Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
26/12/2024, 22:15
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7bN.exe
Resource
win7-20240903-en
7 signatures
120 seconds (note: this task entry names the win7-20240903-en image, while every IoC below is tagged behavioral2 and the platform/resource fields above name win10v2004-20241007-en; the detailed results appear to come from a second behavioral run whose task entry is not shown here)
General
-
Target
368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7bN.exe
-
Size
453KB
-
MD5
e2a29ffc1cb3699f4814ce88df1d0610
-
SHA1
b2ce5b90ef737bf83945bd4941f70f199c941e8b
-
SHA256
368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7b
-
SHA512
0419dee8b25b2b19452dfaec8abd9a086c28d93401e75d58a07f4432f66278bb401ea9fd196fb7f77039687c5a642fc17b0dbd230a2ecbb0d83acef52912142c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every hit is on the in-memory image at 0x400000-0x42A000 of the parent or a dropped child; the same regions also match the `upx` rule, consistent with a UPX-packed sample whose family signature only fires on the unpacked code in memory, not on the file on disk)
resource yara_rule behavioral2/memory/4724-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/740-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2352-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2164-856-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each dropped binary is placed in the root of C:\ under a pseudo-random name built from the letters b/d/f/h/j/l/n/p/r/t/v/x and digits, and each one launches the next, forming the linear chain shown in the process tree)
pid Process 1288 1jvpj.exe 3712 pjvpv.exe 3708 thnnnt.exe 5100 ttbbhn.exe 3604 1xrrxxf.exe 1264 7nnhhh.exe 4600 5nthbb.exe 3088 7pvvp.exe 3812 rlrlrlr.exe 3004 nhhhbb.exe 3836 dpjdd.exe 4644 rxfxrrl.exe 3560 pjdvp.exe 2352 xrfrlfr.exe 3516 7pdvj.exe 1796 lxlfxrx.exe 1016 5jdvv.exe 636 rrrrlll.exe 1816 xrrrllf.exe 3052 xxllfxl.exe 4248 dppjj.exe 2980 nhttnn.exe 2856 1vvpd.exe 1000 tttbbn.exe 4988 xxrlfxr.exe 2832 nhhthb.exe 740 vjjvv.exe 1680 ppvjv.exe 2000 htthtn.exe 2972 vvvvp.exe 5036 hhhbtn.exe 3404 lrxxxrf.exe 828 fxxrffr.exe 3164 dvvpj.exe 2432 1lxlrlr.exe 2952 bhtnhh.exe 4256 9dvjv.exe 4508 rlflrlr.exe 220 5hbthn.exe 2744 btbthn.exe 4544 jddpj.exe 964 fflxlrx.exe 552 thhthb.exe 1932 3btnnh.exe 4896 dvpjj.exe 2160 3llxffr.exe 1624 nttnnh.exe 4616 vjjjd.exe 3100 rflrfff.exe 412 tbthbt.exe 3708 bnthtt.exe 1068 5ppjd.exe 4824 7frlffx.exe 3436 tnhthb.exe 400 thhthb.exe 1084 vpvjd.exe 1524 xrlxrlx.exe 4968 xxfxrll.exe 1920 tnbtnn.exe 1576 vpppj.exe 4916 lxlxfxf.exe 620 htbbbt.exe 3176 htnhbt.exe 2352 fxllxrf.exe -
resource yara_rule behavioral2/memory/4724-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5036-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-324-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2600-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-640-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here, by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language; "Process not Found" entries are presumably events from short-lived children whose names were no longer resolvable when logged).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each entry records a parent writing into the child it has just spawned, three times per parent/child pair; writes into a freshly created child are also what a plain CreateProcess looks like under the monitor, so this alone does not establish code injection)
description pid Process procid_target PID 4724 wrote to memory of 1288 4724 368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7bN.exe 83 PID 4724 wrote to memory of 1288 4724 368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7bN.exe 83 PID 4724 wrote to memory of 1288 4724 368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7bN.exe 83 PID 1288 wrote to memory of 3712 1288 1jvpj.exe 84 PID 1288 wrote to memory of 3712 1288 1jvpj.exe 84 PID 1288 wrote to memory of 3712 1288 1jvpj.exe 84 PID 3712 wrote to memory of 3708 3712 pjvpv.exe 85 PID 3712 wrote to memory of 3708 3712 pjvpv.exe 85 PID 3712 wrote to memory of 3708 3712 pjvpv.exe 85 PID 3708 wrote to memory of 5100 3708 thnnnt.exe 86 PID 3708 wrote to memory of 5100 3708 thnnnt.exe 86 PID 3708 wrote to memory of 5100 3708 thnnnt.exe 86 PID 5100 wrote to memory of 3604 5100 ttbbhn.exe 87 PID 5100 wrote to memory of 3604 5100 ttbbhn.exe 87 PID 5100 wrote to memory of 3604 5100 ttbbhn.exe 87 PID 3604 wrote to memory of 1264 3604 1xrrxxf.exe 88 PID 3604 wrote to memory of 1264 3604 1xrrxxf.exe 88 PID 3604 wrote to memory of 1264 3604 1xrrxxf.exe 88 PID 1264 wrote to memory of 4600 1264 7nnhhh.exe 89 PID 1264 wrote to memory of 4600 1264 7nnhhh.exe 89 PID 1264 wrote to memory of 4600 1264 7nnhhh.exe 89 PID 4600 wrote to memory of 3088 4600 5nthbb.exe 90 PID 4600 wrote to memory of 3088 4600 5nthbb.exe 90 PID 4600 wrote to memory of 3088 4600 5nthbb.exe 90 PID 3088 wrote to memory of 3812 3088 7pvvp.exe 91 PID 3088 wrote to memory of 3812 3088 7pvvp.exe 91 PID 3088 wrote to memory of 3812 3088 7pvvp.exe 91 PID 3812 wrote to memory of 3004 3812 rlrlrlr.exe 92 PID 3812 wrote to memory of 3004 3812 rlrlrlr.exe 92 PID 3812 wrote to memory of 3004 3812 rlrlrlr.exe 92 PID 3004 wrote to memory of 3836 3004 nhhhbb.exe 93 PID 3004 wrote to memory of 3836 3004 nhhhbb.exe 93 PID 3004 wrote to memory of 3836 3004 nhhhbb.exe 93 PID 3836 wrote to memory of 4644 3836 dpjdd.exe 94 PID 3836 wrote to 
memory of 4644 3836 dpjdd.exe 94 PID 3836 wrote to memory of 4644 3836 dpjdd.exe 94 PID 4644 wrote to memory of 3560 4644 rxfxrrl.exe 95 PID 4644 wrote to memory of 3560 4644 rxfxrrl.exe 95 PID 4644 wrote to memory of 3560 4644 rxfxrrl.exe 95 PID 3560 wrote to memory of 2352 3560 pjdvp.exe 96 PID 3560 wrote to memory of 2352 3560 pjdvp.exe 96 PID 3560 wrote to memory of 2352 3560 pjdvp.exe 96 PID 2352 wrote to memory of 3516 2352 xrfrlfr.exe 97 PID 2352 wrote to memory of 3516 2352 xrfrlfr.exe 97 PID 2352 wrote to memory of 3516 2352 xrfrlfr.exe 97 PID 3516 wrote to memory of 1796 3516 7pdvj.exe 98 PID 3516 wrote to memory of 1796 3516 7pdvj.exe 98 PID 3516 wrote to memory of 1796 3516 7pdvj.exe 98 PID 1796 wrote to memory of 1016 1796 lxlfxrx.exe 99 PID 1796 wrote to memory of 1016 1796 lxlfxrx.exe 99 PID 1796 wrote to memory of 1016 1796 lxlfxrx.exe 99 PID 1016 wrote to memory of 636 1016 5jdvv.exe 100 PID 1016 wrote to memory of 636 1016 5jdvv.exe 100 PID 1016 wrote to memory of 636 1016 5jdvv.exe 100 PID 636 wrote to memory of 1816 636 rrrrlll.exe 101 PID 636 wrote to memory of 1816 636 rrrrlll.exe 101 PID 636 wrote to memory of 1816 636 rrrrlll.exe 101 PID 1816 wrote to memory of 3052 1816 xrrrllf.exe 102 PID 1816 wrote to memory of 3052 1816 xrrrllf.exe 102 PID 1816 wrote to memory of 3052 1816 xrrrllf.exe 102 PID 3052 wrote to memory of 4248 3052 xxllfxl.exe 103 PID 3052 wrote to memory of 4248 3052 xxllfxl.exe 103 PID 3052 wrote to memory of 4248 3052 xxllfxl.exe 103 PID 4248 wrote to memory of 2980 4248 dppjj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7bN.exe — command line: "C:\Users\Admin\AppData\Local\Temp\368a1d4a71a3060cc5374d61b50030d1eda2e9118a143f99e003923cbf9a5e7bN.exe" (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\1jvpj.exec:\1jvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\pjvpv.exec:\pjvpv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\thnnnt.exec:\thnnnt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\ttbbhn.exec:\ttbbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\1xrrxxf.exec:\1xrrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\7nnhhh.exec:\7nnhhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\5nthbb.exec:\5nthbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\7pvvp.exec:\7pvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\nhhhbb.exec:\nhhhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\dpjdd.exec:\dpjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\pjdvp.exec:\pjdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\xrfrlfr.exec:\xrfrlfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\7pdvj.exec:\7pdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\lxlfxrx.exec:\lxlfxrx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\5jdvv.exec:\5jdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\rrrrlll.exec:\rrrrlll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\xrrrllf.exec:\xrrrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\xxllfxl.exec:\xxllfxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\dppjj.exec:\dppjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\nhttnn.exec:\nhttnn.exe23⤵
- Executes dropped EXE
PID:2980 -
\??\c:\1vvpd.exec:\1vvpd.exe24⤵
- Executes dropped EXE
PID:2856 -
\??\c:\tttbbn.exec:\tttbbn.exe25⤵
- Executes dropped EXE
PID:1000 -
\??\c:\xxrlfxr.exec:\xxrlfxr.exe26⤵
- Executes dropped EXE
PID:4988 -
\??\c:\nhhthb.exec:\nhhthb.exe27⤵
- Executes dropped EXE
PID:2832 -
\??\c:\vjjvv.exec:\vjjvv.exe28⤵
- Executes dropped EXE
PID:740 -
\??\c:\ppvjv.exec:\ppvjv.exe29⤵
- Executes dropped EXE
PID:1680 -
\??\c:\htthtn.exec:\htthtn.exe30⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vvvvp.exec:\vvvvp.exe31⤵
- Executes dropped EXE
PID:2972 -
\??\c:\hhhbtn.exec:\hhhbtn.exe32⤵
- Executes dropped EXE
PID:5036 -
\??\c:\lrxxxrf.exec:\lrxxxrf.exe33⤵
- Executes dropped EXE
PID:3404 -
\??\c:\fxxrffr.exec:\fxxrffr.exe34⤵
- Executes dropped EXE
PID:828 -
\??\c:\dvvpj.exec:\dvvpj.exe35⤵
- Executes dropped EXE
PID:3164 -
\??\c:\1lxlrlr.exec:\1lxlrlr.exe36⤵
- Executes dropped EXE
PID:2432 -
\??\c:\bhtnhh.exec:\bhtnhh.exe37⤵
- Executes dropped EXE
PID:2952 -
\??\c:\9dvjv.exec:\9dvjv.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4256 -
\??\c:\rlflrlr.exec:\rlflrlr.exe39⤵
- Executes dropped EXE
PID:4508 -
\??\c:\5hbthn.exec:\5hbthn.exe40⤵
- Executes dropped EXE
PID:220 -
\??\c:\btbthn.exec:\btbthn.exe41⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jddpj.exec:\jddpj.exe42⤵
- Executes dropped EXE
PID:4544 -
\??\c:\fflxlrx.exec:\fflxlrx.exe43⤵
- Executes dropped EXE
PID:964 -
\??\c:\thhthb.exec:\thhthb.exe44⤵
- Executes dropped EXE
PID:552 -
\??\c:\3btnnh.exec:\3btnnh.exe45⤵
- Executes dropped EXE
PID:1932 -
\??\c:\dvpjj.exec:\dvpjj.exe46⤵
- Executes dropped EXE
PID:4896 -
\??\c:\3llxffr.exec:\3llxffr.exe47⤵
- Executes dropped EXE
PID:2160 -
\??\c:\nttnnh.exec:\nttnnh.exe48⤵
- Executes dropped EXE
PID:1624 -
\??\c:\vjjjd.exec:\vjjjd.exe49⤵
- Executes dropped EXE
PID:4616 -
\??\c:\rflrfff.exec:\rflrfff.exe50⤵
- Executes dropped EXE
PID:3100 -
\??\c:\tbthbt.exec:\tbthbt.exe51⤵
- Executes dropped EXE
PID:412 -
\??\c:\bnthtt.exec:\bnthtt.exe52⤵
- Executes dropped EXE
PID:3708 -
\??\c:\5ppjd.exec:\5ppjd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1068 -
\??\c:\7frlffx.exec:\7frlffx.exe54⤵
- Executes dropped EXE
PID:4824 -
\??\c:\tnhthb.exec:\tnhthb.exe55⤵
- Executes dropped EXE
PID:3436 -
\??\c:\thhthb.exec:\thhthb.exe56⤵
- Executes dropped EXE
PID:400 -
\??\c:\vpvjd.exec:\vpvjd.exe57⤵
- Executes dropped EXE
PID:1084 -
\??\c:\xrlxrlx.exec:\xrlxrlx.exe58⤵
- Executes dropped EXE
PID:1524 -
\??\c:\xxfxrll.exec:\xxfxrll.exe59⤵
- Executes dropped EXE
PID:4968 -
\??\c:\tnbtnn.exec:\tnbtnn.exe60⤵
- Executes dropped EXE
PID:1920 -
\??\c:\vpppj.exec:\vpppj.exe61⤵
- Executes dropped EXE
PID:1576 -
\??\c:\lxlxfxf.exec:\lxlxfxf.exe62⤵
- Executes dropped EXE
PID:4916 -
\??\c:\htbbbt.exec:\htbbbt.exe63⤵
- Executes dropped EXE
PID:620 -
\??\c:\htnhbt.exec:\htnhbt.exe64⤵
- Executes dropped EXE
PID:3176 -
\??\c:\fxllxrf.exec:\fxllxrf.exe65⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ffrlfxx.exec:\ffrlfxx.exe66⤵PID:1848
-
\??\c:\hbthtn.exec:\hbthtn.exe67⤵PID:2692
-
\??\c:\9djdd.exec:\9djdd.exe68⤵PID:4072
-
\??\c:\7rlfrrr.exec:\7rlfrrr.exe69⤵PID:724
-
\??\c:\bhhthb.exec:\bhhthb.exe70⤵PID:1132
-
\??\c:\pjdvj.exec:\pjdvj.exe71⤵PID:1072
-
\??\c:\frfrfrl.exec:\frfrfrl.exe72⤵PID:816
-
\??\c:\thnbnn.exec:\thnbnn.exe73⤵PID:2328
-
\??\c:\bnnhhh.exec:\bnnhhh.exe74⤵PID:3052
-
\??\c:\djpjj.exec:\djpjj.exe75⤵PID:2600
-
\??\c:\3lfrffx.exec:\3lfrffx.exe76⤵PID:4432
-
\??\c:\htnbnn.exec:\htnbnn.exe77⤵PID:3992
-
\??\c:\dddvv.exec:\dddvv.exe78⤵PID:2948
-
\??\c:\rrxrllf.exec:\rrxrllf.exe79⤵PID:3984
-
\??\c:\9rlxrlf.exec:\9rlxrlf.exe80⤵PID:372
-
\??\c:\ntbtht.exec:\ntbtht.exe81⤵PID:752
-
\??\c:\pddpj.exec:\pddpj.exe82⤵PID:2832
-
\??\c:\frrfxrr.exec:\frrfxrr.exe83⤵PID:856
-
\??\c:\1rxrrlx.exec:\1rxrrlx.exe84⤵PID:756
-
\??\c:\nbhbhb.exec:\nbhbhb.exe85⤵PID:4532
-
\??\c:\5vppd.exec:\5vppd.exe86⤵PID:2584
-
\??\c:\1vdvp.exec:\1vdvp.exe87⤵PID:2972
-
\??\c:\xlrfrlr.exec:\xlrfrlr.exe88⤵PID:5036
-
\??\c:\3bhthh.exec:\3bhthh.exe89⤵PID:4344
-
\??\c:\3dvpd.exec:\3dvpd.exe90⤵PID:4876
-
\??\c:\5xrfrrl.exec:\5xrfrrl.exe91⤵PID:1104
-
\??\c:\bhhbnh.exec:\bhhbnh.exe92⤵PID:868
-
\??\c:\7tbnht.exec:\7tbnht.exe93⤵PID:516
-
\??\c:\5pvpj.exec:\5pvpj.exe94⤵PID:5056
-
\??\c:\lrxlxrl.exec:\lrxlxrl.exe95⤵PID:4840
-
\??\c:\5bhnhh.exec:\5bhnhh.exe96⤵PID:3892
-
\??\c:\tbnhbt.exec:\tbnhbt.exe97⤵PID:396
-
\??\c:\dvpjv.exec:\dvpjv.exe98⤵PID:1224
-
\??\c:\lxflfxl.exec:\lxflfxl.exe99⤵PID:4544
-
\??\c:\hbbnhb.exec:\hbbnhb.exe100⤵PID:4316
-
\??\c:\5bnthh.exec:\5bnthh.exe101⤵PID:5076
-
\??\c:\jjpjd.exec:\jjpjd.exe102⤵PID:4180
-
\??\c:\lrfrlfx.exec:\lrfrlfx.exe103⤵PID:1288
-
\??\c:\httnhb.exec:\httnhb.exe104⤵PID:4152
-
\??\c:\tnthhb.exec:\tnthhb.exe105⤵PID:3144
-
\??\c:\ppvpj.exec:\ppvpj.exe106⤵
- System Location Discovery: System Language Discovery
PID:4560 -
\??\c:\5vdvv.exec:\5vdvv.exe107⤵PID:3432
-
\??\c:\frllffx.exec:\frllffx.exe108⤵PID:2224
-
\??\c:\thhbnt.exec:\thhbnt.exe109⤵PID:1080
-
\??\c:\hnthtn.exec:\hnthtn.exe110⤵PID:2552
-
\??\c:\vdpdd.exec:\vdpdd.exe111⤵PID:4340
-
\??\c:\xxxrffx.exec:\xxxrffx.exe112⤵PID:2708
-
\??\c:\bbttbb.exec:\bbttbb.exe113⤵PID:780
-
\??\c:\7jjdp.exec:\7jjdp.exe114⤵PID:2228
-
\??\c:\5vvjv.exec:\5vvjv.exe115⤵PID:4036
-
\??\c:\rffxlfx.exec:\rffxlfx.exe116⤵PID:1424
-
\??\c:\nbtnbb.exec:\nbtnbb.exe117⤵PID:1940
-
\??\c:\vppdp.exec:\vppdp.exe118⤵PID:732
-
\??\c:\fffxlfx.exec:\fffxlfx.exe119⤵PID:1576
-
\??\c:\xflffxr.exec:\xflffxr.exe120⤵PID:1984
-
\??\c:\9hhbnh.exec:\9hhbnh.exe121⤵PID:2788
-
\??\c:\5djdv.exec:\5djdv.exe122⤵PID:4820