Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25-12-2024 16:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3aN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3aN.exe
-
Size
455KB
-
MD5
fde5e265ba6cdbb0270cbaddc3993a10
-
SHA1
f4d328bb4f667389b248f6e2509c04e153e2e87e
-
SHA256
ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3a
-
SHA512
055f22c437be2c63ae28d3bd567ca4801d2e537e9c827627d0f5003c3b21c8546abcd6e0e4b065914e5b5acc869e91e5006f2e7a70c948b40fc97221f52bd814
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures (note: every memory-dump and process IoC below carries the behavioral2 prefix, i.e. it comes from the windows10-2004_x64 run described at the top of this page, not from the win7 behavioral1 task listed in the sidebar)
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (all hits are on the same 0x00400000-0x0042A000 image region of each dropped process, and the UPX rule below flags the same regions, so each dropped executable appears to be the same packed image being re-launched rather than a distinct payload; the family rule is matching the unpacked in-memory image, not the on-disk file)
resource yara_rule behavioral2/memory/4680-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1460-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2184-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-781-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-887-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-1787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note: the dropped files are written directly to the root of c:\ with short names drawn from a small alphabet of letters/digits, e.g. 9pvvp.exe, rrrllfx.exe, nhnbtb.exe; each one launches the next, so a detection on "executable created in the drive root and immediately executed by its parent" or on unusually deep parent/child chains would catch this behavior independently of the file hashes)
pid Process 4680 9pvvp.exe 1644 rrrllfx.exe 4920 ffffrxl.exe 4864 nhnbtb.exe 4536 7xxrllf.exe 820 xfxxrff.exe 3580 llrllfx.exe 2864 hhhhhh.exe 244 jddvd.exe 2408 nnnnnn.exe 2348 xlfffxl.exe 4744 bhbbbh.exe 1500 jjvpj.exe 2560 xxllffx.exe 4772 9vpjd.exe 3396 rxxxrll.exe 1404 tnbttt.exe 1972 jjjjd.exe 3048 nnbbnn.exe 4848 3flllrr.exe 3972 7hnnnt.exe 1880 nbnbbb.exe 632 vvddd.exe 2332 5lfffll.exe 540 pdvdp.exe 1460 9thbht.exe 884 llfrfxl.exe 3240 nhnnht.exe 4640 9hthht.exe 4008 rrxrflf.exe 3952 dvpdp.exe 3412 fllfxxx.exe 4488 5dvvv.exe 5052 7flrlxx.exe 1820 hbhhhh.exe 1572 jdppp.exe 4892 frflxrl.exe 2796 nntbbb.exe 4276 9htnth.exe 396 1xlfrfr.exe 3588 ddvvd.exe 1440 ffflfff.exe 3204 hhbbnn.exe 1584 pdvjd.exe 3836 jpdjd.exe 4916 xxfllfl.exe 1608 tbhhhb.exe 1080 djjdv.exe 4328 fxfffff.exe 4332 1fxrrxr.exe 1512 nttbbh.exe 4680 jjjvv.exe 4120 rxxlfxf.exe 2884 xrlfxrl.exe 5064 ntnhnh.exe 4936 llllflf.exe 4080 llrxflr.exe 3472 nbhhtt.exe 3932 jjjjv.exe 3956 jdddd.exe 1872 xffxrrl.exe 4844 bbhhhh.exe 2364 vvpvj.exe 2292 llffffx.exe -
resource yara_rule behavioral2/memory/4680-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1460-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1408-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-781-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: opening \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is also common in benign software, so on its own this is weak evidence and should be weighted together with the drop-and-execute chain above. Many of the entries below are attributed to "Process not Found", which most likely means the sandbox could not resolve the acting process (e.g. it had already exited), so those IoCs cannot be tied to a specific dropped executable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent/child pair appears three times, and each child is the next dropped executable in the chain shown under Processes; this pattern is consistent with the writes that accompany ordinary child-process creation rather than cross-process injection into an unrelated process, so treat this signature as corroborating the drop-and-execute chain rather than as evidence of injection)
description pid Process procid_target PID 448 wrote to memory of 4680 448 ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3aN.exe 83 PID 448 wrote to memory of 4680 448 ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3aN.exe 83 PID 448 wrote to memory of 4680 448 ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3aN.exe 83 PID 4680 wrote to memory of 1644 4680 9pvvp.exe 84 PID 4680 wrote to memory of 1644 4680 9pvvp.exe 84 PID 4680 wrote to memory of 1644 4680 9pvvp.exe 84 PID 1644 wrote to memory of 4920 1644 rrrllfx.exe 85 PID 1644 wrote to memory of 4920 1644 rrrllfx.exe 85 PID 1644 wrote to memory of 4920 1644 rrrllfx.exe 85 PID 4920 wrote to memory of 4864 4920 ffffrxl.exe 86 PID 4920 wrote to memory of 4864 4920 ffffrxl.exe 86 PID 4920 wrote to memory of 4864 4920 ffffrxl.exe 86 PID 4864 wrote to memory of 4536 4864 nhnbtb.exe 87 PID 4864 wrote to memory of 4536 4864 nhnbtb.exe 87 PID 4864 wrote to memory of 4536 4864 nhnbtb.exe 87 PID 4536 wrote to memory of 820 4536 7xxrllf.exe 88 PID 4536 wrote to memory of 820 4536 7xxrllf.exe 88 PID 4536 wrote to memory of 820 4536 7xxrllf.exe 88 PID 820 wrote to memory of 3580 820 xfxxrff.exe 89 PID 820 wrote to memory of 3580 820 xfxxrff.exe 89 PID 820 wrote to memory of 3580 820 xfxxrff.exe 89 PID 3580 wrote to memory of 2864 3580 llrllfx.exe 90 PID 3580 wrote to memory of 2864 3580 llrllfx.exe 90 PID 3580 wrote to memory of 2864 3580 llrllfx.exe 90 PID 2864 wrote to memory of 244 2864 hhhhhh.exe 91 PID 2864 wrote to memory of 244 2864 hhhhhh.exe 91 PID 2864 wrote to memory of 244 2864 hhhhhh.exe 91 PID 244 wrote to memory of 2408 244 jddvd.exe 92 PID 244 wrote to memory of 2408 244 jddvd.exe 92 PID 244 wrote to memory of 2408 244 jddvd.exe 92 PID 2408 wrote to memory of 2348 2408 nnnnnn.exe 93 PID 2408 wrote to memory of 2348 2408 nnnnnn.exe 93 PID 2408 wrote to memory of 2348 2408 nnnnnn.exe 93 PID 2348 wrote to memory of 4744 2348 xlfffxl.exe 94 PID 2348 wrote to memory of 
4744 2348 xlfffxl.exe 94 PID 2348 wrote to memory of 4744 2348 xlfffxl.exe 94 PID 4744 wrote to memory of 1500 4744 bhbbbh.exe 95 PID 4744 wrote to memory of 1500 4744 bhbbbh.exe 95 PID 4744 wrote to memory of 1500 4744 bhbbbh.exe 95 PID 1500 wrote to memory of 2560 1500 jjvpj.exe 96 PID 1500 wrote to memory of 2560 1500 jjvpj.exe 96 PID 1500 wrote to memory of 2560 1500 jjvpj.exe 96 PID 2560 wrote to memory of 4772 2560 xxllffx.exe 97 PID 2560 wrote to memory of 4772 2560 xxllffx.exe 97 PID 2560 wrote to memory of 4772 2560 xxllffx.exe 97 PID 4772 wrote to memory of 3396 4772 9vpjd.exe 98 PID 4772 wrote to memory of 3396 4772 9vpjd.exe 98 PID 4772 wrote to memory of 3396 4772 9vpjd.exe 98 PID 3396 wrote to memory of 1404 3396 rxxxrll.exe 99 PID 3396 wrote to memory of 1404 3396 rxxxrll.exe 99 PID 3396 wrote to memory of 1404 3396 rxxxrll.exe 99 PID 1404 wrote to memory of 1972 1404 tnbttt.exe 100 PID 1404 wrote to memory of 1972 1404 tnbttt.exe 100 PID 1404 wrote to memory of 1972 1404 tnbttt.exe 100 PID 1972 wrote to memory of 3048 1972 jjjjd.exe 101 PID 1972 wrote to memory of 3048 1972 jjjjd.exe 101 PID 1972 wrote to memory of 3048 1972 jjjjd.exe 101 PID 3048 wrote to memory of 4848 3048 nnbbnn.exe 102 PID 3048 wrote to memory of 4848 3048 nnbbnn.exe 102 PID 3048 wrote to memory of 4848 3048 nnbbnn.exe 102 PID 4848 wrote to memory of 3972 4848 3flllrr.exe 103 PID 4848 wrote to memory of 3972 4848 3flllrr.exe 103 PID 4848 wrote to memory of 3972 4848 3flllrr.exe 103 PID 3972 wrote to memory of 1880 3972 7hnnnt.exe 104
Processes (note: PIDs are reused within this run, e.g. 4680 appears for both 9pvvp.exe and jjjvv.exe, and 448 for both the original sample and frxlrlx.exe, so correlate memory-dump and registry IoCs on PID plus process name and start order, not on PID alone)
-
C:\Users\Admin\AppData\Local\Temp\ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3aN.exe"C:\Users\Admin\AppData\Local\Temp\ebf18c1982c1ceec0f808a2e8a8b1fc11970a2483e2c92dc121d38292141ab3aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\9pvvp.exec:\9pvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\rrrllfx.exec:\rrrllfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\ffffrxl.exec:\ffffrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\nhnbtb.exec:\nhnbtb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\7xxrllf.exec:\7xxrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\xfxxrff.exec:\xfxxrff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\llrllfx.exec:\llrllfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\hhhhhh.exec:\hhhhhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\jddvd.exec:\jddvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\nnnnnn.exec:\nnnnnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\xlfffxl.exec:\xlfffxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\bhbbbh.exec:\bhbbbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\jjvpj.exec:\jjvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\xxllffx.exec:\xxllffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\9vpjd.exec:\9vpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\rxxxrll.exec:\rxxxrll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\tnbttt.exec:\tnbttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\jjjjd.exec:\jjjjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\nnbbnn.exec:\nnbbnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\3flllrr.exec:\3flllrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\7hnnnt.exec:\7hnnnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\nbnbbb.exec:\nbnbbb.exe23⤵
- Executes dropped EXE
PID:1880 -
\??\c:\vvddd.exec:\vvddd.exe24⤵
- Executes dropped EXE
PID:632 -
\??\c:\5lfffll.exec:\5lfffll.exe25⤵
- Executes dropped EXE
PID:2332 -
\??\c:\pdvdp.exec:\pdvdp.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
\??\c:\9thbht.exec:\9thbht.exe27⤵
- Executes dropped EXE
PID:1460 -
\??\c:\llfrfxl.exec:\llfrfxl.exe28⤵
- Executes dropped EXE
PID:884 -
\??\c:\nhnnht.exec:\nhnnht.exe29⤵
- Executes dropped EXE
PID:3240 -
\??\c:\9hthht.exec:\9hthht.exe30⤵
- Executes dropped EXE
PID:4640 -
\??\c:\rrxrflf.exec:\rrxrflf.exe31⤵
- Executes dropped EXE
PID:4008 -
\??\c:\dvpdp.exec:\dvpdp.exe32⤵
- Executes dropped EXE
PID:3952 -
\??\c:\fllfxxx.exec:\fllfxxx.exe33⤵
- Executes dropped EXE
PID:3412 -
\??\c:\5dvvv.exec:\5dvvv.exe34⤵
- Executes dropped EXE
PID:4488 -
\??\c:\7flrlxx.exec:\7flrlxx.exe35⤵
- Executes dropped EXE
PID:5052 -
\??\c:\hbhhhh.exec:\hbhhhh.exe36⤵
- Executes dropped EXE
PID:1820 -
\??\c:\jdppp.exec:\jdppp.exe37⤵
- Executes dropped EXE
PID:1572 -
\??\c:\frflxrl.exec:\frflxrl.exe38⤵
- Executes dropped EXE
PID:4892 -
\??\c:\nntbbb.exec:\nntbbb.exe39⤵
- Executes dropped EXE
PID:2796 -
\??\c:\9htnth.exec:\9htnth.exe40⤵
- Executes dropped EXE
PID:4276 -
\??\c:\1xlfrfr.exec:\1xlfrfr.exe41⤵
- Executes dropped EXE
PID:396 -
\??\c:\ddvvd.exec:\ddvvd.exe42⤵
- Executes dropped EXE
PID:3588 -
\??\c:\ffflfff.exec:\ffflfff.exe43⤵
- Executes dropped EXE
PID:1440 -
\??\c:\hhbbnn.exec:\hhbbnn.exe44⤵
- Executes dropped EXE
PID:3204 -
\??\c:\pdvjd.exec:\pdvjd.exe45⤵
- Executes dropped EXE
PID:1584 -
\??\c:\jpdjd.exec:\jpdjd.exe46⤵
- Executes dropped EXE
PID:3836 -
\??\c:\xxfllfl.exec:\xxfllfl.exe47⤵
- Executes dropped EXE
PID:4916 -
\??\c:\tbhhhb.exec:\tbhhhb.exe48⤵
- Executes dropped EXE
PID:1608 -
\??\c:\djjdv.exec:\djjdv.exe49⤵
- Executes dropped EXE
PID:1080 -
\??\c:\fxfffff.exec:\fxfffff.exe50⤵
- Executes dropped EXE
PID:4328 -
\??\c:\1fxrrxr.exec:\1fxrrxr.exe51⤵
- Executes dropped EXE
PID:4332 -
\??\c:\nttbbh.exec:\nttbbh.exe52⤵
- Executes dropped EXE
PID:1512 -
\??\c:\jjjvv.exec:\jjjvv.exe53⤵
- Executes dropped EXE
PID:4680 -
\??\c:\rxxlfxf.exec:\rxxlfxf.exe54⤵
- Executes dropped EXE
PID:4120 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe55⤵
- Executes dropped EXE
PID:2884 -
\??\c:\ntnhnh.exec:\ntnhnh.exe56⤵
- Executes dropped EXE
PID:5064 -
\??\c:\llllflf.exec:\llllflf.exe57⤵
- Executes dropped EXE
PID:4936 -
\??\c:\llrxflr.exec:\llrxflr.exe58⤵
- Executes dropped EXE
PID:4080 -
\??\c:\nbhhtt.exec:\nbhhtt.exe59⤵
- Executes dropped EXE
PID:3472 -
\??\c:\jjjjv.exec:\jjjjv.exe60⤵
- Executes dropped EXE
PID:3932 -
\??\c:\jdddd.exec:\jdddd.exe61⤵
- Executes dropped EXE
PID:3956 -
\??\c:\xffxrrl.exec:\xffxrrl.exe62⤵
- Executes dropped EXE
PID:1872 -
\??\c:\bbhhhh.exec:\bbhhhh.exe63⤵
- Executes dropped EXE
PID:4844 -
\??\c:\vvpvj.exec:\vvpvj.exe64⤵
- Executes dropped EXE
PID:2364 -
\??\c:\llffffx.exec:\llffffx.exe65⤵
- Executes dropped EXE
PID:2292 -
\??\c:\3bhhbt.exec:\3bhhbt.exe66⤵PID:2704
-
\??\c:\nntttt.exec:\nntttt.exe67⤵PID:4516
-
\??\c:\djddv.exec:\djddv.exe68⤵PID:4448
-
\??\c:\xrxxrrl.exec:\xrxxrrl.exe69⤵PID:1692
-
\??\c:\frllfff.exec:\frllfff.exe70⤵PID:2504
-
\??\c:\bnttbh.exec:\bnttbh.exe71⤵PID:2840
-
\??\c:\9dppp.exec:\9dppp.exe72⤵PID:4104
-
\??\c:\djjdv.exec:\djjdv.exe73⤵PID:3208
-
\??\c:\rxrrrrr.exec:\rxrrrrr.exe74⤵PID:2660
-
\??\c:\nnnttb.exec:\nnnttb.exe75⤵PID:3468
-
\??\c:\7tnhhh.exec:\7tnhhh.exe76⤵PID:2936
-
\??\c:\jvdvv.exec:\jvdvv.exe77⤵PID:1040
-
\??\c:\flfrrrl.exec:\flfrrrl.exe78⤵PID:1888
-
\??\c:\5thhbb.exec:\5thhbb.exe79⤵PID:4848
-
\??\c:\dpvpp.exec:\dpvpp.exe80⤵PID:2184
-
\??\c:\xxrlxrr.exec:\xxrlxrr.exe81⤵PID:1856
-
\??\c:\hbbtnh.exec:\hbbtnh.exe82⤵PID:4036
-
\??\c:\dvvpj.exec:\dvvpj.exe83⤵PID:2940
-
\??\c:\rrlllxx.exec:\rrlllxx.exe84⤵PID:4108
-
\??\c:\rrfxrrr.exec:\rrfxrrr.exe85⤵PID:2920
-
\??\c:\bhhbtt.exec:\bhhbtt.exe86⤵PID:4396
-
\??\c:\5pdjd.exec:\5pdjd.exe87⤵PID:2244
-
\??\c:\lllfxxr.exec:\lllfxxr.exe88⤵PID:1712
-
\??\c:\ffrrxfl.exec:\ffrrxfl.exe89⤵PID:884
-
\??\c:\htbbtb.exec:\htbbtb.exe90⤵PID:4616
-
\??\c:\9vvpj.exec:\9vvpj.exe91⤵PID:3268
-
\??\c:\rrrlffr.exec:\rrrlffr.exe92⤵PID:408
-
\??\c:\tbbttb.exec:\tbbttb.exe93⤵PID:724
-
\??\c:\jppjj.exec:\jppjj.exe94⤵PID:740
-
\??\c:\9vjdd.exec:\9vjdd.exe95⤵PID:1396
-
\??\c:\rlrllll.exec:\rlrllll.exe96⤵PID:1408
-
\??\c:\nnhttt.exec:\nnhttt.exe97⤵PID:2384
-
\??\c:\jpdpj.exec:\jpdpj.exe98⤵PID:1820
-
\??\c:\xxrlxxx.exec:\xxrlxxx.exe99⤵PID:1572
-
\??\c:\lflfrff.exec:\lflfrff.exe100⤵PID:4892
-
\??\c:\nhnhhh.exec:\nhnhhh.exe101⤵PID:4600
-
\??\c:\dvdpv.exec:\dvdpv.exe102⤵PID:536
-
\??\c:\rrffxxr.exec:\rrffxxr.exe103⤵PID:2892
-
\??\c:\nnnnhh.exec:\nnnnhh.exe104⤵PID:1184
-
\??\c:\dvjjj.exec:\dvjjj.exe105⤵PID:2780
-
\??\c:\dpddd.exec:\dpddd.exe106⤵PID:1228
-
\??\c:\llrxrxl.exec:\llrxrxl.exe107⤵PID:2052
-
\??\c:\nbbnht.exec:\nbbnht.exe108⤵PID:2604
-
\??\c:\pvvvj.exec:\pvvvj.exe109⤵PID:3060
-
\??\c:\lflfrrl.exec:\lflfrrl.exe110⤵PID:5048
-
\??\c:\xxlfrrf.exec:\xxlfrrf.exe111⤵PID:1332
-
\??\c:\5tbthn.exec:\5tbthn.exe112⤵PID:4312
-
\??\c:\vvddj.exec:\vvddj.exe113⤵PID:4328
-
\??\c:\frxlrlx.exec:\frxlrlx.exe114⤵PID:448
-
\??\c:\bbbbtt.exec:\bbbbtt.exe115⤵PID:1512
-
\??\c:\vvvpj.exec:\vvvpj.exe116⤵PID:2692
-
\??\c:\jpjdd.exec:\jpjdd.exe117⤵PID:4120
-
\??\c:\5lrrllf.exec:\5lrrllf.exe118⤵PID:3592
-
\??\c:\ntnntb.exec:\ntnntb.exe119⤵PID:216
-
\??\c:\bbtnhb.exec:\bbtnhb.exe120⤵PID:1764
-
\??\c:\1pjpp.exec:\1pjpp.exe121⤵PID:1432
-
\??\c:\rxrrlrl.exec:\rxrrlrl.exe122⤵PID:3568