Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe
-
Size
454KB
-
MD5
be7921a406d588b299bd44790020616f
-
SHA1
be50e71289be2158afe8e30795722c0e7b43a477
-
SHA256
2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39
-
SHA512
4afabc0c7ec2102b9eb67401f326adc2394d341a102bedaa4304da208983b4719dfb48394a70372bf78c676584a6266a51323c6698ce66b1f7c99f628eecc248
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeVV:q7Tc2NYHUrAwfMp3CDVV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/592-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1664-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4944-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-777-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-814-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-912-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-1012-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-1025-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-1086-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-1253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-1311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-1402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4864-1597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 636 fxffrfr.exe 4936 bnbnbn.exe 4680 vddjv.exe 4224 3dpdp.exe 1920 3frlfxr.exe 4780 bbtnbt.exe 4684 jdvvj.exe 2344 1tthbh.exe 3876 7pjvj.exe 2992 1vvdp.exe 2028 3frlxxl.exe 1028 bthbtn.exe 232 vpvpv.exe 1020 ffxrlfx.exe 3100 nnbbnn.exe 3592 3vvjd.exe 2908 3jvvj.exe 1372 lxxlxrl.exe 1140 lrrlfff.exe 2828 bttnbt.exe 1908 xlfxrfr.exe 208 ntbnhb.exe 3400 xffrfxr.exe 1664 ttthbn.exe 2360 1vdpj.exe 2268 bbbtnh.exe 1052 jjvpv.exe 2156 nhnhbn.exe 1444 vdjdp.exe 3312 xrrrrfl.exe 3520 hnnhbt.exe 1088 9vpjd.exe 2504 xlxrrff.exe 336 vjdpd.exe 2012 lxxrfxl.exe 2324 thtnnh.exe 4796 pdvpj.exe 5056 fllxrlf.exe 4396 lrxlfxr.exe 2584 hbhthb.exe 4688 5dpvj.exe 4948 xfxrfxr.exe 3936 7tthnn.exe 2528 1jvvj.exe 4804 dpvjj.exe 2252 xllxllx.exe 2816 lrxlfxr.exe 4404 tbbthn.exe 2976 pdddp.exe 2192 jjppd.exe 3064 ffxrffr.exe 3544 ddvjv.exe 4360 vjpdd.exe 4344 lxrfrrl.exe 3120 hbnhtn.exe 396 pppdv.exe 4680 rffffxx.exe 3476 nnbntb.exe 4640 bhbtnb.exe 3792 5jdvj.exe 3656 fllfrrf.exe 2604 ntthbt.exe 3536 vjjjv.exe 2136 jjjpp.exe -
resource yara_rule behavioral2/memory/592-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1664-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1512-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-777-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-908-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-912-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-1012-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-1025-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-1086-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 592 wrote to memory of 636 592 2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe 82 PID 592 wrote to memory of 636 592 2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe 82 PID 592 wrote to memory of 636 592 2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe 82 PID 636 wrote to memory of 4936 636 fxffrfr.exe 83 PID 636 wrote to memory of 4936 636 fxffrfr.exe 83 PID 636 wrote to memory of 4936 636 fxffrfr.exe 83 PID 4936 wrote to memory of 4680 4936 bnbnbn.exe 84 PID 4936 wrote to memory of 4680 4936 bnbnbn.exe 84 PID 4936 wrote to memory of 4680 4936 bnbnbn.exe 84 PID 4680 wrote to memory of 4224 4680 vddjv.exe 85 PID 4680 wrote to memory of 4224 4680 vddjv.exe 85 PID 4680 wrote to memory of 4224 4680 vddjv.exe 85 PID 4224 wrote to memory of 1920 4224 3dpdp.exe 86 PID 4224 wrote to memory of 1920 4224 3dpdp.exe 86 PID 4224 wrote to memory of 1920 4224 3dpdp.exe 86 PID 1920 wrote to memory of 4780 1920 3frlfxr.exe 87 PID 1920 wrote to memory of 4780 1920 3frlfxr.exe 87 PID 1920 wrote to memory of 4780 1920 3frlfxr.exe 87 PID 4780 wrote to memory of 4684 4780 bbtnbt.exe 88 PID 4780 wrote to memory of 4684 4780 bbtnbt.exe 88 PID 4780 wrote to memory of 4684 4780 bbtnbt.exe 88 PID 4684 wrote to memory of 2344 4684 jdvvj.exe 89 PID 4684 wrote to memory of 2344 4684 jdvvj.exe 89 PID 4684 wrote to memory of 2344 4684 jdvvj.exe 89 PID 2344 wrote to memory of 3876 2344 1tthbh.exe 90 PID 2344 wrote to memory of 3876 2344 1tthbh.exe 90 PID 2344 wrote to memory of 3876 2344 1tthbh.exe 90 PID 3876 wrote to memory of 2992 3876 7pjvj.exe 91 PID 3876 wrote to memory of 2992 3876 7pjvj.exe 91 PID 3876 wrote to memory of 2992 3876 7pjvj.exe 91 PID 2992 wrote to memory of 2028 2992 1vvdp.exe 92 PID 2992 wrote to memory of 2028 2992 1vvdp.exe 92 PID 2992 wrote to memory of 2028 2992 1vvdp.exe 92 PID 2028 wrote to memory of 1028 2028 3frlxxl.exe 93 PID 2028 wrote to memory of 1028 2028 
3frlxxl.exe 93 PID 2028 wrote to memory of 1028 2028 3frlxxl.exe 93 PID 1028 wrote to memory of 232 1028 bthbtn.exe 94 PID 1028 wrote to memory of 232 1028 bthbtn.exe 94 PID 1028 wrote to memory of 232 1028 bthbtn.exe 94 PID 232 wrote to memory of 1020 232 vpvpv.exe 95 PID 232 wrote to memory of 1020 232 vpvpv.exe 95 PID 232 wrote to memory of 1020 232 vpvpv.exe 95 PID 1020 wrote to memory of 3100 1020 ffxrlfx.exe 96 PID 1020 wrote to memory of 3100 1020 ffxrlfx.exe 96 PID 1020 wrote to memory of 3100 1020 ffxrlfx.exe 96 PID 3100 wrote to memory of 3592 3100 nnbbnn.exe 97 PID 3100 wrote to memory of 3592 3100 nnbbnn.exe 97 PID 3100 wrote to memory of 3592 3100 nnbbnn.exe 97 PID 3592 wrote to memory of 2908 3592 3vvjd.exe 98 PID 3592 wrote to memory of 2908 3592 3vvjd.exe 98 PID 3592 wrote to memory of 2908 3592 3vvjd.exe 98 PID 2908 wrote to memory of 1372 2908 3jvvj.exe 99 PID 2908 wrote to memory of 1372 2908 3jvvj.exe 99 PID 2908 wrote to memory of 1372 2908 3jvvj.exe 99 PID 1372 wrote to memory of 1140 1372 lxxlxrl.exe 100 PID 1372 wrote to memory of 1140 1372 lxxlxrl.exe 100 PID 1372 wrote to memory of 1140 1372 lxxlxrl.exe 100 PID 1140 wrote to memory of 2828 1140 lrrlfff.exe 101 PID 1140 wrote to memory of 2828 1140 lrrlfff.exe 101 PID 1140 wrote to memory of 2828 1140 lrrlfff.exe 101 PID 2828 wrote to memory of 1908 2828 bttnbt.exe 102 PID 2828 wrote to memory of 1908 2828 bttnbt.exe 102 PID 2828 wrote to memory of 1908 2828 bttnbt.exe 102 PID 1908 wrote to memory of 208 1908 xlfxrfr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe"C:\Users\Admin\AppData\Local\Temp\2ad39224ce558f5943897b8f24faa88006edfd5c118e6a0792d501f23c1e7b39.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:592 -
\??\c:\fxffrfr.exec:\fxffrfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\bnbnbn.exec:\bnbnbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\vddjv.exec:\vddjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\3dpdp.exec:\3dpdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\3frlfxr.exec:\3frlfxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\bbtnbt.exec:\bbtnbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\jdvvj.exec:\jdvvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\1tthbh.exec:\1tthbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\7pjvj.exec:\7pjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\1vvdp.exec:\1vvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\3frlxxl.exec:\3frlxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\bthbtn.exec:\bthbtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\vpvpv.exec:\vpvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\nnbbnn.exec:\nnbbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\3vvjd.exec:\3vvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\3jvvj.exec:\3jvvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\lrrlfff.exec:\lrrlfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\bttnbt.exec:\bttnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\xlfxrfr.exec:\xlfxrfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\ntbnhb.exec:\ntbnhb.exe23⤵
- Executes dropped EXE
PID:208 -
\??\c:\xffrfxr.exec:\xffrfxr.exe24⤵
- Executes dropped EXE
PID:3400 -
\??\c:\ttthbn.exec:\ttthbn.exe25⤵
- Executes dropped EXE
PID:1664 -
\??\c:\1vdpj.exec:\1vdpj.exe26⤵
- Executes dropped EXE
PID:2360 -
\??\c:\bbbtnh.exec:\bbbtnh.exe27⤵
- Executes dropped EXE
PID:2268 -
\??\c:\jjvpv.exec:\jjvpv.exe28⤵
- Executes dropped EXE
PID:1052 -
\??\c:\nhnhbn.exec:\nhnhbn.exe29⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vdjdp.exec:\vdjdp.exe30⤵
- Executes dropped EXE
PID:1444 -
\??\c:\xrrrrfl.exec:\xrrrrfl.exe31⤵
- Executes dropped EXE
PID:3312 -
\??\c:\hnnhbt.exec:\hnnhbt.exe32⤵
- Executes dropped EXE
PID:3520 -
\??\c:\9vpjd.exec:\9vpjd.exe33⤵
- Executes dropped EXE
PID:1088 -
\??\c:\xlxrrff.exec:\xlxrrff.exe34⤵
- Executes dropped EXE
PID:2504 -
\??\c:\vjdpd.exec:\vjdpd.exe35⤵
- Executes dropped EXE
PID:336 -
\??\c:\lxxrfxl.exec:\lxxrfxl.exe36⤵
- Executes dropped EXE
PID:2012 -
\??\c:\thtnnh.exec:\thtnnh.exe37⤵
- Executes dropped EXE
PID:2324 -
\??\c:\pdvpj.exec:\pdvpj.exe38⤵
- Executes dropped EXE
PID:4796 -
\??\c:\fllxrlf.exec:\fllxrlf.exe39⤵
- Executes dropped EXE
PID:5056 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe40⤵
- Executes dropped EXE
PID:4396 -
\??\c:\hbhthb.exec:\hbhthb.exe41⤵
- Executes dropped EXE
PID:2584 -
\??\c:\5dpvj.exec:\5dpvj.exe42⤵
- Executes dropped EXE
PID:4688 -
\??\c:\xfxrfxr.exec:\xfxrfxr.exe43⤵
- Executes dropped EXE
PID:4948 -
\??\c:\7tthnn.exec:\7tthnn.exe44⤵
- Executes dropped EXE
PID:3936 -
\??\c:\1jvvj.exec:\1jvvj.exe45⤵
- Executes dropped EXE
PID:2528 -
\??\c:\dpvjj.exec:\dpvjj.exe46⤵
- Executes dropped EXE
PID:4804 -
\??\c:\xllxllx.exec:\xllxllx.exe47⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\tbbthn.exec:\tbbthn.exe49⤵
- Executes dropped EXE
PID:4404 -
\??\c:\pdddp.exec:\pdddp.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\jjppd.exec:\jjppd.exe51⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ffxrffr.exec:\ffxrffr.exe52⤵
- Executes dropped EXE
PID:3064 -
\??\c:\ddvjv.exec:\ddvjv.exe53⤵
- Executes dropped EXE
PID:3544 -
\??\c:\vjpdd.exec:\vjpdd.exe54⤵
- Executes dropped EXE
PID:4360 -
\??\c:\lxrfrrl.exec:\lxrfrrl.exe55⤵
- Executes dropped EXE
PID:4344 -
\??\c:\hbnhtn.exec:\hbnhtn.exe56⤵
- Executes dropped EXE
PID:3120 -
\??\c:\pppdv.exec:\pppdv.exe57⤵
- Executes dropped EXE
PID:396 -
\??\c:\rffffxx.exec:\rffffxx.exe58⤵
- Executes dropped EXE
PID:4680 -
\??\c:\nnbntb.exec:\nnbntb.exe59⤵
- Executes dropped EXE
PID:3476 -
\??\c:\bhbtnb.exec:\bhbtnb.exe60⤵
- Executes dropped EXE
PID:4640 -
\??\c:\5jdvj.exec:\5jdvj.exe61⤵
- Executes dropped EXE
PID:3792 -
\??\c:\fllfrrf.exec:\fllfrrf.exe62⤵
- Executes dropped EXE
PID:3656 -
\??\c:\ntthbt.exec:\ntthbt.exe63⤵
- Executes dropped EXE
PID:2604 -
\??\c:\vjjjv.exec:\vjjjv.exe64⤵
- Executes dropped EXE
PID:3536 -
\??\c:\jjjpp.exec:\jjjpp.exe65⤵
- Executes dropped EXE
PID:2136 -
\??\c:\rlrxrll.exec:\rlrxrll.exe66⤵PID:1208
-
\??\c:\btbnnh.exec:\btbnnh.exe67⤵PID:2344
-
\??\c:\htntht.exec:\htntht.exe68⤵PID:1012
-
\??\c:\vdvpd.exec:\vdvpd.exe69⤵PID:4976
-
\??\c:\xlfrfrf.exec:\xlfrfrf.exe70⤵PID:4544
-
\??\c:\btntnb.exec:\btntnb.exe71⤵PID:2304
-
\??\c:\ttnbnb.exec:\ttnbnb.exe72⤵PID:116
-
\??\c:\pvjdj.exec:\pvjdj.exe73⤵PID:1936
-
\??\c:\frrfxrf.exec:\frrfxrf.exe74⤵PID:232
-
\??\c:\bntttn.exec:\bntttn.exe75⤵PID:1916
-
\??\c:\bhhhhh.exec:\bhhhhh.exe76⤵PID:3364
-
\??\c:\vpdpd.exec:\vpdpd.exe77⤵PID:4216
-
\??\c:\lxxlfrl.exec:\lxxlfrl.exe78⤵PID:4176
-
\??\c:\hbhbtt.exec:\hbhbtt.exe79⤵PID:2296
-
\??\c:\dvvjv.exec:\dvvjv.exe80⤵PID:3000
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe81⤵PID:2908
-
\??\c:\hbbttt.exec:\hbbttt.exe82⤵PID:1372
-
\??\c:\nnttth.exec:\nnttth.exe83⤵PID:1288
-
\??\c:\ppdvd.exec:\ppdvd.exe84⤵PID:1076
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe85⤵PID:3844
-
\??\c:\7btnbb.exec:\7btnbb.exe86⤵PID:1908
-
\??\c:\7pdvj.exec:\7pdvj.exe87⤵
- System Location Discovery: System Language Discovery
PID:208 -
\??\c:\rllfxlf.exec:\rllfxlf.exe88⤵PID:1488
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe89⤵PID:2684
-
\??\c:\htbtnt.exec:\htbtnt.exe90⤵PID:3940
-
\??\c:\vpjdd.exec:\vpjdd.exe91⤵PID:4944
-
\??\c:\dvdvp.exec:\dvdvp.exe92⤵PID:4692
-
\??\c:\xfffrlf.exec:\xfffrlf.exe93⤵PID:3044
-
\??\c:\hbbthh.exec:\hbbthh.exe94⤵PID:2652
-
\??\c:\hbhbbb.exec:\hbhbbb.exe95⤵PID:4084
-
\??\c:\dpdpd.exec:\dpdpd.exe96⤵PID:3688
-
\??\c:\fxfrfxl.exec:\fxfrfxl.exe97⤵PID:4864
-
\??\c:\hbhhbh.exec:\hbhhbh.exe98⤵PID:1720
-
\??\c:\pjdvp.exec:\pjdvp.exe99⤵PID:3152
-
\??\c:\lrxlxrr.exec:\lrxlxrr.exe100⤵PID:2060
-
\??\c:\1xrfllx.exec:\1xrfllx.exe101⤵PID:1212
-
\??\c:\nnhbtt.exec:\nnhbtt.exe102⤵PID:2504
-
\??\c:\9ppjd.exec:\9ppjd.exe103⤵PID:2620
-
\??\c:\3vdvp.exec:\3vdvp.exe104⤵PID:4172
-
\??\c:\lxxrrll.exec:\lxxrrll.exe105⤵PID:3340
-
\??\c:\bhnhbt.exec:\bhnhbt.exe106⤵PID:1796
-
\??\c:\nttnnn.exec:\nttnnn.exe107⤵PID:1512
-
\??\c:\ddjdp.exec:\ddjdp.exe108⤵PID:456
-
\??\c:\xrxrxrl.exec:\xrxrxrl.exe109⤵PID:4232
-
\??\c:\tnbthb.exec:\tnbthb.exe110⤵PID:3144
-
\??\c:\bnnhtt.exec:\bnnhtt.exe111⤵PID:2784
-
\??\c:\jdjjj.exec:\jdjjj.exe112⤵PID:4412
-
\??\c:\xrrlrrx.exec:\xrrlrrx.exe113⤵PID:452
-
\??\c:\flrrllf.exec:\flrrllf.exe114⤵PID:1496
-
\??\c:\thnhbn.exec:\thnhbn.exe115⤵PID:4940
-
\??\c:\vvdpd.exec:\vvdpd.exe116⤵PID:2812
-
\??\c:\ffrlllr.exec:\ffrlllr.exe117⤵PID:3620
-
\??\c:\nhbtbt.exec:\nhbtbt.exe118⤵PID:60
-
\??\c:\5hhbnn.exec:\5hhbnn.exe119⤵PID:3048
-
\??\c:\xrlxfrl.exec:\xrlxfrl.exe120⤵PID:2820
-
\??\c:\5nbtnb.exec:\5nbtnb.exe121⤵PID:648
-
\??\c:\tbbthb.exec:\tbbthb.exe122⤵PID:3544