Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 10:46
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0N.exe
-
Size
454KB
-
MD5
8396849b39aef5bc862af7d508fa0f70
-
SHA1
38ad689db5b7305549832e9bbf278c2a1c4c05ce
-
SHA256
b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0
-
SHA512
c31797c9e64bc4a1806e19f38a02c76707fe5c183666db314487b8b2b2e035faeb0697e677104bd48e312cc4c96954b2582b1e418a302dde9bfac2317f4f83a9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2956-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4912-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3928-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-1022-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-1182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3392-1267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4516 dvdvj.exe 3032 xrflxlx.exe 3584 pdvjp.exe 4932 7nnbnh.exe 4632 7rrlxxr.exe 4556 bthbnn.exe 4864 3vvjv.exe 224 frxrffx.exe 4056 djpjd.exe 4340 tnhthb.exe 2088 pvvjd.exe 4104 lxlxxrr.exe 4076 9nnhtn.exe 2708 rlxxlfr.exe 4316 bthhtn.exe 4140 3hnbnn.exe 2996 1flxlfr.exe 4744 3hhbtb.exe 1020 ppjvj.exe 2844 1rllfrx.exe 5080 flfxllf.exe 3760 bhbhtt.exe 4196 hbbthb.exe 456 pjdvp.exe 2064 nhtthn.exe 1628 rflxxlf.exe 2556 hnnbtn.exe 1980 dpvjj.exe 4912 lrllrfx.exe 3764 dpvvp.exe 740 3ffllrx.exe 4440 tntbnh.exe 888 5llrfxl.exe 3220 tbnntb.exe 3896 pddvv.exe 1692 fxxlxfr.exe 3388 9hhtnb.exe 2612 dpvjj.exe 3124 dpdvv.exe 2284 ntbnbt.exe 948 nhnhnh.exe 1476 jvdpd.exe 3944 dpvjj.exe 1872 fxfrfxr.exe 408 ntthtn.exe 2952 vdjdp.exe 60 frlfrlx.exe 3880 5nhthb.exe 1028 dppdv.exe 4544 jdvjv.exe 2572 nhbtth.exe 1656 ntbttn.exe 3536 1jjpd.exe 3580 xlfrfxr.exe 4620 tbntbh.exe 2004 hbtbtt.exe 3956 3vdpd.exe 4632 dpjvj.exe 4556 5fllxlr.exe 264 nnnnnb.exe 3448 jvvjd.exe 3692 frfrrll.exe 1672 ntnhnh.exe 1284 dvpjd.exe -
resource yara_rule behavioral2/memory/2956-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3764-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-394-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1784-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-918-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7fxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tththb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2956 wrote to memory of 4516 2956 b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0N.exe 83 PID 2956 wrote to memory of 4516 2956 b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0N.exe 83 PID 2956 wrote to memory of 4516 2956 b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0N.exe 83 PID 4516 wrote to memory of 3032 4516 dvdvj.exe 84 PID 4516 wrote to memory of 3032 4516 dvdvj.exe 84 PID 4516 wrote to memory of 3032 4516 dvdvj.exe 84 PID 3032 wrote to memory of 3584 3032 xrflxlx.exe 85 PID 3032 wrote to memory of 3584 3032 xrflxlx.exe 85 PID 3032 wrote to memory of 3584 3032 xrflxlx.exe 85 PID 3584 wrote to memory of 4932 3584 pdvjp.exe 86 PID 3584 wrote to memory of 4932 3584 pdvjp.exe 86 PID 3584 wrote to memory of 4932 3584 pdvjp.exe 86 PID 4932 wrote to memory of 4632 4932 7nnbnh.exe 87 PID 4932 wrote to memory of 4632 4932 7nnbnh.exe 87 PID 4932 wrote to memory of 4632 4932 7nnbnh.exe 87 PID 4632 wrote to memory of 4556 4632 7rrlxxr.exe 88 PID 4632 wrote to memory of 4556 4632 7rrlxxr.exe 88 PID 4632 wrote to memory of 4556 4632 7rrlxxr.exe 88 PID 4556 wrote to memory of 4864 4556 bthbnn.exe 89 PID 4556 wrote to memory of 4864 4556 bthbnn.exe 89 PID 4556 wrote to memory of 4864 4556 bthbnn.exe 89 PID 4864 wrote to memory of 224 4864 3vvjv.exe 90 PID 4864 wrote to memory of 224 4864 3vvjv.exe 90 PID 4864 wrote to memory of 224 4864 3vvjv.exe 90 PID 224 wrote to memory of 4056 224 frxrffx.exe 91 PID 224 wrote to memory of 4056 224 frxrffx.exe 91 PID 224 wrote to memory of 4056 224 frxrffx.exe 91 PID 4056 wrote to memory of 4340 4056 djpjd.exe 92 PID 4056 wrote to memory of 4340 4056 djpjd.exe 92 PID 4056 wrote to memory of 4340 4056 djpjd.exe 92 PID 4340 wrote to memory of 2088 4340 tnhthb.exe 93 PID 4340 wrote to memory of 2088 4340 tnhthb.exe 93 PID 4340 wrote to memory of 2088 4340 tnhthb.exe 93 PID 2088 wrote to memory of 4104 2088 pvvjd.exe 94 PID 2088 wrote to memory of 
4104 2088 pvvjd.exe 94 PID 2088 wrote to memory of 4104 2088 pvvjd.exe 94 PID 4104 wrote to memory of 4076 4104 lxlxxrr.exe 95 PID 4104 wrote to memory of 4076 4104 lxlxxrr.exe 95 PID 4104 wrote to memory of 4076 4104 lxlxxrr.exe 95 PID 4076 wrote to memory of 2708 4076 9nnhtn.exe 96 PID 4076 wrote to memory of 2708 4076 9nnhtn.exe 96 PID 4076 wrote to memory of 2708 4076 9nnhtn.exe 96 PID 2708 wrote to memory of 4316 2708 rlxxlfr.exe 97 PID 2708 wrote to memory of 4316 2708 rlxxlfr.exe 97 PID 2708 wrote to memory of 4316 2708 rlxxlfr.exe 97 PID 4316 wrote to memory of 4140 4316 bthhtn.exe 98 PID 4316 wrote to memory of 4140 4316 bthhtn.exe 98 PID 4316 wrote to memory of 4140 4316 bthhtn.exe 98 PID 4140 wrote to memory of 2996 4140 3hnbnn.exe 99 PID 4140 wrote to memory of 2996 4140 3hnbnn.exe 99 PID 4140 wrote to memory of 2996 4140 3hnbnn.exe 99 PID 2996 wrote to memory of 4744 2996 1flxlfr.exe 100 PID 2996 wrote to memory of 4744 2996 1flxlfr.exe 100 PID 2996 wrote to memory of 4744 2996 1flxlfr.exe 100 PID 4744 wrote to memory of 1020 4744 3hhbtb.exe 101 PID 4744 wrote to memory of 1020 4744 3hhbtb.exe 101 PID 4744 wrote to memory of 1020 4744 3hhbtb.exe 101 PID 1020 wrote to memory of 2844 1020 ppjvj.exe 102 PID 1020 wrote to memory of 2844 1020 ppjvj.exe 102 PID 1020 wrote to memory of 2844 1020 ppjvj.exe 102 PID 2844 wrote to memory of 5080 2844 1rllfrx.exe 103 PID 2844 wrote to memory of 5080 2844 1rllfrx.exe 103 PID 2844 wrote to memory of 5080 2844 1rllfrx.exe 103 PID 5080 wrote to memory of 3760 5080 flfxllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0N.exe"C:\Users\Admin\AppData\Local\Temp\b9646029abe38f001bed7ace1d5083621b7d5328d0cb8736fdc9075d12d00cf0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\dvdvj.exec:\dvdvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\xrflxlx.exec:\xrflxlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\pdvjp.exec:\pdvjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\7nnbnh.exec:\7nnbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\7rrlxxr.exec:\7rrlxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\bthbnn.exec:\bthbnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\3vvjv.exec:\3vvjv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\frxrffx.exec:\frxrffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\djpjd.exec:\djpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\tnhthb.exec:\tnhthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\pvvjd.exec:\pvvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\lxlxxrr.exec:\lxlxxrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\9nnhtn.exec:\9nnhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\rlxxlfr.exec:\rlxxlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\bthhtn.exec:\bthhtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\3hnbnn.exec:\3hnbnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\1flxlfr.exec:\1flxlfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\3hhbtb.exec:\3hhbtb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\ppjvj.exec:\ppjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\1rllfrx.exec:\1rllfrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\flfxllf.exec:\flfxllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\bhbhtt.exec:\bhbhtt.exe23⤵
- Executes dropped EXE
PID:3760 -
\??\c:\hbbthb.exec:\hbbthb.exe24⤵
- Executes dropped EXE
PID:4196 -
\??\c:\pjdvp.exec:\pjdvp.exe25⤵
- Executes dropped EXE
PID:456 -
\??\c:\nhtthn.exec:\nhtthn.exe26⤵
- Executes dropped EXE
PID:2064 -
\??\c:\rflxxlf.exec:\rflxxlf.exe27⤵
- Executes dropped EXE
PID:1628 -
\??\c:\hnnbtn.exec:\hnnbtn.exe28⤵
- Executes dropped EXE
PID:2556 -
\??\c:\dpvjj.exec:\dpvjj.exe29⤵
- Executes dropped EXE
PID:1980 -
\??\c:\lrllrfx.exec:\lrllrfx.exe30⤵
- Executes dropped EXE
PID:4912 -
\??\c:\dpvvp.exec:\dpvvp.exe31⤵
- Executes dropped EXE
PID:3764 -
\??\c:\3ffllrx.exec:\3ffllrx.exe32⤵
- Executes dropped EXE
PID:740 -
\??\c:\tntbnh.exec:\tntbnh.exe33⤵
- Executes dropped EXE
PID:4440 -
\??\c:\5llrfxl.exec:\5llrfxl.exe34⤵
- Executes dropped EXE
PID:888 -
\??\c:\tbnntb.exec:\tbnntb.exe35⤵
- Executes dropped EXE
PID:3220 -
\??\c:\pddvv.exec:\pddvv.exe36⤵
- Executes dropped EXE
PID:3896 -
\??\c:\fxxlxfr.exec:\fxxlxfr.exe37⤵
- Executes dropped EXE
PID:1692 -
\??\c:\9hhtnb.exec:\9hhtnb.exe38⤵
- Executes dropped EXE
PID:3388 -
\??\c:\dpvjj.exec:\dpvjj.exe39⤵
- Executes dropped EXE
PID:2612 -
\??\c:\dpdvv.exec:\dpdvv.exe40⤵
- Executes dropped EXE
PID:3124 -
\??\c:\ntbnbt.exec:\ntbnbt.exe41⤵
- Executes dropped EXE
PID:2284 -
\??\c:\nhnhnh.exec:\nhnhnh.exe42⤵
- Executes dropped EXE
PID:948 -
\??\c:\jvdpd.exec:\jvdpd.exe43⤵
- Executes dropped EXE
PID:1476 -
\??\c:\dpvjj.exec:\dpvjj.exe44⤵
- Executes dropped EXE
PID:3944 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe45⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ntthtn.exec:\ntthtn.exe46⤵
- Executes dropped EXE
PID:408 -
\??\c:\vdjdp.exec:\vdjdp.exe47⤵
- Executes dropped EXE
PID:2952 -
\??\c:\frlfrlx.exec:\frlfrlx.exe48⤵
- Executes dropped EXE
PID:60 -
\??\c:\5nhthb.exec:\5nhthb.exe49⤵
- Executes dropped EXE
PID:3880 -
\??\c:\dppdv.exec:\dppdv.exe50⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jdvjv.exec:\jdvjv.exe51⤵
- Executes dropped EXE
PID:4544 -
\??\c:\3llxllx.exec:\3llxllx.exe52⤵PID:4644
-
\??\c:\nhbtth.exec:\nhbtth.exe53⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ntbttn.exec:\ntbttn.exe54⤵
- Executes dropped EXE
PID:1656 -
\??\c:\1jjpd.exec:\1jjpd.exe55⤵
- Executes dropped EXE
PID:3536 -
\??\c:\xlfrfxr.exec:\xlfrfxr.exe56⤵
- Executes dropped EXE
PID:3580 -
\??\c:\tbntbh.exec:\tbntbh.exe57⤵
- Executes dropped EXE
PID:4620 -
\??\c:\hbtbtt.exec:\hbtbtt.exe58⤵
- Executes dropped EXE
PID:2004 -
\??\c:\3vdpd.exec:\3vdpd.exe59⤵
- Executes dropped EXE
PID:3956 -
\??\c:\dpjvj.exec:\dpjvj.exe60⤵
- Executes dropped EXE
PID:4632 -
\??\c:\5fllxlr.exec:\5fllxlr.exe61⤵
- Executes dropped EXE
PID:4556 -
\??\c:\nnnnnb.exec:\nnnnnb.exe62⤵
- Executes dropped EXE
PID:264 -
\??\c:\jvvjd.exec:\jvvjd.exe63⤵
- Executes dropped EXE
PID:3448 -
\??\c:\frfrrll.exec:\frfrrll.exe64⤵
- Executes dropped EXE
PID:3692 -
\??\c:\ntnhnh.exec:\ntnhnh.exe65⤵
- Executes dropped EXE
PID:1672 -
\??\c:\dvpjd.exec:\dvpjd.exe66⤵
- Executes dropped EXE
PID:1284 -
\??\c:\lllxrfx.exec:\lllxrfx.exe67⤵PID:216
-
\??\c:\1nbthh.exec:\1nbthh.exe68⤵PID:3208
-
\??\c:\vjppj.exec:\vjppj.exe69⤵PID:2404
-
\??\c:\vpjvd.exec:\vpjvd.exe70⤵PID:4576
-
\??\c:\rlxrflf.exec:\rlxrflf.exe71⤵PID:1484
-
\??\c:\hbnhtb.exec:\hbnhtb.exe72⤵PID:1900
-
\??\c:\9pjdp.exec:\9pjdp.exe73⤵PID:2716
-
\??\c:\xrxrfxr.exec:\xrxrfxr.exe74⤵PID:3404
-
\??\c:\hbbtth.exec:\hbbtth.exe75⤵PID:2736
-
\??\c:\btnhnh.exec:\btnhnh.exe76⤵PID:4176
-
\??\c:\pjdpd.exec:\pjdpd.exe77⤵PID:2012
-
\??\c:\xrrfrxl.exec:\xrrfrxl.exe78⤵PID:404
-
\??\c:\bnhhhn.exec:\bnhhhn.exe79⤵PID:1128
-
\??\c:\ppjvj.exec:\ppjvj.exe80⤵PID:3252
-
\??\c:\vvvjp.exec:\vvvjp.exe81⤵PID:3168
-
\??\c:\ffxlfxl.exec:\ffxlfxl.exe82⤵PID:2844
-
\??\c:\htbtbt.exec:\htbtbt.exe83⤵PID:2024
-
\??\c:\jdvdd.exec:\jdvdd.exe84⤵PID:2936
-
\??\c:\lxflfrl.exec:\lxflfrl.exe85⤵PID:2516
-
\??\c:\lxxlxlf.exec:\lxxlxlf.exe86⤵PID:2840
-
\??\c:\3tthnh.exec:\3tthnh.exe87⤵PID:4652
-
\??\c:\5djvv.exec:\5djvv.exe88⤵PID:4500
-
\??\c:\fxfrlfx.exec:\fxfrlfx.exe89⤵PID:1676
-
\??\c:\hbbnbt.exec:\hbbnbt.exe90⤵PID:4224
-
\??\c:\hbbnbt.exec:\hbbnbt.exe91⤵PID:3928
-
\??\c:\3jvjp.exec:\3jvjp.exe92⤵PID:3020
-
\??\c:\dpjvj.exec:\dpjvj.exe93⤵PID:2784
-
\??\c:\lxxxfxr.exec:\lxxxfxr.exe94⤵PID:1980
-
\??\c:\3nhbhb.exec:\3nhbhb.exe95⤵PID:3460
-
\??\c:\djddp.exec:\djddp.exe96⤵PID:4668
-
\??\c:\pjjvd.exec:\pjjvd.exe97⤵PID:4968
-
\??\c:\xlfrfxl.exec:\xlfrfxl.exe98⤵PID:3908
-
\??\c:\nhnhhb.exec:\nhnhhb.exe99⤵PID:1784
-
\??\c:\hhnbnh.exec:\hhnbnh.exe100⤵PID:2180
-
\??\c:\9vpdv.exec:\9vpdv.exe101⤵PID:968
-
\??\c:\7xxlfxx.exec:\7xxlfxx.exe102⤵
- System Location Discovery: System Language Discovery
PID:2444 -
\??\c:\tbbbnb.exec:\tbbbnb.exe103⤵PID:1616
-
\??\c:\5nnbhb.exec:\5nnbhb.exe104⤵PID:4948
-
\??\c:\dpvjd.exec:\dpvjd.exe105⤵PID:4012
-
\??\c:\xllfrlf.exec:\xllfrlf.exe106⤵PID:2356
-
\??\c:\bhhthb.exec:\bhhthb.exe107⤵PID:2244
-
\??\c:\vjppv.exec:\vjppv.exe108⤵PID:468
-
\??\c:\9llxlff.exec:\9llxlff.exe109⤵PID:2432
-
\??\c:\hhtttb.exec:\hhtttb.exe110⤵PID:636
-
\??\c:\tnthtt.exec:\tnthtt.exe111⤵PID:3452
-
\??\c:\vjjdp.exec:\vjjdp.exe112⤵PID:1872
-
\??\c:\tntnhb.exec:\tntnhb.exe113⤵PID:2892
-
\??\c:\jdvdv.exec:\jdvdv.exe114⤵PID:2952
-
\??\c:\vdjdv.exec:\vdjdv.exe115⤵PID:3424
-
\??\c:\5lxfffx.exec:\5lxfffx.exe116⤵PID:2756
-
\??\c:\ththhb.exec:\ththhb.exe117⤵PID:4708
-
\??\c:\pddpj.exec:\pddpj.exe118⤵PID:1816
-
\??\c:\pjjdp.exec:\pjjdp.exe119⤵PID:4644
-
\??\c:\frrlffr.exec:\frrlffr.exe120⤵PID:3740
-
\??\c:\hntnbt.exec:\hntnbt.exe121⤵PID:1656
-
\??\c:\pjvpj.exec:\pjvpj.exe122⤵PID:3864