Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe
-
Size
454KB
-
MD5
4277192a52f6d58b02381afd9abde73f
-
SHA1
e04c984f44c4aaa4fa7098bdbdc533797f8daa3e
-
SHA256
0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f
-
SHA512
8a1570af7579a3cc004f63b89bf13bfafe02cce987398782965544d85585957b22f232734e3039f5dff1749164fc9d7f312761bdfabe450e1f0f89ffa44464bd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1Q6:q7Tc2NYHUrAwfMp3CD1r
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2848-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2276-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2704-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3332 jvdpv.exe 4692 1rxllff.exe 964 xffllll.exe 1624 vvpjv.exe 5000 3btthb.exe 4324 jvvjd.exe 4612 9pdpj.exe 2212 1jjvj.exe 1392 ntnbnb.exe 4472 vdjvj.exe 4976 hnbnhn.exe 3316 jdvjd.exe 1384 lxfrlfx.exe 320 bntnbh.exe 3560 pvpvp.exe 4032 1flxlfl.exe 1060 rlxrfrl.exe 1188 bnhtnh.exe 712 bththb.exe 4896 pvvpv.exe 2688 lffxrrl.exe 3748 nbthtn.exe 4780 7nhbnh.exe 2276 nttttt.exe 4708 vpvpp.exe 4092 flfrlfr.exe 1260 nbhttt.exe 3988 pjjdj.exe 5016 llxrlfx.exe 4460 pdjdd.exe 3196 lxrfrfr.exe 3616 hnhtnh.exe 4536 9pjdv.exe 1284 9rfffxr.exe 3484 btbbhb.exe 2784 5vvjj.exe 1768 5lrlflf.exe 4568 7pjdd.exe 1512 3flrxfx.exe 2464 7hhbtt.exe 512 5tnnhh.exe 2620 ddvjv.exe 4924 lxxrffr.exe 4908 tnnbtn.exe 3256 jjddv.exe 3996 tthbbt.exe 8 1bthnn.exe 3120 vpjpj.exe 412 pdvpd.exe 4768 lffxllf.exe 1828 9hbnbt.exe 4540 9vjvj.exe 2108 vjjdp.exe 4636 5xfrfff.exe 4552 hbtnbh.exe 216 bnnbtn.exe 2560 dpvpp.exe 2856 5rrlffx.exe 2196 bnthbt.exe 1624 9vpjv.exe 4048 xrrlllf.exe 4068 htbtnn.exe 4824 3vvpp.exe 2300 pddpj.exe -
resource yara_rule behavioral2/memory/2848-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4708-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5040-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-751-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2848 wrote to memory of 3332 2848 0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe 82 PID 2848 wrote to memory of 3332 2848 0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe 82 PID 2848 wrote to memory of 3332 2848 0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe 82 PID 3332 wrote to memory of 4692 3332 jvdpv.exe 83 PID 3332 wrote to memory of 4692 3332 jvdpv.exe 83 PID 3332 wrote to memory of 4692 3332 jvdpv.exe 83 PID 4692 wrote to memory of 964 4692 1rxllff.exe 84 PID 4692 wrote to memory of 964 4692 1rxllff.exe 84 PID 4692 wrote to memory of 964 4692 1rxllff.exe 84 PID 964 wrote to memory of 1624 964 xffllll.exe 85 PID 964 wrote to memory of 1624 964 xffllll.exe 85 PID 964 wrote to memory of 1624 964 xffllll.exe 85 PID 1624 wrote to memory of 5000 1624 vvpjv.exe 86 PID 1624 wrote to memory of 5000 1624 vvpjv.exe 86 PID 1624 wrote to memory of 5000 1624 vvpjv.exe 86 PID 5000 wrote to memory of 4324 5000 3btthb.exe 87 PID 5000 wrote to memory of 4324 5000 3btthb.exe 87 PID 5000 wrote to memory of 4324 5000 3btthb.exe 87 PID 4324 wrote to memory of 4612 4324 jvvjd.exe 88 PID 4324 wrote to memory of 4612 4324 jvvjd.exe 88 PID 4324 wrote to memory of 4612 4324 jvvjd.exe 88 PID 4612 wrote to memory of 2212 4612 9pdpj.exe 89 PID 4612 wrote to memory of 2212 4612 9pdpj.exe 89 PID 4612 wrote to memory of 2212 4612 9pdpj.exe 89 PID 2212 wrote to memory of 1392 2212 1jjvj.exe 90 PID 2212 wrote to memory of 1392 2212 1jjvj.exe 90 PID 2212 wrote to memory of 1392 2212 1jjvj.exe 90 PID 1392 wrote to memory of 4472 1392 ntnbnb.exe 91 PID 1392 wrote to memory of 4472 1392 ntnbnb.exe 91 PID 1392 wrote to memory of 4472 1392 ntnbnb.exe 91 PID 4472 wrote to memory of 4976 4472 vdjvj.exe 92 PID 4472 wrote to memory of 4976 4472 vdjvj.exe 92 PID 4472 wrote to memory of 4976 4472 vdjvj.exe 92 PID 4976 wrote to memory of 3316 4976 hnbnhn.exe 93 PID 4976 wrote to memory of 3316 4976 
hnbnhn.exe 93 PID 4976 wrote to memory of 3316 4976 hnbnhn.exe 93 PID 3316 wrote to memory of 1384 3316 jdvjd.exe 94 PID 3316 wrote to memory of 1384 3316 jdvjd.exe 94 PID 3316 wrote to memory of 1384 3316 jdvjd.exe 94 PID 1384 wrote to memory of 320 1384 lxfrlfx.exe 95 PID 1384 wrote to memory of 320 1384 lxfrlfx.exe 95 PID 1384 wrote to memory of 320 1384 lxfrlfx.exe 95 PID 320 wrote to memory of 3560 320 bntnbh.exe 96 PID 320 wrote to memory of 3560 320 bntnbh.exe 96 PID 320 wrote to memory of 3560 320 bntnbh.exe 96 PID 3560 wrote to memory of 4032 3560 pvpvp.exe 97 PID 3560 wrote to memory of 4032 3560 pvpvp.exe 97 PID 3560 wrote to memory of 4032 3560 pvpvp.exe 97 PID 4032 wrote to memory of 1060 4032 1flxlfl.exe 98 PID 4032 wrote to memory of 1060 4032 1flxlfl.exe 98 PID 4032 wrote to memory of 1060 4032 1flxlfl.exe 98 PID 1060 wrote to memory of 1188 1060 rlxrfrl.exe 99 PID 1060 wrote to memory of 1188 1060 rlxrfrl.exe 99 PID 1060 wrote to memory of 1188 1060 rlxrfrl.exe 99 PID 1188 wrote to memory of 712 1188 bnhtnh.exe 100 PID 1188 wrote to memory of 712 1188 bnhtnh.exe 100 PID 1188 wrote to memory of 712 1188 bnhtnh.exe 100 PID 712 wrote to memory of 4896 712 bththb.exe 101 PID 712 wrote to memory of 4896 712 bththb.exe 101 PID 712 wrote to memory of 4896 712 bththb.exe 101 PID 4896 wrote to memory of 2688 4896 pvvpv.exe 102 PID 4896 wrote to memory of 2688 4896 pvvpv.exe 102 PID 4896 wrote to memory of 2688 4896 pvvpv.exe 102 PID 2688 wrote to memory of 3748 2688 lffxrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe"C:\Users\Admin\AppData\Local\Temp\0a5535a1edbc73f38b90a5ad40627551ca30569eec87924bf1042a28b16a080f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\jvdpv.exec:\jvdpv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\1rxllff.exec:\1rxllff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\xffllll.exec:\xffllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\vvpjv.exec:\vvpjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\3btthb.exec:\3btthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\jvvjd.exec:\jvvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\9pdpj.exec:\9pdpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\1jjvj.exec:\1jjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\ntnbnb.exec:\ntnbnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\vdjvj.exec:\vdjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\hnbnhn.exec:\hnbnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\jdvjd.exec:\jdvjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\bntnbh.exec:\bntnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\pvpvp.exec:\pvpvp.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\1flxlfl.exec:\1flxlfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\rlxrfrl.exec:\rlxrfrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\bnhtnh.exec:\bnhtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\bththb.exec:\bththb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\pvvpv.exec:\pvvpv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\lffxrrl.exec:\lffxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\nbthtn.exec:\nbthtn.exe23⤵
- Executes dropped EXE
PID:3748 -
\??\c:\7nhbnh.exec:\7nhbnh.exe24⤵
- Executes dropped EXE
PID:4780 -
\??\c:\nttttt.exec:\nttttt.exe25⤵
- Executes dropped EXE
PID:2276 -
\??\c:\vpvpp.exec:\vpvpp.exe26⤵
- Executes dropped EXE
PID:4708 -
\??\c:\flfrlfr.exec:\flfrlfr.exe27⤵
- Executes dropped EXE
PID:4092 -
\??\c:\nbhttt.exec:\nbhttt.exe28⤵
- Executes dropped EXE
PID:1260 -
\??\c:\pjjdj.exec:\pjjdj.exe29⤵
- Executes dropped EXE
PID:3988 -
\??\c:\llxrlfx.exec:\llxrlfx.exe30⤵
- Executes dropped EXE
PID:5016 -
\??\c:\pdjdd.exec:\pdjdd.exe31⤵
- Executes dropped EXE
PID:4460 -
\??\c:\lxrfrfr.exec:\lxrfrfr.exe32⤵
- Executes dropped EXE
PID:3196 -
\??\c:\hnhtnh.exec:\hnhtnh.exe33⤵
- Executes dropped EXE
PID:3616 -
\??\c:\9pjdv.exec:\9pjdv.exe34⤵
- Executes dropped EXE
PID:4536 -
\??\c:\9rfffxr.exec:\9rfffxr.exe35⤵
- Executes dropped EXE
PID:1284 -
\??\c:\btbbhb.exec:\btbbhb.exe36⤵
- Executes dropped EXE
PID:3484 -
\??\c:\5vvjj.exec:\5vvjj.exe37⤵
- Executes dropped EXE
PID:2784 -
\??\c:\5lrlflf.exec:\5lrlflf.exe38⤵
- Executes dropped EXE
PID:1768 -
\??\c:\7pjdd.exec:\7pjdd.exe39⤵
- Executes dropped EXE
PID:4568 -
\??\c:\3flrxfx.exec:\3flrxfx.exe40⤵
- Executes dropped EXE
PID:1512 -
\??\c:\7hhbtt.exec:\7hhbtt.exe41⤵
- Executes dropped EXE
PID:2464 -
\??\c:\5tnnhh.exec:\5tnnhh.exe42⤵
- Executes dropped EXE
PID:512 -
\??\c:\ddvjv.exec:\ddvjv.exe43⤵
- Executes dropped EXE
PID:2620 -
\??\c:\lxxrffr.exec:\lxxrffr.exe44⤵
- Executes dropped EXE
PID:4924 -
\??\c:\tnnbtn.exec:\tnnbtn.exe45⤵
- Executes dropped EXE
PID:4908 -
\??\c:\jjddv.exec:\jjddv.exe46⤵
- Executes dropped EXE
PID:3256 -
\??\c:\tthbbt.exec:\tthbbt.exe47⤵
- Executes dropped EXE
PID:3996 -
\??\c:\1bthnn.exec:\1bthnn.exe48⤵
- Executes dropped EXE
PID:8 -
\??\c:\vpjpj.exec:\vpjpj.exe49⤵
- Executes dropped EXE
PID:3120 -
\??\c:\pdvpd.exec:\pdvpd.exe50⤵
- Executes dropped EXE
PID:412 -
\??\c:\lffxllf.exec:\lffxllf.exe51⤵
- Executes dropped EXE
PID:4768 -
\??\c:\9hbnbt.exec:\9hbnbt.exe52⤵
- Executes dropped EXE
PID:1828 -
\??\c:\9vjvj.exec:\9vjvj.exe53⤵
- Executes dropped EXE
PID:4540 -
\??\c:\vjjdp.exec:\vjjdp.exe54⤵
- Executes dropped EXE
PID:2108 -
\??\c:\5xfrfff.exec:\5xfrfff.exe55⤵
- Executes dropped EXE
PID:4636 -
\??\c:\hbtnbh.exec:\hbtnbh.exe56⤵
- Executes dropped EXE
PID:4552 -
\??\c:\bnnbtn.exec:\bnnbtn.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:216 -
\??\c:\dpvpp.exec:\dpvpp.exe58⤵
- Executes dropped EXE
PID:2560 -
\??\c:\5rrlffx.exec:\5rrlffx.exe59⤵
- Executes dropped EXE
PID:2856 -
\??\c:\bnthbt.exec:\bnthbt.exe60⤵
- Executes dropped EXE
PID:2196 -
\??\c:\9vpjv.exec:\9vpjv.exe61⤵
- Executes dropped EXE
PID:1624 -
\??\c:\xrrlllf.exec:\xrrlllf.exe62⤵
- Executes dropped EXE
PID:4048 -
\??\c:\htbtnn.exec:\htbtnn.exe63⤵
- Executes dropped EXE
PID:4068 -
\??\c:\3vvpp.exec:\3vvpp.exe64⤵
- Executes dropped EXE
PID:4824 -
\??\c:\pddpj.exec:\pddpj.exe65⤵
- Executes dropped EXE
PID:2300 -
\??\c:\xflfrrf.exec:\xflfrrf.exe66⤵PID:2008
-
\??\c:\nhbttt.exec:\nhbttt.exe67⤵PID:1224
-
\??\c:\jvddv.exec:\jvddv.exe68⤵PID:1840
-
\??\c:\3rrlffx.exec:\3rrlffx.exe69⤵PID:1416
-
\??\c:\bbtnbt.exec:\bbtnbt.exe70⤵PID:4472
-
\??\c:\vvvpd.exec:\vvvpd.exe71⤵PID:3836
-
\??\c:\pjjvj.exec:\pjjvj.exe72⤵PID:3124
-
\??\c:\fflfflf.exec:\fflfflf.exe73⤵PID:2948
-
\??\c:\1tbttt.exec:\1tbttt.exe74⤵PID:2704
-
\??\c:\djdpj.exec:\djdpj.exe75⤵PID:3228
-
\??\c:\rfrllxr.exec:\rfrllxr.exe76⤵PID:4296
-
\??\c:\nnbtnh.exec:\nnbtnh.exe77⤵PID:4500
-
\??\c:\djjdv.exec:\djjdv.exe78⤵PID:1060
-
\??\c:\fffrflx.exec:\fffrflx.exe79⤵PID:212
-
\??\c:\lffrfxl.exec:\lffrfxl.exe80⤵PID:5040
-
\??\c:\dppjv.exec:\dppjv.exe81⤵PID:1552
-
\??\c:\pvdvp.exec:\pvdvp.exe82⤵PID:4896
-
\??\c:\rfxrlxx.exec:\rfxrlxx.exe83⤵PID:4992
-
\??\c:\7ntnhh.exec:\7ntnhh.exe84⤵PID:1996
-
\??\c:\9ppjd.exec:\9ppjd.exe85⤵PID:4644
-
\??\c:\fxflrrr.exec:\fxflrrr.exe86⤵PID:860
-
\??\c:\5nhhtb.exec:\5nhhtb.exe87⤵PID:4912
-
\??\c:\3nnhbb.exec:\3nnhbb.exe88⤵PID:2276
-
\??\c:\jjjdv.exec:\jjjdv.exe89⤵PID:5048
-
\??\c:\rfrlrlr.exec:\rfrlrlr.exe90⤵PID:3672
-
\??\c:\btbtth.exec:\btbtth.exe91⤵PID:372
-
\??\c:\5ddvp.exec:\5ddvp.exe92⤵PID:5012
-
\??\c:\5xllrrf.exec:\5xllrrf.exe93⤵PID:3924
-
\??\c:\lxlfxxr.exec:\lxlfxxr.exe94⤵PID:3176
-
\??\c:\hbhbhh.exec:\hbhbhh.exe95⤵PID:4016
-
\??\c:\dvdpv.exec:\dvdpv.exe96⤵PID:3164
-
\??\c:\vvdvp.exec:\vvdvp.exe97⤵PID:2844
-
\??\c:\frxrllf.exec:\frxrllf.exe98⤵PID:2988
-
\??\c:\hnhbtb.exec:\hnhbtb.exe99⤵PID:1128
-
\??\c:\hbbbtb.exec:\hbbbtb.exe100⤵PID:4240
-
\??\c:\pvvpp.exec:\pvvpp.exe101⤵PID:4996
-
\??\c:\dvdvp.exec:\dvdvp.exe102⤵PID:3184
-
\??\c:\fxrxrrl.exec:\fxrxrrl.exe103⤵PID:4936
-
\??\c:\htbhth.exec:\htbhth.exe104⤵PID:3224
-
\??\c:\jvvvj.exec:\jvvvj.exe105⤵PID:4252
-
\??\c:\5flrrlr.exec:\5flrrlr.exe106⤵PID:2156
-
\??\c:\3llfrrl.exec:\3llfrrl.exe107⤵PID:1352
-
\??\c:\5hhhbt.exec:\5hhhbt.exe108⤵PID:512
-
\??\c:\pjjpj.exec:\pjjpj.exe109⤵PID:4620
-
\??\c:\1xfxxxx.exec:\1xfxxxx.exe110⤵PID:4924
-
\??\c:\tbbbtt.exec:\tbbbtt.exe111⤵PID:968
-
\??\c:\pvjdp.exec:\pvjdp.exe112⤵PID:4808
-
\??\c:\frrlffx.exec:\frrlffx.exe113⤵PID:2180
-
\??\c:\tbhbtt.exec:\tbhbtt.exe114⤵PID:8
-
\??\c:\jjpdv.exec:\jjpdv.exe115⤵PID:4956
-
\??\c:\9dvjv.exec:\9dvjv.exe116⤵PID:3948
-
\??\c:\fxlfffl.exec:\fxlfffl.exe117⤵PID:4768
-
\??\c:\7bbnbt.exec:\7bbnbt.exe118⤵PID:708
-
\??\c:\vdjvp.exec:\vdjvp.exe119⤵PID:4672
-
\??\c:\pjjvp.exec:\pjjvp.exe120⤵PID:3156
-
\??\c:\llrlflf.exec:\llrlflf.exe121⤵PID:228
-
\??\c:\htbnbb.exec:\htbnbb.exe122⤵PID:4232