Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe
-
Size
454KB
-
MD5
8e0c464984a43ff694affdee178e6330
-
SHA1
cd8b00ceafc63c4fbd3ad8c1158837f3f9762c7f
-
SHA256
f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163
-
SHA512
be7b8f028279f6189e31cb6116358900246df7d3626e0cc3f543a30e4d6bd1fd0c842dff2b93069b72ddb7105edcddb7645b5a5a7d7a8a1271d6e4f9e1f03531
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1704-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2984-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/660-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-1101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-1368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3112 dvvvp.exe 1220 jvvvp.exe 2612 xlrlxxf.exe 3352 nhhbbb.exe 3936 xxfxxxx.exe 212 hntttt.exe 4032 lrxxrxr.exe 3536 vvddv.exe 3168 ttbbhb.exe 1556 vdjjv.exe 3444 bbhnhb.exe 4548 vdjdv.exe 5036 rlfxrrl.exe 3556 rrrrxrf.exe 1340 bhtbhh.exe 2260 rfllfff.exe 5040 vjpjj.exe 4284 ffllllf.exe 2776 ffrlxxx.exe 3992 htbttt.exe 4160 3lxxflr.exe 2976 pjpjd.exe 4888 fxxfxrr.exe 1848 btbtnn.exe 2984 hnthbb.exe 4108 xxxrllr.exe 3100 5tnntb.exe 2124 bbttnn.exe 5072 fffxxxr.exe 5100 ppppj.exe 3116 fflrxxf.exe 4528 9pddv.exe 712 rxrlffx.exe 2564 hhnhhh.exe 2284 vpppj.exe 228 9rrrlll.exe 4484 hnbbtb.exe 1940 nthtnn.exe 2432 vdvpj.exe 4372 xxlfxxf.exe 1284 xlfxrlf.exe 3540 hhhhbb.exe 1440 ddvjd.exe 4640 jjpvp.exe 2412 xlrlflf.exe 1704 ttbnht.exe 1384 pdvdv.exe 2388 xrxrrrr.exe 4816 fxlxrfx.exe 4992 ttnhbn.exe 5076 ppjjv.exe 3352 5rxlxxl.exe 1716 7htnbb.exe 3832 pjvpp.exe 1028 1llxlfl.exe 4464 nnhbbb.exe 4032 jvdvp.exe 4900 pdpjv.exe 660 lffxrll.exe 2044 tbbhbn.exe 3464 bnnbtn.exe 4988 ddvjd.exe 4360 lxxrlfx.exe 4264 nhbthh.exe -
resource yara_rule behavioral2/memory/1704-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-131-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3992-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-296-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4988-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-778-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 3112 1704 f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe 84 PID 1704 wrote to memory of 3112 1704 f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe 84 PID 1704 wrote to memory of 3112 1704 f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe 84 PID 3112 wrote to memory of 1220 3112 dvvvp.exe 85 PID 3112 wrote to memory of 1220 3112 dvvvp.exe 85 PID 3112 wrote to memory of 1220 3112 dvvvp.exe 85 PID 1220 wrote to memory of 2612 1220 jvvvp.exe 86 PID 1220 wrote to memory of 2612 1220 jvvvp.exe 86 PID 1220 wrote to memory of 2612 1220 jvvvp.exe 86 PID 2612 wrote to memory of 3352 2612 xlrlxxf.exe 87 PID 2612 wrote to memory of 3352 2612 xlrlxxf.exe 87 PID 2612 wrote to memory of 3352 2612 xlrlxxf.exe 87 PID 3352 wrote to memory of 3936 3352 nhhbbb.exe 88 PID 3352 wrote to memory of 3936 3352 nhhbbb.exe 88 PID 3352 wrote to memory of 3936 3352 nhhbbb.exe 88 PID 3936 wrote to memory of 212 3936 xxfxxxx.exe 89 PID 3936 wrote to memory of 212 3936 xxfxxxx.exe 89 PID 3936 wrote to memory of 212 3936 xxfxxxx.exe 89 PID 212 wrote to memory of 4032 212 hntttt.exe 90 PID 212 wrote to memory of 4032 212 hntttt.exe 90 PID 212 wrote to memory of 4032 212 hntttt.exe 90 PID 4032 wrote to memory of 3536 4032 lrxxrxr.exe 91 PID 4032 wrote to memory of 3536 4032 lrxxrxr.exe 91 PID 4032 wrote to memory of 3536 4032 lrxxrxr.exe 91 PID 3536 wrote to memory of 3168 3536 vvddv.exe 92 PID 3536 wrote to memory of 3168 3536 vvddv.exe 92 PID 3536 wrote to memory of 3168 3536 vvddv.exe 92 PID 3168 wrote to memory of 1556 3168 ttbbhb.exe 93 PID 3168 wrote to memory of 1556 3168 ttbbhb.exe 93 PID 3168 wrote to memory of 1556 3168 ttbbhb.exe 93 PID 1556 wrote to memory of 3444 1556 vdjjv.exe 94 PID 1556 wrote to memory of 3444 1556 vdjjv.exe 94 PID 1556 wrote to memory of 3444 1556 vdjjv.exe 94 PID 3444 wrote to memory of 4548 3444 bbhnhb.exe 95 PID 3444 wrote to memory of 
4548 3444 bbhnhb.exe 95 PID 3444 wrote to memory of 4548 3444 bbhnhb.exe 95 PID 4548 wrote to memory of 5036 4548 vdjdv.exe 96 PID 4548 wrote to memory of 5036 4548 vdjdv.exe 96 PID 4548 wrote to memory of 5036 4548 vdjdv.exe 96 PID 5036 wrote to memory of 3556 5036 rlfxrrl.exe 97 PID 5036 wrote to memory of 3556 5036 rlfxrrl.exe 97 PID 5036 wrote to memory of 3556 5036 rlfxrrl.exe 97 PID 3556 wrote to memory of 1340 3556 rrrrxrf.exe 98 PID 3556 wrote to memory of 1340 3556 rrrrxrf.exe 98 PID 3556 wrote to memory of 1340 3556 rrrrxrf.exe 98 PID 1340 wrote to memory of 2260 1340 bhtbhh.exe 99 PID 1340 wrote to memory of 2260 1340 bhtbhh.exe 99 PID 1340 wrote to memory of 2260 1340 bhtbhh.exe 99 PID 2260 wrote to memory of 5040 2260 rfllfff.exe 100 PID 2260 wrote to memory of 5040 2260 rfllfff.exe 100 PID 2260 wrote to memory of 5040 2260 rfllfff.exe 100 PID 5040 wrote to memory of 4284 5040 vjpjj.exe 101 PID 5040 wrote to memory of 4284 5040 vjpjj.exe 101 PID 5040 wrote to memory of 4284 5040 vjpjj.exe 101 PID 4284 wrote to memory of 2776 4284 ffllllf.exe 102 PID 4284 wrote to memory of 2776 4284 ffllllf.exe 102 PID 4284 wrote to memory of 2776 4284 ffllllf.exe 102 PID 2776 wrote to memory of 3992 2776 ffrlxxx.exe 103 PID 2776 wrote to memory of 3992 2776 ffrlxxx.exe 103 PID 2776 wrote to memory of 3992 2776 ffrlxxx.exe 103 PID 3992 wrote to memory of 4160 3992 htbttt.exe 104 PID 3992 wrote to memory of 4160 3992 htbttt.exe 104 PID 3992 wrote to memory of 4160 3992 htbttt.exe 104 PID 4160 wrote to memory of 2976 4160 3lxxflr.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe"C:\Users\Admin\AppData\Local\Temp\f4e00fdcf414bb3c2c09617102a4f08232c80eb9c439d1f1cc301007a9945163N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\dvvvp.exec:\dvvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\jvvvp.exec:\jvvvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\xlrlxxf.exec:\xlrlxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\nhhbbb.exec:\nhhbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\hntttt.exec:\hntttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\lrxxrxr.exec:\lrxxrxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\vvddv.exec:\vvddv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\ttbbhb.exec:\ttbbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\vdjjv.exec:\vdjjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\bbhnhb.exec:\bbhnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\vdjdv.exec:\vdjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\rrrrxrf.exec:\rrrrxrf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\bhtbhh.exec:\bhtbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\rfllfff.exec:\rfllfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\vjpjj.exec:\vjpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\ffllllf.exec:\ffllllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\ffrlxxx.exec:\ffrlxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\htbttt.exec:\htbttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\3lxxflr.exec:\3lxxflr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\pjpjd.exec:\pjpjd.exe23⤵
- Executes dropped EXE
PID:2976 -
\??\c:\fxxfxrr.exec:\fxxfxrr.exe24⤵
- Executes dropped EXE
PID:4888 -
\??\c:\btbtnn.exec:\btbtnn.exe25⤵
- Executes dropped EXE
PID:1848 -
\??\c:\hnthbb.exec:\hnthbb.exe26⤵
- Executes dropped EXE
PID:2984 -
\??\c:\xxxrllr.exec:\xxxrllr.exe27⤵
- Executes dropped EXE
PID:4108 -
\??\c:\5tnntb.exec:\5tnntb.exe28⤵
- Executes dropped EXE
PID:3100 -
\??\c:\bbttnn.exec:\bbttnn.exe29⤵
- Executes dropped EXE
PID:2124 -
\??\c:\fffxxxr.exec:\fffxxxr.exe30⤵
- Executes dropped EXE
PID:5072 -
\??\c:\ppppj.exec:\ppppj.exe31⤵
- Executes dropped EXE
PID:5100 -
\??\c:\fflrxxf.exec:\fflrxxf.exe32⤵
- Executes dropped EXE
PID:3116 -
\??\c:\9pddv.exec:\9pddv.exe33⤵
- Executes dropped EXE
PID:4528 -
\??\c:\rxrlffx.exec:\rxrlffx.exe34⤵
- Executes dropped EXE
PID:712 -
\??\c:\hhnhhh.exec:\hhnhhh.exe35⤵
- Executes dropped EXE
PID:2564 -
\??\c:\vpppj.exec:\vpppj.exe36⤵
- Executes dropped EXE
PID:2284 -
\??\c:\9rrrlll.exec:\9rrrlll.exe37⤵
- Executes dropped EXE
PID:228 -
\??\c:\hnbbtb.exec:\hnbbtb.exe38⤵
- Executes dropped EXE
PID:4484 -
\??\c:\nthtnn.exec:\nthtnn.exe39⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vdvpj.exec:\vdvpj.exe40⤵
- Executes dropped EXE
PID:2432 -
\??\c:\xxlfxxf.exec:\xxlfxxf.exe41⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xlfxrlf.exec:\xlfxrlf.exe42⤵
- Executes dropped EXE
PID:1284 -
\??\c:\hhhhbb.exec:\hhhhbb.exe43⤵
- Executes dropped EXE
PID:3540 -
\??\c:\ddvjd.exec:\ddvjd.exe44⤵
- Executes dropped EXE
PID:1440 -
\??\c:\jjpvp.exec:\jjpvp.exe45⤵
- Executes dropped EXE
PID:4640 -
\??\c:\xlrlflf.exec:\xlrlflf.exe46⤵
- Executes dropped EXE
PID:2412 -
\??\c:\ttbnht.exec:\ttbnht.exe47⤵
- Executes dropped EXE
PID:1704 -
\??\c:\pdvdv.exec:\pdvdv.exe48⤵
- Executes dropped EXE
PID:1384 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe49⤵
- Executes dropped EXE
PID:2388 -
\??\c:\fxlxrfx.exec:\fxlxrfx.exe50⤵
- Executes dropped EXE
PID:4816 -
\??\c:\ttnhbn.exec:\ttnhbn.exe51⤵
- Executes dropped EXE
PID:4992 -
\??\c:\ppjjv.exec:\ppjjv.exe52⤵
- Executes dropped EXE
PID:5076 -
\??\c:\5rxlxxl.exec:\5rxlxxl.exe53⤵
- Executes dropped EXE
PID:3352 -
\??\c:\7htnbb.exec:\7htnbb.exe54⤵
- Executes dropped EXE
PID:1716 -
\??\c:\pjvpp.exec:\pjvpp.exe55⤵
- Executes dropped EXE
PID:3832 -
\??\c:\1llxlfl.exec:\1llxlfl.exe56⤵
- Executes dropped EXE
PID:1028 -
\??\c:\nnhbbb.exec:\nnhbbb.exe57⤵
- Executes dropped EXE
PID:4464 -
\??\c:\jvdvp.exec:\jvdvp.exe58⤵
- Executes dropped EXE
PID:4032 -
\??\c:\pdpjv.exec:\pdpjv.exe59⤵
- Executes dropped EXE
PID:4900 -
\??\c:\lffxrll.exec:\lffxrll.exe60⤵
- Executes dropped EXE
PID:660 -
\??\c:\tbbhbn.exec:\tbbhbn.exe61⤵
- Executes dropped EXE
PID:2044 -
\??\c:\bnnbtn.exec:\bnnbtn.exe62⤵
- Executes dropped EXE
PID:3464 -
\??\c:\ddvjd.exec:\ddvjd.exe63⤵
- Executes dropped EXE
PID:4988 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe64⤵
- Executes dropped EXE
PID:4360 -
\??\c:\nhbthh.exec:\nhbthh.exe65⤵
- Executes dropped EXE
PID:4264 -
\??\c:\pdpvp.exec:\pdpvp.exe66⤵PID:1060
-
\??\c:\lfxxxxr.exec:\lfxxxxr.exe67⤵PID:4092
-
\??\c:\bthbtn.exec:\bthbtn.exe68⤵PID:4348
-
\??\c:\3pjpj.exec:\3pjpj.exe69⤵PID:2676
-
\??\c:\rllxrrr.exec:\rllxrrr.exe70⤵PID:4648
-
\??\c:\5lrrrrr.exec:\5lrrrrr.exe71⤵PID:3340
-
\??\c:\bnnhbt.exec:\bnnhbt.exe72⤵PID:2616
-
\??\c:\jdvpj.exec:\jdvpj.exe73⤵PID:3736
-
\??\c:\ddppd.exec:\ddppd.exe74⤵PID:2028
-
\??\c:\llfxlfx.exec:\llfxlfx.exe75⤵PID:4856
-
\??\c:\3hnhbb.exec:\3hnhbb.exe76⤵PID:3992
-
\??\c:\jddpj.exec:\jddpj.exe77⤵PID:4552
-
\??\c:\rrrlllf.exec:\rrrlllf.exe78⤵PID:3232
-
\??\c:\btbtnn.exec:\btbtnn.exe79⤵PID:4932
-
\??\c:\tnbthh.exec:\tnbthh.exe80⤵PID:2624
-
\??\c:\pdvpd.exec:\pdvpd.exe81⤵PID:2708
-
\??\c:\xfxrffr.exec:\xfxrffr.exe82⤵PID:1496
-
\??\c:\tnhtnh.exec:\tnhtnh.exe83⤵PID:4824
-
\??\c:\vvdvv.exec:\vvdvv.exe84⤵PID:2984
-
\??\c:\9ppdp.exec:\9ppdp.exe85⤵PID:4432
-
\??\c:\xffxfff.exec:\xffxfff.exe86⤵PID:3492
-
\??\c:\1nbbhh.exec:\1nbbhh.exe87⤵PID:316
-
\??\c:\7vppv.exec:\7vppv.exe88⤵PID:396
-
\??\c:\xxxrfxx.exec:\xxxrfxx.exe89⤵
- System Location Discovery: System Language Discovery
PID:4004 -
\??\c:\1bbtnh.exec:\1bbtnh.exe90⤵PID:4972
-
\??\c:\bbbbtt.exec:\bbbbtt.exe91⤵PID:4512
-
\??\c:\vvvjd.exec:\vvvjd.exe92⤵PID:1980
-
\??\c:\ffrlxxl.exec:\ffrlxxl.exe93⤵PID:1952
-
\??\c:\3bnhbb.exec:\3bnhbb.exe94⤵PID:4628
-
\??\c:\tttthb.exec:\tttthb.exe95⤵PID:1240
-
\??\c:\1jpjv.exec:\1jpjv.exe96⤵PID:2548
-
\??\c:\xflfxxr.exec:\xflfxxr.exe97⤵PID:712
-
\??\c:\flfrlfr.exec:\flfrlfr.exe98⤵PID:2464
-
\??\c:\3hhbnh.exec:\3hhbnh.exe99⤵PID:3860
-
\??\c:\vjjdp.exec:\vjjdp.exe100⤵PID:4588
-
\??\c:\rrxrrlf.exec:\rrxrrlf.exe101⤵PID:3360
-
\??\c:\frrlfxr.exec:\frrlfxr.exe102⤵PID:2748
-
\??\c:\nnbthb.exec:\nnbthb.exe103⤵PID:4712
-
\??\c:\vjdpj.exec:\vjdpj.exe104⤵PID:2204
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe105⤵PID:2656
-
\??\c:\bnhbnh.exec:\bnhbnh.exe106⤵
- System Location Discovery: System Language Discovery
PID:1284 -
\??\c:\5pppp.exec:\5pppp.exe107⤵PID:4448
-
\??\c:\dvvpd.exec:\dvvpd.exe108⤵PID:2492
-
\??\c:\rrfxrlf.exec:\rrfxrlf.exe109⤵PID:2452
-
\??\c:\bbtnnh.exec:\bbtnnh.exe110⤵PID:4644
-
\??\c:\bnnhtt.exec:\bnnhtt.exe111⤵PID:1704
-
\??\c:\1pjjd.exec:\1pjjd.exe112⤵PID:4304
-
\??\c:\5rllxrl.exec:\5rllxrl.exe113⤵PID:2612
-
\??\c:\9htnhh.exec:\9htnhh.exe114⤵PID:4816
-
\??\c:\hhtnhb.exec:\hhtnhb.exe115⤵PID:4992
-
\??\c:\5dvpd.exec:\5dvpd.exe116⤵PID:4812
-
\??\c:\ffrlfxr.exec:\ffrlfxr.exe117⤵PID:1216
-
\??\c:\9xxlxrr.exec:\9xxlxrr.exe118⤵PID:1716
-
\??\c:\1hhbnh.exec:\1hhbnh.exe119⤵PID:1604
-
\??\c:\pjdvj.exec:\pjdvj.exe120⤵PID:1028
-
\??\c:\llrlrlf.exec:\llrlrlf.exe121⤵PID:8
-
\??\c:\7lrfrll.exec:\7lrfrll.exe122⤵PID:3836