Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-01-2025 06:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2N.exe
-
Size
454KB
-
MD5
9ea2676640c48dd5356ec451c025f3d0
-
SHA1
a8851a78cf438f0df6ad261b4bc8d0274b4e298b
-
SHA256
d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2
-
SHA512
ebfbc4c6a75d981a1f5e77bcecd41cd06bf99af0c13e9447f266a5bee6bcc8be59ebc9d87faab60b3fe3b952dcb8ed195aae18bd428bff3d082882a8d435b256
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeh:q7Tc2NYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4308-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1772-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3252-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-1002-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-1366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4588 9vjdv.exe 916 9xlrlll.exe 1612 ddpjp.exe 3356 pvvpp.exe 4252 lllfxrr.exe 4476 xrllrll.exe 468 lfllffr.exe 4020 hnhbbt.exe 3740 jvvpj.exe 2180 hththn.exe 1116 dddjj.exe 3364 xrlfrrl.exe 4548 pjppj.exe 2400 fflfxrr.exe 5040 pvdvp.exe 2488 thhhbb.exe 1852 fxlfflf.exe 4676 xrfrlrl.exe 4880 vpvvd.exe 696 xrrllff.exe 5072 3ttbnn.exe 4488 vvdjj.exe 700 hbhbnn.exe 4756 pvvpj.exe 4680 9hnhhh.exe 4116 hthttt.exe 1772 pvjdv.exe 3348 tnhbtt.exe 5112 jjvjv.exe 3856 lxlfxrl.exe 4964 xrxrlrl.exe 5036 bnnntn.exe 3176 dvdvv.exe 1896 lflxxll.exe 1960 1tntnn.exe 4736 btnnbt.exe 1104 dvdvd.exe 4928 jddvv.exe 4832 fxrlffx.exe 3460 thnhbb.exe 1280 vvvpv.exe 5076 7rlfxxr.exe 4588 nnhhbb.exe 440 hbbtnb.exe 3636 pvdpd.exe 2056 lrxrlll.exe 4684 fxxxlfx.exe 3868 bbttbb.exe 2160 jdvpj.exe 3168 5vvpj.exe 412 5llffxl.exe 468 nhnhbt.exe 4856 3jjdd.exe 2924 vjppd.exe 4500 3xrflfr.exe 2996 btnhhb.exe 5064 jdjjj.exe 624 9pvvp.exe 3116 xrrrlll.exe 2156 nhhbbt.exe 2004 vpvpp.exe 4144 fxlfrlx.exe 3676 nnbtnn.exe 4396 3vpjv.exe -
resource yara_rule behavioral2/memory/4308-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1896-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-352-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5112-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-824-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4308 wrote to memory of 4588 4308 d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2N.exe 83 PID 4308 wrote to memory of 4588 4308 d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2N.exe 83 PID 4308 wrote to memory of 4588 4308 d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2N.exe 83 PID 4588 wrote to memory of 916 4588 9vjdv.exe 84 PID 4588 wrote to memory of 916 4588 9vjdv.exe 84 PID 4588 wrote to memory of 916 4588 9vjdv.exe 84 PID 916 wrote to memory of 1612 916 9xlrlll.exe 85 PID 916 wrote to memory of 1612 916 9xlrlll.exe 85 PID 916 wrote to memory of 1612 916 9xlrlll.exe 85 PID 1612 wrote to memory of 3356 1612 ddpjp.exe 86 PID 1612 wrote to memory of 3356 1612 ddpjp.exe 86 PID 1612 wrote to memory of 3356 1612 ddpjp.exe 86 PID 3356 wrote to memory of 4252 3356 pvvpp.exe 87 PID 3356 wrote to memory of 4252 3356 pvvpp.exe 87 PID 3356 wrote to memory of 4252 3356 pvvpp.exe 87 PID 4252 wrote to memory of 4476 4252 lllfxrr.exe 88 PID 4252 wrote to memory of 4476 4252 lllfxrr.exe 88 PID 4252 wrote to memory of 4476 4252 lllfxrr.exe 88 PID 4476 wrote to memory of 468 4476 xrllrll.exe 89 PID 4476 wrote to memory of 468 4476 xrllrll.exe 89 PID 4476 wrote to memory of 468 4476 xrllrll.exe 89 PID 468 wrote to memory of 4020 468 lfllffr.exe 90 PID 468 wrote to memory of 4020 468 lfllffr.exe 90 PID 468 wrote to memory of 4020 468 lfllffr.exe 90 PID 4020 wrote to memory of 3740 4020 hnhbbt.exe 91 PID 4020 wrote to memory of 3740 4020 hnhbbt.exe 91 PID 4020 wrote to memory of 3740 4020 hnhbbt.exe 91 PID 3740 wrote to memory of 2180 3740 jvvpj.exe 92 PID 3740 wrote to memory of 2180 3740 jvvpj.exe 92 PID 3740 wrote to memory of 2180 3740 jvvpj.exe 92 PID 2180 wrote to memory of 1116 2180 hththn.exe 93 PID 2180 wrote to memory of 1116 2180 hththn.exe 93 PID 2180 wrote to memory of 1116 2180 hththn.exe 93 PID 1116 wrote to memory of 3364 1116 dddjj.exe 94 PID 1116 wrote to memory of 3364 
1116 dddjj.exe 94 PID 1116 wrote to memory of 3364 1116 dddjj.exe 94 PID 3364 wrote to memory of 4548 3364 xrlfrrl.exe 95 PID 3364 wrote to memory of 4548 3364 xrlfrrl.exe 95 PID 3364 wrote to memory of 4548 3364 xrlfrrl.exe 95 PID 4548 wrote to memory of 2400 4548 pjppj.exe 96 PID 4548 wrote to memory of 2400 4548 pjppj.exe 96 PID 4548 wrote to memory of 2400 4548 pjppj.exe 96 PID 2400 wrote to memory of 5040 2400 fflfxrr.exe 97 PID 2400 wrote to memory of 5040 2400 fflfxrr.exe 97 PID 2400 wrote to memory of 5040 2400 fflfxrr.exe 97 PID 5040 wrote to memory of 2488 5040 pvdvp.exe 98 PID 5040 wrote to memory of 2488 5040 pvdvp.exe 98 PID 5040 wrote to memory of 2488 5040 pvdvp.exe 98 PID 2488 wrote to memory of 1852 2488 thhhbb.exe 99 PID 2488 wrote to memory of 1852 2488 thhhbb.exe 99 PID 2488 wrote to memory of 1852 2488 thhhbb.exe 99 PID 1852 wrote to memory of 4676 1852 fxlfflf.exe 100 PID 1852 wrote to memory of 4676 1852 fxlfflf.exe 100 PID 1852 wrote to memory of 4676 1852 fxlfflf.exe 100 PID 4676 wrote to memory of 4880 4676 xrfrlrl.exe 101 PID 4676 wrote to memory of 4880 4676 xrfrlrl.exe 101 PID 4676 wrote to memory of 4880 4676 xrfrlrl.exe 101 PID 4880 wrote to memory of 696 4880 vpvvd.exe 102 PID 4880 wrote to memory of 696 4880 vpvvd.exe 102 PID 4880 wrote to memory of 696 4880 vpvvd.exe 102 PID 696 wrote to memory of 5072 696 xrrllff.exe 103 PID 696 wrote to memory of 5072 696 xrrllff.exe 103 PID 696 wrote to memory of 5072 696 xrrllff.exe 103 PID 5072 wrote to memory of 4488 5072 3ttbnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2N.exe"C:\Users\Admin\AppData\Local\Temp\d25911b4c69098a91d65895d460246309b9e39c547260336dee6ac17a1c9e3e2N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\9vjdv.exec:\9vjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\9xlrlll.exec:\9xlrlll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\ddpjp.exec:\ddpjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\pvvpp.exec:\pvvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\lllfxrr.exec:\lllfxrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\xrllrll.exec:\xrllrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\lfllffr.exec:\lfllffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\hnhbbt.exec:\hnhbbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\jvvpj.exec:\jvvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\hththn.exec:\hththn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\dddjj.exec:\dddjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\xrlfrrl.exec:\xrlfrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
\??\c:\pjppj.exec:\pjppj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\fflfxrr.exec:\fflfxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\pvdvp.exec:\pvdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\thhhbb.exec:\thhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\fxlfflf.exec:\fxlfflf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\xrfrlrl.exec:\xrfrlrl.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\vpvvd.exec:\vpvvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\xrrllff.exec:\xrrllff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\3ttbnn.exec:\3ttbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\vvdjj.exec:\vvdjj.exe23⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hbhbnn.exec:\hbhbnn.exe24⤵
- Executes dropped EXE
PID:700 -
\??\c:\pvvpj.exec:\pvvpj.exe25⤵
- Executes dropped EXE
PID:4756 -
\??\c:\9hnhhh.exec:\9hnhhh.exe26⤵
- Executes dropped EXE
PID:4680 -
\??\c:\hthttt.exec:\hthttt.exe27⤵
- Executes dropped EXE
PID:4116 -
\??\c:\pvjdv.exec:\pvjdv.exe28⤵
- Executes dropped EXE
PID:1772 -
\??\c:\tnhbtt.exec:\tnhbtt.exe29⤵
- Executes dropped EXE
PID:3348 -
\??\c:\jjvjv.exec:\jjvjv.exe30⤵
- Executes dropped EXE
PID:5112 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe31⤵
- Executes dropped EXE
PID:3856 -
\??\c:\xrxrlrl.exec:\xrxrlrl.exe32⤵
- Executes dropped EXE
PID:4964 -
\??\c:\bnnntn.exec:\bnnntn.exe33⤵
- Executes dropped EXE
PID:5036 -
\??\c:\dvdvv.exec:\dvdvv.exe34⤵
- Executes dropped EXE
PID:3176 -
\??\c:\lflxxll.exec:\lflxxll.exe35⤵
- Executes dropped EXE
PID:1896 -
\??\c:\1tntnn.exec:\1tntnn.exe36⤵
- Executes dropped EXE
PID:1960 -
\??\c:\btnnbt.exec:\btnnbt.exe37⤵
- Executes dropped EXE
PID:4736 -
\??\c:\dvdvd.exec:\dvdvd.exe38⤵
- Executes dropped EXE
PID:1104 -
\??\c:\jddvv.exec:\jddvv.exe39⤵
- Executes dropped EXE
PID:4928 -
\??\c:\fxrlffx.exec:\fxrlffx.exe40⤵
- Executes dropped EXE
PID:4832 -
\??\c:\thnhbb.exec:\thnhbb.exe41⤵
- Executes dropped EXE
PID:3460 -
\??\c:\vvvpv.exec:\vvvpv.exe42⤵
- Executes dropped EXE
PID:1280 -
\??\c:\7rlfxxr.exec:\7rlfxxr.exe43⤵
- Executes dropped EXE
PID:5076 -
\??\c:\nnhhbb.exec:\nnhhbb.exe44⤵
- Executes dropped EXE
PID:4588 -
\??\c:\hbbtnb.exec:\hbbtnb.exe45⤵
- Executes dropped EXE
PID:440 -
\??\c:\pvdpd.exec:\pvdpd.exe46⤵
- Executes dropped EXE
PID:3636 -
\??\c:\lrxrlll.exec:\lrxrlll.exe47⤵
- Executes dropped EXE
PID:2056 -
\??\c:\fxxxlfx.exec:\fxxxlfx.exe48⤵
- Executes dropped EXE
PID:4684 -
\??\c:\bbttbb.exec:\bbttbb.exe49⤵
- Executes dropped EXE
PID:3868 -
\??\c:\jdvpj.exec:\jdvpj.exe50⤵
- Executes dropped EXE
PID:2160 -
\??\c:\5vvpj.exec:\5vvpj.exe51⤵
- Executes dropped EXE
PID:3168 -
\??\c:\5llffxl.exec:\5llffxl.exe52⤵
- Executes dropped EXE
PID:412 -
\??\c:\nhnhbt.exec:\nhnhbt.exe53⤵
- Executes dropped EXE
PID:468 -
\??\c:\3jjdd.exec:\3jjdd.exe54⤵
- Executes dropped EXE
PID:4856 -
\??\c:\vjppd.exec:\vjppd.exe55⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3xrflfr.exec:\3xrflfr.exe56⤵
- Executes dropped EXE
PID:4500 -
\??\c:\btnhhb.exec:\btnhhb.exe57⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jdjjj.exec:\jdjjj.exe58⤵
- Executes dropped EXE
PID:5064 -
\??\c:\9pvvp.exec:\9pvvp.exe59⤵
- Executes dropped EXE
PID:624 -
\??\c:\xrrrlll.exec:\xrrrlll.exe60⤵
- Executes dropped EXE
PID:3116 -
\??\c:\nhhbbt.exec:\nhhbbt.exe61⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vpvpp.exec:\vpvpp.exe62⤵
- Executes dropped EXE
PID:2004 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe63⤵
- Executes dropped EXE
PID:4144 -
\??\c:\nnbtnn.exec:\nnbtnn.exe64⤵
- Executes dropped EXE
PID:3676 -
\??\c:\3vpjv.exec:\3vpjv.exe65⤵
- Executes dropped EXE
PID:4396 -
\??\c:\vdjjj.exec:\vdjjj.exe66⤵PID:4012
-
\??\c:\xxxrfrl.exec:\xxxrfrl.exe67⤵PID:3108
-
\??\c:\3bhhnn.exec:\3bhhnn.exe68⤵PID:2276
-
\??\c:\5vvvv.exec:\5vvvv.exe69⤵PID:1852
-
\??\c:\xrrlflf.exec:\xrrlflf.exe70⤵PID:2420
-
\??\c:\htnhtn.exec:\htnhtn.exe71⤵PID:3660
-
\??\c:\pppjv.exec:\pppjv.exe72⤵PID:3252
-
\??\c:\1xrlxll.exec:\1xrlxll.exe73⤵PID:3988
-
\??\c:\bbhtht.exec:\bbhtht.exe74⤵PID:4972
-
\??\c:\thnbht.exec:\thnbht.exe75⤵PID:376
-
\??\c:\jdjdj.exec:\jdjdj.exe76⤵PID:960
-
\??\c:\1ffxlrl.exec:\1ffxlrl.exe77⤵PID:4956
-
\??\c:\bhhbth.exec:\bhhbth.exe78⤵PID:2660
-
\??\c:\7tnbnh.exec:\7tnbnh.exe79⤵PID:4576
-
\??\c:\pdjvd.exec:\pdjvd.exe80⤵PID:5008
-
\??\c:\frfrrlr.exec:\frfrrlr.exe81⤵PID:2368
-
\??\c:\htbttn.exec:\htbttn.exe82⤵PID:4680
-
\??\c:\ddpdj.exec:\ddpdj.exe83⤵PID:1304
-
\??\c:\1pvvd.exec:\1pvvd.exe84⤵PID:5000
-
\??\c:\5ffrfxx.exec:\5ffrfxx.exe85⤵PID:4900
-
\??\c:\5hbbtt.exec:\5hbbtt.exe86⤵PID:5088
-
\??\c:\djppv.exec:\djppv.exe87⤵PID:4580
-
\??\c:\xlxllll.exec:\xlxllll.exe88⤵PID:2192
-
\??\c:\bthbhh.exec:\bthbhh.exe89⤵PID:5112
-
\??\c:\djjpd.exec:\djjpd.exe90⤵PID:3924
-
\??\c:\ddvjv.exec:\ddvjv.exe91⤵PID:4844
-
\??\c:\5lrlxrr.exec:\5lrlxrr.exe92⤵PID:2104
-
\??\c:\hnhnhb.exec:\hnhnhb.exe93⤵PID:1584
-
\??\c:\vjvpj.exec:\vjvpj.exe94⤵PID:912
-
\??\c:\lffrffr.exec:\lffrffr.exe95⤵PID:1896
-
\??\c:\rrrflxr.exec:\rrrflxr.exe96⤵PID:3968
-
\??\c:\btttnn.exec:\btttnn.exe97⤵PID:100
-
\??\c:\5ppdp.exec:\5ppdp.exe98⤵PID:3744
-
\??\c:\rrrrfxl.exec:\rrrrfxl.exe99⤵PID:2240
-
\??\c:\htbtnh.exec:\htbtnh.exe100⤵PID:220
-
\??\c:\nhhtnh.exec:\nhhtnh.exe101⤵PID:532
-
\??\c:\pvjdv.exec:\pvjdv.exe102⤵PID:3796
-
\??\c:\llrlffx.exec:\llrlffx.exe103⤵PID:3832
-
\??\c:\bttnhb.exec:\bttnhb.exe104⤵PID:5076
-
\??\c:\jdpdv.exec:\jdpdv.exe105⤵PID:3172
-
\??\c:\dvdpp.exec:\dvdpp.exe106⤵PID:440
-
\??\c:\7lfrffl.exec:\7lfrffl.exe107⤵PID:212
-
\??\c:\nbbtht.exec:\nbbtht.exe108⤵PID:3340
-
\??\c:\3vpjd.exec:\3vpjd.exe109⤵PID:1416
-
\??\c:\xxfxrrf.exec:\xxfxrrf.exe110⤵PID:3868
-
\??\c:\hhnnnt.exec:\hhnnnt.exe111⤵PID:4896
-
\??\c:\1pvvj.exec:\1pvvj.exe112⤵PID:2876
-
\??\c:\vppvp.exec:\vppvp.exe113⤵PID:3756
-
\??\c:\lrxlxrf.exec:\lrxlxrf.exe114⤵PID:4088
-
\??\c:\dpddj.exec:\dpddj.exe115⤵PID:2536
-
\??\c:\1lfxrfx.exec:\1lfxrfx.exe116⤵PID:528
-
\??\c:\9rrxrrl.exec:\9rrxrrl.exe117⤵PID:4864
-
\??\c:\nnnbnn.exec:\nnnbnn.exe118⤵PID:4500
-
\??\c:\dvvjv.exec:\dvvjv.exe119⤵PID:2996
-
\??\c:\xlrllff.exec:\xlrllff.exe120⤵PID:3556
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe121⤵PID:3288
-
\??\c:\ttthnh.exec:\ttthnh.exe122⤵PID:5060