Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47N.exe
-
Size
454KB
-
MD5
9391c98765adc62ca676a2e7b6d4ff00
-
SHA1
82574b6a3cc12f63cde3ef92210c2557f7eeeb65
-
SHA256
cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47
-
SHA512
943256e6f619b0cb849e1c730126b3acd50288321b117d8b9631d2674da48c671dfb819d4cb24a52b53756dd1d61db73203e015cf9b739850c42d1f86c79a79a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2960-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2620-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2132-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-736-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-1037-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-1125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-1237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/612-1357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2320 vjvpj.exe 2960 frfrfrf.exe 3980 hntbbt.exe 2768 nhbbbt.exe 956 rlfxlfr.exe 4148 jvdvp.exe 2656 1vpdp.exe 3676 5bhttn.exe 2176 rxxlxrl.exe 3020 hntnhh.exe 4756 rfrlfxr.exe 3728 pjppv.exe 544 ttbtbt.exe 2248 9jjvp.exe 1384 lxrrllf.exe 2148 vjpjv.exe 5024 rllxrrf.exe 60 vjpjj.exe 1988 rxrfrll.exe 3140 jjjdd.exe 2624 7lfrxrl.exe 4516 9ttnbt.exe 1860 1ffrrlf.exe 2620 vpjvj.exe 4820 9lfxlfr.exe 3264 hntbhn.exe 4596 jjpjv.exe 2188 btbbtt.exe 4212 hthbnn.exe 432 5pvpp.exe 2604 xrrxllx.exe 1392 nhnhbb.exe 4156 xfxlxll.exe 2964 7frfllr.exe 1652 jjjdv.exe 3428 xlrlrxl.exe 2844 btbtnn.exe 440 djjdd.exe 4244 fllfrrx.exe 3504 nbhbtt.exe 2920 dvvjj.exe 228 5bbthb.exe 3564 jvvjv.exe 1048 djvdv.exe 2472 1rrllfx.exe 4436 thhhbt.exe 788 3tthtn.exe 1800 dvpjv.exe 2184 btbnht.exe 1232 thhtth.exe 1744 xlxlxrf.exe 4976 xlflxxl.exe 3980 tbtnbt.exe 2908 1djpd.exe 1696 fxrfrlx.exe 4028 3htnbb.exe 2588 nbbthb.exe 4780 jddpp.exe 1240 9rrlxrl.exe 2112 btbtnh.exe 4944 pjdpd.exe 3372 lxfrfrx.exe 812 htnbnn.exe 2132 htbnbb.exe -
resource yara_rule behavioral2/memory/2320-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-125-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2624-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-300-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2132-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-736-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lllxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 2320 2204 cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47N.exe 84 PID 2204 wrote to memory of 2320 2204 cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47N.exe 84 PID 2204 wrote to memory of 2320 2204 cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47N.exe 84 PID 2320 wrote to memory of 2960 2320 vjvpj.exe 85 PID 2320 wrote to memory of 2960 2320 vjvpj.exe 85 PID 2320 wrote to memory of 2960 2320 vjvpj.exe 85 PID 2960 wrote to memory of 3980 2960 frfrfrf.exe 86 PID 2960 wrote to memory of 3980 2960 frfrfrf.exe 86 PID 2960 wrote to memory of 3980 2960 frfrfrf.exe 86 PID 3980 wrote to memory of 2768 3980 hntbbt.exe 87 PID 3980 wrote to memory of 2768 3980 hntbbt.exe 87 PID 3980 wrote to memory of 2768 3980 hntbbt.exe 87 PID 2768 wrote to memory of 956 2768 nhbbbt.exe 88 PID 2768 wrote to memory of 956 2768 nhbbbt.exe 88 PID 2768 wrote to memory of 956 2768 nhbbbt.exe 88 PID 956 wrote to memory of 4148 956 rlfxlfr.exe 89 PID 956 wrote to memory of 4148 956 rlfxlfr.exe 89 PID 956 wrote to memory of 4148 956 rlfxlfr.exe 89 PID 4148 wrote to memory of 2656 4148 jvdvp.exe 90 PID 4148 wrote to memory of 2656 4148 jvdvp.exe 90 PID 4148 wrote to memory of 2656 4148 jvdvp.exe 90 PID 2656 wrote to memory of 3676 2656 1vpdp.exe 91 PID 2656 wrote to memory of 3676 2656 1vpdp.exe 91 PID 2656 wrote to memory of 3676 2656 1vpdp.exe 91 PID 3676 wrote to memory of 2176 3676 5bhttn.exe 92 PID 3676 wrote to memory of 2176 3676 5bhttn.exe 92 PID 3676 wrote to memory of 2176 3676 5bhttn.exe 92 PID 2176 wrote to memory of 3020 2176 rxxlxrl.exe 93 PID 2176 wrote to memory of 3020 2176 rxxlxrl.exe 93 PID 2176 wrote to memory of 3020 2176 rxxlxrl.exe 93 PID 3020 wrote to memory of 4756 3020 hntnhh.exe 94 PID 3020 wrote to memory of 4756 3020 hntnhh.exe 94 PID 3020 wrote to memory of 4756 3020 hntnhh.exe 94 PID 4756 wrote to memory of 3728 4756 rfrlfxr.exe 95 PID 4756 wrote to memory 
of 3728 4756 rfrlfxr.exe 95 PID 4756 wrote to memory of 3728 4756 rfrlfxr.exe 95 PID 3728 wrote to memory of 544 3728 pjppv.exe 96 PID 3728 wrote to memory of 544 3728 pjppv.exe 96 PID 3728 wrote to memory of 544 3728 pjppv.exe 96 PID 544 wrote to memory of 2248 544 ttbtbt.exe 97 PID 544 wrote to memory of 2248 544 ttbtbt.exe 97 PID 544 wrote to memory of 2248 544 ttbtbt.exe 97 PID 2248 wrote to memory of 1384 2248 9jjvp.exe 98 PID 2248 wrote to memory of 1384 2248 9jjvp.exe 98 PID 2248 wrote to memory of 1384 2248 9jjvp.exe 98 PID 1384 wrote to memory of 2148 1384 lxrrllf.exe 99 PID 1384 wrote to memory of 2148 1384 lxrrllf.exe 99 PID 1384 wrote to memory of 2148 1384 lxrrllf.exe 99 PID 2148 wrote to memory of 5024 2148 vjpjv.exe 100 PID 2148 wrote to memory of 5024 2148 vjpjv.exe 100 PID 2148 wrote to memory of 5024 2148 vjpjv.exe 100 PID 5024 wrote to memory of 60 5024 rllxrrf.exe 101 PID 5024 wrote to memory of 60 5024 rllxrrf.exe 101 PID 5024 wrote to memory of 60 5024 rllxrrf.exe 101 PID 60 wrote to memory of 1988 60 vjpjj.exe 102 PID 60 wrote to memory of 1988 60 vjpjj.exe 102 PID 60 wrote to memory of 1988 60 vjpjj.exe 102 PID 1988 wrote to memory of 3140 1988 rxrfrll.exe 103 PID 1988 wrote to memory of 3140 1988 rxrfrll.exe 103 PID 1988 wrote to memory of 3140 1988 rxrfrll.exe 103 PID 3140 wrote to memory of 2624 3140 jjjdd.exe 104 PID 3140 wrote to memory of 2624 3140 jjjdd.exe 104 PID 3140 wrote to memory of 2624 3140 jjjdd.exe 104 PID 2624 wrote to memory of 4516 2624 7lfrxrl.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47N.exe"C:\Users\Admin\AppData\Local\Temp\cad1ec4c0c8075493281c4022d4e56d1ae36574c4df2785c9e02c2fb68aa2c47N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\vjvpj.exec:\vjvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\frfrfrf.exec:\frfrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\hntbbt.exec:\hntbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\nhbbbt.exec:\nhbbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\rlfxlfr.exec:\rlfxlfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\jvdvp.exec:\jvdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\1vpdp.exec:\1vpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\5bhttn.exec:\5bhttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\rxxlxrl.exec:\rxxlxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\hntnhh.exec:\hntnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\pjppv.exec:\pjppv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\ttbtbt.exec:\ttbtbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\9jjvp.exec:\9jjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\lxrrllf.exec:\lxrrllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384 -
\??\c:\vjpjv.exec:\vjpjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\rllxrrf.exec:\rllxrrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\vjpjj.exec:\vjpjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\rxrfrll.exec:\rxrfrll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\jjjdd.exec:\jjjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\7lfrxrl.exec:\7lfrxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\9ttnbt.exec:\9ttnbt.exe23⤵
- Executes dropped EXE
PID:4516 -
\??\c:\1ffrrlf.exec:\1ffrrlf.exe24⤵
- Executes dropped EXE
PID:1860 -
\??\c:\vpjvj.exec:\vpjvj.exe25⤵
- Executes dropped EXE
PID:2620 -
\??\c:\9lfxlfr.exec:\9lfxlfr.exe26⤵
- Executes dropped EXE
PID:4820 -
\??\c:\hntbhn.exec:\hntbhn.exe27⤵
- Executes dropped EXE
PID:3264 -
\??\c:\jjpjv.exec:\jjpjv.exe28⤵
- Executes dropped EXE
PID:4596 -
\??\c:\btbbtt.exec:\btbbtt.exe29⤵
- Executes dropped EXE
PID:2188 -
\??\c:\hthbnn.exec:\hthbnn.exe30⤵
- Executes dropped EXE
PID:4212 -
\??\c:\5pvpp.exec:\5pvpp.exe31⤵
- Executes dropped EXE
PID:432 -
\??\c:\xrrxllx.exec:\xrrxllx.exe32⤵
- Executes dropped EXE
PID:2604 -
\??\c:\nhnhbb.exec:\nhnhbb.exe33⤵
- Executes dropped EXE
PID:1392 -
\??\c:\xfxlxll.exec:\xfxlxll.exe34⤵
- Executes dropped EXE
PID:4156 -
\??\c:\7frfllr.exec:\7frfllr.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
\??\c:\jjjdv.exec:\jjjdv.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
\??\c:\xlrlrxl.exec:\xlrlrxl.exe37⤵
- Executes dropped EXE
PID:3428 -
\??\c:\btbtnn.exec:\btbtnn.exe38⤵
- Executes dropped EXE
PID:2844 -
\??\c:\djjdd.exec:\djjdd.exe39⤵
- Executes dropped EXE
PID:440 -
\??\c:\fllfrrx.exec:\fllfrrx.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4244 -
\??\c:\nbhbtt.exec:\nbhbtt.exe41⤵
- Executes dropped EXE
PID:3504 -
\??\c:\dvvjj.exec:\dvvjj.exe42⤵
- Executes dropped EXE
PID:2920 -
\??\c:\5bbthb.exec:\5bbthb.exe43⤵
- Executes dropped EXE
PID:228 -
\??\c:\jvvjv.exec:\jvvjv.exe44⤵
- Executes dropped EXE
PID:3564 -
\??\c:\djvdv.exec:\djvdv.exe45⤵
- Executes dropped EXE
PID:1048 -
\??\c:\1rrllfx.exec:\1rrllfx.exe46⤵
- Executes dropped EXE
PID:2472 -
\??\c:\thhhbt.exec:\thhhbt.exe47⤵
- Executes dropped EXE
PID:4436 -
\??\c:\3tthtn.exec:\3tthtn.exe48⤵
- Executes dropped EXE
PID:788 -
\??\c:\dvpjv.exec:\dvpjv.exe49⤵
- Executes dropped EXE
PID:1800 -
\??\c:\rfxlfxr.exec:\rfxlfxr.exe50⤵PID:1336
-
\??\c:\btbnht.exec:\btbnht.exe51⤵
- Executes dropped EXE
PID:2184 -
\??\c:\thhtth.exec:\thhtth.exe52⤵
- Executes dropped EXE
PID:1232 -
\??\c:\xlxlxrf.exec:\xlxlxrf.exe53⤵
- Executes dropped EXE
PID:1744 -
\??\c:\xlflxxl.exec:\xlflxxl.exe54⤵
- Executes dropped EXE
PID:4976 -
\??\c:\tbtnbt.exec:\tbtnbt.exe55⤵
- Executes dropped EXE
PID:3980 -
\??\c:\1djpd.exec:\1djpd.exe56⤵
- Executes dropped EXE
PID:2908 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe57⤵
- Executes dropped EXE
PID:1696 -
\??\c:\3htnbb.exec:\3htnbb.exe58⤵
- Executes dropped EXE
PID:4028 -
\??\c:\nbbthb.exec:\nbbthb.exe59⤵
- Executes dropped EXE
PID:2588 -
\??\c:\jddpp.exec:\jddpp.exe60⤵
- Executes dropped EXE
PID:4780 -
\??\c:\9rrlxrl.exec:\9rrlxrl.exe61⤵
- Executes dropped EXE
PID:1240 -
\??\c:\btbtnh.exec:\btbtnh.exe62⤵
- Executes dropped EXE
PID:2112 -
\??\c:\pjdpd.exec:\pjdpd.exe63⤵
- Executes dropped EXE
PID:4944 -
\??\c:\lxfrfrx.exec:\lxfrfrx.exe64⤵
- Executes dropped EXE
PID:3372 -
\??\c:\htnbnn.exec:\htnbnn.exe65⤵
- Executes dropped EXE
PID:812 -
\??\c:\htbnbb.exec:\htbnbb.exe66⤵
- Executes dropped EXE
PID:2132 -
\??\c:\3ppdp.exec:\3ppdp.exe67⤵PID:2460
-
\??\c:\5llxfxr.exec:\5llxfxr.exe68⤵PID:4208
-
\??\c:\nnbnnh.exec:\nnbnnh.exe69⤵PID:4684
-
\??\c:\1jjvv.exec:\1jjvv.exe70⤵PID:1740
-
\??\c:\7ffrfxl.exec:\7ffrfxl.exe71⤵PID:2700
-
\??\c:\rrrlxlf.exec:\rrrlxlf.exe72⤵PID:464
-
\??\c:\nntthn.exec:\nntthn.exe73⤵PID:5036
-
\??\c:\vpjjv.exec:\vpjjv.exe74⤵PID:2528
-
\??\c:\xllxlrl.exec:\xllxlrl.exe75⤵PID:840
-
\??\c:\1tthbt.exec:\1tthbt.exe76⤵PID:3768
-
\??\c:\dpjvd.exec:\dpjvd.exe77⤵PID:4896
-
\??\c:\vvpjv.exec:\vvpjv.exe78⤵PID:3400
-
\??\c:\5fflrlx.exec:\5fflrlx.exe79⤵PID:3556
-
\??\c:\tthtbt.exec:\tthtbt.exe80⤵PID:4240
-
\??\c:\tbttbt.exec:\tbttbt.exe81⤵PID:1324
-
\??\c:\pppdp.exec:\pppdp.exe82⤵PID:2624
-
\??\c:\xlxfrlf.exec:\xlxfrlf.exe83⤵PID:4516
-
\??\c:\nbbbnn.exec:\nbbbnn.exe84⤵PID:1972
-
\??\c:\bnhtht.exec:\bnhtht.exe85⤵PID:2192
-
\??\c:\9vvdv.exec:\9vvdv.exe86⤵PID:2512
-
\??\c:\rflfxxx.exec:\rflfxxx.exe87⤵PID:4820
-
\??\c:\nhtnhh.exec:\nhtnhh.exe88⤵PID:4584
-
\??\c:\vpdvp.exec:\vpdvp.exe89⤵PID:3104
-
\??\c:\xrlxlfx.exec:\xrlxlfx.exe90⤵PID:456
-
\??\c:\3xrfrfx.exec:\3xrfrfx.exe91⤵PID:3704
-
\??\c:\bnthtt.exec:\bnthtt.exe92⤵PID:1656
-
\??\c:\ppvpd.exec:\ppvpd.exe93⤵PID:1268
-
\??\c:\1jjvj.exec:\1jjvj.exe94⤵PID:1968
-
\??\c:\3xrlxxx.exec:\3xrlxxx.exe95⤵PID:4892
-
\??\c:\nhnbtt.exec:\nhnbtt.exe96⤵PID:4480
-
\??\c:\bhnthh.exec:\bhnthh.exe97⤵PID:4928
-
\??\c:\pvpjv.exec:\pvpjv.exe98⤵PID:2752
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe99⤵PID:2776
-
\??\c:\flrfxrf.exec:\flrfxrf.exe100⤵PID:3740
-
\??\c:\bhbthb.exec:\bhbthb.exe101⤵PID:4236
-
\??\c:\vjdvd.exec:\vjdvd.exe102⤵PID:4920
-
\??\c:\fflfrlf.exec:\fflfrlf.exe103⤵PID:924
-
\??\c:\hbhtnt.exec:\hbhtnt.exe104⤵PID:1076
-
\??\c:\hhthtn.exec:\hhthtn.exe105⤵PID:2256
-
\??\c:\pvjdv.exec:\pvjdv.exe106⤵PID:2144
-
\??\c:\rffrlfl.exec:\rffrlfl.exe107⤵PID:3460
-
\??\c:\lffrlfx.exec:\lffrlfx.exe108⤵PID:2980
-
\??\c:\htthtn.exec:\htthtn.exe109⤵PID:628
-
\??\c:\jdjjj.exec:\jdjjj.exe110⤵PID:4232
-
\??\c:\fxxrffr.exec:\fxxrffr.exe111⤵PID:2584
-
\??\c:\btttnb.exec:\btttnb.exe112⤵PID:4300
-
\??\c:\djpjd.exec:\djpjd.exe113⤵PID:1888
-
\??\c:\5rlxlxl.exec:\5rlxlxl.exe114⤵PID:4692
-
\??\c:\hhnntt.exec:\hhnntt.exe115⤵PID:2436
-
\??\c:\vjjdj.exec:\vjjdj.exe116⤵PID:2372
-
\??\c:\xxlllrr.exec:\xxlllrr.exe117⤵PID:4568
-
\??\c:\tbbbtt.exec:\tbbbtt.exe118⤵PID:4832
-
\??\c:\3jpjv.exec:\3jpjv.exe119⤵PID:436
-
\??\c:\jvppp.exec:\jvppp.exe120⤵PID:4108
-
\??\c:\xffxllx.exec:\xffxllx.exe121⤵PID:208
-
\??\c:\3hnhhh.exec:\3hnhhh.exe122⤵PID:4148