Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 15:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe
Resource
win7-20240729-en
7 signatures
120 seconds
Note: this task header names the win7-20240729-en resource, but every signature hit, memory dump and process-tree entry shown below is tagged behavioral2 and corresponds to the windows10-2004_x64 / win10v2004-20241007-en run listed under Analysis; no behavioral1 (Windows 7) results appear on this page.
General
-
Target
ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe
-
Size
455KB
-
MD5
c559eca3659a3eee10b29ef422cc0c80
-
SHA1
2d5039bf61c4014cd91d7c2517084e71e72d68a8
-
SHA256
ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65
-
SHA512
b11d13a4faa46a2cd6985458c19f6af49dff2968ba9fbb6895a4b2b49758ca3ddf2983c0e48c806ad18ef64f5d430210645c0363c6754b64fc707a6bc1b0ca29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTj:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (YARA rule family_blackmoon matched in the 0x00400000–0x0042A000 image region of the memory dump of each process in the spawn chain)
resource yara_rule behavioral2/memory/4900-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4080-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1844-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-1237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-1830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3836-1951-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3176 7bbnbt.exe 4428 1djvj.exe 3340 lfxrfxr.exe 3112 lfxxxlr.exe 3680 nnnntn.exe 2028 7fxfxrf.exe 3056 bnhtnh.exe 3132 dpjvj.exe 4324 hbtbnh.exe 1124 vjdvv.exe 1592 pddpp.exe 4628 bthbnh.exe 948 pvvdp.exe 668 vdvjv.exe 3684 tnhhtn.exe 3252 vvppv.exe 1444 nnnhtn.exe 4140 9jdpd.exe 3852 xrlxlfr.exe 432 thbnbn.exe 3424 rxxlxrf.exe 4012 frrxlll.exe 1972 vvdvj.exe 640 frxllff.exe 1924 hbthhb.exe 2640 xlfrlrf.exe 928 lxfxlff.exe 2868 nbhhbh.exe 3988 rlxffrx.exe 1100 thbtnh.exe 4080 dddpd.exe 592 rflxlfx.exe 744 ntbhtn.exe 4132 7flxxxx.exe 512 tththt.exe 1236 lrrfrlf.exe 2328 1fxlfrl.exe 2896 7tthhb.exe 3472 jddpj.exe 2572 frlxxrf.exe 4692 7nnbnh.exe 2532 7ddpd.exe 2240 vpdvd.exe 3788 flfrrlx.exe 2760 nhhthb.exe 3952 pvpdj.exe 3720 lxxlxlx.exe 1264 hbtnhb.exe 4192 nbthtn.exe 4604 djdjv.exe 3324 nbbnhn.exe 5072 ttthnh.exe 2388 jvvpv.exe 4464 frlxlxl.exe 1596 tttnhb.exe 4900 vpjjv.exe 3176 5lxlxrf.exe 4524 bbbnbn.exe 4552 nhbttn.exe 5056 pdvjv.exe 2720 1rlflfr.exe 1432 htnbnh.exe 3112 5bhnbt.exe 4808 3vjpv.exe -
resource yara_rule behavioral2/memory/4900-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4080-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/432-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-716-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer the geographical location of that host. Rows attributed to "Process not Found" presumably belong to short-lived dropped EXEs that had already exited when the event was attributed — verify against the process tree before using a name-based IoC.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (the writes form a linear chain — each dropped EXE writes into the child it spawns next; note that PIDs are recycled during the run, e.g. 4900 and 3176 appear both at the head of the chain and again at tree steps 57–58, so correlate on process name and tree position rather than on PID alone)
description pid Process procid_target PID 4900 wrote to memory of 3176 4900 ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe 82 PID 4900 wrote to memory of 3176 4900 ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe 82 PID 4900 wrote to memory of 3176 4900 ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe 82 PID 3176 wrote to memory of 4428 3176 7bbnbt.exe 83 PID 3176 wrote to memory of 4428 3176 7bbnbt.exe 83 PID 3176 wrote to memory of 4428 3176 7bbnbt.exe 83 PID 4428 wrote to memory of 3340 4428 1djvj.exe 84 PID 4428 wrote to memory of 3340 4428 1djvj.exe 84 PID 4428 wrote to memory of 3340 4428 1djvj.exe 84 PID 3340 wrote to memory of 3112 3340 lfxrfxr.exe 85 PID 3340 wrote to memory of 3112 3340 lfxrfxr.exe 85 PID 3340 wrote to memory of 3112 3340 lfxrfxr.exe 85 PID 3112 wrote to memory of 3680 3112 lfxxxlr.exe 86 PID 3112 wrote to memory of 3680 3112 lfxxxlr.exe 86 PID 3112 wrote to memory of 3680 3112 lfxxxlr.exe 86 PID 3680 wrote to memory of 2028 3680 nnnntn.exe 87 PID 3680 wrote to memory of 2028 3680 nnnntn.exe 87 PID 3680 wrote to memory of 2028 3680 nnnntn.exe 87 PID 2028 wrote to memory of 3056 2028 7fxfxrf.exe 88 PID 2028 wrote to memory of 3056 2028 7fxfxrf.exe 88 PID 2028 wrote to memory of 3056 2028 7fxfxrf.exe 88 PID 3056 wrote to memory of 3132 3056 bnhtnh.exe 89 PID 3056 wrote to memory of 3132 3056 bnhtnh.exe 89 PID 3056 wrote to memory of 3132 3056 bnhtnh.exe 89 PID 3132 wrote to memory of 4324 3132 dpjvj.exe 90 PID 3132 wrote to memory of 4324 3132 dpjvj.exe 90 PID 3132 wrote to memory of 4324 3132 dpjvj.exe 90 PID 4324 wrote to memory of 1124 4324 hbtbnh.exe 91 PID 4324 wrote to memory of 1124 4324 hbtbnh.exe 91 PID 4324 wrote to memory of 1124 4324 hbtbnh.exe 91 PID 1124 wrote to memory of 1592 1124 vjdvv.exe 92 PID 1124 wrote to memory of 1592 1124 vjdvv.exe 92 PID 1124 wrote to memory of 1592 1124 vjdvv.exe 92 PID 1592 wrote to memory of 4628 1592 pddpp.exe 93 PID 1592 wrote to 
memory of 4628 1592 pddpp.exe 93 PID 1592 wrote to memory of 4628 1592 pddpp.exe 93 PID 4628 wrote to memory of 948 4628 bthbnh.exe 94 PID 4628 wrote to memory of 948 4628 bthbnh.exe 94 PID 4628 wrote to memory of 948 4628 bthbnh.exe 94 PID 948 wrote to memory of 668 948 pvvdp.exe 95 PID 948 wrote to memory of 668 948 pvvdp.exe 95 PID 948 wrote to memory of 668 948 pvvdp.exe 95 PID 668 wrote to memory of 3684 668 vdvjv.exe 96 PID 668 wrote to memory of 3684 668 vdvjv.exe 96 PID 668 wrote to memory of 3684 668 vdvjv.exe 96 PID 3684 wrote to memory of 3252 3684 tnhhtn.exe 97 PID 3684 wrote to memory of 3252 3684 tnhhtn.exe 97 PID 3684 wrote to memory of 3252 3684 tnhhtn.exe 97 PID 3252 wrote to memory of 1444 3252 vvppv.exe 98 PID 3252 wrote to memory of 1444 3252 vvppv.exe 98 PID 3252 wrote to memory of 1444 3252 vvppv.exe 98 PID 1444 wrote to memory of 4140 1444 nnnhtn.exe 99 PID 1444 wrote to memory of 4140 1444 nnnhtn.exe 99 PID 1444 wrote to memory of 4140 1444 nnnhtn.exe 99 PID 4140 wrote to memory of 3852 4140 9jdpd.exe 100 PID 4140 wrote to memory of 3852 4140 9jdpd.exe 100 PID 4140 wrote to memory of 3852 4140 9jdpd.exe 100 PID 3852 wrote to memory of 432 3852 xrlxlfr.exe 101 PID 3852 wrote to memory of 432 3852 xrlxlfr.exe 101 PID 3852 wrote to memory of 432 3852 xrlxlfr.exe 101 PID 432 wrote to memory of 3424 432 thbnbn.exe 102 PID 432 wrote to memory of 3424 432 thbnbn.exe 102 PID 432 wrote to memory of 3424 432 thbnbn.exe 102 PID 3424 wrote to memory of 4012 3424 rxxlxrf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe  "C:\Users\Admin\AppData\Local\Temp\ffd39bbedaee15e258931f10ffd180c3aa3345df44f4446bb6c659f017266b65N.exe"  1⤵
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\7bbnbt.exe  c:\7bbnbt.exe  2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\1djvj.exe  c:\1djvj.exe  3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\lfxrfxr.exec:\lfxrfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\lfxxxlr.exec:\lfxxxlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\nnnntn.exec:\nnnntn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\7fxfxrf.exec:\7fxfxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\bnhtnh.exec:\bnhtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\dpjvj.exec:\dpjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\hbtbnh.exec:\hbtbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\vjdvv.exec:\vjdvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124 -
\??\c:\pddpp.exec:\pddpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\bthbnh.exec:\bthbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\pvvdp.exec:\pvvdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\vdvjv.exec:\vdvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\tnhhtn.exec:\tnhhtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\vvppv.exec:\vvppv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\nnnhtn.exec:\nnnhtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\9jdpd.exec:\9jdpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\thbnbn.exec:\thbnbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\frrxlll.exec:\frrxlll.exe23⤵
- Executes dropped EXE
PID:4012 -
\??\c:\vvdvj.exec:\vvdvj.exe24⤵
- Executes dropped EXE
PID:1972 -
\??\c:\frxllff.exec:\frxllff.exe25⤵
- Executes dropped EXE
PID:640 -
\??\c:\hbthhb.exec:\hbthhb.exe26⤵
- Executes dropped EXE
PID:1924 -
\??\c:\xlfrlrf.exec:\xlfrlrf.exe27⤵
- Executes dropped EXE
PID:2640 -
\??\c:\lxfxlff.exec:\lxfxlff.exe28⤵
- Executes dropped EXE
PID:928 -
\??\c:\nbhhbh.exec:\nbhhbh.exe29⤵
- Executes dropped EXE
PID:2868 -
\??\c:\rlxffrx.exec:\rlxffrx.exe30⤵
- Executes dropped EXE
PID:3988 -
\??\c:\thbtnh.exec:\thbtnh.exe31⤵
- Executes dropped EXE
PID:1100 -
\??\c:\dddpd.exec:\dddpd.exe32⤵
- Executes dropped EXE
PID:4080 -
\??\c:\rflxlfx.exec:\rflxlfx.exe33⤵
- Executes dropped EXE
PID:592 -
\??\c:\ntbhtn.exec:\ntbhtn.exe34⤵
- Executes dropped EXE
PID:744 -
\??\c:\7flxxxx.exec:\7flxxxx.exe35⤵
- Executes dropped EXE
PID:4132 -
\??\c:\tththt.exec:\tththt.exe36⤵
- Executes dropped EXE
PID:512 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe37⤵
- Executes dropped EXE
PID:1236 -
\??\c:\1fxlfrl.exec:\1fxlfrl.exe38⤵
- Executes dropped EXE
PID:2328 -
\??\c:\7tthhb.exec:\7tthhb.exe39⤵
- Executes dropped EXE
PID:2896 -
\??\c:\jddpj.exec:\jddpj.exe40⤵
- Executes dropped EXE
PID:3472 -
\??\c:\frlxxrf.exec:\frlxxrf.exe41⤵
- Executes dropped EXE
PID:2572 -
\??\c:\7nnbnh.exec:\7nnbnh.exe42⤵
- Executes dropped EXE
PID:4692 -
\??\c:\7ddpd.exec:\7ddpd.exe43⤵
- Executes dropped EXE
PID:2532 -
\??\c:\vpdvd.exec:\vpdvd.exe44⤵
- Executes dropped EXE
PID:2240 -
\??\c:\flfrrlx.exec:\flfrrlx.exe45⤵
- Executes dropped EXE
PID:3788 -
\??\c:\nhhthb.exec:\nhhthb.exe46⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pvpdj.exec:\pvpdj.exe47⤵
- Executes dropped EXE
PID:3952 -
\??\c:\lxxlxlx.exec:\lxxlxlx.exe48⤵
- Executes dropped EXE
PID:3720 -
\??\c:\hbtnhb.exec:\hbtnhb.exe49⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nbthtn.exec:\nbthtn.exe50⤵
- Executes dropped EXE
PID:4192 -
\??\c:\djdjv.exec:\djdjv.exe51⤵
- Executes dropped EXE
PID:4604 -
\??\c:\nbbnhn.exec:\nbbnhn.exe52⤵
- Executes dropped EXE
PID:3324 -
\??\c:\ttthnh.exec:\ttthnh.exe53⤵
- Executes dropped EXE
PID:5072 -
\??\c:\jvvpv.exec:\jvvpv.exe54⤵
- Executes dropped EXE
PID:2388 -
\??\c:\frlxlxl.exec:\frlxlxl.exe55⤵
- Executes dropped EXE
PID:4464 -
\??\c:\tttnhb.exec:\tttnhb.exe56⤵
- Executes dropped EXE
PID:1596 -
\??\c:\vpjjv.exec:\vpjjv.exe57⤵
- Executes dropped EXE
PID:4900 -
\??\c:\5lxlxrf.exec:\5lxlxrf.exe58⤵
- Executes dropped EXE
PID:3176 -
\??\c:\bbbnbn.exec:\bbbnbn.exe59⤵
- Executes dropped EXE
PID:4524 -
\??\c:\nhbttn.exec:\nhbttn.exe60⤵
- Executes dropped EXE
PID:4552 -
\??\c:\pdvjv.exec:\pdvjv.exe61⤵
- Executes dropped EXE
PID:5056 -
\??\c:\1rlflfr.exec:\1rlflfr.exe62⤵
- Executes dropped EXE
PID:2720 -
\??\c:\htnbnh.exec:\htnbnh.exe63⤵
- Executes dropped EXE
PID:1432 -
\??\c:\5bhnbt.exec:\5bhnbt.exe64⤵
- Executes dropped EXE
PID:3112 -
\??\c:\3vjpv.exec:\3vjpv.exe65⤵
- Executes dropped EXE
PID:4808 -
\??\c:\5flxrll.exe  c:\5flxrll.exe  66⤵  PID:1384
-
\??\c:\1hbbnt.exec:\1hbbnt.exe67⤵PID:1560
-
\??\c:\tbbtbt.exec:\tbbtbt.exe68⤵PID:2212
-
\??\c:\ppvjd.exec:\ppvjd.exe69⤵PID:5012
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe70⤵PID:4684
-
\??\c:\llrffxr.exec:\llrffxr.exe71⤵PID:3860
-
\??\c:\7hnhhh.exec:\7hnhhh.exe72⤵PID:4224
-
\??\c:\htthtn.exec:\htthtn.exe73⤵PID:4628
-
\??\c:\vjdvd.exec:\vjdvd.exe74⤵PID:1904
-
\??\c:\xrlxlfx.exec:\xrlxlfx.exe75⤵PID:948
-
\??\c:\3flrfxl.exec:\3flrfxl.exe76⤵PID:636
-
\??\c:\ththtn.exec:\ththtn.exe77⤵PID:3116
-
\??\c:\jjddv.exec:\jjddv.exe78⤵PID:1276
-
\??\c:\5rlfrfx.exec:\5rlfrfx.exe79⤵PID:1844
-
\??\c:\xrrfrrf.exec:\xrrfrrf.exe80⤵PID:3252
-
\??\c:\vpppp.exec:\vpppp.exe81⤵PID:1444
-
\??\c:\xfrfrlx.exec:\xfrfrlx.exe82⤵PID:4308
-
\??\c:\nhhthb.exec:\nhhthb.exe83⤵PID:2324
-
\??\c:\3ttnhh.exec:\3ttnhh.exe84⤵PID:1000
-
\??\c:\jddvp.exec:\jddvp.exe85⤵PID:432
-
\??\c:\xxrrrlr.exec:\xxrrrlr.exe86⤵PID:4276
-
\??\c:\7vvdp.exec:\7vvdp.exe87⤵PID:2360
-
\??\c:\rrffrrx.exec:\rrffrrx.exe88⤵PID:812
-
\??\c:\1xlfrfr.exec:\1xlfrfr.exe89⤵PID:5048
-
\??\c:\nhthhb.exec:\nhthhb.exe90⤵PID:1720
-
\??\c:\pvdpv.exec:\pvdpv.exe91⤵PID:696
-
\??\c:\rlrlxrl.exec:\rlrlxrl.exe92⤵PID:4084
-
\??\c:\lxxlxlf.exec:\lxxlxlf.exe93⤵PID:4832
-
\??\c:\hhnhbb.exec:\hhnhbb.exe94⤵PID:2500
-
\??\c:\jppdj.exec:\jppdj.exe95⤵PID:736
-
\??\c:\lllxlfl.exec:\lllxlfl.exe96⤵PID:2020
-
\??\c:\lxfxxrr.exec:\lxfxxrr.exe97⤵PID:4980
-
\??\c:\nhnbnh.exec:\nhnbnh.exe98⤵PID:4828
-
\??\c:\5nbtnt.exec:\5nbtnt.exe99⤵PID:592
-
\??\c:\pjpjp.exec:\pjpjp.exe100⤵PID:4112
-
\??\c:\llrlxrl.exec:\llrlxrl.exe101⤵PID:3492
-
\??\c:\htbthh.exec:\htbthh.exe102⤵PID:1468
-
\??\c:\7hthtt.exec:\7hthtt.exe103⤵PID:3600
-
\??\c:\7pjjd.exec:\7pjjd.exe104⤵PID:1304
-
\??\c:\xfrlxrf.exe  c:\xfrlxrf.exe  105⤵
- System Location Discovery: System Language Discovery
PID:3272 -
\??\c:\hhnhtn.exec:\hhnhtn.exe106⤵PID:2896
-
\??\c:\nhnhbt.exec:\nhnhbt.exe107⤵PID:1756
-
\??\c:\ppvjv.exec:\ppvjv.exe108⤵PID:4540
-
\??\c:\xrxxxrf.exec:\xrxxxrf.exe109⤵PID:2320
-
\??\c:\tntbth.exec:\tntbth.exe110⤵PID:2164
-
\??\c:\pdvjv.exec:\pdvjv.exe111⤵PID:788
-
\??\c:\vpdpj.exec:\vpdpj.exe112⤵PID:3036
-
\??\c:\1llxllf.exec:\1llxllf.exe113⤵PID:436
-
\??\c:\tbtnbt.exec:\tbtnbt.exe114⤵PID:3420
-
\??\c:\3tnbbt.exec:\3tnbbt.exe115⤵PID:4708
-
\??\c:\dpjvj.exec:\dpjvj.exe116⤵PID:1504
-
\??\c:\jdpdd.exec:\jdpdd.exe117⤵PID:4520
-
\??\c:\rfxlrlr.exec:\rfxlrlr.exe118⤵PID:388
-
\??\c:\nnhthh.exec:\nnhthh.exe119⤵PID:3192
-
\??\c:\ddjdp.exec:\ddjdp.exe120⤵PID:1452
-
\??\c:\flxxxxr.exec:\flxxxxr.exe121⤵PID:3520
-
\??\c:\nnnbnt.exec:\nnnbnt.exe122⤵PID:4484
-