Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 03:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae.exe
-
Size
453KB
-
MD5
88199a7f4c17c2e559305311e9f76fe9
-
SHA1
94d99da3b801ec70bc3468aebd611af3d1e8ac5c
-
SHA256
e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae
-
SHA512
bdab424e62376d26962f59541d61986e83e1122541cbe9dde2a34b72e212ac353d27c2a1a3a554234df580f188257f30a0e86906cccbfb22fb4df6465eab6d55
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebF:q7Tc2NYHUrAwfMp3CDbF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3384-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/876-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1928-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-1212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-1216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-1743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4796 3vjdj.exe 5004 frfxrrr.exe 3264 thttnb.exe 4484 1jppp.exe 2700 vppdj.exe 2216 llrrrrr.exe 2476 nhnhbb.exe 404 pvpvd.exe 3016 rrfxllr.exe 4004 lxfxrrr.exe 5092 bhnbtn.exe 2748 bhhbtt.exe 1744 vppjd.exe 1048 pvddv.exe 2328 hbttnn.exe 4332 bthtnn.exe 828 nthhbb.exe 1188 vpdvj.exe 1864 3jvjv.exe 2864 bttnbb.exe 1896 vjpdv.exe 1132 nhnhhb.exe 2788 3nhbbt.exe 2032 9rxrxrx.exe 4660 vddvp.exe 1220 tthhhn.exe 880 jdvpp.exe 3296 5nnhht.exe 2892 pvvdv.exe 2672 9djdv.exe 4740 tttnhb.exe 2428 jdjvp.exe 876 rlrfxxr.exe 5076 nhbttt.exe 3916 tnthnn.exe 4992 xfxxffx.exe 364 7xxrllf.exe 3728 thtnhb.exe 1696 flffxrf.exe 4896 tntnhh.exe 1728 3vpjp.exe 3108 xrxrrll.exe 3156 xfrlllf.exe 3572 bnnhtb.exe 3012 dvvpj.exe 1264 1rrlfrl.exe 2536 bntnhb.exe 1980 vdpdv.exe 548 rlrlfrl.exe 4760 9rxrrxx.exe 2980 pjpjd.exe 4648 lrxxlfl.exe 1208 rrrlrxl.exe 512 vjpjd.exe 4484 xxxrrlf.exe 1524 hbnhbb.exe 4408 hbtnhb.exe 2164 5jjdv.exe 4264 rxlxlfr.exe 5100 lffxrrl.exe 1108 thhbtn.exe 456 9jpdj.exe 1888 fxlllrx.exe 4972 frxlffx.exe -
resource yara_rule behavioral2/memory/3384-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-190-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4992-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3736-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-780-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3384 wrote to memory of 4796 3384 e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae.exe 83 PID 3384 wrote to memory of 4796 3384 e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae.exe 83 PID 3384 wrote to memory of 4796 3384 e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae.exe 83 PID 4796 wrote to memory of 5004 4796 3vjdj.exe 84 PID 4796 wrote to memory of 5004 4796 3vjdj.exe 84 PID 4796 wrote to memory of 5004 4796 3vjdj.exe 84 PID 5004 wrote to memory of 3264 5004 frfxrrr.exe 85 PID 5004 wrote to memory of 3264 5004 frfxrrr.exe 85 PID 5004 wrote to memory of 3264 5004 frfxrrr.exe 85 PID 3264 wrote to memory of 4484 3264 thttnb.exe 86 PID 3264 wrote to memory of 4484 3264 thttnb.exe 86 PID 3264 wrote to memory of 4484 3264 thttnb.exe 86 PID 4484 wrote to memory of 2700 4484 1jppp.exe 87 PID 4484 wrote to memory of 2700 4484 1jppp.exe 87 PID 4484 wrote to memory of 2700 4484 1jppp.exe 87 PID 2700 wrote to memory of 2216 2700 vppdj.exe 88 PID 2700 wrote to memory of 2216 2700 vppdj.exe 88 PID 2700 wrote to memory of 2216 2700 vppdj.exe 88 PID 2216 wrote to memory of 2476 2216 llrrrrr.exe 89 PID 2216 wrote to memory of 2476 2216 llrrrrr.exe 89 PID 2216 wrote to memory of 2476 2216 llrrrrr.exe 89 PID 2476 wrote to memory of 404 2476 nhnhbb.exe 90 PID 2476 wrote to memory of 404 2476 nhnhbb.exe 90 PID 2476 wrote to memory of 404 2476 nhnhbb.exe 90 PID 404 wrote to memory of 3016 404 pvpvd.exe 91 PID 404 wrote to memory of 3016 404 pvpvd.exe 91 PID 404 wrote to memory of 3016 404 pvpvd.exe 91 PID 3016 wrote to memory of 4004 3016 rrfxllr.exe 92 PID 3016 wrote to memory of 4004 3016 rrfxllr.exe 92 PID 3016 wrote to memory of 4004 3016 rrfxllr.exe 92 PID 4004 wrote to memory of 5092 4004 lxfxrrr.exe 93 PID 4004 wrote to memory of 5092 4004 lxfxrrr.exe 93 PID 4004 wrote to memory of 5092 4004 lxfxrrr.exe 93 PID 5092 wrote to memory of 2748 5092 bhnbtn.exe 94 PID 5092 wrote to memory of 
2748 5092 bhnbtn.exe 94 PID 5092 wrote to memory of 2748 5092 bhnbtn.exe 94 PID 2748 wrote to memory of 1744 2748 bhhbtt.exe 95 PID 2748 wrote to memory of 1744 2748 bhhbtt.exe 95 PID 2748 wrote to memory of 1744 2748 bhhbtt.exe 95 PID 1744 wrote to memory of 1048 1744 vppjd.exe 96 PID 1744 wrote to memory of 1048 1744 vppjd.exe 96 PID 1744 wrote to memory of 1048 1744 vppjd.exe 96 PID 1048 wrote to memory of 2328 1048 pvddv.exe 97 PID 1048 wrote to memory of 2328 1048 pvddv.exe 97 PID 1048 wrote to memory of 2328 1048 pvddv.exe 97 PID 2328 wrote to memory of 4332 2328 hbttnn.exe 98 PID 2328 wrote to memory of 4332 2328 hbttnn.exe 98 PID 2328 wrote to memory of 4332 2328 hbttnn.exe 98 PID 4332 wrote to memory of 828 4332 bthtnn.exe 99 PID 4332 wrote to memory of 828 4332 bthtnn.exe 99 PID 4332 wrote to memory of 828 4332 bthtnn.exe 99 PID 828 wrote to memory of 1188 828 nthhbb.exe 100 PID 828 wrote to memory of 1188 828 nthhbb.exe 100 PID 828 wrote to memory of 1188 828 nthhbb.exe 100 PID 1188 wrote to memory of 1864 1188 vpdvj.exe 101 PID 1188 wrote to memory of 1864 1188 vpdvj.exe 101 PID 1188 wrote to memory of 1864 1188 vpdvj.exe 101 PID 1864 wrote to memory of 2864 1864 3jvjv.exe 102 PID 1864 wrote to memory of 2864 1864 3jvjv.exe 102 PID 1864 wrote to memory of 2864 1864 3jvjv.exe 102 PID 2864 wrote to memory of 1896 2864 bttnbb.exe 103 PID 2864 wrote to memory of 1896 2864 bttnbb.exe 103 PID 2864 wrote to memory of 1896 2864 bttnbb.exe 103 PID 1896 wrote to memory of 1132 1896 vjpdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae.exe"C:\Users\Admin\AppData\Local\Temp\e0d7627e6d0a2d9fe1831716f85ec1984cd17f6df82a48f78eb11de9fc742eae.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\3vjdj.exec:\3vjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\frfxrrr.exec:\frfxrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\thttnb.exec:\thttnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\1jppp.exec:\1jppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\vppdj.exec:\vppdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\llrrrrr.exec:\llrrrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\nhnhbb.exec:\nhnhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\pvpvd.exec:\pvpvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\rrfxllr.exec:\rrfxllr.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\bhnbtn.exec:\bhnbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\bhhbtt.exec:\bhhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\vppjd.exec:\vppjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\pvddv.exec:\pvddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\hbttnn.exec:\hbttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\bthtnn.exec:\bthtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\nthhbb.exec:\nthhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\vpdvj.exec:\vpdvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\3jvjv.exec:\3jvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\bttnbb.exec:\bttnbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\vjpdv.exec:\vjpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\nhnhhb.exec:\nhnhhb.exe23⤵
- Executes dropped EXE
PID:1132 -
\??\c:\3nhbbt.exec:\3nhbbt.exe24⤵
- Executes dropped EXE
PID:2788 -
\??\c:\9rxrxrx.exec:\9rxrxrx.exe25⤵
- Executes dropped EXE
PID:2032 -
\??\c:\vddvp.exec:\vddvp.exe26⤵
- Executes dropped EXE
PID:4660 -
\??\c:\tthhhn.exec:\tthhhn.exe27⤵
- Executes dropped EXE
PID:1220 -
\??\c:\jdvpp.exec:\jdvpp.exe28⤵
- Executes dropped EXE
PID:880 -
\??\c:\5nnhht.exec:\5nnhht.exe29⤵
- Executes dropped EXE
PID:3296 -
\??\c:\pvvdv.exec:\pvvdv.exe30⤵
- Executes dropped EXE
PID:2892 -
\??\c:\9djdv.exec:\9djdv.exe31⤵
- Executes dropped EXE
PID:2672 -
\??\c:\tttnhb.exec:\tttnhb.exe32⤵
- Executes dropped EXE
PID:4740 -
\??\c:\jdjvp.exec:\jdjvp.exe33⤵
- Executes dropped EXE
PID:2428 -
\??\c:\rlrfxxr.exec:\rlrfxxr.exe34⤵
- Executes dropped EXE
PID:876 -
\??\c:\nhbttt.exec:\nhbttt.exe35⤵
- Executes dropped EXE
PID:5076 -
\??\c:\tnthnn.exec:\tnthnn.exe36⤵
- Executes dropped EXE
PID:3916 -
\??\c:\xfxxffx.exec:\xfxxffx.exe37⤵
- Executes dropped EXE
PID:4992 -
\??\c:\7xxrllf.exec:\7xxrllf.exe38⤵
- Executes dropped EXE
PID:364 -
\??\c:\thtnhb.exec:\thtnhb.exe39⤵
- Executes dropped EXE
PID:3728 -
\??\c:\flffxrf.exec:\flffxrf.exe40⤵
- Executes dropped EXE
PID:1696 -
\??\c:\tntnhh.exec:\tntnhh.exe41⤵
- Executes dropped EXE
PID:4896 -
\??\c:\3vpjp.exec:\3vpjp.exe42⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xrxrrll.exec:\xrxrrll.exe43⤵
- Executes dropped EXE
PID:3108 -
\??\c:\xfrlllf.exec:\xfrlllf.exe44⤵
- Executes dropped EXE
PID:3156 -
\??\c:\bnnhtb.exec:\bnnhtb.exe45⤵
- Executes dropped EXE
PID:3572 -
\??\c:\dvvpj.exec:\dvvpj.exe46⤵
- Executes dropped EXE
PID:3012 -
\??\c:\1rrlfrl.exec:\1rrlfrl.exe47⤵
- Executes dropped EXE
PID:1264 -
\??\c:\bntnhb.exec:\bntnhb.exe48⤵
- Executes dropped EXE
PID:2536 -
\??\c:\vdpdv.exec:\vdpdv.exe49⤵
- Executes dropped EXE
PID:1980 -
\??\c:\rlrlfrl.exec:\rlrlfrl.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:548 -
\??\c:\9rxrrxx.exec:\9rxrrxx.exe51⤵
- Executes dropped EXE
PID:4760 -
\??\c:\bttnhb.exec:\bttnhb.exe52⤵PID:4328
-
\??\c:\pjpjd.exec:\pjpjd.exe53⤵
- Executes dropped EXE
PID:2980 -
\??\c:\lrxxlfl.exec:\lrxxlfl.exe54⤵
- Executes dropped EXE
PID:4648 -
\??\c:\rrrlrxl.exec:\rrrlrxl.exe55⤵
- Executes dropped EXE
PID:1208 -
\??\c:\vjpjd.exec:\vjpjd.exe56⤵
- Executes dropped EXE
PID:512 -
\??\c:\xxxrrlf.exec:\xxxrrlf.exe57⤵
- Executes dropped EXE
PID:4484 -
\??\c:\hbnhbb.exec:\hbnhbb.exe58⤵
- Executes dropped EXE
PID:1524 -
\??\c:\hbtnhb.exec:\hbtnhb.exe59⤵
- Executes dropped EXE
PID:4408 -
\??\c:\5jjdv.exec:\5jjdv.exe60⤵
- Executes dropped EXE
PID:2164 -
\??\c:\rxlxlfr.exec:\rxlxlfr.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4264 -
\??\c:\lffxrrl.exec:\lffxrrl.exe62⤵
- Executes dropped EXE
PID:5100 -
\??\c:\thhbtn.exec:\thhbtn.exe63⤵
- Executes dropped EXE
PID:1108 -
\??\c:\9jpdj.exec:\9jpdj.exe64⤵
- Executes dropped EXE
PID:456 -
\??\c:\fxlllrx.exec:\fxlllrx.exe65⤵
- Executes dropped EXE
PID:1888 -
\??\c:\frxlffx.exec:\frxlffx.exe66⤵
- Executes dropped EXE
PID:4972 -
\??\c:\hbtntn.exec:\hbtntn.exe67⤵PID:3016
-
\??\c:\jdjdd.exec:\jdjdd.exe68⤵PID:708
-
\??\c:\lfrlllr.exec:\lfrlllr.exe69⤵PID:2496
-
\??\c:\tntnhn.exec:\tntnhn.exe70⤵PID:3480
-
\??\c:\vvvpj.exec:\vvvpj.exe71⤵PID:1680
-
\??\c:\vppvp.exec:\vppvp.exe72⤵PID:3660
-
\??\c:\1flffff.exec:\1flffff.exe73⤵PID:4692
-
\??\c:\hbhhhn.exec:\hbhhhn.exe74⤵PID:1048
-
\??\c:\ppvpj.exec:\ppvpj.exe75⤵PID:2328
-
\??\c:\ddpdv.exec:\ddpdv.exe76⤵PID:4332
-
\??\c:\xfrlxxx.exec:\xfrlxxx.exe77⤵PID:2568
-
\??\c:\hthnbt.exec:\hthnbt.exe78⤵PID:828
-
\??\c:\pvdvp.exec:\pvdvp.exe79⤵PID:2352
-
\??\c:\dvvpj.exec:\dvvpj.exe80⤵PID:2240
-
\??\c:\7xxrrrl.exec:\7xxrrrl.exe81⤵PID:1528
-
\??\c:\ntbtnh.exec:\ntbtnh.exe82⤵PID:2864
-
\??\c:\jjjdp.exec:\jjjdp.exe83⤵PID:1928
-
\??\c:\vpppj.exec:\vpppj.exe84⤵PID:1428
-
\??\c:\xrxrxrx.exec:\xrxrxrx.exe85⤵PID:4032
-
\??\c:\hntnbt.exec:\hntnbt.exe86⤵PID:1684
-
\??\c:\ppvpv.exec:\ppvpv.exe87⤵PID:2032
-
\??\c:\xrfxrlf.exec:\xrfxrlf.exe88⤵PID:1800
-
\??\c:\hbnhtt.exec:\hbnhtt.exe89⤵PID:4624
-
\??\c:\5nttnn.exec:\5nttnn.exe90⤵PID:4900
-
\??\c:\9pjjd.exec:\9pjjd.exe91⤵PID:4220
-
\??\c:\lrfffff.exec:\lrfffff.exe92⤵PID:4064
-
\??\c:\hnnbbn.exec:\hnnbbn.exe93⤵PID:4056
-
\??\c:\7vvpv.exec:\7vvpv.exe94⤵PID:3736
-
\??\c:\dppjv.exec:\dppjv.exe95⤵PID:2672
-
\??\c:\lfrlxrr.exec:\lfrlxrr.exe96⤵PID:1328
-
\??\c:\nbtnhb.exec:\nbtnhb.exe97⤵PID:2384
-
\??\c:\9vpjd.exec:\9vpjd.exe98⤵PID:872
-
\??\c:\vjpjv.exec:\vjpjv.exe99⤵PID:1404
-
\??\c:\9rfxrrr.exec:\9rfxrrr.exe100⤵PID:3176
-
\??\c:\xrfxxxf.exec:\xrfxxxf.exe101⤵PID:3916
-
\??\c:\bbnntt.exec:\bbnntt.exe102⤵PID:2804
-
\??\c:\pdpjd.exec:\pdpjd.exe103⤵PID:3960
-
\??\c:\frrrlll.exec:\frrrlll.exe104⤵PID:2232
-
\??\c:\1ntnnn.exec:\1ntnnn.exe105⤵PID:4584
-
\??\c:\jjjdv.exec:\jjjdv.exe106⤵PID:2968
-
\??\c:\frxfxxx.exec:\frxfxxx.exe107⤵PID:2944
-
\??\c:\xflxrlf.exec:\xflxrlf.exe108⤵PID:4176
-
\??\c:\ththtn.exec:\ththtn.exe109⤵PID:4576
-
\??\c:\pdpjj.exec:\pdpjj.exe110⤵PID:4012
-
\??\c:\xflfxxr.exec:\xflfxxr.exe111⤵PID:1308
-
\??\c:\bhtnnn.exec:\bhtnnn.exe112⤵PID:2880
-
\??\c:\ddjjp.exec:\ddjjp.exe113⤵PID:852
-
\??\c:\7llfxxr.exec:\7llfxxr.exe114⤵PID:676
-
\??\c:\hhhbnn.exec:\hhhbnn.exe115⤵PID:4456
-
\??\c:\hbtnnh.exec:\hbtnnh.exe116⤵PID:4444
-
\??\c:\vvvdv.exec:\vvvdv.exe117⤵PID:60
-
\??\c:\frlfxrl.exec:\frlfxrl.exe118⤵PID:3368
-
\??\c:\1tnhbt.exec:\1tnhbt.exe119⤵PID:1200
-
\??\c:\7ttnbt.exec:\7ttnbt.exe120⤵PID:1852
-
\??\c:\vjpjv.exec:\vjpjv.exe121⤵PID:3780
-
\??\c:\xlrlxrf.exec:\xlrlxrf.exe122⤵PID:4672
-