Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
25-12-2024 19:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
Note: this task entry describes the Windows 7 run (behavioral1), whereas the platform/resource fields above and every memory-dump path in the signatures below refer to the Windows 10 2004 x64 run (behavioral2). Read the signature and process data that follows as the behavioral2 result, not as the run listed here.
General
-
Target
d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da.exe
-
Size
495KB
-
MD5
4d29fedebc0c63f2062d9a253486bed6
-
SHA1
351511dcb6fb8e2d55199e371305d45d672bb0e3
-
SHA256
d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da
-
SHA512
1943146a46d472bf020deb281e9055b876ae6152c435fc1ac994cd4586f02de15c84cb6d2b1d10e7e6ee6e9985c63f91c393432f1c13defe3c85e2932c04f1f7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2CfNnkymTwaJ3o8K31OU:q7Tc2NYHUrAwfMHNnpls48I1OU
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family (family attribution rests on the `family_blackmoon` yara rule matching the in-memory images listed under the next signature)
-
Detect Blackmoon payload — 64 IoCs. 64 is the report's display cap, not the true count: every hit is the same 0x0000000000400000–0x000000000042A000 region dumped from a different process, and the process tree below runs to depth 122. The same dumps also match the untitled `upx` yara block that follows the dropped-EXE list, so they presumably still carry the UPX stub — confirm against a fully unpacked copy before deriving byte-level signatures from them. PIDs are reused during the run (2440-144 vs 2440-356, 2980-35 vs 2980-473, 1048-125 vs 1048-740), so use the second number in each dump name, not the PID alone, to identify a process instance.
resource yara_rule behavioral2/memory/4984-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2440-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1716-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-633-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-940-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3640-1458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (capped at 64 entries; the process tree below shows the chain continuing to depth 122). Every drop listed here lands in the root of C:\ (`\??\c:\<name>.exe`) and every name is an optional leading digit followed by 5–7 letters drawn from one of three sets — {b,h,t,n}, {x,r,l,f} or {p,v,j,d} — e.g. `3pvpv.exe`, `xrrlffx.exe`, `hbnnnn.exe`. A hunt for executables created directly under C:\ matching that shape is a cheap detection for this sample; whether the pattern holds across other Blackmoon builds is not shown here.
pid Process 4576 3pvpv.exe 1544 xrrlffx.exe 464 vjvvd.exe 2956 pdjjp.exe 2980 bbhbbb.exe 1148 1dvpj.exe 4116 thhnnn.exe 2936 ffrlxxr.exe 3684 hbnnnn.exe 4892 9rlllll.exe 2168 vjpjd.exe 2320 xxxxrxr.exe 1816 hbhnhh.exe 4580 jvpdp.exe 2628 lrfxrlf.exe 632 hbnnnn.exe 2988 7pvpp.exe 3772 7nnhhn.exe 3088 dvddd.exe 4768 rrxfllx.exe 1048 3nhbtt.exe 1384 1nnbtt.exe 316 ddvpj.exe 2440 rrxrxrx.exe 3048 rflrxrx.exe 392 vjdvd.exe 2496 jdpjj.exe 4448 fllfxxr.exe 1592 lrffllr.exe 5000 rxfrflx.exe 2568 nhbthh.exe 1812 rlrlffx.exe 1660 3ffrffr.exe 2144 jpvdv.exe 3060 jjpdp.exe 2208 5fffxxr.exe 2608 ttnhbh.exe 3716 vppjp.exe 4552 rlxxxxf.exe 1644 1thbtb.exe 3184 9hhbtb.exe 2120 5pjvp.exe 4920 5llxlxl.exe 4128 nnnhnh.exe 2392 9jpdv.exe 3044 xffrffx.exe 2136 thbnbh.exe 4816 htbtbh.exe 4928 dvvvp.exe 3056 xlrllrr.exe 972 9hbtnn.exe 640 jjjjd.exe 4444 3rlfrll.exe 3432 tbnhtt.exe 1780 3bttnh.exe 1292 7vvjv.exe 3024 lrrlxxl.exe 4596 bntthh.exe 1616 pjdpp.exe 3152 fxllxxx.exe 3532 lflfffl.exe 868 btnhtb.exe 3576 dvpdd.exe 3480 xxrfxxr.exe -
resource yara_rule behavioral2/memory/4984-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1592-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4448-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-740-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: the only evidence here is opening `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language`, which locale/runtime initialisation in benign programs also does, so on its own this is weak evidence of geo-targeting. Most entries below are attributed to "Process not Found", presumably because the short-lived child had already exited by the time the sandbox resolved the event; only a handful are tied to a named dropped executable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbthb.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (capped; the list ends at 1048 → 1384 while the tree continues). Every `wrote to memory of` pair is a parent writing into the child it has just spawned — the PID pairs match the process tree below exactly — and each pair is logged three times, which is consistent with writes made while the child is being created rather than injection into an unrelated process. Treat this signature as corroboration of the spawn chain, not as evidence of code injection into foreign processes.
description pid Process procid_target PID 4984 wrote to memory of 4576 4984 d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da.exe 84 PID 4984 wrote to memory of 4576 4984 d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da.exe 84 PID 4984 wrote to memory of 4576 4984 d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da.exe 84 PID 4576 wrote to memory of 1544 4576 3pvpv.exe 85 PID 4576 wrote to memory of 1544 4576 3pvpv.exe 85 PID 4576 wrote to memory of 1544 4576 3pvpv.exe 85 PID 1544 wrote to memory of 464 1544 xrrlffx.exe 86 PID 1544 wrote to memory of 464 1544 xrrlffx.exe 86 PID 1544 wrote to memory of 464 1544 xrrlffx.exe 86 PID 464 wrote to memory of 2956 464 vjvvd.exe 87 PID 464 wrote to memory of 2956 464 vjvvd.exe 87 PID 464 wrote to memory of 2956 464 vjvvd.exe 87 PID 2956 wrote to memory of 2980 2956 pdjjp.exe 88 PID 2956 wrote to memory of 2980 2956 pdjjp.exe 88 PID 2956 wrote to memory of 2980 2956 pdjjp.exe 88 PID 2980 wrote to memory of 1148 2980 bbhbbb.exe 89 PID 2980 wrote to memory of 1148 2980 bbhbbb.exe 89 PID 2980 wrote to memory of 1148 2980 bbhbbb.exe 89 PID 1148 wrote to memory of 4116 1148 1dvpj.exe 90 PID 1148 wrote to memory of 4116 1148 1dvpj.exe 90 PID 1148 wrote to memory of 4116 1148 1dvpj.exe 90 PID 4116 wrote to memory of 2936 4116 thhnnn.exe 91 PID 4116 wrote to memory of 2936 4116 thhnnn.exe 91 PID 4116 wrote to memory of 2936 4116 thhnnn.exe 91 PID 2936 wrote to memory of 3684 2936 ffrlxxr.exe 92 PID 2936 wrote to memory of 3684 2936 ffrlxxr.exe 92 PID 2936 wrote to memory of 3684 2936 ffrlxxr.exe 92 PID 3684 wrote to memory of 4892 3684 hbnnnn.exe 93 PID 3684 wrote to memory of 4892 3684 hbnnnn.exe 93 PID 3684 wrote to memory of 4892 3684 hbnnnn.exe 93 PID 4892 wrote to memory of 2168 4892 9rlllll.exe 94 PID 4892 wrote to memory of 2168 4892 9rlllll.exe 94 PID 4892 wrote to memory of 2168 4892 9rlllll.exe 94 PID 2168 wrote to memory of 2320 2168 vjpjd.exe 95 PID 2168 wrote to memory of 2320 
2168 vjpjd.exe 95 PID 2168 wrote to memory of 2320 2168 vjpjd.exe 95 PID 2320 wrote to memory of 1816 2320 xxxxrxr.exe 96 PID 2320 wrote to memory of 1816 2320 xxxxrxr.exe 96 PID 2320 wrote to memory of 1816 2320 xxxxrxr.exe 96 PID 1816 wrote to memory of 4580 1816 hbhnhh.exe 97 PID 1816 wrote to memory of 4580 1816 hbhnhh.exe 97 PID 1816 wrote to memory of 4580 1816 hbhnhh.exe 97 PID 4580 wrote to memory of 2628 4580 jvpdp.exe 98 PID 4580 wrote to memory of 2628 4580 jvpdp.exe 98 PID 4580 wrote to memory of 2628 4580 jvpdp.exe 98 PID 2628 wrote to memory of 632 2628 lrfxrlf.exe 99 PID 2628 wrote to memory of 632 2628 lrfxrlf.exe 99 PID 2628 wrote to memory of 632 2628 lrfxrlf.exe 99 PID 632 wrote to memory of 2988 632 hbnnnn.exe 100 PID 632 wrote to memory of 2988 632 hbnnnn.exe 100 PID 632 wrote to memory of 2988 632 hbnnnn.exe 100 PID 2988 wrote to memory of 3772 2988 7pvpp.exe 101 PID 2988 wrote to memory of 3772 2988 7pvpp.exe 101 PID 2988 wrote to memory of 3772 2988 7pvpp.exe 101 PID 3772 wrote to memory of 3088 3772 7nnhhn.exe 102 PID 3772 wrote to memory of 3088 3772 7nnhhn.exe 102 PID 3772 wrote to memory of 3088 3772 7nnhhn.exe 102 PID 3088 wrote to memory of 4768 3088 dvddd.exe 103 PID 3088 wrote to memory of 4768 3088 dvddd.exe 103 PID 3088 wrote to memory of 4768 3088 dvddd.exe 103 PID 4768 wrote to memory of 1048 4768 rrxfllx.exe 104 PID 4768 wrote to memory of 1048 4768 rrxfllx.exe 104 PID 4768 wrote to memory of 1048 4768 rrxfllx.exe 104 PID 1048 wrote to memory of 1384 1048 3nhbtt.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da.exe — command line "C:\Users\Admin\AppData\Local\Temp\d38b7878c6b6593e2a7225fb9bda060657ff4a1dde9d57b178c858b0016994da.exe" — depth 1. (Each entry in this tree is the image path, the command line and the nesting depth, which the export has fused into one string. The chain is strictly linear: every process spawns exactly one child, 122 levels deep, and from depth 66 onward the entries carry no signature tags because the per-signature lists above are capped at 64.)
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\3pvpv.exec:\3pvpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\xrrlffx.exec:\xrrlffx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\vjvvd.exec:\vjvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\pdjjp.exec:\pdjjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\bbhbbb.exec:\bbhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\1dvpj.exec:\1dvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\thhnnn.exec:\thhnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\hbnnnn.exec:\hbnnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\9rlllll.exec:\9rlllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\vjpjd.exec:\vjpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\xxxxrxr.exec:\xxxxrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\hbhnhh.exec:\hbhnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\jvpdp.exec:\jvpdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\lrfxrlf.exec:\lrfxrlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\hbnnnn.exec:\hbnnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\7pvpp.exec:\7pvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\7nnhhn.exec:\7nnhhn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\dvddd.exec:\dvddd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\rrxfllx.exec:\rrxfllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\3nhbtt.exec:\3nhbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\1nnbtt.exec:\1nnbtt.exe23⤵
- Executes dropped EXE
PID:1384 -
\??\c:\ddvpj.exec:\ddvpj.exe24⤵
- Executes dropped EXE
PID:316 -
\??\c:\rrxrxrx.exec:\rrxrxrx.exe25⤵
- Executes dropped EXE
PID:2440 -
\??\c:\rflrxrx.exec:\rflrxrx.exe26⤵
- Executes dropped EXE
PID:3048 -
\??\c:\vjdvd.exec:\vjdvd.exe27⤵
- Executes dropped EXE
PID:392 -
\??\c:\jdpjj.exec:\jdpjj.exe28⤵
- Executes dropped EXE
PID:2496 -
\??\c:\fllfxxr.exec:\fllfxxr.exe29⤵
- Executes dropped EXE
PID:4448 -
\??\c:\lrffllr.exec:\lrffllr.exe30⤵
- Executes dropped EXE
PID:1592 -
\??\c:\rxfrflx.exec:\rxfrflx.exe31⤵
- Executes dropped EXE
PID:5000 -
\??\c:\nhbthh.exec:\nhbthh.exe32⤵
- Executes dropped EXE
PID:2568 -
\??\c:\rlrlffx.exec:\rlrlffx.exe33⤵
- Executes dropped EXE
PID:1812 -
\??\c:\3ffrffr.exec:\3ffrffr.exe34⤵
- Executes dropped EXE
PID:1660 -
\??\c:\jpvdv.exec:\jpvdv.exe35⤵
- Executes dropped EXE
PID:2144 -
\??\c:\jjpdp.exec:\jjpdp.exe36⤵
- Executes dropped EXE
PID:3060 -
\??\c:\5fffxxr.exec:\5fffxxr.exe37⤵
- Executes dropped EXE
PID:2208 -
\??\c:\ttnhbh.exec:\ttnhbh.exe38⤵
- Executes dropped EXE
PID:2608 -
\??\c:\vppjp.exec:\vppjp.exe39⤵
- Executes dropped EXE
PID:3716 -
\??\c:\rlxxxxf.exec:\rlxxxxf.exe40⤵
- Executes dropped EXE
PID:4552 -
\??\c:\1thbtb.exec:\1thbtb.exe41⤵
- Executes dropped EXE
PID:1644 -
\??\c:\9hhbtb.exec:\9hhbtb.exe42⤵
- Executes dropped EXE
PID:3184 -
\??\c:\5pjvp.exec:\5pjvp.exe43⤵
- Executes dropped EXE
PID:2120 -
\??\c:\5llxlxl.exec:\5llxlxl.exe44⤵
- Executes dropped EXE
PID:4920 -
\??\c:\nnnhnh.exec:\nnnhnh.exe45⤵
- Executes dropped EXE
PID:4128 -
\??\c:\9jpdv.exec:\9jpdv.exe46⤵
- Executes dropped EXE
PID:2392 -
\??\c:\xffrffx.exec:\xffrffx.exe47⤵
- Executes dropped EXE
PID:3044 -
\??\c:\thbnbh.exec:\thbnbh.exe48⤵
- Executes dropped EXE
PID:2136 -
\??\c:\htbtbh.exec:\htbtbh.exe49⤵
- Executes dropped EXE
PID:4816 -
\??\c:\dvvvp.exec:\dvvvp.exe50⤵
- Executes dropped EXE
PID:4928 -
\??\c:\xlrllrr.exec:\xlrllrr.exe51⤵
- Executes dropped EXE
PID:3056 -
\??\c:\9hbtnn.exec:\9hbtnn.exe52⤵
- Executes dropped EXE
PID:972 -
\??\c:\jjjjd.exec:\jjjjd.exe53⤵
- Executes dropped EXE
PID:640 -
\??\c:\3rlfrll.exec:\3rlfrll.exe54⤵
- Executes dropped EXE
PID:4444 -
\??\c:\tbnhtt.exec:\tbnhtt.exe55⤵
- Executes dropped EXE
PID:3432 -
\??\c:\3bttnh.exec:\3bttnh.exe56⤵
- Executes dropped EXE
PID:1780 -
\??\c:\7vvjv.exec:\7vvjv.exe57⤵
- Executes dropped EXE
PID:1292 -
\??\c:\lrrlxxl.exec:\lrrlxxl.exe58⤵
- Executes dropped EXE
PID:3024 -
\??\c:\bntthh.exec:\bntthh.exe59⤵
- Executes dropped EXE
PID:4596 -
\??\c:\pjdpp.exec:\pjdpp.exe60⤵
- Executes dropped EXE
PID:1616 -
\??\c:\fxllxxx.exec:\fxllxxx.exe61⤵
- Executes dropped EXE
PID:3152 -
\??\c:\lflfffl.exec:\lflfffl.exe62⤵
- Executes dropped EXE
PID:3532 -
\??\c:\btnhtb.exec:\btnhtb.exe63⤵
- Executes dropped EXE
PID:868 -
\??\c:\dvpdd.exec:\dvpdd.exe64⤵
- Executes dropped EXE
PID:3576 -
\??\c:\xxrfxxr.exec:\xxrfxxr.exe65⤵
- Executes dropped EXE
PID:3480 -
\??\c:\9xfrfrf.exec:\9xfrfrf.exe66⤵PID:5080
-
\??\c:\5thbnt.exec:\5thbnt.exe67⤵PID:1392
-
\??\c:\jvppj.exec:\jvppj.exe68⤵PID:4056
-
\??\c:\rlfrlxl.exec:\rlfrlxl.exe69⤵PID:1816
-
\??\c:\hbttnn.exec:\hbttnn.exe70⤵PID:668
-
\??\c:\ntntbh.exec:\ntntbh.exe71⤵PID:2628
-
\??\c:\jdjvp.exec:\jdjvp.exe72⤵PID:4408
-
\??\c:\xrrlrrf.exec:\xrrlrrf.exe73⤵PID:4896
-
\??\c:\httnhb.exec:\httnhb.exe74⤵PID:2988
-
\??\c:\nnnnhn.exec:\nnnnhn.exe75⤵PID:4808
-
\??\c:\dvjdv.exec:\dvjdv.exe76⤵PID:5036
-
\??\c:\rlrllff.exec:\rlrllff.exe77⤵PID:3872
-
\??\c:\bnbttt.exec:\bnbttt.exe78⤵PID:2676
-
\??\c:\ppjdj.exec:\ppjdj.exe79⤵PID:1048
-
\??\c:\xxxxrrr.exec:\xxxxrrr.exe80⤵PID:1716
-
\??\c:\nbtttb.exec:\nbtttb.exe81⤵PID:448
-
\??\c:\bthbtt.exec:\bthbtt.exe82⤵PID:2440
-
\??\c:\vpvvp.exec:\vpvvp.exe83⤵PID:3276
-
\??\c:\fllfffx.exec:\fllfffx.exe84⤵PID:3048
-
\??\c:\3bnhbb.exec:\3bnhbb.exe85⤵PID:3688
-
\??\c:\1pvvp.exec:\1pvvp.exe86⤵PID:1344
-
\??\c:\pdvjp.exec:\pdvjp.exe87⤵PID:5112
-
\??\c:\rrrfrll.exec:\rrrfrll.exe88⤵PID:2256
-
\??\c:\tthbhh.exec:\tthbhh.exe89⤵PID:4448
-
\??\c:\7vpjv.exec:\7vpjv.exe90⤵PID:3116
-
\??\c:\vdpjd.exec:\vdpjd.exe91⤵PID:3284
-
\??\c:\rlfxrfx.exec:\rlfxrfx.exe92⤵PID:3952
-
\??\c:\3thbbb.exec:\3thbbb.exe93⤵PID:2552
-
\??\c:\dvdvd.exec:\dvdvd.exe94⤵PID:2420
-
\??\c:\jdvvp.exec:\jdvvp.exe95⤵PID:2588
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe96⤵PID:1660
-
\??\c:\tnbtnn.exec:\tnbtnn.exe97⤵PID:2144
-
\??\c:\pdjdd.exec:\pdjdd.exe98⤵PID:716
-
\??\c:\ppvvv.exec:\ppvvv.exe99⤵PID:2208
-
\??\c:\frlfxxr.exec:\frlfxxr.exe100⤵
- System Location Discovery: System Language Discovery
PID:2608 -
\??\c:\nnhhhh.exec:\nnhhhh.exe101⤵PID:1580
-
\??\c:\ppppj.exec:\ppppj.exe102⤵PID:1240
-
\??\c:\9fxrrff.exec:\9fxrrff.exe103⤵PID:3936
-
\??\c:\fllffxx.exec:\fllffxx.exe104⤵PID:1196
-
\??\c:\7bhhnb.exec:\7bhhnb.exe105⤵PID:220
-
\??\c:\3vvpp.exec:\3vvpp.exe106⤵PID:5072
-
\??\c:\fxxxxxr.exec:\fxxxxxr.exe107⤵PID:5100
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe108⤵PID:1704
-
\??\c:\htbnnn.exec:\htbnnn.exe109⤵PID:3144
-
\??\c:\ddpjp.exec:\ddpjp.exe110⤵PID:3044
-
\??\c:\llxfxrx.exec:\llxfxrx.exe111⤵PID:2136
-
\??\c:\tthbhh.exec:\tthbhh.exe112⤵PID:4604
-
\??\c:\nnnhhh.exec:\nnnhhh.exe113⤵PID:3468
-
\??\c:\frrrlll.exec:\frrrlll.exe114⤵PID:1008
-
\??\c:\nnbbhh.exec:\nnbbhh.exe115⤵PID:3016
-
\??\c:\5nbnbn.exec:\5nbnbn.exe116⤵PID:724
-
\??\c:\9pvvv.exec:\9pvvv.exe117⤵PID:3624
-
\??\c:\1lrfffx.exec:\1lrfffx.exe118⤵PID:3036
-
\??\c:\rlflrxf.exec:\rlflrxf.exe119⤵PID:2980
-
\??\c:\bnnnhh.exec:\bnnnhh.exe120⤵PID:2800
-
\??\c:\3pvpj.exec:\3pvpj.exe121⤵PID:4872
-
\??\c:\1xfxrrr.exec:\1xfxrrr.exe122⤵PID:3992