Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 02:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe
-
Size
453KB
-
MD5
dd7649c02baf244834491bc6bbd2f640
-
SHA1
be2956ceb4d09374fdbeb52ae8cca20847d1063f
-
SHA256
a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000
-
SHA512
9b97924f241d736953fab5209d78da09bfd461e3407277a6ca43f4ac1d1008f6f38f0646c675fc9018684db94c94961c88ac761bd29df9573918d631a0541747
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeUQ:q7Tc2NYHUrAwfMp3CDUQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1100-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2412-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3564-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-1005-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-1602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4168 dvvpd.exe 1984 fxfxrrl.exe 220 rfxxxxf.exe 4828 3lllffx.exe 4520 xxxrlll.exe 2732 ppppj.exe 820 flrrrrr.exe 232 lrrlffx.exe 940 9tbhnt.exe 2096 rxfrrxx.exe 2212 nnbbhb.exe 3432 xxlfffl.exe 1304 hhhbbt.exe 616 fxffxll.exe 1696 xlrllll.exe 3904 tbnhbb.exe 1492 pvdvp.exe 3448 rrrffll.exe 1220 rxxrllf.exe 2628 vjppp.exe 1368 rrrlfff.exe 2224 bhtttt.exe 1328 nnnnhh.exe 4596 djjjj.exe 2800 rlllfff.exe 4188 lxllfxx.exe 4960 fxffxrr.exe 1224 bhtnnn.exe 1244 9rfxffr.exe 1552 dpppp.exe 2412 vjppj.exe 212 7lfxrll.exe 2764 bbhhnh.exe 1412 7hnhhh.exe 4716 xlfrlfx.exe 1836 thtnhb.exe 2304 jpvdv.exe 5048 xxlxrlx.exe 2112 xrfxffl.exe 2576 tbhhbn.exe 2580 5pvpj.exe 3924 5vppj.exe 4396 tthbbb.exe 4604 ddjjv.exe 4408 pjpvp.exe 4380 lllfffx.exe 2840 nhhhhh.exe 2700 9flfrxr.exe 4572 thnntt.exe 884 vddpj.exe 1744 rlfxxxr.exe 4288 tttnhh.exe 3688 5dppj.exe 3888 vpppd.exe 1612 nthbtt.exe 2240 bhnbtn.exe 1348 rllffxx.exe 3496 tthhtt.exe 1320 jjvpv.exe 5024 dddvp.exe 2468 frfxrlf.exe 4228 bnnhbb.exe 1968 5jvjj.exe 2100 pdjvv.exe -
resource yara_rule behavioral2/memory/1100-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1552-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/216-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-688-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9htnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
frlfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlfrrf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1100 wrote to memory of 4168 1100 a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe 82 PID 1100 wrote to memory of 4168 1100 a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe 82 PID 1100 wrote to memory of 4168 1100 a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe 82 PID 4168 wrote to memory of 1984 4168 dvvpd.exe 83 PID 4168 wrote to memory of 1984 4168 dvvpd.exe 83 PID 4168 wrote to memory of 1984 4168 dvvpd.exe 83 PID 1984 wrote to memory of 220 1984 fxfxrrl.exe 84 PID 1984 wrote to memory of 220 1984 fxfxrrl.exe 84 PID 1984 wrote to memory of 220 1984 fxfxrrl.exe 84 PID 220 wrote to memory of 4828 220 rfxxxxf.exe 85 PID 220 wrote to memory of 4828 220 rfxxxxf.exe 85 PID 220 wrote to memory of 4828 220 rfxxxxf.exe 85 PID 4828 wrote to memory of 4520 4828 3lllffx.exe 86 PID 4828 wrote to memory of 4520 4828 3lllffx.exe 86 PID 4828 wrote to memory of 4520 4828 3lllffx.exe 86 PID 4520 wrote to memory of 2732 4520 xxxrlll.exe 87 PID 4520 wrote to memory of 2732 4520 xxxrlll.exe 87 PID 4520 wrote to memory of 2732 4520 xxxrlll.exe 87 PID 2732 wrote to memory of 820 2732 ppppj.exe 88 PID 2732 wrote to memory of 820 2732 ppppj.exe 88 PID 2732 wrote to memory of 820 2732 ppppj.exe 88 PID 820 wrote to memory of 232 820 flrrrrr.exe 89 PID 820 wrote to memory of 232 820 flrrrrr.exe 89 PID 820 wrote to memory of 232 820 flrrrrr.exe 89 PID 232 wrote to memory of 940 232 lrrlffx.exe 90 PID 232 wrote to memory of 940 232 lrrlffx.exe 90 PID 232 wrote to memory of 940 232 lrrlffx.exe 90 PID 940 wrote to memory of 2096 940 9tbhnt.exe 91 PID 940 wrote to memory of 2096 940 9tbhnt.exe 91 PID 940 wrote to memory of 2096 940 9tbhnt.exe 91 PID 2096 wrote to memory of 2212 2096 rxfrrxx.exe 92 PID 2096 wrote to memory of 2212 2096 rxfrrxx.exe 92 PID 2096 wrote to memory of 2212 2096 rxfrrxx.exe 92 PID 2212 wrote to memory of 3432 2212 nnbbhb.exe 93 PID 2212 wrote to memory of 3432 2212 
nnbbhb.exe 93 PID 2212 wrote to memory of 3432 2212 nnbbhb.exe 93 PID 3432 wrote to memory of 1304 3432 xxlfffl.exe 94 PID 3432 wrote to memory of 1304 3432 xxlfffl.exe 94 PID 3432 wrote to memory of 1304 3432 xxlfffl.exe 94 PID 1304 wrote to memory of 616 1304 hhhbbt.exe 95 PID 1304 wrote to memory of 616 1304 hhhbbt.exe 95 PID 1304 wrote to memory of 616 1304 hhhbbt.exe 95 PID 616 wrote to memory of 1696 616 fxffxll.exe 96 PID 616 wrote to memory of 1696 616 fxffxll.exe 96 PID 616 wrote to memory of 1696 616 fxffxll.exe 96 PID 1696 wrote to memory of 3904 1696 xlrllll.exe 97 PID 1696 wrote to memory of 3904 1696 xlrllll.exe 97 PID 1696 wrote to memory of 3904 1696 xlrllll.exe 97 PID 3904 wrote to memory of 1492 3904 tbnhbb.exe 98 PID 3904 wrote to memory of 1492 3904 tbnhbb.exe 98 PID 3904 wrote to memory of 1492 3904 tbnhbb.exe 98 PID 1492 wrote to memory of 3448 1492 pvdvp.exe 99 PID 1492 wrote to memory of 3448 1492 pvdvp.exe 99 PID 1492 wrote to memory of 3448 1492 pvdvp.exe 99 PID 3448 wrote to memory of 1220 3448 rrrffll.exe 100 PID 3448 wrote to memory of 1220 3448 rrrffll.exe 100 PID 3448 wrote to memory of 1220 3448 rrrffll.exe 100 PID 1220 wrote to memory of 2628 1220 rxxrllf.exe 101 PID 1220 wrote to memory of 2628 1220 rxxrllf.exe 101 PID 1220 wrote to memory of 2628 1220 rxxrllf.exe 101 PID 2628 wrote to memory of 1368 2628 vjppp.exe 102 PID 2628 wrote to memory of 1368 2628 vjppp.exe 102 PID 2628 wrote to memory of 1368 2628 vjppp.exe 102 PID 1368 wrote to memory of 2224 1368 rrrlfff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe"C:\Users\Admin\AppData\Local\Temp\a397f607575490d21adcfc758d8d72035c5170a998ead56f9c4d36eb5bd6b000N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\dvvpd.exec:\dvvpd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\rfxxxxf.exec:\rfxxxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\3lllffx.exec:\3lllffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\xxxrlll.exec:\xxxrlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\ppppj.exec:\ppppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\flrrrrr.exec:\flrrrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\lrrlffx.exec:\lrrlffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\9tbhnt.exec:\9tbhnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\rxfrrxx.exec:\rxfrrxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\nnbbhb.exec:\nnbbhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\xxlfffl.exec:\xxlfffl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\hhhbbt.exec:\hhhbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\fxffxll.exec:\fxffxll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\xlrllll.exec:\xlrllll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\tbnhbb.exec:\tbnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\pvdvp.exec:\pvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\rrrffll.exec:\rrrffll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\rxxrllf.exec:\rxxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\vjppp.exec:\vjppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\rrrlfff.exec:\rrrlfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\bhtttt.exec:\bhtttt.exe23⤵
- Executes dropped EXE
PID:2224 -
\??\c:\nnnnhh.exec:\nnnnhh.exe24⤵
- Executes dropped EXE
PID:1328 -
\??\c:\djjjj.exec:\djjjj.exe25⤵
- Executes dropped EXE
PID:4596 -
\??\c:\rlllfff.exec:\rlllfff.exe26⤵
- Executes dropped EXE
PID:2800 -
\??\c:\lxllfxx.exec:\lxllfxx.exe27⤵
- Executes dropped EXE
PID:4188 -
\??\c:\fxffxrr.exec:\fxffxrr.exe28⤵
- Executes dropped EXE
PID:4960 -
\??\c:\bhtnnn.exec:\bhtnnn.exe29⤵
- Executes dropped EXE
PID:1224 -
\??\c:\9rfxffr.exec:\9rfxffr.exe30⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dpppp.exec:\dpppp.exe31⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vjppj.exec:\vjppj.exe32⤵
- Executes dropped EXE
PID:2412 -
\??\c:\7lfxrll.exec:\7lfxrll.exe33⤵
- Executes dropped EXE
PID:212 -
\??\c:\bbhhnh.exec:\bbhhnh.exe34⤵
- Executes dropped EXE
PID:2764 -
\??\c:\7hnhhh.exec:\7hnhhh.exe35⤵
- Executes dropped EXE
PID:1412 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe36⤵
- Executes dropped EXE
PID:4716 -
\??\c:\thtnhb.exec:\thtnhb.exe37⤵
- Executes dropped EXE
PID:1836 -
\??\c:\jpvdv.exec:\jpvdv.exe38⤵
- Executes dropped EXE
PID:2304 -
\??\c:\xxlxrlx.exec:\xxlxrlx.exe39⤵
- Executes dropped EXE
PID:5048 -
\??\c:\xrfxffl.exec:\xrfxffl.exe40⤵
- Executes dropped EXE
PID:2112 -
\??\c:\tbhhbn.exec:\tbhhbn.exe41⤵
- Executes dropped EXE
PID:2576 -
\??\c:\5pvpj.exec:\5pvpj.exe42⤵
- Executes dropped EXE
PID:2580 -
\??\c:\5vppj.exec:\5vppj.exe43⤵
- Executes dropped EXE
PID:3924 -
\??\c:\tthbbb.exec:\tthbbb.exe44⤵
- Executes dropped EXE
PID:4396 -
\??\c:\ddjjv.exec:\ddjjv.exe45⤵
- Executes dropped EXE
PID:4604 -
\??\c:\pjpvp.exec:\pjpvp.exe46⤵
- Executes dropped EXE
PID:4408 -
\??\c:\lllfffx.exec:\lllfffx.exe47⤵
- Executes dropped EXE
PID:4380 -
\??\c:\nhhhhh.exec:\nhhhhh.exe48⤵
- Executes dropped EXE
PID:2840 -
\??\c:\9flfrxr.exec:\9flfrxr.exe49⤵
- Executes dropped EXE
PID:2700 -
\??\c:\thnntt.exec:\thnntt.exe50⤵
- Executes dropped EXE
PID:4572 -
\??\c:\vddpj.exec:\vddpj.exe51⤵
- Executes dropped EXE
PID:884 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe52⤵
- Executes dropped EXE
PID:1744 -
\??\c:\tttnhh.exec:\tttnhh.exe53⤵
- Executes dropped EXE
PID:4288 -
\??\c:\5dppj.exec:\5dppj.exe54⤵
- Executes dropped EXE
PID:3688 -
\??\c:\vpppd.exec:\vpppd.exe55⤵
- Executes dropped EXE
PID:3888 -
\??\c:\nthbtt.exec:\nthbtt.exe56⤵
- Executes dropped EXE
PID:1612 -
\??\c:\bhnbtn.exec:\bhnbtn.exe57⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rllffxx.exec:\rllffxx.exe58⤵
- Executes dropped EXE
PID:1348 -
\??\c:\tthhtt.exec:\tthhtt.exe59⤵
- Executes dropped EXE
PID:3496 -
\??\c:\jjvpv.exec:\jjvpv.exe60⤵
- Executes dropped EXE
PID:1320 -
\??\c:\dddvp.exec:\dddvp.exe61⤵
- Executes dropped EXE
PID:5024 -
\??\c:\frfxrlf.exec:\frfxrlf.exe62⤵
- Executes dropped EXE
PID:2468 -
\??\c:\bnnhbb.exec:\bnnhbb.exe63⤵
- Executes dropped EXE
PID:4228 -
\??\c:\5jvjj.exec:\5jvjj.exe64⤵
- Executes dropped EXE
PID:1968 -
\??\c:\pdjvv.exec:\pdjvv.exe65⤵
- Executes dropped EXE
PID:2100 -
\??\c:\xllffxr.exec:\xllffxr.exe66⤵PID:4660
-
\??\c:\bnnhbb.exec:\bnnhbb.exe67⤵PID:1928
-
\??\c:\thnbtn.exec:\thnbtn.exe68⤵PID:616
-
\??\c:\5jjjd.exec:\5jjjd.exe69⤵PID:1696
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe70⤵PID:1632
-
\??\c:\hhttbh.exec:\hhttbh.exe71⤵PID:3396
-
\??\c:\pddpj.exec:\pddpj.exe72⤵PID:4156
-
\??\c:\lxfxxxr.exec:\lxfxxxr.exe73⤵PID:4144
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe74⤵PID:1480
-
\??\c:\jdjjv.exec:\jdjjv.exe75⤵PID:5072
-
\??\c:\pjdvd.exec:\pjdvd.exe76⤵PID:1488
-
\??\c:\lxxxrff.exec:\lxxxrff.exe77⤵PID:2188
-
\??\c:\tntnnn.exec:\tntnnn.exe78⤵PID:448
-
\??\c:\vjdvv.exec:\vjdvv.exe79⤵PID:3700
-
\??\c:\rrrlffl.exec:\rrrlffl.exe80⤵PID:1044
-
\??\c:\thhtnb.exec:\thhtnb.exe81⤵PID:3668
-
\??\c:\tnbhhh.exec:\tnbhhh.exe82⤵PID:2200
-
\??\c:\9ppjv.exec:\9ppjv.exe83⤵PID:3148
-
\??\c:\3xxrfxr.exec:\3xxrfxr.exe84⤵PID:1544
-
\??\c:\btbbnb.exec:\btbbnb.exe85⤵PID:2376
-
\??\c:\vjjdp.exec:\vjjdp.exe86⤵PID:4872
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe87⤵PID:3564
-
\??\c:\bntnnh.exec:\bntnnh.exe88⤵PID:2036
-
\??\c:\vvdvd.exec:\vvdvd.exe89⤵PID:3188
-
\??\c:\pdjdj.exec:\pdjdj.exe90⤵PID:216
-
\??\c:\rflfrrl.exec:\rflfrrl.exe91⤵PID:212
-
\??\c:\bbhbnh.exec:\bbhbnh.exe92⤵PID:1548
-
\??\c:\dpdvp.exec:\dpdvp.exe93⤵PID:5104
-
\??\c:\xrffxrr.exec:\xrffxrr.exe94⤵PID:4712
-
\??\c:\bbtttn.exec:\bbtttn.exe95⤵PID:432
-
\??\c:\bbhbnt.exec:\bbhbnt.exe96⤵PID:1780
-
\??\c:\jdvdd.exec:\jdvdd.exe97⤵PID:2796
-
\??\c:\llrlxfx.exec:\llrlxfx.exe98⤵PID:4628
-
\??\c:\bnnnnn.exec:\bnnnnn.exe99⤵PID:320
-
\??\c:\hbtnbb.exec:\hbtnbb.exe100⤵PID:3620
-
\??\c:\pppvv.exec:\pppvv.exe101⤵PID:1476
-
\??\c:\frxlxrl.exec:\frxlxrl.exe102⤵PID:1720
-
\??\c:\tthhtt.exec:\tthhtt.exe103⤵PID:4140
-
\??\c:\9pdvv.exec:\9pdvv.exe104⤵PID:4540
-
\??\c:\llrlffr.exec:\llrlffr.exe105⤵PID:428
-
\??\c:\rflffxl.exec:\rflffxl.exe106⤵PID:392
-
\??\c:\tthhhh.exec:\tthhhh.exe107⤵PID:3368
-
\??\c:\jjppj.exec:\jjppj.exe108⤵PID:1540
-
\??\c:\tbhtnn.exec:\tbhtnn.exe109⤵PID:2960
-
\??\c:\9tbnhb.exec:\9tbnhb.exe110⤵PID:4016
-
\??\c:\dddpp.exec:\dddpp.exe111⤵PID:1236
-
\??\c:\djpjd.exec:\djpjd.exe112⤵PID:2936
-
\??\c:\3rlxllx.exec:\3rlxllx.exe113⤵PID:4400
-
\??\c:\nbhbtn.exec:\nbhbtn.exe114⤵PID:1792
-
\??\c:\bnnbnn.exec:\bnnbnn.exe115⤵PID:4348
-
\??\c:\3djdj.exec:\3djdj.exe116⤵PID:1008
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe117⤵PID:2424
-
\??\c:\hhhtnn.exec:\hhhtnn.exe118⤵PID:3376
-
\??\c:\dvddd.exec:\dvddd.exe119⤵PID:2976
-
\??\c:\vjjdv.exec:\vjjdv.exe120⤵PID:2040
-
\??\c:\xffxlfx.exec:\xffxlfx.exe121⤵PID:1404
-
\??\c:\hbbthb.exec:\hbbthb.exe122⤵PID:4616