Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:06
Static task
static1
1 signature
Behavioral task (note: the task listed here is behavioral1 on Windows 7, but the signature hits below are tagged behavioral2 and the header names the Windows 10 2004 x64 image — the detections shown appear to come from the Windows 10 run)
behavioral1
Sample
9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6.exe
-
Size
456KB
-
MD5
a7578d4f7c8dfb72df0100fae741b3fc
-
SHA1
931add9de76cb6551b46da3dd7fd153b86891aa8
-
SHA256
9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6
-
SHA512
81f30529ff5512b938d0b24a88ab26ffeff3c38b55830dcd48b4a2088590fa6352d354aca21dfc7cbc64e1b611a9e1dab372c4e44063309daecf8fd6ebced9a7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRw:q7Tc2NYHUrAwfMp3CDRw
Malware Config — empty: no configuration was extracted from this sample.
Signatures
-
Blackmoon family (classification rests on the `family_blackmoon` YARA rule matching the unpacked in-memory image; see the memory-dump hits below)
-
Detect Blackmoon payload 62 IoCs — every hit is the same 0x00400000–0x0042A000 image range in a different PID, so these are repeated matches on one payload re-executed by each dropped EXE, not 62 distinct payloads. The same dumps also match the `upx` rule below, indicating the on-disk binary is UPX-packed and the family rule fires on the unpacked image in memory.
resource yara_rule behavioral2/memory/2988-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/208-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1116-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-855-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-865-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-1080-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the process tree below continues to depth 122). PIDs are reused within the run — e.g. 4188 is both 3dvpd.exe and pdvpv.exe, 4428 both pppjd.exe and lxrlfxr.exe — so correlate IoCs by process name and chain position, not by PID alone.
pid Process 4188 3dvpd.exe 4736 9dvpj.exe 2064 jvpdj.exe 2352 jdddv.exe 4568 lffrlfx.exe 2584 vdddv.exe 3520 5ntnht.exe 2948 fxlffxx.exe 4540 tbntnb.exe 2060 1djdv.exe 852 1xrfxxr.exe 4428 pppjd.exe 4156 xlrlxxx.exe 1476 bntnnn.exe 1964 1vpjp.exe 2252 xxxlfxx.exe 4252 nhhbnn.exe 1656 bbhthh.exe 1040 1jpjd.exe 3924 lxfxrxr.exe 1224 frxrllf.exe 3680 5hbhbt.exe 2008 9vvvp.exe 1640 7rlfxlf.exe 4724 fllfxxl.exe 3220 httnnn.exe 4992 3pppj.exe 2024 dpppj.exe 1560 1rfxrrl.exe 4716 7fxrllf.exe 4672 tbhbbt.exe 4032 jpvpj.exe 4732 jvdvv.exe 1940 rffrlfx.exe 680 tnnnnn.exe 3528 tnbtnn.exe 2304 pjdvj.exe 916 xfffxxr.exe 4972 xrxxrrr.exe 3468 bnhnhh.exe 4620 7tbnbb.exe 208 pvdpj.exe 5108 lfffxxx.exe 1060 lxllfxr.exe 2296 tntnhh.exe 4660 thhbnn.exe 2124 vppjd.exe 5112 fxfxrlx.exe 4188 pdvpv.exe 3556 1xrrrrl.exe 812 ddvvp.exe 1116 hbhbtt.exe 3536 1hnhhh.exe 1368 7xfxxxf.exe 1952 bttnnn.exe 1384 djpjv.exe 4584 xlrfflf.exe 4312 jjpjd.exe 4680 7fffxrl.exe 216 btbtbt.exe 3444 jddvp.exe 4844 1lxrffx.exe 4428 lxrlfxr.exe 4228 thhbtt.exe -
resource yara_rule behavioral2/memory/2988-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-216-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3528-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4192-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-836-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-855-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-865-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-938-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-1080-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Every hit here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; this key is also read by ordinary locale/runtime-library initialisation, so on its own it is a weak indicator and should be weighted together with the Blackmoon and dropped-EXE detections. Many entries show "Process not Found", presumably because the sandbox could no longer attribute the registry open to a live process when the event was logged (the chain processes are short-lived).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (capped at 64 entries, covering only the first ~22 spawns; the last listed write is 1224 → 3680 but the chain continues — see the process tree below). Each spawn appears as three parent→child writes, and every target PID is the parent's own freshly created child, so this looks like ordinary process creation rather than injection into a foreign process; treat it as supporting evidence for the chain, not as a separate injection finding.
description pid Process procid_target PID 2988 wrote to memory of 4188 2988 9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6.exe 82 PID 2988 wrote to memory of 4188 2988 9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6.exe 82 PID 2988 wrote to memory of 4188 2988 9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6.exe 82 PID 4188 wrote to memory of 4736 4188 3dvpd.exe 83 PID 4188 wrote to memory of 4736 4188 3dvpd.exe 83 PID 4188 wrote to memory of 4736 4188 3dvpd.exe 83 PID 4736 wrote to memory of 2064 4736 9dvpj.exe 84 PID 4736 wrote to memory of 2064 4736 9dvpj.exe 84 PID 4736 wrote to memory of 2064 4736 9dvpj.exe 84 PID 2064 wrote to memory of 2352 2064 jvpdj.exe 85 PID 2064 wrote to memory of 2352 2064 jvpdj.exe 85 PID 2064 wrote to memory of 2352 2064 jvpdj.exe 85 PID 2352 wrote to memory of 4568 2352 jdddv.exe 86 PID 2352 wrote to memory of 4568 2352 jdddv.exe 86 PID 2352 wrote to memory of 4568 2352 jdddv.exe 86 PID 4568 wrote to memory of 2584 4568 lffrlfx.exe 87 PID 4568 wrote to memory of 2584 4568 lffrlfx.exe 87 PID 4568 wrote to memory of 2584 4568 lffrlfx.exe 87 PID 2584 wrote to memory of 3520 2584 vdddv.exe 88 PID 2584 wrote to memory of 3520 2584 vdddv.exe 88 PID 2584 wrote to memory of 3520 2584 vdddv.exe 88 PID 3520 wrote to memory of 2948 3520 5ntnht.exe 89 PID 3520 wrote to memory of 2948 3520 5ntnht.exe 89 PID 3520 wrote to memory of 2948 3520 5ntnht.exe 89 PID 2948 wrote to memory of 4540 2948 fxlffxx.exe 90 PID 2948 wrote to memory of 4540 2948 fxlffxx.exe 90 PID 2948 wrote to memory of 4540 2948 fxlffxx.exe 90 PID 4540 wrote to memory of 2060 4540 tbntnb.exe 91 PID 4540 wrote to memory of 2060 4540 tbntnb.exe 91 PID 4540 wrote to memory of 2060 4540 tbntnb.exe 91 PID 2060 wrote to memory of 852 2060 1djdv.exe 92 PID 2060 wrote to memory of 852 2060 1djdv.exe 92 PID 2060 wrote to memory of 852 2060 1djdv.exe 92 PID 852 wrote to memory of 4428 852 1xrfxxr.exe 93 PID 852 wrote to memory of 4428 852 
1xrfxxr.exe 93 PID 852 wrote to memory of 4428 852 1xrfxxr.exe 93 PID 4428 wrote to memory of 4156 4428 pppjd.exe 94 PID 4428 wrote to memory of 4156 4428 pppjd.exe 94 PID 4428 wrote to memory of 4156 4428 pppjd.exe 94 PID 4156 wrote to memory of 1476 4156 xlrlxxx.exe 95 PID 4156 wrote to memory of 1476 4156 xlrlxxx.exe 95 PID 4156 wrote to memory of 1476 4156 xlrlxxx.exe 95 PID 1476 wrote to memory of 1964 1476 bntnnn.exe 96 PID 1476 wrote to memory of 1964 1476 bntnnn.exe 96 PID 1476 wrote to memory of 1964 1476 bntnnn.exe 96 PID 1964 wrote to memory of 2252 1964 1vpjp.exe 97 PID 1964 wrote to memory of 2252 1964 1vpjp.exe 97 PID 1964 wrote to memory of 2252 1964 1vpjp.exe 97 PID 2252 wrote to memory of 4252 2252 xxxlfxx.exe 98 PID 2252 wrote to memory of 4252 2252 xxxlfxx.exe 98 PID 2252 wrote to memory of 4252 2252 xxxlfxx.exe 98 PID 4252 wrote to memory of 1656 4252 nhhbnn.exe 99 PID 4252 wrote to memory of 1656 4252 nhhbnn.exe 99 PID 4252 wrote to memory of 1656 4252 nhhbnn.exe 99 PID 1656 wrote to memory of 1040 1656 bbhthh.exe 100 PID 1656 wrote to memory of 1040 1656 bbhthh.exe 100 PID 1656 wrote to memory of 1040 1656 bbhthh.exe 100 PID 1040 wrote to memory of 3924 1040 1jpjd.exe 101 PID 1040 wrote to memory of 3924 1040 1jpjd.exe 101 PID 1040 wrote to memory of 3924 1040 1jpjd.exe 101 PID 3924 wrote to memory of 1224 3924 lxfxrxr.exe 102 PID 3924 wrote to memory of 1224 3924 lxfxrxr.exe 102 PID 3924 wrote to memory of 1224 3924 lxfxrxr.exe 102 PID 1224 wrote to memory of 3680 1224 frxrllf.exe 103
Processes — a linear chain: each dropped EXE is written to the root of c:\ under a random-looking name and launched by its predecessor (122 levels are shown). The sample ran from C:\Users\Admin, so the ability to drop files directly in the drive root may not hold for a non-administrative user.
-
C:\Users\Admin\AppData\Local\Temp\9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6.exe"C:\Users\Admin\AppData\Local\Temp\9656255856587b5f72579181f5fe8ef5d050823903aa87b2808b5aa317e705a6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\3dvpd.exec:\3dvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\9dvpj.exec:\9dvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\jvpdj.exec:\jvpdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\jdddv.exec:\jdddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\lffrlfx.exec:\lffrlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\vdddv.exec:\vdddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\5ntnht.exec:\5ntnht.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\fxlffxx.exec:\fxlffxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\tbntnb.exec:\tbntnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\1djdv.exec:\1djdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\1xrfxxr.exec:\1xrfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\pppjd.exec:\pppjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\xlrlxxx.exec:\xlrlxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\bntnnn.exec:\bntnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1476 -
\??\c:\1vpjp.exec:\1vpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\xxxlfxx.exec:\xxxlfxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\nhhbnn.exec:\nhhbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\bbhthh.exec:\bbhthh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\1jpjd.exec:\1jpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\lxfxrxr.exec:\lxfxrxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\frxrllf.exec:\frxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\5hbhbt.exec:\5hbhbt.exe23⤵
- Executes dropped EXE
PID:3680 -
\??\c:\9vvvp.exec:\9vvvp.exe24⤵
- Executes dropped EXE
PID:2008 -
\??\c:\7rlfxlf.exec:\7rlfxlf.exe25⤵
- Executes dropped EXE
PID:1640 -
\??\c:\fllfxxl.exec:\fllfxxl.exe26⤵
- Executes dropped EXE
PID:4724 -
\??\c:\httnnn.exec:\httnnn.exe27⤵
- Executes dropped EXE
PID:3220 -
\??\c:\3pppj.exec:\3pppj.exe28⤵
- Executes dropped EXE
PID:4992 -
\??\c:\dpppj.exec:\dpppj.exe29⤵
- Executes dropped EXE
PID:2024 -
\??\c:\1rfxrrl.exec:\1rfxrrl.exe30⤵
- Executes dropped EXE
PID:1560 -
\??\c:\7fxrllf.exec:\7fxrllf.exe31⤵
- Executes dropped EXE
PID:4716 -
\??\c:\tbhbbt.exec:\tbhbbt.exe32⤵
- Executes dropped EXE
PID:4672 -
\??\c:\jpvpj.exec:\jpvpj.exe33⤵
- Executes dropped EXE
PID:4032 -
\??\c:\jvdvv.exec:\jvdvv.exe34⤵
- Executes dropped EXE
PID:4732 -
\??\c:\rffrlfx.exec:\rffrlfx.exe35⤵
- Executes dropped EXE
PID:1940 -
\??\c:\tnnnnn.exec:\tnnnnn.exe36⤵
- Executes dropped EXE
PID:680 -
\??\c:\tnbtnn.exec:\tnbtnn.exe37⤵
- Executes dropped EXE
PID:3528 -
\??\c:\pjdvj.exec:\pjdvj.exe38⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xfffxxr.exec:\xfffxxr.exe39⤵
- Executes dropped EXE
PID:916 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe40⤵
- Executes dropped EXE
PID:4972 -
\??\c:\bnhnhh.exec:\bnhnhh.exe41⤵
- Executes dropped EXE
PID:3468 -
\??\c:\7tbnbb.exec:\7tbnbb.exe42⤵
- Executes dropped EXE
PID:4620 -
\??\c:\pvdpj.exec:\pvdpj.exe43⤵
- Executes dropped EXE
PID:208 -
\??\c:\lfffxxx.exec:\lfffxxx.exe44⤵
- Executes dropped EXE
PID:5108 -
\??\c:\lxllfxr.exec:\lxllfxr.exe45⤵
- Executes dropped EXE
PID:1060 -
\??\c:\tntnhh.exec:\tntnhh.exe46⤵
- Executes dropped EXE
PID:2296 -
\??\c:\thhbnn.exec:\thhbnn.exe47⤵
- Executes dropped EXE
PID:4660 -
\??\c:\vppjd.exec:\vppjd.exe48⤵
- Executes dropped EXE
PID:2124 -
\??\c:\rrlffxx.exec:\rrlffxx.exe49⤵
- System Location Discovery: System Language Discovery
PID:4528 -
\??\c:\fxfxrlx.exec:\fxfxrlx.exe50⤵
- Executes dropped EXE
PID:5112 -
\??\c:\pdvpv.exec:\pdvpv.exe51⤵
- Executes dropped EXE
PID:4188 -
\??\c:\1xrrrrl.exec:\1xrrrrl.exe52⤵
- Executes dropped EXE
PID:3556 -
\??\c:\ddvvp.exec:\ddvvp.exe53⤵
- Executes dropped EXE
PID:812 -
\??\c:\hbhbtt.exec:\hbhbtt.exe54⤵
- Executes dropped EXE
PID:1116 -
\??\c:\1hnhhh.exec:\1hnhhh.exe55⤵
- Executes dropped EXE
PID:3536 -
\??\c:\7xfxxxf.exec:\7xfxxxf.exe56⤵
- Executes dropped EXE
PID:1368 -
\??\c:\bttnnn.exec:\bttnnn.exe57⤵
- Executes dropped EXE
PID:1952 -
\??\c:\djpjv.exec:\djpjv.exe58⤵
- Executes dropped EXE
PID:1384 -
\??\c:\xlrfflf.exec:\xlrfflf.exe59⤵
- Executes dropped EXE
PID:4584 -
\??\c:\jjpjd.exec:\jjpjd.exe60⤵
- Executes dropped EXE
PID:4312 -
\??\c:\7fffxrl.exec:\7fffxrl.exe61⤵
- Executes dropped EXE
PID:4680 -
\??\c:\btbtbt.exec:\btbtbt.exe62⤵
- Executes dropped EXE
PID:216 -
\??\c:\jddvp.exec:\jddvp.exe63⤵
- Executes dropped EXE
PID:3444 -
\??\c:\1lxrffx.exec:\1lxrffx.exe64⤵
- Executes dropped EXE
PID:4844 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe65⤵
- Executes dropped EXE
PID:4428 -
\??\c:\thhbtt.exec:\thhbtt.exe66⤵
- Executes dropped EXE
PID:4228 -
\??\c:\dddvp.exec:\dddvp.exe67⤵PID:4156
-
\??\c:\frlfrlf.exec:\frlfrlf.exe68⤵PID:824
-
\??\c:\bbtbtt.exec:\bbtbtt.exe69⤵PID:3264
-
\??\c:\7jjvj.exec:\7jjvj.exe70⤵PID:1684
-
\??\c:\9vppd.exec:\9vppd.exe71⤵PID:2056
-
\??\c:\frllfxr.exec:\frllfxr.exe72⤵PID:2872
-
\??\c:\nbbtnn.exec:\nbbtnn.exe73⤵PID:1776
-
\??\c:\pjpjp.exec:\pjpjp.exe74⤵PID:3824
-
\??\c:\dpvjj.exec:\dpvjj.exe75⤵PID:3208
-
\??\c:\5llxrlf.exec:\5llxrlf.exe76⤵PID:3148
-
\??\c:\7bhbtt.exec:\7bhbtt.exe77⤵PID:3052
-
\??\c:\vjppj.exec:\vjppj.exe78⤵PID:4848
-
\??\c:\pjdvj.exec:\pjdvj.exe79⤵PID:4724
-
\??\c:\3xrlllf.exec:\3xrlllf.exe80⤵PID:2228
-
\??\c:\thbhnt.exec:\thbhnt.exe81⤵PID:1064
-
\??\c:\3bbnhb.exec:\3bbnhb.exe82⤵PID:4080
-
\??\c:\9pvvp.exec:\9pvvp.exe83⤵PID:2628
-
\??\c:\flflxfl.exec:\flflxfl.exe84⤵PID:4192
-
\??\c:\btnhbb.exec:\btnhbb.exe85⤵PID:884
-
\??\c:\vpjdd.exec:\vpjdd.exe86⤵PID:1512
-
\??\c:\pjpdd.exec:\pjpdd.exe87⤵PID:4284
-
\??\c:\7llxfrx.exec:\7llxfrx.exe88⤵PID:3272
-
\??\c:\tttnnn.exec:\tttnnn.exe89⤵PID:668
-
\??\c:\vpjvv.exec:\vpjvv.exe90⤵PID:2936
-
\??\c:\5lffrxr.exec:\5lffrxr.exe91⤵PID:1044
-
\??\c:\3tbbtn.exec:\3tbbtn.exe92⤵PID:2944
-
\??\c:\tnhbbt.exec:\tnhbbt.exe93⤵PID:4972
-
\??\c:\ddddv.exec:\ddddv.exe94⤵PID:4412
-
\??\c:\llrlffr.exec:\llrlffr.exe95⤵PID:3236
-
\??\c:\httnhh.exec:\httnhh.exe96⤵PID:3448
-
\??\c:\bnnbnh.exec:\bnnbnh.exe97⤵PID:1456
-
\??\c:\1vdvp.exec:\1vdvp.exe98⤵PID:2440
-
\??\c:\rlffxrr.exec:\rlffxrr.exe99⤵PID:872
-
\??\c:\fxrrffx.exec:\fxrrffx.exe100⤵PID:1592
-
\??\c:\3bbnhh.exec:\3bbnhh.exe101⤵PID:2964
-
\??\c:\7vjdd.exec:\7vjdd.exe102⤵PID:4564
-
\??\c:\rfrlllr.exec:\rfrlllr.exe103⤵PID:1968
-
\??\c:\1hnthh.exec:\1hnthh.exe104⤵PID:556
-
\??\c:\htnnhb.exec:\htnnhb.exe105⤵PID:4548
-
\??\c:\jddvj.exec:\jddvj.exe106⤵PID:1088
-
\??\c:\rrxrxxf.exec:\rrxrxxf.exe107⤵PID:4624
-
\??\c:\lrfxrll.exec:\lrfxrll.exe108⤵
- System Location Discovery: System Language Discovery
PID:112 -
\??\c:\bhnhnt.exec:\bhnhnt.exe109⤵PID:4736
-
\??\c:\jvvpp.exec:\jvvpp.exe110⤵PID:1336
-
\??\c:\xfxllrf.exec:\xfxllrf.exe111⤵PID:2356
-
\??\c:\nhbbtt.exec:\nhbbtt.exe112⤵PID:4372
-
\??\c:\tnnhtt.exec:\tnnhtt.exe113⤵PID:1504
-
\??\c:\9pvpp.exec:\9pvpp.exe114⤵PID:2320
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe115⤵PID:3916
-
\??\c:\ntbtbb.exec:\ntbtbb.exe116⤵PID:2804
-
\??\c:\dvjdp.exec:\dvjdp.exe117⤵PID:3060
-
\??\c:\jdjdv.exec:\jdjdv.exe118⤵PID:3212
-
\??\c:\1xrlxfx.exec:\1xrlxfx.exe119⤵PID:2060
-
\??\c:\nttbtt.exec:\nttbtt.exe120⤵PID:4680
-
\??\c:\vjjjv.exec:\vjjjv.exe121⤵PID:852
-
\??\c:\rxlxrll.exec:\rxlxrll.exe122⤵PID:3444