tbbhbb.exe 97 PID 1964 wrote to memory of 4508 1964 tbbhbb.exe 97 PID 4508 wrote to memory of 2368 4508 vdjdv.exe 98 PID 4508 wrote to memory of 2368 4508 vdjdv.exe 98 PID 4508 wrote to memory of 2368 4508 vdjdv.exe 98 PID 2368 wrote to memory of 3060 2368 7rllllf.exe 99 PID 2368 wrote to memory of 3060 2368 7rllllf.exe 99 PID 2368 wrote to memory of 3060 2368 7rllllf.exe 99 PID 3060 wrote to memory of 808 3060 tntnnh.exe 100 PID 3060 wrote to memory of 808 3060 tntnnh.exe 100 PID 3060 wrote to memory of 808 3060 tntnnh.exe 100 PID 808 wrote to memory of 1048 808 jddvj.exe 101 PID 808 wrote to memory of 1048 808 jddvj.exe 101 PID 808 wrote to memory of 1048 808 jddvj.exe 101 PID 1048 wrote to memory of 2480 1048 9xrxfrx.exe 102 PID 1048 wrote to memory of 2480 1048 9xrxfrx.exe 102 PID 1048 wrote to memory of 2480 1048 9xrxfrx.exe 102 PID 2480 wrote to memory of 968 2480 xrlfllx.exe 103 PID 2480 wrote to memory of 968 2480 xrlfllx.exe 103 PID 2480 wrote to memory of 968 2480 xrlfllx.exe 103 PID 968 wrote to memory of 4012 968 1tbttn.exe 104
Processes (each entry shows the image path, then the command line, then the tree depth; the dropped executables are written to the root of c:\ and each spawns the next in a 122-deep chain; several PIDs — e.g. 3624, 4320, 808 — appear twice because earlier processes in the chain had exited and their PIDs were reused)
-
C:\Users\Admin\AppData\Local\Temp\b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc.exe"C:\Users\Admin\AppData\Local\Temp\b4bfc77dc8bc28c9e760625aee7b311284165e8ff6cbd9aa23c86b0b1a0a91fc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\pdvpj.exec:\pdvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\jddvj.exec:\jddvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\7hbthh.exec:\7hbthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\hthtnh.exec:\hthtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\jvdvj.exec:\jvdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\djvjd.exec:\djvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\fxxrffl.exec:\fxxrffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\nhtnht.exec:\nhtnht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\djpjv.exec:\djpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\rlxrfxr.exec:\rlxrfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\nthhhb.exec:\nthhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\vdddd.exec:\vdddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\ffllfrl.exec:\ffllfrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\tbbhbb.exec:\tbbhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\vdjdv.exec:\vdjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\7rllllf.exec:\7rllllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\tntnnh.exec:\tntnnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\jddvj.exec:\jddvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\9xrxfrx.exec:\9xrxfrx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\xrlfllx.exec:\xrlfllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\1tbttn.exec:\1tbttn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\jppdd.exec:\jppdd.exe23⤵
- Executes dropped EXE
PID:4012 -
\??\c:\dpddv.exec:\dpddv.exe24⤵
- Executes dropped EXE
PID:4740 -
\??\c:\lxllxxx.exec:\lxllxxx.exe25⤵
- Executes dropped EXE
PID:3204 -
\??\c:\xrxrlrl.exec:\xrxrlrl.exe26⤵
- Executes dropped EXE
PID:772 -
\??\c:\btnnhb.exec:\btnnhb.exe27⤵
- Executes dropped EXE
PID:4676 -
\??\c:\dvdjd.exec:\dvdjd.exe28⤵
- Executes dropped EXE
PID:4688 -
\??\c:\tbbbbt.exec:\tbbbbt.exe29⤵
- Executes dropped EXE
PID:4008 -
\??\c:\tbnbnh.exec:\tbnbnh.exe30⤵
- Executes dropped EXE
PID:2996 -
\??\c:\3llfffx.exec:\3llfffx.exe31⤵
- Executes dropped EXE
PID:4188 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe32⤵
- Executes dropped EXE
PID:4948 -
\??\c:\bnbttt.exec:\bnbttt.exe33⤵
- Executes dropped EXE
PID:4412 -
\??\c:\jjdvp.exec:\jjdvp.exe34⤵
- Executes dropped EXE
PID:3456 -
\??\c:\7rflfrr.exec:\7rflfrr.exe35⤵
- Executes dropped EXE
PID:4984 -
\??\c:\lfrlxlx.exec:\lfrlxlx.exe36⤵
- Executes dropped EXE
PID:3144 -
\??\c:\3hbbnn.exec:\3hbbnn.exe37⤵
- Executes dropped EXE
PID:4268 -
\??\c:\jvdvp.exec:\jvdvp.exe38⤵
- Executes dropped EXE
PID:3656 -
\??\c:\rfrrflf.exec:\rfrrflf.exe39⤵
- Executes dropped EXE
PID:4836 -
\??\c:\htttnt.exec:\htttnt.exe40⤵
- Executes dropped EXE
PID:3320 -
\??\c:\pdpdd.exec:\pdpdd.exe41⤵
- Executes dropped EXE
PID:4880 -
\??\c:\dvvpd.exec:\dvvpd.exe42⤵
- Executes dropped EXE
PID:2824 -
\??\c:\lfxrllr.exec:\lfxrllr.exe43⤵
- Executes dropped EXE
PID:2720 -
\??\c:\hnbtnn.exec:\hnbtnn.exe44⤵
- Executes dropped EXE
PID:3468 -
\??\c:\vdjpj.exec:\vdjpj.exe45⤵
- Executes dropped EXE
PID:1360 -
\??\c:\fllfxrr.exec:\fllfxrr.exe46⤵
- Executes dropped EXE
PID:920 -
\??\c:\lfffxff.exec:\lfffxff.exe47⤵
- Executes dropped EXE
PID:1428 -
\??\c:\ddddd.exec:\ddddd.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4200 -
\??\c:\vdjdv.exec:\vdjdv.exe49⤵
- Executes dropped EXE
PID:4316 -
\??\c:\frrxfll.exec:\frrxfll.exe50⤵
- Executes dropped EXE
PID:1896 -
\??\c:\nhhhhh.exec:\nhhhhh.exe51⤵
- Executes dropped EXE
PID:5060 -
\??\c:\tnhhnn.exec:\tnhhnn.exe52⤵
- Executes dropped EXE
PID:836 -
\??\c:\ddjdv.exec:\ddjdv.exe53⤵
- Executes dropped EXE
PID:3152 -
\??\c:\ppvjj.exec:\ppvjj.exe54⤵
- Executes dropped EXE
PID:3624 -
\??\c:\3xllffl.exec:\3xllffl.exe55⤵
- Executes dropped EXE
PID:3804 -
\??\c:\bbbnht.exec:\bbbnht.exe56⤵
- Executes dropped EXE
PID:3996 -
\??\c:\jjjjv.exec:\jjjjv.exe57⤵
- Executes dropped EXE
PID:2072 -
\??\c:\xrrlllx.exec:\xrrlllx.exe58⤵
- Executes dropped EXE
PID:1420 -
\??\c:\nntnbb.exec:\nntnbb.exe59⤵
- Executes dropped EXE
PID:2400 -
\??\c:\xrffllx.exec:\xrffllx.exe60⤵
- Executes dropped EXE
PID:3016 -
\??\c:\pddjd.exec:\pddjd.exe61⤵
- Executes dropped EXE
PID:4176 -
\??\c:\jpdvp.exec:\jpdvp.exe62⤵
- Executes dropped EXE
PID:4320 -
\??\c:\xfxlfff.exec:\xfxlfff.exe63⤵
- Executes dropped EXE
PID:4604 -
\??\c:\btthnn.exec:\btthnn.exe64⤵
- Executes dropped EXE
PID:1668 -
\??\c:\jjvvj.exec:\jjvvj.exe65⤵
- Executes dropped EXE
PID:4140 -
\??\c:\llrlxfx.exec:\llrlxfx.exe66⤵PID:3776
-
\??\c:\bbnnnn.exec:\bbnnnn.exe67⤵PID:1064
-
\??\c:\tnnhbb.exec:\tnnhbb.exe68⤵PID:2140
-
\??\c:\1jppd.exec:\1jppd.exe69⤵PID:2980
-
\??\c:\pjjdd.exec:\pjjdd.exe70⤵PID:1416
-
\??\c:\xrlxxxx.exec:\xrlxxxx.exe71⤵PID:2076
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe72⤵PID:560
-
\??\c:\bbhntb.exec:\bbhntb.exe73⤵PID:1236
-
\??\c:\dddjj.exec:\dddjj.exe74⤵PID:3532
-
\??\c:\ppvpj.exec:\ppvpj.exe75⤵PID:2212
-
\??\c:\lllffff.exec:\lllffff.exe76⤵PID:5052
-
\??\c:\btthhh.exec:\btthhh.exe77⤵PID:808
-
\??\c:\ntbhtb.exec:\ntbhtb.exe78⤵PID:3012
-
\??\c:\jdvpv.exec:\jdvpv.exe79⤵PID:4160
-
\??\c:\5jpjj.exec:\5jpjj.exe80⤵PID:3948
-
\??\c:\9lxrllr.exec:\9lxrllr.exe81⤵PID:2888
-
\??\c:\bnhbtt.exec:\bnhbtt.exe82⤵PID:2024
-
\??\c:\btnhbb.exec:\btnhbb.exe83⤵PID:2756
-
\??\c:\5jpjd.exec:\5jpjd.exe84⤵PID:396
-
\??\c:\xflflll.exec:\xflflll.exe85⤵PID:3204
-
\??\c:\5bbbbb.exec:\5bbbbb.exe86⤵PID:2760
-
\??\c:\jvjdd.exec:\jvjdd.exe87⤵PID:4364
-
\??\c:\1dvvp.exec:\1dvvp.exe88⤵PID:1764
-
\??\c:\xrrlffr.exec:\xrrlffr.exe89⤵PID:1032
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe90⤵PID:4380
-
\??\c:\btbbtt.exec:\btbbtt.exe91⤵PID:4008
-
\??\c:\9pjjj.exec:\9pjjj.exe92⤵PID:2996
-
\??\c:\dvjjv.exec:\dvjjv.exe93⤵PID:2800
-
\??\c:\ffllfff.exec:\ffllfff.exe94⤵PID:4188
-
\??\c:\xxxlrrx.exec:\xxxlrrx.exe95⤵PID:1832
-
\??\c:\ntbhbh.exec:\ntbhbh.exe96⤵PID:2488
-
\??\c:\pdjjd.exec:\pdjjd.exe97⤵PID:4944
-
\??\c:\jpjjv.exec:\jpjjv.exe98⤵PID:3000
-
\??\c:\lfrrxxf.exec:\lfrrxxf.exe99⤵
- System Location Discovery: System Language Discovery
PID:116 -
\??\c:\1thbtb.exec:\1thbtb.exe100⤵PID:3144
-
\??\c:\nbhnnn.exec:\nbhnnn.exe101⤵PID:3652
-
\??\c:\pvvjd.exec:\pvvjd.exe102⤵PID:1532
-
\??\c:\xlllxxx.exec:\xlllxxx.exe103⤵PID:3408
-
\??\c:\nbtnnn.exec:\nbtnnn.exe104⤵PID:1976
-
\??\c:\btbtnt.exec:\btbtnt.exe105⤵PID:916
-
\??\c:\vvvvv.exec:\vvvvv.exe106⤵PID:3872
-
\??\c:\pjdvv.exec:\pjdvv.exe107⤵PID:3232
-
\??\c:\fxffxfx.exec:\fxffxfx.exe108⤵PID:3468
-
\??\c:\thnnhn.exec:\thnnhn.exe109⤵PID:4680
-
\??\c:\jvpvp.exec:\jvpvp.exe110⤵PID:1156
-
\??\c:\pjvvp.exec:\pjvvp.exe111⤵PID:4200
-
\??\c:\7frxlll.exec:\7frxlll.exe112⤵PID:4316
-
\??\c:\hhnttb.exec:\hhnttb.exe113⤵PID:1896
-
\??\c:\9tbbtt.exec:\9tbbtt.exe114⤵PID:4916
-
\??\c:\nhhnhh.exec:\nhhnhh.exe115⤵PID:1744
-
\??\c:\9ddvp.exec:\9ddvp.exe116⤵PID:5068
-
\??\c:\fffxrxr.exec:\fffxrxr.exe117⤵PID:3624
-
\??\c:\1lxlrrf.exec:\1lxlrrf.exe118⤵PID:924
-
\??\c:\7bhtnb.exec:\7bhtnb.exe119⤵PID:1432
-
\??\c:\ppppp.exec:\ppppp.exe120⤵PID:4332
-
\??\c:\dpvvp.exec:\dpvvp.exe121⤵PID:4432
-
\??\c:\lxfxlll.exec:\lxfxlll.exe122⤵PID:1180