Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56N.exe
-
Size
456KB
-
MD5
84ce0b4573e6eae484e4bdce36437ea0
-
SHA1
f1a33eba6ca3552df7e33e484b47e6b73946714e
-
SHA256
3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56
-
SHA512
88485372ecacb0244a94e7380e2df9b8a6cb3e5909947da55c2f676385d75916af9c2ad01a5dfcf6638fc0ef878f1c9a1e2c3f93fcdfc0f269c0763f89128fe7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRW:q7Tc2NYHUrAwfMp3CDRW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (every hit covers the same 0x0000000000400000–0x000000000042A000 image range in a different child PID, consistent with each dropped EXE being a copy of one unpacked payload image rather than distinct binaries)
resource yara_rule behavioral2/memory/3240-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2316-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1528-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-973-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-1499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-1656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the process tree below continues well past it. PIDs are reused within this run — e.g. 3784 is both dvddd.exe and rfflxrx.exe, 1104 is both tttnbt.exe and nhnhbb.exe — so correlate memory IoCs by PID plus dump offset/timestamp, not by PID alone)
pid Process 3080 3hbnbb.exe 5000 pvvpj.exe 840 frxlflf.exe 3768 fffrxfr.exe 3548 ntnhbb.exe 3784 dvddd.exe 3860 1lfxlxx.exe 4988 tbhbnn.exe 2644 1djdd.exe 4368 1xrlffx.exe 4680 1jvpv.exe 4852 7bbbtt.exe 184 vjjjd.exe 4412 7vvpj.exe 4604 lfxrffx.exe 1992 vddvp.exe 3152 rrxrllf.exe 2260 3jddd.exe 4316 llrfrrl.exe 8 ntbtht.exe 2992 llflxxr.exe 3176 bntnhn.exe 3316 pdjdv.exe 380 bbtbnt.exe 2316 rlllfll.exe 4844 9tbbtb.exe 552 rfrfrfr.exe 1056 ppjdj.exe 1828 9xrlfxr.exe 3276 bbbbtt.exe 112 vppjj.exe 4568 hbbnhh.exe 4024 7hnhbt.exe 5048 dpjdv.exe 3124 xxxlrlx.exe 1104 tttnbt.exe 2708 7vpdp.exe 3128 rrrlrxx.exe 4308 nbnbnb.exe 3964 jvvvp.exe 2024 7rfxrrl.exe 2012 bhhbnh.exe 2784 ddjjj.exe 3500 vpdjv.exe 5016 rffrfxx.exe 516 5pjjv.exe 1220 dppjj.exe 2428 rffxrlf.exe 3580 nhhhbb.exe 3068 vvpvj.exe 4196 rllxlfl.exe 3032 lfxfrlf.exe 4420 tntnhn.exe 3996 djpjv.exe 4204 frrfxrr.exe 2900 3bbhbh.exe 5044 9vppv.exe 1716 vjpdv.exe 728 fxxrxrl.exe 4468 bhbthb.exe 1548 tththt.exe 1388 7dvpj.exe 3784 rfflxrx.exe 3544 3bbttt.exe -
UPX packed file 64 IoCs (yara rule `upx`; the hits cover the same 0x0000000000400000–0x000000000042A000 range as the Blackmoon rule above, consistent with the payload being UPX-packed in each child)
resource yara_rule behavioral2/memory/3240-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4844-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2300-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-664-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-942-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Here it is observed as reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language by the dropped executables. Entries attributed to "Process not Found" are reads whose originating process had presumably already exited before the sandbox could resolve its name, so per-process attribution in this list is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrflxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlf.exe -
Suspicious use of WriteProcessMemory 64 IoCs (capped at 64 entries, so the list only reaches the write from PID 2992 into PID 3176 — hop 23 of the chain — while the process tree below runs to depth 122. Each parent writes into the child it has just spawned, and each write is logged three times; the pattern matches the linear parent→child chain rather than injection into unrelated processes.)
description pid Process procid_target PID 3240 wrote to memory of 3080 3240 3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56N.exe 82 PID 3240 wrote to memory of 3080 3240 3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56N.exe 82 PID 3240 wrote to memory of 3080 3240 3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56N.exe 82 PID 3080 wrote to memory of 5000 3080 3hbnbb.exe 83 PID 3080 wrote to memory of 5000 3080 3hbnbb.exe 83 PID 3080 wrote to memory of 5000 3080 3hbnbb.exe 83 PID 5000 wrote to memory of 840 5000 pvvpj.exe 84 PID 5000 wrote to memory of 840 5000 pvvpj.exe 84 PID 5000 wrote to memory of 840 5000 pvvpj.exe 84 PID 840 wrote to memory of 3768 840 frxlflf.exe 85 PID 840 wrote to memory of 3768 840 frxlflf.exe 85 PID 840 wrote to memory of 3768 840 frxlflf.exe 85 PID 3768 wrote to memory of 3548 3768 fffrxfr.exe 86 PID 3768 wrote to memory of 3548 3768 fffrxfr.exe 86 PID 3768 wrote to memory of 3548 3768 fffrxfr.exe 86 PID 3548 wrote to memory of 3784 3548 ntnhbb.exe 87 PID 3548 wrote to memory of 3784 3548 ntnhbb.exe 87 PID 3548 wrote to memory of 3784 3548 ntnhbb.exe 87 PID 3784 wrote to memory of 3860 3784 dvddd.exe 88 PID 3784 wrote to memory of 3860 3784 dvddd.exe 88 PID 3784 wrote to memory of 3860 3784 dvddd.exe 88 PID 3860 wrote to memory of 4988 3860 1lfxlxx.exe 89 PID 3860 wrote to memory of 4988 3860 1lfxlxx.exe 89 PID 3860 wrote to memory of 4988 3860 1lfxlxx.exe 89 PID 4988 wrote to memory of 2644 4988 tbhbnn.exe 90 PID 4988 wrote to memory of 2644 4988 tbhbnn.exe 90 PID 4988 wrote to memory of 2644 4988 tbhbnn.exe 90 PID 2644 wrote to memory of 4368 2644 1djdd.exe 91 PID 2644 wrote to memory of 4368 2644 1djdd.exe 91 PID 2644 wrote to memory of 4368 2644 1djdd.exe 91 PID 4368 wrote to memory of 4680 4368 1xrlffx.exe 92 PID 4368 wrote to memory of 4680 4368 1xrlffx.exe 92 PID 4368 wrote to memory of 4680 4368 1xrlffx.exe 92 PID 4680 wrote to memory of 4852 4680 1jvpv.exe 93 PID 4680 wrote to 
memory of 4852 4680 1jvpv.exe 93 PID 4680 wrote to memory of 4852 4680 1jvpv.exe 93 PID 4852 wrote to memory of 184 4852 7bbbtt.exe 94 PID 4852 wrote to memory of 184 4852 7bbbtt.exe 94 PID 4852 wrote to memory of 184 4852 7bbbtt.exe 94 PID 184 wrote to memory of 4412 184 vjjjd.exe 95 PID 184 wrote to memory of 4412 184 vjjjd.exe 95 PID 184 wrote to memory of 4412 184 vjjjd.exe 95 PID 4412 wrote to memory of 4604 4412 7vvpj.exe 96 PID 4412 wrote to memory of 4604 4412 7vvpj.exe 96 PID 4412 wrote to memory of 4604 4412 7vvpj.exe 96 PID 4604 wrote to memory of 1992 4604 lfxrffx.exe 97 PID 4604 wrote to memory of 1992 4604 lfxrffx.exe 97 PID 4604 wrote to memory of 1992 4604 lfxrffx.exe 97 PID 1992 wrote to memory of 3152 1992 vddvp.exe 98 PID 1992 wrote to memory of 3152 1992 vddvp.exe 98 PID 1992 wrote to memory of 3152 1992 vddvp.exe 98 PID 3152 wrote to memory of 2260 3152 rrxrllf.exe 99 PID 3152 wrote to memory of 2260 3152 rrxrllf.exe 99 PID 3152 wrote to memory of 2260 3152 rrxrllf.exe 99 PID 2260 wrote to memory of 4316 2260 3jddd.exe 100 PID 2260 wrote to memory of 4316 2260 3jddd.exe 100 PID 2260 wrote to memory of 4316 2260 3jddd.exe 100 PID 4316 wrote to memory of 8 4316 llrfrrl.exe 101 PID 4316 wrote to memory of 8 4316 llrfrrl.exe 101 PID 4316 wrote to memory of 8 4316 llrfrrl.exe 101 PID 8 wrote to memory of 2992 8 ntbtht.exe 102 PID 8 wrote to memory of 2992 8 ntbtht.exe 102 PID 8 wrote to memory of 2992 8 ntbtht.exe 102 PID 2992 wrote to memory of 3176 2992 llflxxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56N.exe"C:\Users\Admin\AppData\Local\Temp\3197a6b246a95e8ccdf239712c21fabcea0c981d7980a7762f6b1ac017357c56N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\3hbnbb.exec:\3hbnbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\pvvpj.exec:\pvvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\frxlflf.exec:\frxlflf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\fffrxfr.exec:\fffrxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\ntnhbb.exec:\ntnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\dvddd.exec:\dvddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\1lfxlxx.exec:\1lfxlxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\tbhbnn.exec:\tbhbnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\1djdd.exec:\1djdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\1xrlffx.exec:\1xrlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\1jvpv.exec:\1jvpv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\7bbbtt.exec:\7bbbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\vjjjd.exec:\vjjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\7vvpj.exec:\7vvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\lfxrffx.exec:\lfxrffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\vddvp.exec:\vddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\rrxrllf.exec:\rrxrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\3jddd.exec:\3jddd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\llrfrrl.exec:\llrfrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\ntbtht.exec:\ntbtht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\llflxxr.exec:\llflxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\bntnhn.exec:\bntnhn.exe23⤵
- Executes dropped EXE
PID:3176 -
\??\c:\pdjdv.exec:\pdjdv.exe24⤵
- Executes dropped EXE
PID:3316 -
\??\c:\bbtbnt.exec:\bbtbnt.exe25⤵
- Executes dropped EXE
PID:380 -
\??\c:\rlllfll.exec:\rlllfll.exe26⤵
- Executes dropped EXE
PID:2316 -
\??\c:\9tbbtb.exec:\9tbbtb.exe27⤵
- Executes dropped EXE
PID:4844 -
\??\c:\rfrfrfr.exec:\rfrfrfr.exe28⤵
- Executes dropped EXE
PID:552 -
\??\c:\ppjdj.exec:\ppjdj.exe29⤵
- Executes dropped EXE
PID:1056 -
\??\c:\9xrlfxr.exec:\9xrlfxr.exe30⤵
- Executes dropped EXE
PID:1828 -
\??\c:\bbbbtt.exec:\bbbbtt.exe31⤵
- Executes dropped EXE
PID:3276 -
\??\c:\vppjj.exec:\vppjj.exe32⤵
- Executes dropped EXE
PID:112 -
\??\c:\hbbnhh.exec:\hbbnhh.exe33⤵
- Executes dropped EXE
PID:4568 -
\??\c:\7hnhbt.exec:\7hnhbt.exe34⤵
- Executes dropped EXE
PID:4024 -
\??\c:\dpjdv.exec:\dpjdv.exe35⤵
- Executes dropped EXE
PID:5048 -
\??\c:\xxxlrlx.exec:\xxxlrlx.exe36⤵
- Executes dropped EXE
PID:3124 -
\??\c:\tttnbt.exec:\tttnbt.exe37⤵
- Executes dropped EXE
PID:1104 -
\??\c:\7vpdp.exec:\7vpdp.exe38⤵
- Executes dropped EXE
PID:2708 -
\??\c:\rrrlrxx.exec:\rrrlrxx.exe39⤵
- Executes dropped EXE
PID:3128 -
\??\c:\nbnbnb.exec:\nbnbnb.exe40⤵
- Executes dropped EXE
PID:4308 -
\??\c:\jvvvp.exec:\jvvvp.exe41⤵
- Executes dropped EXE
PID:3964 -
\??\c:\7rfxrrl.exec:\7rfxrrl.exe42⤵
- Executes dropped EXE
PID:2024 -
\??\c:\bhhbnh.exec:\bhhbnh.exe43⤵
- Executes dropped EXE
PID:2012 -
\??\c:\ddjjj.exec:\ddjjj.exe44⤵
- Executes dropped EXE
PID:2784 -
\??\c:\vpdjv.exec:\vpdjv.exe45⤵
- Executes dropped EXE
PID:3500 -
\??\c:\rffrfxx.exec:\rffrfxx.exe46⤵
- Executes dropped EXE
PID:5016 -
\??\c:\5pjjv.exec:\5pjjv.exe47⤵
- Executes dropped EXE
PID:516 -
\??\c:\dppjj.exec:\dppjj.exe48⤵
- Executes dropped EXE
PID:1220 -
\??\c:\rffxrlf.exec:\rffxrlf.exe49⤵
- Executes dropped EXE
PID:2428 -
\??\c:\nhhhbb.exec:\nhhhbb.exe50⤵
- Executes dropped EXE
PID:3580 -
\??\c:\vvpvj.exec:\vvpvj.exe51⤵
- Executes dropped EXE
PID:3068 -
\??\c:\rllxlfl.exec:\rllxlfl.exe52⤵
- Executes dropped EXE
PID:4196 -
\??\c:\lfxfrlf.exec:\lfxfrlf.exe53⤵
- Executes dropped EXE
PID:3032 -
\??\c:\tntnhn.exec:\tntnhn.exe54⤵
- Executes dropped EXE
PID:4420 -
\??\c:\djpjv.exec:\djpjv.exe55⤵
- Executes dropped EXE
PID:3996 -
\??\c:\frrfxrr.exec:\frrfxrr.exe56⤵
- Executes dropped EXE
PID:4204 -
\??\c:\3bbhbh.exec:\3bbhbh.exe57⤵
- Executes dropped EXE
PID:2900 -
\??\c:\9vppv.exec:\9vppv.exe58⤵
- Executes dropped EXE
PID:5044 -
\??\c:\vjpdv.exec:\vjpdv.exe59⤵
- Executes dropped EXE
PID:1716 -
\??\c:\fxxrxrl.exec:\fxxrxrl.exe60⤵
- Executes dropped EXE
PID:728 -
\??\c:\bhbthb.exec:\bhbthb.exe61⤵
- Executes dropped EXE
PID:4468 -
\??\c:\tththt.exec:\tththt.exe62⤵
- Executes dropped EXE
PID:1548 -
\??\c:\7dvpj.exec:\7dvpj.exe63⤵
- Executes dropped EXE
PID:1388 -
\??\c:\rfflxrx.exec:\rfflxrx.exe64⤵
- Executes dropped EXE
PID:3784 -
\??\c:\3bbttt.exec:\3bbttt.exe65⤵
- Executes dropped EXE
PID:3544 -
\??\c:\9pvjv.exec:\9pvjv.exe66⤵PID:1308
-
\??\c:\ddvjv.exec:\ddvjv.exe67⤵PID:1484
-
\??\c:\7ffxrlx.exec:\7ffxrlx.exe68⤵PID:1648
-
\??\c:\nhbhth.exec:\nhbhth.exe69⤵PID:3796
-
\??\c:\dpvjv.exec:\dpvjv.exe70⤵PID:1936
-
\??\c:\9rfrxrl.exec:\9rfrxrl.exe71⤵PID:4100
-
\??\c:\nbbthh.exec:\nbbthh.exe72⤵PID:2028
-
\??\c:\bnbnbt.exec:\bnbnbt.exe73⤵PID:3488
-
\??\c:\dppjv.exec:\dppjv.exe74⤵PID:3556
-
\??\c:\xxxllfx.exec:\xxxllfx.exe75⤵PID:4360
-
\??\c:\bhhthh.exec:\bhhthh.exe76⤵PID:1528
-
\??\c:\hntnhb.exec:\hntnhb.exe77⤵PID:1372
-
\??\c:\vpdjd.exec:\vpdjd.exe78⤵PID:4960
-
\??\c:\rrfrfxl.exec:\rrfrfxl.exe79⤵PID:2620
-
\??\c:\nbnnnt.exec:\nbnnnt.exe80⤵PID:512
-
\??\c:\5ddvj.exec:\5ddvj.exe81⤵PID:4904
-
\??\c:\fxfrrfr.exec:\fxfrrfr.exe82⤵PID:3792
-
\??\c:\rlxrffx.exec:\rlxrffx.exe83⤵PID:4316
-
\??\c:\7hhtnh.exec:\7hhtnh.exe84⤵PID:4528
-
\??\c:\jpppd.exec:\jpppd.exe85⤵PID:1620
-
\??\c:\fflxrll.exec:\fflxrll.exe86⤵PID:1176
-
\??\c:\lfrllfl.exec:\lfrllfl.exe87⤵PID:3216
-
\??\c:\1tnhbt.exec:\1tnhbt.exe88⤵PID:2076
-
\??\c:\dvjvp.exec:\dvjvp.exe89⤵PID:4432
-
\??\c:\xffrfxf.exec:\xffrfxf.exe90⤵PID:1260
-
\??\c:\xfllfxr.exec:\xfllfxr.exe91⤵PID:3024
-
\??\c:\hnhnnh.exec:\hnhnnh.exe92⤵PID:1188
-
\??\c:\1jvpd.exec:\1jvpd.exe93⤵PID:2300
-
\??\c:\vvvjp.exec:\vvvjp.exe94⤵PID:2056
-
\??\c:\1fxlxxl.exec:\1fxlxxl.exe95⤵PID:64
-
\??\c:\htnhtt.exec:\htnhtt.exe96⤵PID:3944
-
\??\c:\pppjp.exec:\pppjp.exe97⤵PID:3276
-
\??\c:\djjvj.exec:\djjvj.exe98⤵PID:972
-
\??\c:\rllfxrl.exec:\rllfxrl.exe99⤵PID:4864
-
\??\c:\thhnbt.exec:\thhnbt.exe100⤵PID:2880
-
\??\c:\bhhtht.exec:\bhhtht.exe101⤵PID:4024
-
\??\c:\vjdpv.exec:\vjdpv.exe102⤵PID:2232
-
\??\c:\fxxrxrx.exec:\fxxrxrx.exe103⤵PID:3124
-
\??\c:\nhnhbb.exec:\nhnhbb.exe104⤵PID:1104
-
\??\c:\jjjpd.exec:\jjjpd.exe105⤵PID:3872
-
\??\c:\rxlxlxr.exec:\rxlxlxr.exe106⤵PID:2760
-
\??\c:\fflxlfr.exec:\fflxlfr.exe107⤵PID:4244
-
\??\c:\5thtbt.exec:\5thtbt.exe108⤵PID:5068
-
\??\c:\pdvjv.exec:\pdvjv.exe109⤵PID:2292
-
\??\c:\lxrlffl.exec:\lxrlffl.exe110⤵PID:4928
-
\??\c:\htnbnh.exec:\htnbnh.exe111⤵PID:2784
-
\??\c:\1jjjd.exec:\1jjjd.exe112⤵PID:436
-
\??\c:\7lxlxrr.exec:\7lxlxrr.exe113⤵PID:5016
-
\??\c:\rffxrlf.exec:\rffxrlf.exe114⤵
- System Location Discovery: System Language Discovery
PID:1332 -
\??\c:\tthbbb.exec:\tthbbb.exe115⤵PID:2180
-
\??\c:\pjddv.exec:\pjddv.exe116⤵PID:2764
-
\??\c:\lrrxfrx.exec:\lrrxfrx.exe117⤵PID:748
-
\??\c:\hnhbnt.exec:\hnhbnt.exe118⤵PID:2276
-
\??\c:\pdjdj.exec:\pdjdj.exe119⤵PID:5116
-
\??\c:\xxfxrfx.exec:\xxfxrfx.exe120⤵PID:2216
-
\??\c:\tbbnth.exec:\tbbnth.exe121⤵PID:3880
-
\??\c:\vvpdj.exec:\vvpdj.exe122⤵PID:808