Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 08:22
Behavioral task
behavioral1
Sample
1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe
-
Size
345KB
-
MD5
c0c039dfa8493e272642c82a1b233e70
-
SHA1
387c4921bd5463561b1b0bc3cc84edd85e7710f9
-
SHA256
1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310
-
SHA512
13afd2af4d8a843d5446444ae16b9e0e92571ea32cc382f0d8522d7ccd47470d07320ce5623ebf3a244a6d984bb2949309b0c7dc7718dc809ed85cc9f9f9ec0a
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYA8:R4wFHoS3WXZshJX2VGd8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2124-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3112-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2180-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1060-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1988-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1208-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2108-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1100-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1824-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2808-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1520-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3712-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4184-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4932-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2012-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4612-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/916-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/904-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4524-143-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2284-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5040-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1884-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/868-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2576-265-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/740-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1456-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1700-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2756-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2952-378-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3132-416-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2856-441-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-454-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2976-521-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2232-632-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4808-667-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-752-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4492-1305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2948 thtnnn.exe 3112 lffxrrl.exe 2180 fxfxrff.exe 1060 vvvvp.exe 1988 thhbbb.exe 3216 vpdvv.exe 2732 nhbbbb.exe 2588 xlxrrll.exe 3412 pjvvd.exe 1612 1rfxfff.exe 1208 jvjjp.exe 2816 bbhttb.exe 2108 3djjj.exe 1100 thtnhh.exe 2148 5ppjd.exe 2084 3hhhbh.exe 1824 jvdjj.exe 2808 xflrrxx.exe 3316 ttbbtt.exe 216 jdppv.exe 2540 lfllfff.exe 1520 hthbbb.exe 3624 9djjd.exe 628 lxlfxxx.exe 372 5lxrxfx.exe 4532 nbhbhh.exe 4436 ttbbtt.exe 2284 jdvpv.exe 4524 pjvvv.exe 1248 xxxrlll.exe 904 fxxrrxx.exe 916 hbhbbb.exe 3620 vjpvp.exe 2396 jdvvj.exe 2356 xrxfxxx.exe 1616 xrxrlll.exe 4612 htnhbb.exe 3508 nbbttb.exe 2012 vvjjd.exe 2104 rlxfxfx.exe 4932 lxffxfr.exe 4184 nthhbb.exe 3940 nhbtbb.exe 3712 dvjdd.exe 2376 dpvpp.exe 2024 1lrfxrr.exe 2360 xxrrllx.exe 4540 nhbbhn.exe 4164 jjpvp.exe 1832 vvppp.exe 2340 xxlfffx.exe 3440 rxlffxr.exe 4396 nnhbnb.exe 2336 ppjdj.exe 2324 dvjdd.exe 5000 9lxxxxf.exe 3132 xfrrxfl.exe 1224 5tnnbh.exe 4432 rxfllxf.exe 4644 rrlxxxf.exe 5104 thhnnn.exe 5040 dvvjd.exe 3404 bntnhh.exe 1636 pppjj.exe -
resource yara_rule behavioral2/memory/2124-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b40-3.dat upx behavioral2/memory/2124-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2948-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9c-8.dat upx behavioral2/files/0x000a000000023b9e-11.dat upx behavioral2/memory/3112-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9f-19.dat upx behavioral2/memory/2180-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba0-23.dat upx behavioral2/memory/1060-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1988-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba1-28.dat upx behavioral2/files/0x000a000000023ba2-34.dat upx behavioral2/memory/2732-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3216-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba3-40.dat upx behavioral2/files/0x000a000000023ba4-43.dat upx behavioral2/memory/2588-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba5-48.dat upx behavioral2/memory/3412-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba6-53.dat upx behavioral2/memory/1208-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba7-57.dat upx behavioral2/files/0x000b000000023b9a-62.dat upx behavioral2/memory/2816-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba8-67.dat upx behavioral2/memory/2108-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba9-72.dat upx behavioral2/memory/1100-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baa-77.dat upx 
behavioral2/files/0x000a000000023bac-81.dat upx behavioral2/files/0x000a000000023bad-85.dat upx behavioral2/memory/1824-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bae-91.dat upx behavioral2/files/0x000a000000023bb0-100.dat upx behavioral2/memory/2540-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb1-106.dat upx behavioral2/memory/216-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baf-95.dat upx behavioral2/memory/2808-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bb2-111.dat upx behavioral2/memory/1520-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3440-206-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2360-195-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2376-190-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3712-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4184-182-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4932-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/5000-215-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2012-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4612-169-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3620-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/916-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bd3-154.dat upx behavioral2/memory/904-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bd2-149.dat upx behavioral2/files/0x0009000000023bd1-145.dat upx behavioral2/memory/4524-143-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bcc-140.dat upx 
behavioral2/memory/2284-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bc3-135.dat upx behavioral2/memory/4436-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bae-130.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrxfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2948 2124 1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe 82 PID 2124 wrote to memory of 2948 2124 1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe 82 PID 2124 wrote to memory of 2948 2124 1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe 82 PID 2948 wrote to memory of 3112 2948 thtnnn.exe 83 PID 2948 wrote to memory of 3112 2948 thtnnn.exe 83 PID 2948 wrote to memory of 3112 2948 thtnnn.exe 83 PID 3112 wrote to memory of 2180 3112 lffxrrl.exe 84 PID 3112 wrote to memory of 2180 3112 lffxrrl.exe 84 PID 3112 wrote to memory of 2180 3112 lffxrrl.exe 84 PID 2180 wrote to memory of 1060 2180 fxfxrff.exe 85 PID 2180 wrote to memory of 1060 2180 fxfxrff.exe 85 PID 2180 wrote to memory of 1060 2180 fxfxrff.exe 85 PID 1060 wrote to memory of 1988 1060 vvvvp.exe 86 PID 1060 wrote to memory of 1988 1060 vvvvp.exe 86 PID 1060 wrote to memory of 1988 1060 vvvvp.exe 86 PID 1988 wrote to memory of 3216 1988 thhbbb.exe 87 PID 1988 wrote to memory of 3216 1988 thhbbb.exe 87 PID 1988 wrote to memory of 3216 1988 thhbbb.exe 87 PID 3216 wrote to memory of 2732 3216 vpdvv.exe 88 PID 3216 wrote to memory of 2732 3216 vpdvv.exe 88 PID 3216 wrote to memory of 2732 3216 vpdvv.exe 88 PID 2732 wrote to memory of 2588 2732 nhbbbb.exe 89 PID 2732 wrote to memory of 2588 2732 nhbbbb.exe 89 PID 2732 wrote to memory of 2588 2732 nhbbbb.exe 89 PID 2588 wrote to memory of 3412 2588 xlxrrll.exe 90 PID 2588 wrote to memory of 3412 2588 xlxrrll.exe 90 PID 2588 wrote to memory of 3412 2588 xlxrrll.exe 90 PID 3412 wrote to memory of 1612 3412 pjvvd.exe 91 PID 3412 wrote to memory of 1612 3412 pjvvd.exe 91 PID 3412 wrote to memory of 1612 3412 pjvvd.exe 91 PID 1612 wrote to memory of 1208 1612 1rfxfff.exe 92 PID 1612 wrote to memory of 1208 1612 1rfxfff.exe 92 PID 1612 wrote to memory of 1208 1612 1rfxfff.exe 92 PID 1208 wrote to memory of 2816 1208 jvjjp.exe 93 PID 1208 wrote 
to memory of 2816 1208 jvjjp.exe 93 PID 1208 wrote to memory of 2816 1208 jvjjp.exe 93 PID 2816 wrote to memory of 2108 2816 bbhttb.exe 94 PID 2816 wrote to memory of 2108 2816 bbhttb.exe 94 PID 2816 wrote to memory of 2108 2816 bbhttb.exe 94 PID 2108 wrote to memory of 1100 2108 3djjj.exe 95 PID 2108 wrote to memory of 1100 2108 3djjj.exe 95 PID 2108 wrote to memory of 1100 2108 3djjj.exe 95 PID 1100 wrote to memory of 2148 1100 thtnhh.exe 96 PID 1100 wrote to memory of 2148 1100 thtnhh.exe 96 PID 1100 wrote to memory of 2148 1100 thtnhh.exe 96 PID 2148 wrote to memory of 2084 2148 5ppjd.exe 97 PID 2148 wrote to memory of 2084 2148 5ppjd.exe 97 PID 2148 wrote to memory of 2084 2148 5ppjd.exe 97 PID 2084 wrote to memory of 1824 2084 3hhhbh.exe 98 PID 2084 wrote to memory of 1824 2084 3hhhbh.exe 98 PID 2084 wrote to memory of 1824 2084 3hhhbh.exe 98 PID 1824 wrote to memory of 2808 1824 jvdjj.exe 99 PID 1824 wrote to memory of 2808 1824 jvdjj.exe 99 PID 1824 wrote to memory of 2808 1824 jvdjj.exe 99 PID 2808 wrote to memory of 3316 2808 xflrrxx.exe 100 PID 2808 wrote to memory of 3316 2808 xflrrxx.exe 100 PID 2808 wrote to memory of 3316 2808 xflrrxx.exe 100 PID 3316 wrote to memory of 216 3316 ttbbtt.exe 101 PID 3316 wrote to memory of 216 3316 ttbbtt.exe 101 PID 3316 wrote to memory of 216 3316 ttbbtt.exe 101 PID 216 wrote to memory of 2540 216 jdppv.exe 102 PID 216 wrote to memory of 2540 216 jdppv.exe 102 PID 216 wrote to memory of 2540 216 jdppv.exe 102 PID 2540 wrote to memory of 1520 2540 lfllfff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe"C:\Users\Admin\AppData\Local\Temp\1494dcde7788df01c3d779545801695d147991f9bfb030465913bfb7f41e6310N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\thtnnn.exec:\thtnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\lffxrrl.exec:\lffxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\fxfxrff.exec:\fxfxrff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\vvvvp.exec:\vvvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\thhbbb.exec:\thhbbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\vpdvv.exec:\vpdvv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\nhbbbb.exec:\nhbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\xlxrrll.exec:\xlxrrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\pjvvd.exec:\pjvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\1rfxfff.exec:\1rfxfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\jvjjp.exec:\jvjjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208 -
\??\c:\bbhttb.exec:\bbhttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\3djjj.exec:\3djjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\thtnhh.exec:\thtnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\5ppjd.exec:\5ppjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\3hhhbh.exec:\3hhhbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
\??\c:\jvdjj.exec:\jvdjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\xflrrxx.exec:\xflrrxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\ttbbtt.exec:\ttbbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\jdppv.exec:\jdppv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\lfllfff.exec:\lfllfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\hthbbb.exec:\hthbbb.exe23⤵
- Executes dropped EXE
PID:1520 -
\??\c:\9djjd.exec:\9djjd.exe24⤵
- Executes dropped EXE
PID:3624 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe25⤵
- Executes dropped EXE
PID:628 -
\??\c:\5lxrxfx.exec:\5lxrxfx.exe26⤵
- Executes dropped EXE
PID:372 -
\??\c:\nbhbhh.exec:\nbhbhh.exe27⤵
- Executes dropped EXE
PID:4532 -
\??\c:\ttbbtt.exec:\ttbbtt.exe28⤵
- Executes dropped EXE
PID:4436 -
\??\c:\jdvpv.exec:\jdvpv.exe29⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pjvvv.exec:\pjvvv.exe30⤵
- Executes dropped EXE
PID:4524 -
\??\c:\xxxrlll.exec:\xxxrlll.exe31⤵
- Executes dropped EXE
PID:1248 -
\??\c:\fxxrrxx.exec:\fxxrrxx.exe32⤵
- Executes dropped EXE
PID:904 -
\??\c:\hbhbbb.exec:\hbhbbb.exe33⤵
- Executes dropped EXE
PID:916 -
\??\c:\vjpvp.exec:\vjpvp.exe34⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jdvvj.exec:\jdvvj.exe35⤵
- Executes dropped EXE
PID:2396 -
\??\c:\xrxfxxx.exec:\xrxfxxx.exe36⤵
- Executes dropped EXE
PID:2356 -
\??\c:\xrxrlll.exec:\xrxrlll.exe37⤵
- Executes dropped EXE
PID:1616 -
\??\c:\htnhbb.exec:\htnhbb.exe38⤵
- Executes dropped EXE
PID:4612 -
\??\c:\nbbttb.exec:\nbbttb.exe39⤵
- Executes dropped EXE
PID:3508 -
\??\c:\vvjjd.exec:\vvjjd.exe40⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rlxfxfx.exec:\rlxfxfx.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104 -
\??\c:\lxffxfr.exec:\lxffxfr.exe42⤵
- Executes dropped EXE
PID:4932 -
\??\c:\nthhbb.exec:\nthhbb.exe43⤵
- Executes dropped EXE
PID:4184 -
\??\c:\nhbtbb.exec:\nhbtbb.exe44⤵
- Executes dropped EXE
PID:3940 -
\??\c:\dvjdd.exec:\dvjdd.exe45⤵
- Executes dropped EXE
PID:3712 -
\??\c:\dpvpp.exec:\dpvpp.exe46⤵
- Executes dropped EXE
PID:2376 -
\??\c:\1lrfxrr.exec:\1lrfxrr.exe47⤵
- Executes dropped EXE
PID:2024 -
\??\c:\xxrrllx.exec:\xxrrllx.exe48⤵
- Executes dropped EXE
PID:2360 -
\??\c:\nhbbhn.exec:\nhbbhn.exe49⤵
- Executes dropped EXE
PID:4540 -
\??\c:\jjpvp.exec:\jjpvp.exe50⤵
- Executes dropped EXE
PID:4164 -
\??\c:\vvppp.exec:\vvppp.exe51⤵
- Executes dropped EXE
PID:1832 -
\??\c:\xxlfffx.exec:\xxlfffx.exe52⤵
- Executes dropped EXE
PID:2340 -
\??\c:\rxlffxr.exec:\rxlffxr.exe53⤵
- Executes dropped EXE
PID:3440 -
\??\c:\nnhbnb.exec:\nnhbnb.exe54⤵
- Executes dropped EXE
PID:4396 -
\??\c:\ppjdj.exec:\ppjdj.exe55⤵
- Executes dropped EXE
PID:2336 -
\??\c:\dvjdd.exec:\dvjdd.exe56⤵
- Executes dropped EXE
PID:2324 -
\??\c:\9lxxxxf.exec:\9lxxxxf.exe57⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xfrrxfl.exec:\xfrrxfl.exe58⤵
- Executes dropped EXE
PID:3132 -
\??\c:\5tnnbh.exec:\5tnnbh.exe59⤵
- Executes dropped EXE
PID:1224 -
\??\c:\rxfllxf.exec:\rxfllxf.exe60⤵
- Executes dropped EXE
PID:4432 -
\??\c:\rrlxxxf.exec:\rrlxxxf.exe61⤵
- Executes dropped EXE
PID:4644 -
\??\c:\thhnnn.exec:\thhnnn.exe62⤵
- Executes dropped EXE
PID:5104 -
\??\c:\dvvjd.exec:\dvvjd.exe63⤵
- Executes dropped EXE
PID:5040 -
\??\c:\bntnhh.exec:\bntnhh.exe64⤵
- Executes dropped EXE
PID:3404 -
\??\c:\pppjj.exec:\pppjj.exe65⤵
- Executes dropped EXE
PID:1636 -
\??\c:\vjvpj.exec:\vjvpj.exe66⤵PID:3684
-
\??\c:\djpjj.exec:\djpjj.exe67⤵PID:4816
-
\??\c:\lrllxrr.exec:\lrllxrr.exe68⤵PID:2400
-
\??\c:\vvvvd.exec:\vvvvd.exe69⤵PID:3520
-
\??\c:\fflfxff.exec:\fflfxff.exe70⤵PID:4344
-
\??\c:\jvvvp.exec:\jvvvp.exe71⤵PID:4412
-
\??\c:\rfrrlll.exec:\rfrrlll.exe72⤵PID:1884
-
\??\c:\5pvvd.exec:\5pvvd.exe73⤵PID:2948
-
\??\c:\hbbbbb.exec:\hbbbbb.exe74⤵PID:2672
-
\??\c:\llxxfff.exec:\llxxfff.exe75⤵PID:3184
-
\??\c:\hnbttt.exec:\hnbttt.exe76⤵PID:2008
-
\??\c:\ppvdp.exec:\ppvdp.exe77⤵
- System Location Discovery: System Language Discovery
PID:868 -
\??\c:\lxxrlrx.exec:\lxxrlrx.exe78⤵PID:2576
-
\??\c:\tbhttn.exec:\tbhttn.exe79⤵PID:3584
-
\??\c:\jpdvd.exec:\jpdvd.exe80⤵PID:740
-
\??\c:\rflfxxf.exec:\rflfxxf.exe81⤵PID:4564
-
\??\c:\pdjpd.exec:\pdjpd.exe82⤵PID:2736
-
\??\c:\xxrrxfl.exec:\xxrrxfl.exe83⤵PID:3984
-
\??\c:\nhhtnh.exec:\nhhtnh.exe84⤵PID:840
-
\??\c:\nhtbtb.exec:\nhtbtb.exe85⤵PID:1456
-
\??\c:\pvddv.exec:\pvddv.exe86⤵PID:4704
-
\??\c:\rffffll.exec:\rffffll.exe87⤵PID:3080
-
\??\c:\thntbb.exec:\thntbb.exe88⤵PID:3612
-
\??\c:\nbtntb.exec:\nbtntb.exe89⤵PID:4444
-
\??\c:\ddvjv.exec:\ddvjv.exe90⤵PID:4776
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe91⤵PID:2204
-
\??\c:\nnnnhn.exec:\nnnnhn.exe92⤵PID:2036
-
\??\c:\7vvpj.exec:\7vvpj.exe93⤵PID:440
-
\??\c:\lrffxff.exec:\lrffxff.exe94⤵PID:2876
-
\??\c:\nnnbbb.exec:\nnnbbb.exe95⤵PID:3936
-
\??\c:\tthhhh.exec:\tthhhh.exe96⤵PID:1080
-
\??\c:\7pddj.exec:\7pddj.exe97⤵PID:1824
-
\??\c:\fxfrxxl.exec:\fxfrxxl.exe98⤵PID:1640
-
\??\c:\bhbbtb.exec:\bhbbtb.exe99⤵PID:1700
-
\??\c:\jjjdp.exec:\jjjdp.exe100⤵PID:4024
-
\??\c:\rxfxrxx.exec:\rxfxrxx.exe101⤵PID:4168
-
\??\c:\5fxrllf.exec:\5fxrllf.exe102⤵PID:1576
-
\??\c:\tnhhtb.exec:\tnhhtb.exe103⤵PID:4440
-
\??\c:\pvvpj.exec:\pvvpj.exe104⤵PID:2756
-
\??\c:\fxfrlfr.exec:\fxfrlfr.exe105⤵PID:2412
-
\??\c:\hnttnn.exec:\hnttnn.exe106⤵PID:2700
-
\??\c:\hhnttn.exec:\hhnttn.exe107⤵PID:3856
-
\??\c:\jjjdv.exec:\jjjdv.exe108⤵PID:1248
-
\??\c:\xrfxffr.exec:\xrfxffr.exe109⤵PID:4472
-
\??\c:\lfrlfff.exec:\lfrlfff.exe110⤵PID:4620
-
\??\c:\tnttht.exec:\tnttht.exe111⤵PID:392
-
\??\c:\djpdv.exec:\djpdv.exe112⤵PID:4868
-
\??\c:\xxflffr.exec:\xxflffr.exe113⤵PID:1580
-
\??\c:\xxxxxxf.exec:\xxxxxxf.exe114⤵PID:2236
-
\??\c:\hnbbnn.exec:\hnbbnn.exe115⤵PID:4276
-
\??\c:\hhnttt.exec:\hhnttt.exe116⤵PID:2012
-
\??\c:\dvddj.exec:\dvddj.exe117⤵PID:3252
-
\??\c:\7ffrlxr.exec:\7ffrlxr.exe118⤵PID:4932
-
\??\c:\1btttt.exec:\1btttt.exe119⤵PID:512
-
\??\c:\9jvpj.exec:\9jvpj.exe120⤵PID:4296
-
\??\c:\5lxllfr.exec:\5lxllfr.exe121⤵PID:4248
-
\??\c:\xxllxfx.exec:\xxllxfx.exe122⤵PID:5016
-