Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517N.exe
-
Size
456KB
-
MD5
b4cd63ddd017be32465fb58b4caa4c50
-
SHA1
4ba920daa0018ef241d0dc931e601d14446c3750
-
SHA256
127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517
-
SHA512
abcd83974c30c4f4966f6a8fdbece812f77d964d41373f167ce20285ad68502313817b605a8ce7165ccb7647391420f7ce4a3eab97fc5bec9b94ba999273326e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRG:q7Tc2NYHUrAwfMp3CDRG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/916-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3940-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3228-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-1097-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-1619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1680 tthhbn.exe 4952 rlrxfrx.exe 4800 jpjjp.exe 3608 dppjp.exe 3232 rlfxxxr.exe 2380 pvjdd.exe 4584 rxfxxxx.exe 2320 ffxxrxr.exe 4308 tnnhhh.exe 2836 dppjd.exe 3832 vvdvv.exe 3088 btbtnt.exe 2452 ppdvp.exe 3436 3lfxrrr.exe 2952 xrxxrrl.exe 1096 nnnhnn.exe 3980 ddpjd.exe 2592 7rlfflf.exe 4100 hhttbb.exe 4568 djpdp.exe 536 pdpjj.exe 828 thnhbb.exe 1116 jdppv.exe 4016 rflfxrl.exe 4708 5rxrrxx.exe 3864 rffxrrl.exe 2276 dvvjd.exe 2792 rllfxxr.exe 5100 hnnhbt.exe 3940 fxfxfxx.exe 3704 tbnhhb.exe 3292 ddjdj.exe 3852 vdpjd.exe 4228 vdjdv.exe 3648 1llrrrl.exe 1152 dddvp.exe 1108 lfxffxx.exe 1408 rxfffxx.exe 3620 bnbtbb.exe 4336 vjpjd.exe 4492 fxfxfff.exe 4032 5tbtnt.exe 2740 7hnnhh.exe 1552 vjpjd.exe 3836 nnnhbt.exe 2608 vdddv.exe 2172 7rlfxrr.exe 4468 htbthb.exe 3300 1jpjj.exe 4472 xflfxrl.exe 1016 bbhbnh.exe 1820 bntnbb.exe 2108 pjddv.exe 4456 5rrlxxx.exe 2980 xrrlfxr.exe 3000 ntbtnt.exe 1560 jvdvp.exe 2144 xrrrrlf.exe 4312 nhbtbb.exe 4572 bttnhh.exe 1188 jvjvp.exe 3928 dvddj.exe 840 3nnhtn.exe 4484 hbbtnn.exe -
resource yara_rule behavioral2/memory/916-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3940-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-382-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5072-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-884-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 916 wrote to memory of 1680 916 127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517N.exe 83 PID 916 wrote to memory of 1680 916 127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517N.exe 83 PID 916 wrote to memory of 1680 916 127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517N.exe 83 PID 1680 wrote to memory of 4952 1680 tthhbn.exe 84 PID 1680 wrote to memory of 4952 1680 tthhbn.exe 84 PID 1680 wrote to memory of 4952 1680 tthhbn.exe 84 PID 4952 wrote to memory of 4800 4952 rlrxfrx.exe 85 PID 4952 wrote to memory of 4800 4952 rlrxfrx.exe 85 PID 4952 wrote to memory of 4800 4952 rlrxfrx.exe 85 PID 4800 wrote to memory of 3608 4800 jpjjp.exe 86 PID 4800 wrote to memory of 3608 4800 jpjjp.exe 86 PID 4800 wrote to memory of 3608 4800 jpjjp.exe 86 PID 3608 wrote to memory of 3232 3608 dppjp.exe 87 PID 3608 wrote to memory of 3232 3608 dppjp.exe 87 PID 3608 wrote to memory of 3232 3608 dppjp.exe 87 PID 3232 wrote to memory of 2380 3232 rlfxxxr.exe 88 PID 3232 wrote to memory of 2380 3232 rlfxxxr.exe 88 PID 3232 wrote to memory of 2380 3232 rlfxxxr.exe 88 PID 2380 wrote to memory of 4584 2380 pvjdd.exe 89 PID 2380 wrote to memory of 4584 2380 pvjdd.exe 89 PID 2380 wrote to memory of 4584 2380 pvjdd.exe 89 PID 4584 wrote to memory of 2320 4584 rxfxxxx.exe 90 PID 4584 wrote to memory of 2320 4584 rxfxxxx.exe 90 PID 4584 wrote to memory of 2320 4584 rxfxxxx.exe 90 PID 2320 wrote to memory of 4308 2320 ffxxrxr.exe 91 PID 2320 wrote to memory of 4308 2320 ffxxrxr.exe 91 PID 2320 wrote to memory of 4308 2320 ffxxrxr.exe 91 PID 4308 wrote to memory of 2836 4308 tnnhhh.exe 92 PID 4308 wrote to memory of 2836 4308 tnnhhh.exe 92 PID 4308 wrote to memory of 2836 4308 tnnhhh.exe 92 PID 2836 wrote to memory of 3832 2836 dppjd.exe 93 PID 2836 wrote to memory of 3832 2836 dppjd.exe 93 PID 2836 wrote to memory of 3832 2836 dppjd.exe 93 PID 3832 wrote to memory of 3088 3832 vvdvv.exe 94 PID 3832 wrote to 
memory of 3088 3832 vvdvv.exe 94 PID 3832 wrote to memory of 3088 3832 vvdvv.exe 94 PID 3088 wrote to memory of 2452 3088 btbtnt.exe 95 PID 3088 wrote to memory of 2452 3088 btbtnt.exe 95 PID 3088 wrote to memory of 2452 3088 btbtnt.exe 95 PID 2452 wrote to memory of 3436 2452 ppdvp.exe 96 PID 2452 wrote to memory of 3436 2452 ppdvp.exe 96 PID 2452 wrote to memory of 3436 2452 ppdvp.exe 96 PID 3436 wrote to memory of 2952 3436 3lfxrrr.exe 97 PID 3436 wrote to memory of 2952 3436 3lfxrrr.exe 97 PID 3436 wrote to memory of 2952 3436 3lfxrrr.exe 97 PID 2952 wrote to memory of 1096 2952 xrxxrrl.exe 98 PID 2952 wrote to memory of 1096 2952 xrxxrrl.exe 98 PID 2952 wrote to memory of 1096 2952 xrxxrrl.exe 98 PID 1096 wrote to memory of 3980 1096 nnnhnn.exe 99 PID 1096 wrote to memory of 3980 1096 nnnhnn.exe 99 PID 1096 wrote to memory of 3980 1096 nnnhnn.exe 99 PID 3980 wrote to memory of 2592 3980 ddpjd.exe 100 PID 3980 wrote to memory of 2592 3980 ddpjd.exe 100 PID 3980 wrote to memory of 2592 3980 ddpjd.exe 100 PID 2592 wrote to memory of 4100 2592 7rlfflf.exe 101 PID 2592 wrote to memory of 4100 2592 7rlfflf.exe 101 PID 2592 wrote to memory of 4100 2592 7rlfflf.exe 101 PID 4100 wrote to memory of 4568 4100 hhttbb.exe 102 PID 4100 wrote to memory of 4568 4100 hhttbb.exe 102 PID 4100 wrote to memory of 4568 4100 hhttbb.exe 102 PID 4568 wrote to memory of 536 4568 djpdp.exe 103 PID 4568 wrote to memory of 536 4568 djpdp.exe 103 PID 4568 wrote to memory of 536 4568 djpdp.exe 103 PID 536 wrote to memory of 828 536 pdpjj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517N.exe"C:\Users\Admin\AppData\Local\Temp\127d5b896cd264d74ea4cf7e8d2b5e0c7c79c4cc20b72acbf2cfb22b896d8517N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\tthhbn.exec:\tthhbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\rlrxfrx.exec:\rlrxfrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\jpjjp.exec:\jpjjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\dppjp.exec:\dppjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\pvjdd.exec:\pvjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\rxfxxxx.exec:\rxfxxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\ffxxrxr.exec:\ffxxrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\tnnhhh.exec:\tnnhhh.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\dppjd.exec:\dppjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2836 -
\??\c:\vvdvv.exec:\vvdvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\btbtnt.exec:\btbtnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\ppdvp.exec:\ppdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\3lfxrrr.exec:\3lfxrrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\nnnhnn.exec:\nnnhnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\ddpjd.exec:\ddpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\7rlfflf.exec:\7rlfflf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\hhttbb.exec:\hhttbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\djpdp.exec:\djpdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\pdpjj.exec:\pdpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\thnhbb.exec:\thnhbb.exe23⤵
- Executes dropped EXE
PID:828 -
\??\c:\jdppv.exec:\jdppv.exe24⤵
- Executes dropped EXE
PID:1116 -
\??\c:\rflfxrl.exec:\rflfxrl.exe25⤵
- Executes dropped EXE
PID:4016 -
\??\c:\5rxrrxx.exec:\5rxrrxx.exe26⤵
- Executes dropped EXE
PID:4708 -
\??\c:\rffxrrl.exec:\rffxrrl.exe27⤵
- Executes dropped EXE
PID:3864 -
\??\c:\dvvjd.exec:\dvvjd.exe28⤵
- Executes dropped EXE
PID:2276 -
\??\c:\rllfxxr.exec:\rllfxxr.exe29⤵
- Executes dropped EXE
PID:2792 -
\??\c:\hnnhbt.exec:\hnnhbt.exe30⤵
- Executes dropped EXE
PID:5100 -
\??\c:\fxfxfxx.exec:\fxfxfxx.exe31⤵
- Executes dropped EXE
PID:3940 -
\??\c:\tbnhhb.exec:\tbnhhb.exe32⤵
- Executes dropped EXE
PID:3704 -
\??\c:\ddjdj.exec:\ddjdj.exe33⤵
- Executes dropped EXE
PID:3292 -
\??\c:\vdpjd.exec:\vdpjd.exe34⤵
- Executes dropped EXE
PID:3852 -
\??\c:\vdjdv.exec:\vdjdv.exe35⤵
- Executes dropped EXE
PID:4228 -
\??\c:\1llrrrl.exec:\1llrrrl.exe36⤵
- Executes dropped EXE
PID:3648 -
\??\c:\dddvp.exec:\dddvp.exe37⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lfxffxx.exec:\lfxffxx.exe38⤵
- Executes dropped EXE
PID:1108 -
\??\c:\rxfffxx.exec:\rxfffxx.exe39⤵
- Executes dropped EXE
PID:1408 -
\??\c:\bnbtbb.exec:\bnbtbb.exe40⤵
- Executes dropped EXE
PID:3620 -
\??\c:\vjpjd.exec:\vjpjd.exe41⤵
- Executes dropped EXE
PID:4336 -
\??\c:\fxfxfff.exec:\fxfxfff.exe42⤵
- Executes dropped EXE
PID:4492 -
\??\c:\5tbtnt.exec:\5tbtnt.exe43⤵
- Executes dropped EXE
PID:4032 -
\??\c:\7hnnhh.exec:\7hnnhh.exe44⤵
- Executes dropped EXE
PID:2740 -
\??\c:\vjpjd.exec:\vjpjd.exe45⤵
- Executes dropped EXE
PID:1552 -
\??\c:\nnnhbt.exec:\nnnhbt.exe46⤵
- Executes dropped EXE
PID:3836 -
\??\c:\vdddv.exec:\vdddv.exe47⤵
- Executes dropped EXE
PID:2608 -
\??\c:\7rlfxrr.exec:\7rlfxrr.exe48⤵
- Executes dropped EXE
PID:2172 -
\??\c:\htbthb.exec:\htbthb.exe49⤵
- Executes dropped EXE
PID:4468 -
\??\c:\1jpjj.exec:\1jpjj.exe50⤵
- Executes dropped EXE
PID:3300 -
\??\c:\xflfxrl.exec:\xflfxrl.exe51⤵
- Executes dropped EXE
PID:4472 -
\??\c:\bbhbnh.exec:\bbhbnh.exe52⤵
- Executes dropped EXE
PID:1016 -
\??\c:\bntnbb.exec:\bntnbb.exe53⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pjddv.exec:\pjddv.exe54⤵
- Executes dropped EXE
PID:2108 -
\??\c:\5rrlxxx.exec:\5rrlxxx.exe55⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe56⤵
- Executes dropped EXE
PID:2980 -
\??\c:\ntbtnt.exec:\ntbtnt.exe57⤵
- Executes dropped EXE
PID:3000 -
\??\c:\jvdvp.exec:\jvdvp.exe58⤵
- Executes dropped EXE
PID:1560 -
\??\c:\xrrrrlf.exec:\xrrrrlf.exe59⤵
- Executes dropped EXE
PID:2144 -
\??\c:\nhbtbb.exec:\nhbtbb.exe60⤵
- Executes dropped EXE
PID:4312 -
\??\c:\bttnhh.exec:\bttnhh.exe61⤵
- Executes dropped EXE
PID:4572 -
\??\c:\jvjvp.exec:\jvjvp.exe62⤵
- Executes dropped EXE
PID:1188 -
\??\c:\dvddj.exec:\dvddj.exe63⤵
- Executes dropped EXE
PID:3928 -
\??\c:\3nnhtn.exec:\3nnhtn.exe64⤵
- Executes dropped EXE
PID:840 -
\??\c:\hbbtnn.exec:\hbbtnn.exe65⤵
- Executes dropped EXE
PID:4484 -
\??\c:\pddpd.exec:\pddpd.exe66⤵PID:3088
-
\??\c:\xfffxrl.exec:\xfffxrl.exe67⤵PID:3496
-
\??\c:\7hhbtt.exec:\7hhbtt.exe68⤵PID:552
-
\??\c:\hhhbtn.exec:\hhhbtn.exe69⤵PID:1816
-
\??\c:\9vpjd.exec:\9vpjd.exe70⤵PID:2360
-
\??\c:\xrfxxxx.exec:\xrfxxxx.exe71⤵PID:4080
-
\??\c:\1llfxxx.exec:\1llfxxx.exe72⤵PID:3516
-
\??\c:\9nbbtb.exec:\9nbbtb.exe73⤵
- System Location Discovery: System Language Discovery
PID:4852 -
\??\c:\dvvpd.exec:\dvvpd.exe74⤵PID:3980
-
\??\c:\rrrlffx.exec:\rrrlffx.exe75⤵PID:4020
-
\??\c:\nnhbnb.exec:\nnhbnb.exe76⤵PID:2500
-
\??\c:\1nnbtt.exec:\1nnbtt.exe77⤵PID:1780
-
\??\c:\jjddv.exec:\jjddv.exe78⤵PID:2460
-
\??\c:\9ffxrrx.exec:\9ffxrrx.exe79⤵PID:936
-
\??\c:\bhnhbn.exec:\bhnhbn.exe80⤵PID:3224
-
\??\c:\tnhthh.exec:\tnhthh.exe81⤵PID:2220
-
\??\c:\dpdvp.exec:\dpdvp.exe82⤵PID:2976
-
\??\c:\lfxlxlf.exec:\lfxlxlf.exe83⤵PID:4204
-
\??\c:\btbbbh.exec:\btbbbh.exe84⤵PID:4296
-
\??\c:\dpjvj.exec:\dpjvj.exe85⤵PID:3024
-
\??\c:\ddpjd.exec:\ddpjd.exe86⤵PID:2760
-
\??\c:\rrrrrll.exec:\rrrrrll.exe87⤵PID:2984
-
\??\c:\tttnhb.exec:\tttnhb.exe88⤵PID:1880
-
\??\c:\pdpjd.exec:\pdpjd.exe89⤵PID:1456
-
\??\c:\pvjpd.exec:\pvjpd.exe90⤵PID:3228
-
\??\c:\5xfxrxx.exec:\5xfxrxx.exe91⤵PID:4208
-
\??\c:\bhnnhb.exec:\bhnnhb.exe92⤵PID:4004
-
\??\c:\3nhbtt.exec:\3nhbtt.exe93⤵PID:5072
-
\??\c:\vvpjp.exec:\vvpjp.exe94⤵PID:4400
-
\??\c:\llffrlf.exec:\llffrlf.exe95⤵PID:2920
-
\??\c:\hbntnh.exec:\hbntnh.exe96⤵PID:1912
-
\??\c:\pdpjd.exec:\pdpjd.exe97⤵PID:4052
-
\??\c:\dpvpj.exec:\dpvpj.exe98⤵PID:1488
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe99⤵PID:812
-
\??\c:\hbbnnt.exec:\hbbnnt.exe100⤵PID:4656
-
\??\c:\vdvjv.exec:\vdvjv.exe101⤵PID:3664
-
\??\c:\5jvpp.exec:\5jvpp.exe102⤵PID:464
-
\??\c:\1llfrlf.exec:\1llfrlf.exe103⤵PID:3576
-
\??\c:\btbttn.exec:\btbttn.exe104⤵PID:4336
-
\??\c:\pjjjd.exec:\pjjjd.exe105⤵PID:4240
-
\??\c:\rlrfxxr.exec:\rlrfxxr.exe106⤵PID:4032
-
\??\c:\tbhthh.exec:\tbhthh.exe107⤵PID:3696
-
\??\c:\7bnhbb.exec:\7bnhbb.exe108⤵PID:4900
-
\??\c:\dpdpp.exec:\dpdpp.exe109⤵PID:2664
-
\??\c:\frfrlff.exec:\frfrlff.exe110⤵PID:4800
-
\??\c:\nnbttt.exec:\nnbttt.exe111⤵PID:4676
-
\??\c:\pjppj.exec:\pjppj.exe112⤵PID:3624
-
\??\c:\pdjvp.exec:\pdjvp.exe113⤵PID:3948
-
\??\c:\7flfflf.exec:\7flfflf.exe114⤵PID:1708
-
\??\c:\9hhtnh.exec:\9hhtnh.exe115⤵PID:216
-
\??\c:\vvvvj.exec:\vvvvj.exe116⤵PID:2328
-
\??\c:\pvpjd.exec:\pvpjd.exe117⤵PID:1820
-
\??\c:\lffxrlf.exec:\lffxrlf.exe118⤵PID:4024
-
\??\c:\hthbnh.exec:\hthbnh.exe119⤵PID:4456
-
\??\c:\ddvvj.exec:\ddvvj.exe120⤵PID:4188
-
\??\c:\1fxxrll.exec:\1fxxrll.exe121⤵PID:4584
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe122⤵PID:440
-