Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 00:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98eN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98eN.exe
-
Size
454KB
-
MD5
d827f3de086e0b07fd833612293e94b0
-
SHA1
02bc4a481d6e0164784fe5302275c424569962ea
-
SHA256
9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98e
-
SHA512
d4f10480878c3221e7cf87f0ce176eee6d629d3169777caf04cc0710207f1a57a5e027daee59489fa2263ba766440b65b26d649790bba56e799174c3a82539af
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeqi:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1344-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4740-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3840-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-1376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1608-1728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1344 vjdpv.exe 1268 3fxlfxr.exe 3048 xrrfxrf.exe 1968 nbbnbt.exe 3380 7jdvd.exe 2192 3lfrfxl.exe 1768 lrxlxrf.exe 4440 hbbnbt.exe 2944 5jvjp.exe 4204 dpjvd.exe 2600 lxxfrfr.exe 4948 frfrlrf.exe 4904 htnbnh.exe 4728 vpjdj.exe 1320 9ththt.exe 4752 5ddvj.exe 3512 xxlffxf.exe 4028 jvvjv.exe 1060 lrxlxlx.exe 4476 bhnbth.exe 720 xffrfxl.exe 3924 1tthhh.exe 3084 1lfrfxl.exe 3260 bnhtnn.exe 3076 nnhbnb.exe 4488 dddpj.exe 4740 htthtn.exe 2492 djdpv.exe 2284 vvdjp.exe 4852 lxrxflx.exe 4572 lxfrxrf.exe 880 7frlxrl.exe 1860 7btnhb.exe 3404 ntbntn.exe 3644 ddjdd.exe 3516 xxxlxrf.exe 412 bnhhbb.exe 4348 djjvj.exe 1960 rffxflx.exe 4732 ntthtn.exe 2004 dppvj.exe 3804 lllxrxl.exe 4888 tnbtbn.exe 4268 9htnbt.exe 4584 dvdpv.exe 4384 lfrfxfr.exe 1808 thtnhb.exe 452 pdjvv.exe 4456 flxllxf.exe 4484 5bbhtn.exe 4396 nhbbtt.exe 1720 jjpdp.exe 396 5rlfxxx.exe 5016 bhhthb.exe 2368 7nnhnh.exe 3276 1jvdd.exe 4124 lxxlxrf.exe 440 btnhtt.exe 1456 jvvpd.exe 2920 ppvjd.exe 1380 lxxrlfx.exe 872 7hbnbn.exe 4628 vppdv.exe 448 dpjvj.exe -
resource yara_rule behavioral2/memory/1344-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4740-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4252-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-886-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-908-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfff.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4128 wrote to memory of 1344 4128 9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98eN.exe 83 PID 4128 wrote to memory of 1344 4128 9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98eN.exe 83 PID 4128 wrote to memory of 1344 4128 9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98eN.exe 83 PID 1344 wrote to memory of 1268 1344 vjdpv.exe 84 PID 1344 wrote to memory of 1268 1344 vjdpv.exe 84 PID 1344 wrote to memory of 1268 1344 vjdpv.exe 84 PID 1268 wrote to memory of 3048 1268 3fxlfxr.exe 85 PID 1268 wrote to memory of 3048 1268 3fxlfxr.exe 85 PID 1268 wrote to memory of 3048 1268 3fxlfxr.exe 85 PID 3048 wrote to memory of 1968 3048 xrrfxrf.exe 86 PID 3048 wrote to memory of 1968 3048 xrrfxrf.exe 86 PID 3048 wrote to memory of 1968 3048 xrrfxrf.exe 86 PID 1968 wrote to memory of 3380 1968 nbbnbt.exe 87 PID 1968 wrote to memory of 3380 1968 nbbnbt.exe 87 PID 1968 wrote to memory of 3380 1968 nbbnbt.exe 87 PID 3380 wrote to memory of 2192 3380 7jdvd.exe 88 PID 3380 wrote to memory of 2192 3380 7jdvd.exe 88 PID 3380 wrote to memory of 2192 3380 7jdvd.exe 88 PID 2192 wrote to memory of 1768 2192 3lfrfxl.exe 89 PID 2192 wrote to memory of 1768 2192 3lfrfxl.exe 89 PID 2192 wrote to memory of 1768 2192 3lfrfxl.exe 89 PID 1768 wrote to memory of 4440 1768 lrxlxrf.exe 90 PID 1768 wrote to memory of 4440 1768 lrxlxrf.exe 90 PID 1768 wrote to memory of 4440 1768 lrxlxrf.exe 90 PID 4440 wrote to memory of 2944 4440 hbbnbt.exe 91 PID 4440 wrote to memory of 2944 4440 hbbnbt.exe 91 PID 4440 wrote to memory of 2944 4440 hbbnbt.exe 91 PID 2944 wrote to memory of 4204 2944 5jvjp.exe 92 PID 2944 wrote to memory of 4204 2944 5jvjp.exe 92 PID 2944 wrote to memory of 4204 2944 5jvjp.exe 92 PID 4204 wrote to memory of 2600 4204 dpjvd.exe 93 PID 4204 wrote to memory of 2600 4204 dpjvd.exe 93 PID 4204 wrote to memory of 2600 4204 dpjvd.exe 93 PID 2600 wrote to memory of 4948 2600 lxxfrfr.exe 94 PID 2600 wrote 
to memory of 4948 2600 lxxfrfr.exe 94 PID 2600 wrote to memory of 4948 2600 lxxfrfr.exe 94 PID 4948 wrote to memory of 4904 4948 frfrlrf.exe 95 PID 4948 wrote to memory of 4904 4948 frfrlrf.exe 95 PID 4948 wrote to memory of 4904 4948 frfrlrf.exe 95 PID 4904 wrote to memory of 4728 4904 htnbnh.exe 96 PID 4904 wrote to memory of 4728 4904 htnbnh.exe 96 PID 4904 wrote to memory of 4728 4904 htnbnh.exe 96 PID 4728 wrote to memory of 1320 4728 vpjdj.exe 97 PID 4728 wrote to memory of 1320 4728 vpjdj.exe 97 PID 4728 wrote to memory of 1320 4728 vpjdj.exe 97 PID 1320 wrote to memory of 4752 1320 9ththt.exe 98 PID 1320 wrote to memory of 4752 1320 9ththt.exe 98 PID 1320 wrote to memory of 4752 1320 9ththt.exe 98 PID 4752 wrote to memory of 3512 4752 5ddvj.exe 99 PID 4752 wrote to memory of 3512 4752 5ddvj.exe 99 PID 4752 wrote to memory of 3512 4752 5ddvj.exe 99 PID 3512 wrote to memory of 4028 3512 xxlffxf.exe 100 PID 3512 wrote to memory of 4028 3512 xxlffxf.exe 100 PID 3512 wrote to memory of 4028 3512 xxlffxf.exe 100 PID 4028 wrote to memory of 1060 4028 jvvjv.exe 101 PID 4028 wrote to memory of 1060 4028 jvvjv.exe 101 PID 4028 wrote to memory of 1060 4028 jvvjv.exe 101 PID 1060 wrote to memory of 4476 1060 lrxlxlx.exe 102 PID 1060 wrote to memory of 4476 1060 lrxlxlx.exe 102 PID 1060 wrote to memory of 4476 1060 lrxlxlx.exe 102 PID 4476 wrote to memory of 720 4476 bhnbth.exe 103 PID 4476 wrote to memory of 720 4476 bhnbth.exe 103 PID 4476 wrote to memory of 720 4476 bhnbth.exe 103 PID 720 wrote to memory of 3924 720 xffrfxl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98eN.exe"C:\Users\Admin\AppData\Local\Temp\9422d25001d2c78da94d02e0ece1f35af370b0787833be5d183b44ba42aef98eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\vjdpv.exec:\vjdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\3fxlfxr.exec:\3fxlfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1268 -
\??\c:\xrrfxrf.exec:\xrrfxrf.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\nbbnbt.exec:\nbbnbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\7jdvd.exec:\7jdvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\3lfrfxl.exec:\3lfrfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\lrxlxrf.exec:\lrxlxrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\hbbnbt.exec:\hbbnbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\5jvjp.exec:\5jvjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\dpjvd.exec:\dpjvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\lxxfrfr.exec:\lxxfrfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\frfrlrf.exec:\frfrlrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\htnbnh.exec:\htnbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\vpjdj.exec:\vpjdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\9ththt.exec:\9ththt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\5ddvj.exec:\5ddvj.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\xxlffxf.exec:\xxlffxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\jvvjv.exec:\jvvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\lrxlxlx.exec:\lrxlxlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\bhnbth.exec:\bhnbth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\xffrfxl.exec:\xffrfxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\1tthhh.exec:\1tthhh.exe23⤵
- Executes dropped EXE
PID:3924 -
\??\c:\1lfrfxl.exec:\1lfrfxl.exe24⤵
- Executes dropped EXE
PID:3084 -
\??\c:\bnhtnn.exec:\bnhtnn.exe25⤵
- Executes dropped EXE
PID:3260 -
\??\c:\nnhbnb.exec:\nnhbnb.exe26⤵
- Executes dropped EXE
PID:3076 -
\??\c:\dddpj.exec:\dddpj.exe27⤵
- Executes dropped EXE
PID:4488 -
\??\c:\htthtn.exec:\htthtn.exe28⤵
- Executes dropped EXE
PID:4740 -
\??\c:\djdpv.exec:\djdpv.exe29⤵
- Executes dropped EXE
PID:2492 -
\??\c:\vvdjp.exec:\vvdjp.exe30⤵
- Executes dropped EXE
PID:2284 -
\??\c:\lxrxflx.exec:\lxrxflx.exe31⤵
- Executes dropped EXE
PID:4852 -
\??\c:\lxfrxrf.exec:\lxfrxrf.exe32⤵
- Executes dropped EXE
PID:4572 -
\??\c:\7frlxrl.exec:\7frlxrl.exe33⤵
- Executes dropped EXE
PID:880 -
\??\c:\7btnhb.exec:\7btnhb.exe34⤵
- Executes dropped EXE
PID:1860 -
\??\c:\ntbntn.exec:\ntbntn.exe35⤵
- Executes dropped EXE
PID:3404 -
\??\c:\ddjdd.exec:\ddjdd.exe36⤵
- Executes dropped EXE
PID:3644 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe37⤵
- Executes dropped EXE
PID:3516 -
\??\c:\bnhhbb.exec:\bnhhbb.exe38⤵
- Executes dropped EXE
PID:412 -
\??\c:\djjvj.exec:\djjvj.exe39⤵
- Executes dropped EXE
PID:4348 -
\??\c:\rffxflx.exec:\rffxflx.exe40⤵
- Executes dropped EXE
PID:1960 -
\??\c:\ntthtn.exec:\ntthtn.exe41⤵
- Executes dropped EXE
PID:4732 -
\??\c:\dppvj.exec:\dppvj.exe42⤵
- Executes dropped EXE
PID:2004 -
\??\c:\lllxrxl.exec:\lllxrxl.exe43⤵
- Executes dropped EXE
PID:3804 -
\??\c:\tnbtbn.exec:\tnbtbn.exe44⤵
- Executes dropped EXE
PID:4888 -
\??\c:\9htnbt.exec:\9htnbt.exe45⤵
- Executes dropped EXE
PID:4268 -
\??\c:\dvdpv.exec:\dvdpv.exe46⤵
- Executes dropped EXE
PID:4584 -
\??\c:\lfrfxfr.exec:\lfrfxfr.exe47⤵
- Executes dropped EXE
PID:4384 -
\??\c:\thtnhb.exec:\thtnhb.exe48⤵
- Executes dropped EXE
PID:1808 -
\??\c:\pdjvv.exec:\pdjvv.exe49⤵
- Executes dropped EXE
PID:452 -
\??\c:\flxllxf.exec:\flxllxf.exe50⤵
- Executes dropped EXE
PID:4456 -
\??\c:\5bbhtn.exec:\5bbhtn.exe51⤵
- Executes dropped EXE
PID:4484 -
\??\c:\nhbbtt.exec:\nhbbtt.exe52⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jjpdp.exec:\jjpdp.exe53⤵
- Executes dropped EXE
PID:1720 -
\??\c:\5rlfxxx.exec:\5rlfxxx.exe54⤵
- Executes dropped EXE
PID:396 -
\??\c:\bhhthb.exec:\bhhthb.exe55⤵
- Executes dropped EXE
PID:5016 -
\??\c:\7nnhnh.exec:\7nnhnh.exe56⤵
- Executes dropped EXE
PID:2368 -
\??\c:\1jvdd.exec:\1jvdd.exe57⤵
- Executes dropped EXE
PID:3276 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe58⤵
- Executes dropped EXE
PID:4124 -
\??\c:\btnhtt.exec:\btnhtt.exe59⤵
- Executes dropped EXE
PID:440 -
\??\c:\jvvpd.exec:\jvvpd.exe60⤵
- Executes dropped EXE
PID:1456 -
\??\c:\ppvjd.exec:\ppvjd.exe61⤵
- Executes dropped EXE
PID:2920 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe62⤵
- Executes dropped EXE
PID:1380 -
\??\c:\7hbnbn.exec:\7hbnbn.exe63⤵
- Executes dropped EXE
PID:872 -
\??\c:\vppdv.exec:\vppdv.exe64⤵
- Executes dropped EXE
PID:4628 -
\??\c:\dpjvj.exec:\dpjvj.exe65⤵
- Executes dropped EXE
PID:448 -
\??\c:\9frfrlx.exec:\9frfrlx.exe66⤵PID:4816
-
\??\c:\htnbhb.exec:\htnbhb.exe67⤵PID:428
-
\??\c:\thnhhn.exec:\thnhhn.exe68⤵PID:4140
-
\??\c:\1vdpp.exec:\1vdpp.exe69⤵PID:1284
-
\??\c:\3lfxllx.exec:\3lfxllx.exe70⤵PID:3088
-
\??\c:\xffxlfx.exec:\xffxlfx.exe71⤵PID:5044
-
\??\c:\htnnht.exec:\htnnht.exe72⤵PID:2564
-
\??\c:\dppjv.exec:\dppjv.exe73⤵PID:1060
-
\??\c:\rrllflf.exec:\rrllflf.exe74⤵PID:1164
-
\??\c:\xrxllff.exec:\xrxllff.exe75⤵PID:4332
-
\??\c:\thhbbb.exec:\thhbbb.exe76⤵PID:720
-
\??\c:\3vvvv.exec:\3vvvv.exe77⤵PID:3732
-
\??\c:\ffxfxll.exec:\ffxfxll.exe78⤵PID:3840
-
\??\c:\tbnhbt.exec:\tbnhbt.exe79⤵PID:1168
-
\??\c:\hbbttb.exec:\hbbttb.exe80⤵PID:3580
-
\??\c:\vjjdp.exec:\vjjdp.exe81⤵PID:1520
-
\??\c:\xllfrll.exec:\xllfrll.exe82⤵PID:2824
-
\??\c:\nhhhhh.exec:\nhhhhh.exe83⤵PID:4252
-
\??\c:\nthhnt.exec:\nthhnt.exe84⤵PID:4488
-
\??\c:\djdjv.exec:\djdjv.exe85⤵PID:4860
-
\??\c:\rlxfrlx.exec:\rlxfrlx.exe86⤵PID:3156
-
\??\c:\5bthtt.exec:\5bthtt.exe87⤵PID:4132
-
\??\c:\jdvdd.exec:\jdvdd.exe88⤵PID:2820
-
\??\c:\vpvjv.exec:\vpvjv.exe89⤵PID:2704
-
\??\c:\frxllfl.exec:\frxllfl.exe90⤵PID:1104
-
\??\c:\bhthht.exec:\bhthht.exe91⤵PID:984
-
\??\c:\vppjd.exec:\vppjd.exe92⤵PID:3320
-
\??\c:\xxxlrfx.exec:\xxxlrfx.exe93⤵PID:1844
-
\??\c:\hnbtnh.exec:\hnbtnh.exe94⤵PID:5020
-
\??\c:\jdvpd.exec:\jdvpd.exe95⤵PID:740
-
\??\c:\vvvjp.exec:\vvvjp.exe96⤵PID:2724
-
\??\c:\3xlxrll.exec:\3xlxrll.exe97⤵PID:2664
-
\??\c:\httnhb.exec:\httnhb.exe98⤵PID:2964
-
\??\c:\jdpjj.exec:\jdpjj.exe99⤵PID:816
-
\??\c:\jddpd.exec:\jddpd.exe100⤵PID:2004
-
\??\c:\lrxrxrr.exec:\lrxrxrr.exe101⤵PID:3112
-
\??\c:\htttnb.exec:\htttnb.exe102⤵PID:4888
-
\??\c:\9vppd.exec:\9vppd.exe103⤵PID:1908
-
\??\c:\frrfxrf.exec:\frrfxrf.exe104⤵PID:4600
-
\??\c:\9llffxl.exec:\9llffxl.exe105⤵PID:2896
-
\??\c:\bnhthn.exec:\bnhthn.exe106⤵PID:3384
-
\??\c:\vppvj.exec:\vppvj.exe107⤵PID:4364
-
\??\c:\ddjdj.exec:\ddjdj.exe108⤵PID:4708
-
\??\c:\fffffxx.exec:\fffffxx.exe109⤵PID:2300
-
\??\c:\bbhhnn.exec:\bbhhnn.exe110⤵PID:2244
-
\??\c:\bnhtbt.exec:\bnhtbt.exe111⤵PID:3888
-
\??\c:\jdvjd.exec:\jdvjd.exe112⤵PID:4380
-
\??\c:\5llfrrl.exec:\5llfrrl.exe113⤵PID:4804
-
\??\c:\xflxlfx.exec:\xflxlfx.exe114⤵PID:1260
-
\??\c:\bbnhbt.exec:\bbnhbt.exe115⤵PID:4276
-
\??\c:\5dpjv.exec:\5dpjv.exe116⤵PID:1748
-
\??\c:\flrfrlf.exec:\flrfrlf.exe117⤵PID:3944
-
\??\c:\htthth.exec:\htthth.exe118⤵PID:3272
-
\??\c:\dvjvd.exec:\dvjvd.exe119⤵PID:3872
-
\??\c:\5ppjd.exec:\5ppjd.exe120⤵PID:812
-
\??\c:\7frrxrf.exec:\7frrxrf.exe121⤵PID:3348
-
\??\c:\nbbnbn.exec:\nbbnbn.exe122⤵PID:2288