Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97.exe
-
Size
454KB
-
MD5
e882a5b551a224d50ac38dc99a864c97
-
SHA1
ebdb5a9ccf31d506f62f26552a906a18ce44a731
-
SHA256
c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97
-
SHA512
c0cc29ea60c686fb479df0f70d0f3e3da16eba0ce860b1e2d5ab2eaa047ade19725dbdbedcdb3feb52cb02004e6d164d3086ae9136aa75e21d7aaaa2d692f140
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2924-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4872-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1004-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-837-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 648 fxxlflr.exe 336 dvdvv.exe 2360 xxxlxlx.exe 628 fxxxfrl.exe 4480 tbhthb.exe 1896 vvvjd.exe 2736 tnnbnh.exe 4800 9dvjv.exe 3424 lllflfr.exe 2540 pdddd.exe 956 nnthtn.exe 1624 pvvvj.exe 4756 fxlxffl.exe 3688 tbbtnh.exe 4832 vddvj.exe 4032 lxrlrff.exe 2676 jvvjd.exe 2536 dvpdj.exe 4300 frrfrfx.exe 60 pjpjv.exe 3772 pvdvj.exe 4872 3rlxrlx.exe 1700 thbnbb.exe 1852 rlfrrfx.exe 3944 xllfrrf.exe 1312 vjjdp.exe 2932 xrllrlx.exe 1468 thnbnh.exe 3888 tbbthb.exe 2104 rlfrlfr.exe 3588 9xlfxxx.exe 1536 hbbntn.exe 1264 1lfxlfr.exe 4072 vvdjd.exe 1256 nbbnnn.exe 2356 thbtnh.exe 676 jdjvj.exe 4132 1dpdp.exe 4600 7ffrlfr.exe 4040 bnnhtt.exe 1072 1ddpd.exe 4948 rllxlfr.exe 1620 lfxfxfx.exe 3120 tnntnh.exe 1276 frlxrlx.exe 4812 hnhtnh.exe 1968 jvjdp.exe 3908 pjdjv.exe 1500 lxrfrrf.exe 4860 tbbthb.exe 3716 1ntnht.exe 4396 5rlxrlf.exe 4488 lrllflf.exe 2924 nnnbbn.exe 2708 vddvj.exe 3724 lxfrlfx.exe 2372 fxrlxlf.exe 1336 bttnbb.exe 1744 pvpdv.exe 1884 lxrfrlx.exe 1084 lllxlfx.exe 3972 nbbtnh.exe 876 bthbnn.exe 2412 jpvpp.exe -
resource yara_rule behavioral2/memory/2924-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3944-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2208-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-901-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbtn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xxxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1htnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rfxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 648 2924 c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97.exe 82 PID 2924 wrote to memory of 648 2924 c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97.exe 82 PID 2924 wrote to memory of 648 2924 c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97.exe 82 PID 648 wrote to memory of 336 648 fxxlflr.exe 83 PID 648 wrote to memory of 336 648 fxxlflr.exe 83 PID 648 wrote to memory of 336 648 fxxlflr.exe 83 PID 336 wrote to memory of 2360 336 dvdvv.exe 84 PID 336 wrote to memory of 2360 336 dvdvv.exe 84 PID 336 wrote to memory of 2360 336 dvdvv.exe 84 PID 2360 wrote to memory of 628 2360 xxxlxlx.exe 85 PID 2360 wrote to memory of 628 2360 xxxlxlx.exe 85 PID 2360 wrote to memory of 628 2360 xxxlxlx.exe 85 PID 628 wrote to memory of 4480 628 fxxxfrl.exe 86 PID 628 wrote to memory of 4480 628 fxxxfrl.exe 86 PID 628 wrote to memory of 4480 628 fxxxfrl.exe 86 PID 4480 wrote to memory of 1896 4480 tbhthb.exe 87 PID 4480 wrote to memory of 1896 4480 tbhthb.exe 87 PID 4480 wrote to memory of 1896 4480 tbhthb.exe 87 PID 1896 wrote to memory of 2736 1896 vvvjd.exe 88 PID 1896 wrote to memory of 2736 1896 vvvjd.exe 88 PID 1896 wrote to memory of 2736 1896 vvvjd.exe 88 PID 2736 wrote to memory of 4800 2736 tnnbnh.exe 89 PID 2736 wrote to memory of 4800 2736 tnnbnh.exe 89 PID 2736 wrote to memory of 4800 2736 tnnbnh.exe 89 PID 4800 wrote to memory of 3424 4800 9dvjv.exe 90 PID 4800 wrote to memory of 3424 4800 9dvjv.exe 90 PID 4800 wrote to memory of 3424 4800 9dvjv.exe 90 PID 3424 wrote to memory of 2540 3424 lllflfr.exe 91 PID 3424 wrote to memory of 2540 3424 lllflfr.exe 91 PID 3424 wrote to memory of 2540 3424 lllflfr.exe 91 PID 2540 wrote to memory of 956 2540 pdddd.exe 92 PID 2540 wrote to memory of 956 2540 pdddd.exe 92 PID 2540 wrote to memory of 956 2540 pdddd.exe 92 PID 956 wrote to memory of 1624 956 nnthtn.exe 93 PID 956 wrote to memory of 1624 956 nnthtn.exe 93 
PID 956 wrote to memory of 1624 956 nnthtn.exe 93 PID 1624 wrote to memory of 4756 1624 pvvvj.exe 94 PID 1624 wrote to memory of 4756 1624 pvvvj.exe 94 PID 1624 wrote to memory of 4756 1624 pvvvj.exe 94 PID 4756 wrote to memory of 3688 4756 fxlxffl.exe 95 PID 4756 wrote to memory of 3688 4756 fxlxffl.exe 95 PID 4756 wrote to memory of 3688 4756 fxlxffl.exe 95 PID 3688 wrote to memory of 4832 3688 tbbtnh.exe 96 PID 3688 wrote to memory of 4832 3688 tbbtnh.exe 96 PID 3688 wrote to memory of 4832 3688 tbbtnh.exe 96 PID 4832 wrote to memory of 4032 4832 vddvj.exe 97 PID 4832 wrote to memory of 4032 4832 vddvj.exe 97 PID 4832 wrote to memory of 4032 4832 vddvj.exe 97 PID 4032 wrote to memory of 2676 4032 lxrlrff.exe 98 PID 4032 wrote to memory of 2676 4032 lxrlrff.exe 98 PID 4032 wrote to memory of 2676 4032 lxrlrff.exe 98 PID 2676 wrote to memory of 2536 2676 jvvjd.exe 99 PID 2676 wrote to memory of 2536 2676 jvvjd.exe 99 PID 2676 wrote to memory of 2536 2676 jvvjd.exe 99 PID 2536 wrote to memory of 4300 2536 dvpdj.exe 100 PID 2536 wrote to memory of 4300 2536 dvpdj.exe 100 PID 2536 wrote to memory of 4300 2536 dvpdj.exe 100 PID 4300 wrote to memory of 60 4300 frrfrfx.exe 101 PID 4300 wrote to memory of 60 4300 frrfrfx.exe 101 PID 4300 wrote to memory of 60 4300 frrfrfx.exe 101 PID 60 wrote to memory of 3772 60 pjpjv.exe 102 PID 60 wrote to memory of 3772 60 pjpjv.exe 102 PID 60 wrote to memory of 3772 60 pjpjv.exe 102 PID 3772 wrote to memory of 4872 3772 pvdvj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97.exe"C:\Users\Admin\AppData\Local\Temp\c7f8ea140e161d9bd8e06de18d6a6d3a7534a4a0a0d8ba470935a6416fc44e97.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\fxxlflr.exec:\fxxlflr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\dvdvv.exec:\dvdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
\??\c:\xxxlxlx.exec:\xxxlxlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\fxxxfrl.exec:\fxxxfrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\tbhthb.exec:\tbhthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\vvvjd.exec:\vvvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\tnnbnh.exec:\tnnbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\9dvjv.exec:\9dvjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\lllflfr.exec:\lllflfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\pdddd.exec:\pdddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\nnthtn.exec:\nnthtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\pvvvj.exec:\pvvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\fxlxffl.exec:\fxlxffl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\tbbtnh.exec:\tbbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\vddvj.exec:\vddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\lxrlrff.exec:\lxrlrff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\jvvjd.exec:\jvvjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\dvpdj.exec:\dvpdj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\frrfrfx.exec:\frrfrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\pjpjv.exec:\pjpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\pvdvj.exec:\pvdvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\3rlxrlx.exec:\3rlxrlx.exe23⤵
- Executes dropped EXE
PID:4872 -
\??\c:\thbnbb.exec:\thbnbb.exe24⤵
- Executes dropped EXE
PID:1700 -
\??\c:\rlfrrfx.exec:\rlfrrfx.exe25⤵
- Executes dropped EXE
PID:1852 -
\??\c:\xllfrrf.exec:\xllfrrf.exe26⤵
- Executes dropped EXE
PID:3944 -
\??\c:\vjjdp.exec:\vjjdp.exe27⤵
- Executes dropped EXE
PID:1312 -
\??\c:\xrllrlx.exec:\xrllrlx.exe28⤵
- Executes dropped EXE
PID:2932 -
\??\c:\thnbnh.exec:\thnbnh.exe29⤵
- Executes dropped EXE
PID:1468 -
\??\c:\tbbthb.exec:\tbbthb.exe30⤵
- Executes dropped EXE
PID:3888 -
\??\c:\rlfrlfr.exec:\rlfrlfr.exe31⤵
- Executes dropped EXE
PID:2104 -
\??\c:\9xlfxxx.exec:\9xlfxxx.exe32⤵
- Executes dropped EXE
PID:3588 -
\??\c:\hbbntn.exec:\hbbntn.exe33⤵
- Executes dropped EXE
PID:1536 -
\??\c:\1lfxlfr.exec:\1lfxlfr.exe34⤵
- Executes dropped EXE
PID:1264 -
\??\c:\vvdjd.exec:\vvdjd.exe35⤵
- Executes dropped EXE
PID:4072 -
\??\c:\nbbnnn.exec:\nbbnnn.exe36⤵
- Executes dropped EXE
PID:1256 -
\??\c:\thbtnh.exec:\thbtnh.exe37⤵
- Executes dropped EXE
PID:2356 -
\??\c:\jdjvj.exec:\jdjvj.exe38⤵
- Executes dropped EXE
PID:676 -
\??\c:\1dpdp.exec:\1dpdp.exe39⤵
- Executes dropped EXE
PID:4132 -
\??\c:\7ffrlfr.exec:\7ffrlfr.exe40⤵
- Executes dropped EXE
PID:4600 -
\??\c:\bnnhtt.exec:\bnnhtt.exe41⤵
- Executes dropped EXE
PID:4040 -
\??\c:\1ddpd.exec:\1ddpd.exe42⤵
- Executes dropped EXE
PID:1072 -
\??\c:\rllxlfr.exec:\rllxlfr.exe43⤵
- Executes dropped EXE
PID:4948 -
\??\c:\lfxfxfx.exec:\lfxfxfx.exe44⤵
- Executes dropped EXE
PID:1620 -
\??\c:\tnntnh.exec:\tnntnh.exe45⤵
- Executes dropped EXE
PID:3120 -
\??\c:\frlxrlx.exec:\frlxrlx.exe46⤵
- Executes dropped EXE
PID:1276 -
\??\c:\hnhtnh.exec:\hnhtnh.exe47⤵
- Executes dropped EXE
PID:4812 -
\??\c:\jvjdp.exec:\jvjdp.exe48⤵
- Executes dropped EXE
PID:1968 -
\??\c:\pjdjv.exec:\pjdjv.exe49⤵
- Executes dropped EXE
PID:3908 -
\??\c:\lxrfrrf.exec:\lxrfrrf.exe50⤵
- Executes dropped EXE
PID:1500 -
\??\c:\tbbthb.exec:\tbbthb.exe51⤵
- Executes dropped EXE
PID:4860 -
\??\c:\1ntnht.exec:\1ntnht.exe52⤵
- Executes dropped EXE
PID:3716 -
\??\c:\5rlxrlf.exec:\5rlxrlf.exe53⤵
- Executes dropped EXE
PID:4396 -
\??\c:\lrllflf.exec:\lrllflf.exe54⤵
- Executes dropped EXE
PID:4488 -
\??\c:\nnnbbn.exec:\nnnbbn.exe55⤵
- Executes dropped EXE
PID:2924 -
\??\c:\vddvj.exec:\vddvj.exe56⤵
- Executes dropped EXE
PID:2708 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe57⤵
- Executes dropped EXE
PID:3724 -
\??\c:\fxrlxlf.exec:\fxrlxlf.exe58⤵
- Executes dropped EXE
PID:2372 -
\??\c:\bttnbb.exec:\bttnbb.exe59⤵
- Executes dropped EXE
PID:1336 -
\??\c:\pvpdv.exec:\pvpdv.exe60⤵
- Executes dropped EXE
PID:1744 -
\??\c:\lxrfrlx.exec:\lxrfrlx.exe61⤵
- Executes dropped EXE
PID:1884 -
\??\c:\lllxlfx.exec:\lllxlfx.exe62⤵
- Executes dropped EXE
PID:1084 -
\??\c:\nbbtnh.exec:\nbbtnh.exe63⤵
- Executes dropped EXE
PID:3972 -
\??\c:\bthbnn.exec:\bthbnn.exe64⤵
- Executes dropped EXE
PID:876 -
\??\c:\jpvpp.exec:\jpvpp.exe65⤵
- Executes dropped EXE
PID:2412 -
\??\c:\xxxlxxl.exec:\xxxlxxl.exe66⤵PID:1484
-
\??\c:\tnbtht.exec:\tnbtht.exe67⤵PID:4080
-
\??\c:\ppjvd.exec:\ppjvd.exe68⤵PID:3892
-
\??\c:\7vjdp.exec:\7vjdp.exe69⤵PID:1004
-
\??\c:\fffrfxr.exec:\fffrfxr.exe70⤵PID:4956
-
\??\c:\5nbnbb.exec:\5nbnbb.exe71⤵PID:4980
-
\??\c:\jvvjd.exec:\jvvjd.exe72⤵PID:4768
-
\??\c:\pjvpj.exec:\pjvpj.exe73⤵PID:1624
-
\??\c:\lfxlxfx.exec:\lfxlxfx.exe74⤵PID:3004
-
\??\c:\tttnhb.exec:\tttnhb.exe75⤵PID:32
-
\??\c:\dppdv.exec:\dppdv.exe76⤵PID:2636
-
\??\c:\pvvpd.exec:\pvvpd.exe77⤵
- System Location Discovery: System Language Discovery
PID:224 -
\??\c:\lrrfxrr.exec:\lrrfxrr.exe78⤵PID:5112
-
\??\c:\ntbtht.exec:\ntbtht.exe79⤵PID:3676
-
\??\c:\pddpd.exec:\pddpd.exe80⤵PID:1120
-
\??\c:\rffxffr.exec:\rffxffr.exe81⤵PID:3356
-
\??\c:\rlrfxrl.exec:\rlrfxrl.exe82⤵PID:1492
-
\??\c:\tnhbtn.exec:\tnhbtn.exe83⤵PID:1608
-
\??\c:\bnthbt.exec:\bnthbt.exe84⤵PID:2808
-
\??\c:\dpddd.exec:\dpddd.exe85⤵PID:3736
-
\??\c:\thhtnb.exec:\thhtnb.exe86⤵PID:4028
-
\??\c:\jdvdp.exec:\jdvdp.exe87⤵PID:440
-
\??\c:\fxxlxrl.exec:\fxxlxrl.exe88⤵PID:2632
-
\??\c:\nhbtnh.exec:\nhbtnh.exe89⤵PID:728
-
\??\c:\pjddv.exec:\pjddv.exe90⤵PID:64
-
\??\c:\5ddpj.exec:\5ddpj.exe91⤵PID:1496
-
\??\c:\lfxlflx.exec:\lfxlflx.exe92⤵PID:2208
-
\??\c:\bnnbnh.exec:\bnnbnh.exe93⤵PID:4916
-
\??\c:\jjjdp.exec:\jjjdp.exe94⤵PID:3300
-
\??\c:\1pvjp.exec:\1pvjp.exe95⤵PID:1468
-
\??\c:\lxxlfrl.exec:\lxxlfrl.exe96⤵PID:5048
-
\??\c:\3rrfrlx.exec:\3rrfrlx.exe97⤵PID:4688
-
\??\c:\nthbtn.exec:\nthbtn.exe98⤵PID:3080
-
\??\c:\dvpdp.exec:\dvpdp.exe99⤵PID:1296
-
\??\c:\lllxlfx.exec:\lllxlfx.exe100⤵PID:1536
-
\??\c:\1lllllf.exec:\1lllllf.exe101⤵PID:1672
-
\??\c:\5tnbtn.exec:\5tnbtn.exe102⤵PID:2780
-
\??\c:\pdvjp.exec:\pdvjp.exe103⤵PID:892
-
\??\c:\xllxlfr.exec:\xllxlfr.exe104⤵PID:2688
-
\??\c:\rfxlxlf.exec:\rfxlxlf.exe105⤵PID:976
-
\??\c:\bbbnhb.exec:\bbbnhb.exe106⤵PID:1628
-
\??\c:\7ppdp.exec:\7ppdp.exe107⤵PID:1684
-
\??\c:\dpvpj.exec:\dpvpj.exe108⤵PID:2800
-
\??\c:\fxfxxrr.exec:\fxfxxrr.exe109⤵PID:2464
-
\??\c:\rxxlfrr.exec:\rxxlfrr.exe110⤵PID:960
-
\??\c:\hnnbnh.exec:\hnnbnh.exe111⤵PID:3460
-
\??\c:\7vvdd.exec:\7vvdd.exe112⤵PID:1620
-
\??\c:\rffxrlf.exec:\rffxrlf.exe113⤵PID:3120
-
\??\c:\nbhbbb.exec:\nbhbbb.exe114⤵PID:3960
-
\??\c:\vddvv.exec:\vddvv.exe115⤵PID:4932
-
\??\c:\vpdvp.exec:\vpdvp.exe116⤵PID:1308
-
\??\c:\lxflrlr.exec:\lxflrlr.exe117⤵PID:3920
-
\??\c:\9tthbt.exec:\9tthbt.exe118⤵PID:3928
-
\??\c:\3pjdv.exec:\3pjdv.exe119⤵
- System Location Discovery: System Language Discovery
PID:4760 -
\??\c:\pdvjd.exec:\pdvjd.exe120⤵PID:4076
-
\??\c:\rflrlrf.exec:\rflrlrf.exe121⤵PID:4240
-
\??\c:\tnbthb.exec:\tnbthb.exe122⤵PID:4316