Analysis
-
max time kernel
117s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe
-
Size
455KB
-
MD5
fdcb0d1c35362790c47d3496a73ae170
-
SHA1
b12e29a4bff892a257ac112af499888eadfeb77d
-
SHA256
faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7
-
SHA512
b84ee16844220c5b6969465ffa5fd53ee775c262ff1449ecee628b85bd1f5bddcea86b2e5aaddc9ca1cbabd29d8802e0888de6663194c05ce31127cbaaa3223a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRIJ:q7Tc2NYHUrAwfMp3CDRQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5032-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4536-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2800-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-976-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-1049-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-1146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-1219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-1235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3380-1350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4712 djvpd.exe 3060 lfffrrx.exe 3964 nnnbhb.exe 5032 ntnhhh.exe 4808 7pdvp.exe 676 nnnnnt.exe 1144 pjdpv.exe 2252 bhnhbt.exe 2148 dvddv.exe 5112 bttnbb.exe 4288 pdjdv.exe 2376 xrxxrrl.exe 3208 bbntbt.exe 1784 pddvp.exe 1992 hnnhbb.exe 4872 vdjdv.exe 400 llxrllf.exe 540 tnnhbt.exe 412 lxlfxxr.exe 1108 9nnhbb.exe 3624 ddddp.exe 4064 rrxrxxl.exe 1348 9hbttt.exe 1900 ffxrfff.exe 1660 tbbnhh.exe 2548 7vvjd.exe 968 bhhbbb.exe 4536 vvdvj.exe 4196 3jdvv.exe 2628 vjjdp.exe 5044 hnbntn.exe 2092 vjjvp.exe 408 7xrfrlx.exe 4320 nbhbbb.exe 3544 pjdpj.exe 1516 3xrflfx.exe 2840 tnnbnh.exe 3604 pdjdv.exe 2268 rrrlfff.exe 1924 1pdpd.exe 4264 lfrfxrf.exe 4172 htthtb.exe 4228 5tthtn.exe 3120 jjpjp.exe 3688 xrrffxx.exe 2440 tbhnnt.exe 2392 vvvjp.exe 4952 3rlfrxl.exe 2808 thhthb.exe 3704 7vvjv.exe 3652 lxrlxrl.exe 456 lrrfrlx.exe 4984 ntbnbb.exe 1600 pppdv.exe 4904 dvjvp.exe 4272 rrlxlfr.exe 1548 nnthhb.exe 4288 ppvjd.exe 2376 rxxrfrl.exe 3208 7ffxllx.exe 636 3bthbt.exe 1784 jvdjj.exe 4868 5lxrxxr.exe 1952 7ffxlfr.exe -
resource yara_rule behavioral2/memory/5032-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2628-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-415-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4660-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-663-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-976-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-1049-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4932 wrote to memory of 4712 4932 faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe 83 PID 4932 wrote to memory of 4712 4932 faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe 83 PID 4932 wrote to memory of 4712 4932 faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe 83 PID 4712 wrote to memory of 3060 4712 djvpd.exe 84 PID 4712 wrote to memory of 3060 4712 djvpd.exe 84 PID 4712 wrote to memory of 3060 4712 djvpd.exe 84 PID 3060 wrote to memory of 3964 3060 lfffrrx.exe 85 PID 3060 wrote to memory of 3964 3060 lfffrrx.exe 85 PID 3060 wrote to memory of 3964 3060 lfffrrx.exe 85 PID 3964 wrote to memory of 5032 3964 nnnbhb.exe 86 PID 3964 wrote to memory of 5032 3964 nnnbhb.exe 86 PID 3964 wrote to memory of 5032 3964 nnnbhb.exe 86 PID 5032 wrote to memory of 4808 5032 ntnhhh.exe 87 PID 5032 wrote to memory of 4808 5032 ntnhhh.exe 87 PID 5032 wrote to memory of 4808 5032 ntnhhh.exe 87 PID 4808 wrote to memory of 676 4808 7pdvp.exe 88 PID 4808 wrote to memory of 676 4808 7pdvp.exe 88 PID 4808 wrote to memory of 676 4808 7pdvp.exe 88 PID 676 wrote to memory of 1144 676 nnnnnt.exe 89 PID 676 wrote to memory of 1144 676 nnnnnt.exe 89 PID 676 wrote to memory of 1144 676 nnnnnt.exe 89 PID 1144 wrote to memory of 2252 1144 pjdpv.exe 90 PID 1144 wrote to memory of 2252 1144 pjdpv.exe 90 PID 1144 wrote to memory of 2252 1144 pjdpv.exe 90 PID 2252 wrote to memory of 2148 2252 bhnhbt.exe 91 PID 2252 wrote to memory of 2148 2252 bhnhbt.exe 91 PID 2252 wrote to memory of 2148 2252 bhnhbt.exe 91 PID 2148 wrote to memory of 5112 2148 dvddv.exe 92 PID 2148 wrote to memory of 5112 2148 dvddv.exe 92 PID 2148 wrote to memory of 5112 2148 dvddv.exe 92 PID 5112 wrote to memory of 4288 5112 bttnbb.exe 93 PID 5112 wrote to memory of 4288 5112 bttnbb.exe 93 PID 5112 wrote to memory of 4288 5112 bttnbb.exe 93 PID 4288 wrote to memory of 2376 4288 pdjdv.exe 94 PID 4288 wrote to memory of 2376 
4288 pdjdv.exe 94 PID 4288 wrote to memory of 2376 4288 pdjdv.exe 94 PID 2376 wrote to memory of 3208 2376 xrxxrrl.exe 95 PID 2376 wrote to memory of 3208 2376 xrxxrrl.exe 95 PID 2376 wrote to memory of 3208 2376 xrxxrrl.exe 95 PID 3208 wrote to memory of 1784 3208 bbntbt.exe 96 PID 3208 wrote to memory of 1784 3208 bbntbt.exe 96 PID 3208 wrote to memory of 1784 3208 bbntbt.exe 96 PID 1784 wrote to memory of 1992 1784 pddvp.exe 97 PID 1784 wrote to memory of 1992 1784 pddvp.exe 97 PID 1784 wrote to memory of 1992 1784 pddvp.exe 97 PID 1992 wrote to memory of 4872 1992 hnnhbb.exe 98 PID 1992 wrote to memory of 4872 1992 hnnhbb.exe 98 PID 1992 wrote to memory of 4872 1992 hnnhbb.exe 98 PID 4872 wrote to memory of 400 4872 vdjdv.exe 99 PID 4872 wrote to memory of 400 4872 vdjdv.exe 99 PID 4872 wrote to memory of 400 4872 vdjdv.exe 99 PID 400 wrote to memory of 540 400 llxrllf.exe 100 PID 400 wrote to memory of 540 400 llxrllf.exe 100 PID 400 wrote to memory of 540 400 llxrllf.exe 100 PID 540 wrote to memory of 412 540 tnnhbt.exe 101 PID 540 wrote to memory of 412 540 tnnhbt.exe 101 PID 540 wrote to memory of 412 540 tnnhbt.exe 101 PID 412 wrote to memory of 1108 412 lxlfxxr.exe 102 PID 412 wrote to memory of 1108 412 lxlfxxr.exe 102 PID 412 wrote to memory of 1108 412 lxlfxxr.exe 102 PID 1108 wrote to memory of 3624 1108 9nnhbb.exe 103 PID 1108 wrote to memory of 3624 1108 9nnhbb.exe 103 PID 1108 wrote to memory of 3624 1108 9nnhbb.exe 103 PID 3624 wrote to memory of 4064 3624 ddddp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe"C:\Users\Admin\AppData\Local\Temp\faf668ba2ea6c5bd170e74e497d9f32a0ae38a94f9d4dd44e4eab2bb56e4a0a7N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\djvpd.exec:\djvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\lfffrrx.exec:\lfffrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\nnnbhb.exec:\nnnbhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\ntnhhh.exec:\ntnhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\7pdvp.exec:\7pdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\nnnnnt.exec:\nnnnnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\pjdpv.exec:\pjdpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\bhnhbt.exec:\bhnhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\dvddv.exec:\dvddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\bttnbb.exec:\bttnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\pdjdv.exec:\pdjdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\bbntbt.exec:\bbntbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\pddvp.exec:\pddvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\hnnhbb.exec:\hnnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\vdjdv.exec:\vdjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\llxrllf.exec:\llxrllf.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\tnnhbt.exec:\tnnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\9nnhbb.exec:\9nnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\ddddp.exec:\ddddp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\rrxrxxl.exec:\rrxrxxl.exe23⤵
- Executes dropped EXE
PID:4064 -
\??\c:\9hbttt.exec:\9hbttt.exe24⤵
- Executes dropped EXE
PID:1348 -
\??\c:\ffxrfff.exec:\ffxrfff.exe25⤵
- Executes dropped EXE
PID:1900 -
\??\c:\tbbnhh.exec:\tbbnhh.exe26⤵
- Executes dropped EXE
PID:1660 -
\??\c:\7vvjd.exec:\7vvjd.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2548 -
\??\c:\bhhbbb.exec:\bhhbbb.exe28⤵
- Executes dropped EXE
PID:968 -
\??\c:\vvdvj.exec:\vvdvj.exe29⤵
- Executes dropped EXE
PID:4536 -
\??\c:\3jdvv.exec:\3jdvv.exe30⤵
- Executes dropped EXE
PID:4196 -
\??\c:\vjjdp.exec:\vjjdp.exe31⤵
- Executes dropped EXE
PID:2628 -
\??\c:\hnbntn.exec:\hnbntn.exe32⤵
- Executes dropped EXE
PID:5044 -
\??\c:\vjjvp.exec:\vjjvp.exe33⤵
- Executes dropped EXE
PID:2092 -
\??\c:\7xrfrlx.exec:\7xrfrlx.exe34⤵
- Executes dropped EXE
PID:408 -
\??\c:\nbhbbb.exec:\nbhbbb.exe35⤵
- Executes dropped EXE
PID:4320 -
\??\c:\pjdpj.exec:\pjdpj.exe36⤵
- Executes dropped EXE
PID:3544 -
\??\c:\3xrflfx.exec:\3xrflfx.exe37⤵
- Executes dropped EXE
PID:1516 -
\??\c:\tnnbnh.exec:\tnnbnh.exe38⤵
- Executes dropped EXE
PID:2840 -
\??\c:\pdjdv.exec:\pdjdv.exe39⤵
- Executes dropped EXE
PID:3604 -
\??\c:\rrrlfff.exec:\rrrlfff.exe40⤵
- Executes dropped EXE
PID:2268 -
\??\c:\1pdpd.exec:\1pdpd.exe41⤵
- Executes dropped EXE
PID:1924 -
\??\c:\lfrfxrf.exec:\lfrfxrf.exe42⤵
- Executes dropped EXE
PID:4264 -
\??\c:\htthtb.exec:\htthtb.exe43⤵
- Executes dropped EXE
PID:4172 -
\??\c:\5tthtn.exec:\5tthtn.exe44⤵
- Executes dropped EXE
PID:4228 -
\??\c:\jjpjp.exec:\jjpjp.exe45⤵
- Executes dropped EXE
PID:3120 -
\??\c:\xrrffxx.exec:\xrrffxx.exe46⤵
- Executes dropped EXE
PID:3688 -
\??\c:\tbhnnt.exec:\tbhnnt.exe47⤵
- Executes dropped EXE
PID:2440 -
\??\c:\vvvjp.exec:\vvvjp.exe48⤵
- Executes dropped EXE
PID:2392 -
\??\c:\3rlfrxl.exec:\3rlfrxl.exe49⤵
- Executes dropped EXE
PID:4952 -
\??\c:\thhthb.exec:\thhthb.exe50⤵
- Executes dropped EXE
PID:2808 -
\??\c:\7vvjv.exec:\7vvjv.exe51⤵
- Executes dropped EXE
PID:3704 -
\??\c:\lxrlxrl.exec:\lxrlxrl.exe52⤵
- Executes dropped EXE
PID:3652 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe53⤵
- Executes dropped EXE
PID:456 -
\??\c:\ntbnbb.exec:\ntbnbb.exe54⤵
- Executes dropped EXE
PID:4984 -
\??\c:\pppdv.exec:\pppdv.exe55⤵
- Executes dropped EXE
PID:1600 -
\??\c:\dvjvp.exec:\dvjvp.exe56⤵
- Executes dropped EXE
PID:4904 -
\??\c:\rrlxlfr.exec:\rrlxlfr.exe57⤵
- Executes dropped EXE
PID:4272 -
\??\c:\nnthhb.exec:\nnthhb.exe58⤵
- Executes dropped EXE
PID:1548 -
\??\c:\ppvjd.exec:\ppvjd.exe59⤵
- Executes dropped EXE
PID:4288 -
\??\c:\rxxrfrl.exec:\rxxrfrl.exe60⤵
- Executes dropped EXE
PID:2376 -
\??\c:\7ffxllx.exec:\7ffxllx.exe61⤵
- Executes dropped EXE
PID:3208 -
\??\c:\3bthbt.exec:\3bthbt.exe62⤵
- Executes dropped EXE
PID:636 -
\??\c:\jvdjj.exec:\jvdjj.exe63⤵
- Executes dropped EXE
PID:1784 -
\??\c:\5lxrxxr.exec:\5lxrxxr.exe64⤵
- Executes dropped EXE
PID:4868 -
\??\c:\7ffxlfr.exec:\7ffxlfr.exe65⤵
- Executes dropped EXE
PID:1952 -
\??\c:\3nhbtb.exec:\3nhbtb.exe66⤵PID:1068
-
\??\c:\vvvpp.exec:\vvvpp.exe67⤵PID:5040
-
\??\c:\xfflflf.exec:\xfflflf.exe68⤵PID:1584
-
\??\c:\btbttn.exec:\btbttn.exe69⤵PID:3368
-
\??\c:\pjjdp.exec:\pjjdp.exe70⤵PID:1736
-
\??\c:\rlfxxrl.exec:\rlfxxrl.exe71⤵PID:2984
-
\??\c:\9ttnnh.exec:\9ttnnh.exe72⤵PID:1620
-
\??\c:\nbbttn.exec:\nbbttn.exe73⤵PID:4948
-
\??\c:\jvdvd.exec:\jvdvd.exe74⤵PID:4676
-
\??\c:\7fxfrrf.exec:\7fxfrrf.exe75⤵PID:3996
-
\??\c:\flfxxll.exec:\flfxxll.exe76⤵PID:1676
-
\??\c:\thhthb.exec:\thhthb.exe77⤵PID:3592
-
\??\c:\dvvpv.exec:\dvvpv.exe78⤵PID:4304
-
\??\c:\dpvpd.exec:\dpvpd.exe79⤵PID:2276
-
\??\c:\xxfrxfl.exec:\xxfrxfl.exe80⤵PID:1552
-
\??\c:\htnhtn.exec:\htnhtn.exe81⤵PID:1140
-
\??\c:\jvvpj.exec:\jvvpj.exe82⤵PID:3916
-
\??\c:\3xlxlfr.exec:\3xlxlfr.exe83⤵PID:3320
-
\??\c:\9nnbnh.exec:\9nnbnh.exe84⤵PID:464
-
\??\c:\ttbntn.exec:\ttbntn.exe85⤵PID:2040
-
\??\c:\dvpdp.exec:\dvpdp.exe86⤵PID:4488
-
\??\c:\lrrlrxf.exec:\lrrlrxf.exe87⤵PID:3220
-
\??\c:\ntnbbt.exec:\ntnbbt.exe88⤵PID:4668
-
\??\c:\pjdpv.exec:\pjdpv.exe89⤵PID:2248
-
\??\c:\ddjvd.exec:\ddjvd.exe90⤵PID:4784
-
\??\c:\9lxrfxl.exec:\9lxrfxl.exe91⤵PID:1296
-
\??\c:\3nthtn.exec:\3nthtn.exe92⤵PID:3492
-
\??\c:\3nhbhb.exec:\3nhbhb.exe93⤵PID:1048
-
\??\c:\pdppj.exec:\pdppj.exe94⤵PID:2800
-
\??\c:\rlrfrfl.exec:\rlrfrfl.exe95⤵PID:5104
-
\??\c:\bnhnhn.exec:\bnhnhn.exe96⤵PID:1616
-
\??\c:\ttbtnh.exec:\ttbtnh.exe97⤵PID:5052
-
\??\c:\jdvvj.exec:\jdvvj.exe98⤵PID:116
-
\??\c:\7rlrxrf.exec:\7rlrxrf.exe99⤵PID:2608
-
\??\c:\thbthb.exec:\thbthb.exe100⤵PID:3964
-
\??\c:\vvvjv.exec:\vvvjv.exe101⤵PID:4200
-
\??\c:\1ppjv.exec:\1ppjv.exe102⤵PID:3560
-
\??\c:\xxrlxrl.exec:\xxrlxrl.exe103⤵PID:4660
-
\??\c:\lxxlflr.exec:\lxxlflr.exe104⤵PID:4584
-
\??\c:\thhtnt.exec:\thhtnt.exe105⤵PID:3456
-
\??\c:\1pdvj.exec:\1pdvj.exe106⤵PID:4916
-
\??\c:\lflxfxr.exec:\lflxfxr.exe107⤵PID:2896
-
\??\c:\7hhbnh.exec:\7hhbnh.exe108⤵PID:3728
-
\??\c:\vpjdp.exec:\vpjdp.exe109⤵PID:32
-
\??\c:\djpdp.exec:\djpdp.exe110⤵PID:4696
-
\??\c:\rxlxlfr.exec:\rxlxlfr.exe111⤵PID:2264
-
\??\c:\nbnbnh.exec:\nbnbnh.exe112⤵PID:4736
-
\??\c:\vpvdv.exec:\vpvdv.exe113⤵PID:1284
-
\??\c:\flrflfr.exec:\flrflfr.exe114⤵PID:3184
-
\??\c:\tbbtnh.exec:\tbbtnh.exe115⤵PID:3644
-
\??\c:\7bbntn.exec:\7bbntn.exe116⤵PID:1156
-
\??\c:\xxrlrlf.exec:\xxrlrlf.exe117⤵PID:4000
-
\??\c:\tbhbtt.exec:\tbhbtt.exe118⤵PID:3356
-
\??\c:\3hntnh.exec:\3hntnh.exe119⤵PID:620
-
\??\c:\djjpd.exec:\djjpd.exe120⤵PID:4112
-
\??\c:\rrrfrlx.exec:\rrrfrlx.exe121⤵PID:3364
-
\??\c:\bhhbnh.exec:\bhhbnh.exe122⤵PID:4116