Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 04:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20N.exe
-
Size
454KB
-
MD5
f6d5bdad0f49c775d89c6b7b650e62d0
-
SHA1
14de41804df99b9068a1ec7d60a672fbf79d7761
-
SHA256
595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20
-
SHA512
d32f08bd6d451a72d554196997b35c92e86b3eb83eabc17eb781571acc5bb99f3f4bcbc5bdea3a37af0f6f08f73847eb2f426f355a049bad556d860533b891b9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4072-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/880-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2372-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-1376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-1815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-1860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 844 5vjjj.exe 616 pvjdd.exe 4644 vdvdv.exe 1512 bhnhbt.exe 2588 nnhhbt.exe 2428 jpvpv.exe 536 xflfxxx.exe 3720 jjddj.exe 3876 thnntn.exe 3048 3llrrrl.exe 5004 pdvpp.exe 3200 llxxxfx.exe 2148 1btnnn.exe 116 vjpjj.exe 3420 btbbbt.exe 4060 3ppjv.exe 2708 7xxrlxf.exe 2028 htbtnn.exe 4108 bntnhb.exe 3756 rffxfxl.exe 1868 pjdvj.exe 1556 htbtnb.exe 3544 3pvvp.exe 808 rlrlfxr.exe 1608 1pjdd.exe 3552 3xrfxxr.exe 412 jvdjv.exe 2816 lllffxr.exe 4568 hbnthb.exe 2236 frlrlxr.exe 3988 7nhhtt.exe 760 fffrlll.exe 2876 9rxfxrf.exe 3780 5tntnb.exe 5056 dpjvj.exe 3248 xflfxrl.exe 880 nhhbbt.exe 2524 jvdvp.exe 2820 1fxrlff.exe 1160 tbtnbt.exe 1848 bhnhbb.exe 2004 pvvpj.exe 3924 fffxlfx.exe 2928 hntnhh.exe 1876 jpvpj.exe 3216 3jvpd.exe 2944 5fxrffx.exe 1096 7hnhhh.exe 4448 pjjdv.exe 440 dvpjv.exe 4380 rrlfxxf.exe 844 5nhbbt.exe 316 vjjjd.exe 2864 djddv.exe 1380 rlrflfx.exe 4536 bnnhbt.exe 756 tntbtn.exe 3208 jpvpj.exe 3488 rfxlflr.exe 4640 bhhbtt.exe 4220 btnhnn.exe 4872 pjdvj.exe 3140 fxxrxxr.exe 3600 5hbbtt.exe -
resource yara_rule behavioral2/memory/4072-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-208-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2820-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-461-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3596-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-658-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-836-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1bhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4072 wrote to memory of 844 4072 595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20N.exe 82 PID 4072 wrote to memory of 844 4072 595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20N.exe 82 PID 4072 wrote to memory of 844 4072 595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20N.exe 82 PID 844 wrote to memory of 616 844 5vjjj.exe 83 PID 844 wrote to memory of 616 844 5vjjj.exe 83 PID 844 wrote to memory of 616 844 5vjjj.exe 83 PID 616 wrote to memory of 4644 616 pvjdd.exe 84 PID 616 wrote to memory of 4644 616 pvjdd.exe 84 PID 616 wrote to memory of 4644 616 pvjdd.exe 84 PID 4644 wrote to memory of 1512 4644 vdvdv.exe 85 PID 4644 wrote to memory of 1512 4644 vdvdv.exe 85 PID 4644 wrote to memory of 1512 4644 vdvdv.exe 85 PID 1512 wrote to memory of 2588 1512 bhnhbt.exe 86 PID 1512 wrote to memory of 2588 1512 bhnhbt.exe 86 PID 1512 wrote to memory of 2588 1512 bhnhbt.exe 86 PID 2588 wrote to memory of 2428 2588 nnhhbt.exe 87 PID 2588 wrote to memory of 2428 2588 nnhhbt.exe 87 PID 2588 wrote to memory of 2428 2588 nnhhbt.exe 87 PID 2428 wrote to memory of 536 2428 jpvpv.exe 88 PID 2428 wrote to memory of 536 2428 jpvpv.exe 88 PID 2428 wrote to memory of 536 2428 jpvpv.exe 88 PID 536 wrote to memory of 3720 536 xflfxxx.exe 89 PID 536 wrote to memory of 3720 536 xflfxxx.exe 89 PID 536 wrote to memory of 3720 536 xflfxxx.exe 89 PID 3720 wrote to memory of 3876 3720 jjddj.exe 90 PID 3720 wrote to memory of 3876 3720 jjddj.exe 90 PID 3720 wrote to memory of 3876 3720 jjddj.exe 90 PID 3876 wrote to memory of 3048 3876 thnntn.exe 91 PID 3876 wrote to memory of 3048 3876 thnntn.exe 91 PID 3876 wrote to memory of 3048 3876 thnntn.exe 91 PID 3048 wrote to memory of 5004 3048 3llrrrl.exe 92 PID 3048 wrote to memory of 5004 3048 3llrrrl.exe 92 PID 3048 wrote to memory of 5004 3048 3llrrrl.exe 92 PID 5004 wrote to memory of 3200 5004 pdvpp.exe 93 PID 5004 wrote to memory of 3200 5004 pdvpp.exe 93 
PID 5004 wrote to memory of 3200 5004 pdvpp.exe 93 PID 3200 wrote to memory of 2148 3200 llxxxfx.exe 94 PID 3200 wrote to memory of 2148 3200 llxxxfx.exe 94 PID 3200 wrote to memory of 2148 3200 llxxxfx.exe 94 PID 2148 wrote to memory of 116 2148 1btnnn.exe 95 PID 2148 wrote to memory of 116 2148 1btnnn.exe 95 PID 2148 wrote to memory of 116 2148 1btnnn.exe 95 PID 116 wrote to memory of 3420 116 vjpjj.exe 96 PID 116 wrote to memory of 3420 116 vjpjj.exe 96 PID 116 wrote to memory of 3420 116 vjpjj.exe 96 PID 3420 wrote to memory of 4060 3420 btbbbt.exe 97 PID 3420 wrote to memory of 4060 3420 btbbbt.exe 97 PID 3420 wrote to memory of 4060 3420 btbbbt.exe 97 PID 4060 wrote to memory of 2708 4060 3ppjv.exe 98 PID 4060 wrote to memory of 2708 4060 3ppjv.exe 98 PID 4060 wrote to memory of 2708 4060 3ppjv.exe 98 PID 2708 wrote to memory of 2028 2708 7xxrlxf.exe 99 PID 2708 wrote to memory of 2028 2708 7xxrlxf.exe 99 PID 2708 wrote to memory of 2028 2708 7xxrlxf.exe 99 PID 2028 wrote to memory of 4108 2028 htbtnn.exe 100 PID 2028 wrote to memory of 4108 2028 htbtnn.exe 100 PID 2028 wrote to memory of 4108 2028 htbtnn.exe 100 PID 4108 wrote to memory of 3756 4108 bntnhb.exe 101 PID 4108 wrote to memory of 3756 4108 bntnhb.exe 101 PID 4108 wrote to memory of 3756 4108 bntnhb.exe 101 PID 3756 wrote to memory of 1868 3756 rffxfxl.exe 102 PID 3756 wrote to memory of 1868 3756 rffxfxl.exe 102 PID 3756 wrote to memory of 1868 3756 rffxfxl.exe 102 PID 1868 wrote to memory of 1556 1868 pjdvj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20N.exe"C:\Users\Admin\AppData\Local\Temp\595af82e0d222a19b91997d7b1fdad875ee6ae7d8efd28b52c70a06fa3b75f20N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\5vjjj.exec:\5vjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\pvjdd.exec:\pvjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:616 -
\??\c:\vdvdv.exec:\vdvdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\bhnhbt.exec:\bhnhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\nnhhbt.exec:\nnhhbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\jpvpv.exec:\jpvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\xflfxxx.exec:\xflfxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\jjddj.exec:\jjddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\thnntn.exec:\thnntn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\3llrrrl.exec:\3llrrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3048 -
\??\c:\pdvpp.exec:\pdvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\llxxxfx.exec:\llxxxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\1btnnn.exec:\1btnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\vjpjj.exec:\vjpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\btbbbt.exec:\btbbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\3ppjv.exec:\3ppjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\7xxrlxf.exec:\7xxrlxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\htbtnn.exec:\htbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\bntnhb.exec:\bntnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\rffxfxl.exec:\rffxfxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\pjdvj.exec:\pjdvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\htbtnb.exec:\htbtnb.exe23⤵
- Executes dropped EXE
PID:1556 -
\??\c:\3pvvp.exec:\3pvvp.exe24⤵
- Executes dropped EXE
PID:3544 -
\??\c:\rlrlfxr.exec:\rlrlfxr.exe25⤵
- Executes dropped EXE
PID:808 -
\??\c:\1pjdd.exec:\1pjdd.exe26⤵
- Executes dropped EXE
PID:1608 -
\??\c:\3xrfxxr.exec:\3xrfxxr.exe27⤵
- Executes dropped EXE
PID:3552 -
\??\c:\jvdjv.exec:\jvdjv.exe28⤵
- Executes dropped EXE
PID:412 -
\??\c:\lllffxr.exec:\lllffxr.exe29⤵
- Executes dropped EXE
PID:2816 -
\??\c:\hbnthb.exec:\hbnthb.exe30⤵
- Executes dropped EXE
PID:4568 -
\??\c:\frlrlxr.exec:\frlrlxr.exe31⤵
- Executes dropped EXE
PID:2236 -
\??\c:\7nhhtt.exec:\7nhhtt.exe32⤵
- Executes dropped EXE
PID:3988 -
\??\c:\fffrlll.exec:\fffrlll.exe33⤵
- Executes dropped EXE
PID:760 -
\??\c:\9rxfxrf.exec:\9rxfxrf.exe34⤵
- Executes dropped EXE
PID:2876 -
\??\c:\5tntnb.exec:\5tntnb.exe35⤵
- Executes dropped EXE
PID:3780 -
\??\c:\dpjvj.exec:\dpjvj.exe36⤵
- Executes dropped EXE
PID:5056 -
\??\c:\xflfxrl.exec:\xflfxrl.exe37⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nhhbbt.exec:\nhhbbt.exe38⤵
- Executes dropped EXE
PID:880 -
\??\c:\jvdvp.exec:\jvdvp.exe39⤵
- Executes dropped EXE
PID:2524 -
\??\c:\1fxrlff.exec:\1fxrlff.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\tbtnbt.exec:\tbtnbt.exe41⤵
- Executes dropped EXE
PID:1160 -
\??\c:\bhnhbb.exec:\bhnhbb.exe42⤵
- Executes dropped EXE
PID:1848 -
\??\c:\pvvpj.exec:\pvvpj.exe43⤵
- Executes dropped EXE
PID:2004 -
\??\c:\fffxlfx.exec:\fffxlfx.exe44⤵
- Executes dropped EXE
PID:3924 -
\??\c:\hntnhh.exec:\hntnhh.exe45⤵
- Executes dropped EXE
PID:2928 -
\??\c:\jpvpj.exec:\jpvpj.exe46⤵
- Executes dropped EXE
PID:1876 -
\??\c:\3jvpd.exec:\3jvpd.exe47⤵
- Executes dropped EXE
PID:3216 -
\??\c:\5fxrffx.exec:\5fxrffx.exe48⤵
- Executes dropped EXE
PID:2944 -
\??\c:\7hnhhh.exec:\7hnhhh.exe49⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pjjdv.exec:\pjjdv.exe50⤵
- Executes dropped EXE
PID:4448 -
\??\c:\dvpjv.exec:\dvpjv.exe51⤵
- Executes dropped EXE
PID:440 -
\??\c:\rrlfxxf.exec:\rrlfxxf.exe52⤵
- Executes dropped EXE
PID:4380 -
\??\c:\5nhbbt.exec:\5nhbbt.exe53⤵
- Executes dropped EXE
PID:844 -
\??\c:\vjjjd.exec:\vjjjd.exe54⤵
- Executes dropped EXE
PID:316 -
\??\c:\djddv.exec:\djddv.exe55⤵
- Executes dropped EXE
PID:2864 -
\??\c:\rlrflfx.exec:\rlrflfx.exe56⤵
- Executes dropped EXE
PID:1380 -
\??\c:\bnnhbt.exec:\bnnhbt.exe57⤵
- Executes dropped EXE
PID:4536 -
\??\c:\tntbtn.exec:\tntbtn.exe58⤵
- Executes dropped EXE
PID:756 -
\??\c:\jpvpj.exec:\jpvpj.exe59⤵
- Executes dropped EXE
PID:3208 -
\??\c:\rfxlflr.exec:\rfxlflr.exe60⤵
- Executes dropped EXE
PID:3488 -
\??\c:\bhhbtt.exec:\bhhbtt.exe61⤵
- Executes dropped EXE
PID:4640 -
\??\c:\btnhnn.exec:\btnhnn.exe62⤵
- Executes dropped EXE
PID:4220 -
\??\c:\pjdvj.exec:\pjdvj.exe63⤵
- Executes dropped EXE
PID:4872 -
\??\c:\fxxrxxr.exec:\fxxrxxr.exe64⤵
- Executes dropped EXE
PID:3140 -
\??\c:\5hbbtt.exec:\5hbbtt.exe65⤵
- Executes dropped EXE
PID:3600 -
\??\c:\vppdv.exec:\vppdv.exe66⤵PID:2352
-
\??\c:\7vvjd.exec:\7vvjd.exe67⤵PID:2972
-
\??\c:\lllxlfx.exec:\lllxlfx.exe68⤵PID:3664
-
\??\c:\tbhhnn.exec:\tbhhnn.exe69⤵PID:3412
-
\??\c:\rffrfxr.exec:\rffrfxr.exe70⤵PID:3672
-
\??\c:\httnhb.exec:\httnhb.exe71⤵PID:3696
-
\??\c:\jppdv.exec:\jppdv.exe72⤵PID:4668
-
\??\c:\9rxlxrx.exec:\9rxlxrx.exe73⤵PID:3676
-
\??\c:\9hbthb.exec:\9hbthb.exe74⤵PID:896
-
\??\c:\nhnbhb.exec:\nhnbhb.exe75⤵PID:3028
-
\??\c:\9pjvj.exec:\9pjvj.exe76⤵PID:1364
-
\??\c:\5xfrfxl.exec:\5xfrfxl.exe77⤵PID:2208
-
\??\c:\btbnhh.exec:\btbnhh.exe78⤵PID:1508
-
\??\c:\dpvpj.exec:\dpvpj.exe79⤵PID:3056
-
\??\c:\lfrlxxr.exec:\lfrlxxr.exe80⤵PID:3164
-
\??\c:\lxxlfrl.exec:\lxxlfrl.exe81⤵PID:3192
-
\??\c:\bthbbt.exec:\bthbbt.exe82⤵PID:2476
-
\??\c:\dvvvd.exec:\dvvvd.exe83⤵PID:4052
-
\??\c:\rrxrfxr.exec:\rrxrfxr.exe84⤵PID:3068
-
\??\c:\7nnbtt.exec:\7nnbtt.exe85⤵PID:2224
-
\??\c:\nhhbnh.exec:\nhhbnh.exe86⤵PID:1948
-
\??\c:\pjvdv.exec:\pjvdv.exe87⤵PID:3328
-
\??\c:\llxflll.exec:\llxflll.exe88⤵PID:1492
-
\??\c:\btbtnn.exec:\btbtnn.exe89⤵PID:1268
-
\??\c:\vvdvp.exec:\vvdvp.exe90⤵PID:3228
-
\??\c:\llxlxxf.exec:\llxlxxf.exe91⤵PID:3768
-
\??\c:\xllfxrl.exec:\xllfxrl.exe92⤵PID:1932
-
\??\c:\hbbhtn.exec:\hbbhtn.exe93⤵PID:3520
-
\??\c:\ddjvj.exec:\ddjvj.exe94⤵PID:2372
-
\??\c:\9vdvp.exec:\9vdvp.exe95⤵PID:1924
-
\??\c:\lfxrflf.exec:\lfxrflf.exe96⤵PID:2424
-
\??\c:\nnbtnb.exec:\nnbtnb.exe97⤵PID:2560
-
\??\c:\pvddp.exec:\pvddp.exe98⤵PID:3616
-
\??\c:\fxxrlxr.exec:\fxxrlxr.exe99⤵PID:4972
-
\??\c:\fffrfxl.exec:\fffrfxl.exe100⤵PID:760
-
\??\c:\1ttnhh.exec:\1ttnhh.exe101⤵PID:2876
-
\??\c:\7dpdv.exec:\7dpdv.exe102⤵PID:3780
-
\??\c:\rfxlxlf.exec:\rfxlxlf.exe103⤵PID:2648
-
\??\c:\tntnnh.exec:\tntnnh.exe104⤵PID:3248
-
\??\c:\nbbnbt.exec:\nbbnbt.exe105⤵PID:3212
-
\??\c:\dpvpj.exec:\dpvpj.exe106⤵PID:4724
-
\??\c:\frrfrlf.exec:\frrfrlf.exe107⤵PID:2820
-
\??\c:\bnthtn.exec:\bnthtn.exe108⤵PID:4472
-
\??\c:\3pjdv.exec:\3pjdv.exe109⤵PID:3976
-
\??\c:\fxrfxrl.exec:\fxrfxrl.exe110⤵PID:4128
-
\??\c:\nhbtnh.exec:\nhbtnh.exe111⤵PID:4512
-
\??\c:\1vppd.exec:\1vppd.exe112⤵PID:1136
-
\??\c:\7ppjv.exec:\7ppjv.exe113⤵PID:4532
-
\??\c:\frlxrlx.exec:\frlxrlx.exe114⤵PID:2668
-
\??\c:\1nhhth.exec:\1nhhth.exe115⤵PID:3216
-
\??\c:\jpvjv.exec:\jpvjv.exe116⤵PID:2012
-
\??\c:\3rxrlff.exec:\3rxrlff.exe117⤵PID:1320
-
\??\c:\hhhtnt.exec:\hhhtnt.exe118⤵PID:4448
-
\??\c:\bnbtnh.exec:\bnbtnh.exe119⤵PID:3896
-
\??\c:\ppjvj.exec:\ppjvj.exe120⤵PID:1036
-
\??\c:\fxxxllx.exec:\fxxxllx.exe121⤵PID:4232
-
\??\c:\nbhbbt.exec:\nbhbbt.exe122⤵PID:3648
-