Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe
-
Size
454KB
-
MD5
1473e792116bb9e4d6b3f4743850321b
-
SHA1
68d45f1e626f51647bdfb0514c6a09fcace5d417
-
SHA256
3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af
-
SHA512
b8cfe6ae57e3da358702c057a425738f6e108c4b8f0ba046a5e1c4b5a248515d97a68f0b8e2c5a41f017ae65d3c2512c0edd720989e673c1f9e8d568b2466cff
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbed:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/740-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/768-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3804-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4976-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-1038-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-1318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-1446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5100-1569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the IoC list is capped at 64 entries and stops at 9djjd.exe; the process tree below shows the drop-and-execute chain continuing well past that point)
pid Process 740 1jvvv.exe 1392 7xlxrrl.exe 4976 hnhbtn.exe 316 bhhbhh.exe 3928 pdppj.exe 1912 llfxrrl.exe 2344 llrrlrl.exe 4852 7hbtnt.exe 2864 pvvvd.exe 1872 jvpjj.exe 4844 xrxrllf.exe 2408 ntnnhh.exe 3520 5hbbtn.exe 1260 ppjdp.exe 1896 xrrrfff.exe 5000 1frlrrx.exe 4804 5hbbtn.exe 4140 pvjpj.exe 4964 7pjdd.exe 3932 frrfxrf.exe 1064 bnnhnn.exe 1568 vvvpp.exe 1048 pvvjv.exe 4636 rlfrllx.exe 1524 lrrlfrl.exe 3804 htnhbb.exe 1100 dpvvj.exe 4092 dvdvv.exe 2396 xlfxffx.exe 3700 ttttnn.exe 2912 vvjdv.exe 860 ddvpp.exe 1844 frrrxxl.exe 4788 xxrlfxr.exe 4856 9tnnhh.exe 2980 3vvvp.exe 3208 pdpdv.exe 1980 7ffxffl.exe 768 hhnhbb.exe 4984 hhttnb.exe 3312 vvvvp.exe 3688 vvppj.exe 2964 llrxxxx.exe 536 btnhbb.exe 4452 hthbtt.exe 4340 pjpjd.exe 2160 flfxfff.exe 2740 ffxxrrl.exe 1492 ttnhbb.exe 2536 jpddp.exe 3096 3vpjj.exe 4888 xfffxxx.exe 1540 thnntt.exe 4948 hntttt.exe 3920 vdvjd.exe 4396 9xxrllr.exe 3376 fllfxxr.exe 4852 nnhhhh.exe 3220 jpvdp.exe 5004 9jdvv.exe 1624 1rfxrrl.exe 2172 thtbth.exe 3660 1bhbtt.exe 3596 9djjd.exe -
resource yara_rule behavioral2/memory/740-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/768-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-149-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4636-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3484-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-879-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-893-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-917-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that most of the entries below are attributed to "Process not Found", i.e. the sandbox could not resolve which process performed the registry read, so per-process attribution of this behaviour is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64 entries; it ends at PID 1064 bnnhnn.exe writing to PID 1568, while the process tree below continues for many more stages)
description pid Process procid_target PID 1696 wrote to memory of 740 1696 3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe 83 PID 1696 wrote to memory of 740 1696 3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe 83 PID 1696 wrote to memory of 740 1696 3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe 83 PID 740 wrote to memory of 1392 740 1jvvv.exe 84 PID 740 wrote to memory of 1392 740 1jvvv.exe 84 PID 740 wrote to memory of 1392 740 1jvvv.exe 84 PID 1392 wrote to memory of 4976 1392 7xlxrrl.exe 85 PID 1392 wrote to memory of 4976 1392 7xlxrrl.exe 85 PID 1392 wrote to memory of 4976 1392 7xlxrrl.exe 85 PID 4976 wrote to memory of 316 4976 hnhbtn.exe 86 PID 4976 wrote to memory of 316 4976 hnhbtn.exe 86 PID 4976 wrote to memory of 316 4976 hnhbtn.exe 86 PID 316 wrote to memory of 3928 316 bhhbhh.exe 87 PID 316 wrote to memory of 3928 316 bhhbhh.exe 87 PID 316 wrote to memory of 3928 316 bhhbhh.exe 87 PID 3928 wrote to memory of 1912 3928 pdppj.exe 88 PID 3928 wrote to memory of 1912 3928 pdppj.exe 88 PID 3928 wrote to memory of 1912 3928 pdppj.exe 88 PID 1912 wrote to memory of 2344 1912 llfxrrl.exe 89 PID 1912 wrote to memory of 2344 1912 llfxrrl.exe 89 PID 1912 wrote to memory of 2344 1912 llfxrrl.exe 89 PID 2344 wrote to memory of 4852 2344 llrrlrl.exe 90 PID 2344 wrote to memory of 4852 2344 llrrlrl.exe 90 PID 2344 wrote to memory of 4852 2344 llrrlrl.exe 90 PID 4852 wrote to memory of 2864 4852 7hbtnt.exe 91 PID 4852 wrote to memory of 2864 4852 7hbtnt.exe 91 PID 4852 wrote to memory of 2864 4852 7hbtnt.exe 91 PID 2864 wrote to memory of 1872 2864 pvvvd.exe 92 PID 2864 wrote to memory of 1872 2864 pvvvd.exe 92 PID 2864 wrote to memory of 1872 2864 pvvvd.exe 92 PID 1872 wrote to memory of 4844 1872 jvpjj.exe 93 PID 1872 wrote to memory of 4844 1872 jvpjj.exe 93 PID 1872 wrote to memory of 4844 1872 jvpjj.exe 93 PID 4844 wrote to memory of 2408 4844 xrxrllf.exe 94 PID 4844 wrote to memory of 2408 4844 
xrxrllf.exe 94 PID 4844 wrote to memory of 2408 4844 xrxrllf.exe 94 PID 2408 wrote to memory of 3520 2408 ntnnhh.exe 95 PID 2408 wrote to memory of 3520 2408 ntnnhh.exe 95 PID 2408 wrote to memory of 3520 2408 ntnnhh.exe 95 PID 3520 wrote to memory of 1260 3520 5hbbtn.exe 96 PID 3520 wrote to memory of 1260 3520 5hbbtn.exe 96 PID 3520 wrote to memory of 1260 3520 5hbbtn.exe 96 PID 1260 wrote to memory of 1896 1260 ppjdp.exe 97 PID 1260 wrote to memory of 1896 1260 ppjdp.exe 97 PID 1260 wrote to memory of 1896 1260 ppjdp.exe 97 PID 1896 wrote to memory of 5000 1896 xrrrfff.exe 98 PID 1896 wrote to memory of 5000 1896 xrrrfff.exe 98 PID 1896 wrote to memory of 5000 1896 xrrrfff.exe 98 PID 5000 wrote to memory of 4804 5000 1frlrrx.exe 99 PID 5000 wrote to memory of 4804 5000 1frlrrx.exe 99 PID 5000 wrote to memory of 4804 5000 1frlrrx.exe 99 PID 4804 wrote to memory of 4140 4804 5hbbtn.exe 100 PID 4804 wrote to memory of 4140 4804 5hbbtn.exe 100 PID 4804 wrote to memory of 4140 4804 5hbbtn.exe 100 PID 4140 wrote to memory of 4964 4140 pvjpj.exe 101 PID 4140 wrote to memory of 4964 4140 pvjpj.exe 101 PID 4140 wrote to memory of 4964 4140 pvjpj.exe 101 PID 4964 wrote to memory of 3932 4964 7pjdd.exe 102 PID 4964 wrote to memory of 3932 4964 7pjdd.exe 102 PID 4964 wrote to memory of 3932 4964 7pjdd.exe 102 PID 3932 wrote to memory of 1064 3932 frrfxrf.exe 103 PID 3932 wrote to memory of 1064 3932 frrfxrf.exe 103 PID 3932 wrote to memory of 1064 3932 frrfxrf.exe 103 PID 1064 wrote to memory of 1568 1064 bnnhnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe"C:\Users\Admin\AppData\Local\Temp\3e1e73e66e6e1d264525fa7fe0b8bc52c0ddc73222914168f1d6bf799d6ad6af.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\1jvvv.exec:\1jvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
\??\c:\7xlxrrl.exec:\7xlxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\hnhbtn.exec:\hnhbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\bhhbhh.exec:\bhhbhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\pdppj.exec:\pdppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\llfxrrl.exec:\llfxrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\llrrlrl.exec:\llrrlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\7hbtnt.exec:\7hbtnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\pvvvd.exec:\pvvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\jvpjj.exec:\jvpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\xrxrllf.exec:\xrxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\ntnnhh.exec:\ntnnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\5hbbtn.exec:\5hbbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\ppjdp.exec:\ppjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\xrrrfff.exec:\xrrrfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\1frlrrx.exec:\1frlrrx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\5hbbtn.exec:\5hbbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\pvjpj.exec:\pvjpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\7pjdd.exec:\7pjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\frrfxrf.exec:\frrfxrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\bnnhnn.exec:\bnnhnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\vvvpp.exec:\vvvpp.exe23⤵
- Executes dropped EXE
PID:1568 -
\??\c:\pvvjv.exec:\pvvjv.exe24⤵
- Executes dropped EXE
PID:1048 -
\??\c:\rlfrllx.exec:\rlfrllx.exe25⤵
- Executes dropped EXE
PID:4636 -
\??\c:\lrrlfrl.exec:\lrrlfrl.exe26⤵
- Executes dropped EXE
PID:1524 -
\??\c:\htnhbb.exec:\htnhbb.exe27⤵
- Executes dropped EXE
PID:3804 -
\??\c:\dpvvj.exec:\dpvvj.exe28⤵
- Executes dropped EXE
PID:1100 -
\??\c:\dvdvv.exec:\dvdvv.exe29⤵
- Executes dropped EXE
PID:4092 -
\??\c:\xlfxffx.exec:\xlfxffx.exe30⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ttttnn.exec:\ttttnn.exe31⤵
- Executes dropped EXE
PID:3700 -
\??\c:\vvjdv.exec:\vvjdv.exe32⤵
- Executes dropped EXE
PID:2912 -
\??\c:\ddvpp.exec:\ddvpp.exe33⤵
- Executes dropped EXE
PID:860 -
\??\c:\frrrxxl.exec:\frrrxxl.exe34⤵
- Executes dropped EXE
PID:1844 -
\??\c:\xxrlfxr.exec:\xxrlfxr.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4788 -
\??\c:\9tnnhh.exec:\9tnnhh.exe36⤵
- Executes dropped EXE
PID:4856 -
\??\c:\3vvvp.exec:\3vvvp.exe37⤵
- Executes dropped EXE
PID:2980 -
\??\c:\pdpdv.exec:\pdpdv.exe38⤵
- Executes dropped EXE
PID:3208 -
\??\c:\7ffxffl.exec:\7ffxffl.exe39⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hhnhbb.exec:\hhnhbb.exe40⤵
- Executes dropped EXE
PID:768 -
\??\c:\hhttnb.exec:\hhttnb.exe41⤵
- Executes dropped EXE
PID:4984 -
\??\c:\vvvvp.exec:\vvvvp.exe42⤵
- Executes dropped EXE
PID:3312 -
\??\c:\vvppj.exec:\vvppj.exe43⤵
- Executes dropped EXE
PID:3688 -
\??\c:\llrxxxx.exec:\llrxxxx.exe44⤵
- Executes dropped EXE
PID:2964 -
\??\c:\btnhbb.exec:\btnhbb.exe45⤵
- Executes dropped EXE
PID:536 -
\??\c:\hthbtt.exec:\hthbtt.exe46⤵
- Executes dropped EXE
PID:4452 -
\??\c:\pjpjd.exec:\pjpjd.exe47⤵
- Executes dropped EXE
PID:4340 -
\??\c:\flfxfff.exec:\flfxfff.exe48⤵
- Executes dropped EXE
PID:2160 -
\??\c:\ffxxrrl.exec:\ffxxrrl.exe49⤵
- Executes dropped EXE
PID:2740 -
\??\c:\ttnhbb.exec:\ttnhbb.exe50⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jpddp.exec:\jpddp.exe51⤵
- Executes dropped EXE
PID:2536 -
\??\c:\3vpjj.exec:\3vpjj.exe52⤵
- Executes dropped EXE
PID:3096 -
\??\c:\xfffxxx.exec:\xfffxxx.exe53⤵
- Executes dropped EXE
PID:4888 -
\??\c:\thnntt.exec:\thnntt.exe54⤵
- Executes dropped EXE
PID:1540 -
\??\c:\hntttt.exec:\hntttt.exe55⤵
- Executes dropped EXE
PID:4948 -
\??\c:\vdvjd.exec:\vdvjd.exe56⤵
- Executes dropped EXE
PID:3920 -
\??\c:\9xxrllr.exec:\9xxrllr.exe57⤵
- Executes dropped EXE
PID:4396 -
\??\c:\fllfxxr.exec:\fllfxxr.exe58⤵
- Executes dropped EXE
PID:3376 -
\??\c:\nnhhhh.exec:\nnhhhh.exe59⤵
- Executes dropped EXE
PID:4852 -
\??\c:\jpvdp.exec:\jpvdp.exe60⤵
- Executes dropped EXE
PID:3220 -
\??\c:\9jdvv.exec:\9jdvv.exe61⤵
- Executes dropped EXE
PID:5004 -
\??\c:\1rfxrrl.exec:\1rfxrrl.exe62⤵
- Executes dropped EXE
PID:1624 -
\??\c:\thtbth.exec:\thtbth.exe63⤵
- Executes dropped EXE
PID:2172 -
\??\c:\1bhbtt.exec:\1bhbtt.exe64⤵
- Executes dropped EXE
PID:3660 -
\??\c:\9djjd.exec:\9djjd.exe65⤵
- Executes dropped EXE
PID:3596 -
\??\c:\rxllfrr.exec:\rxllfrr.exe66⤵PID:5008
-
\??\c:\rfrlllf.exec:\rfrlllf.exe67⤵PID:1516
-
\??\c:\hbnbtt.exec:\hbnbtt.exe68⤵PID:2972
-
\??\c:\djjjj.exec:\djjjj.exe69⤵PID:2560
-
\??\c:\jppjd.exec:\jppjd.exe70⤵PID:3600
-
\??\c:\fffxffx.exec:\fffxffx.exe71⤵PID:2204
-
\??\c:\hhhbtt.exec:\hhhbtt.exe72⤵PID:2348
-
\??\c:\tnnhhh.exec:\tnnhhh.exe73⤵PID:4896
-
\??\c:\dvdvp.exec:\dvdvp.exe74⤵PID:1408
-
\??\c:\xlffxxl.exec:\xlffxxl.exe75⤵PID:4596
-
\??\c:\lfxlffx.exec:\lfxlffx.exe76⤵PID:3244
-
\??\c:\hhnnhb.exec:\hhnnhb.exe77⤵PID:3680
-
\??\c:\dvvvp.exec:\dvvvp.exe78⤵PID:4588
-
\??\c:\flfxrrl.exec:\flfxrrl.exe79⤵
- System Location Discovery: System Language Discovery
PID:2932 -
\??\c:\ttntnh.exec:\ttntnh.exe80⤵PID:1204
-
\??\c:\vjpjj.exec:\vjpjj.exe81⤵PID:860
-
\??\c:\5lfxxxx.exec:\5lfxxxx.exe82⤵PID:1348
-
\??\c:\hhtnhb.exec:\hhtnhb.exe83⤵PID:4860
-
\??\c:\jvdvv.exec:\jvdvv.exe84⤵
- System Location Discovery: System Language Discovery
PID:2568 -
\??\c:\rxllxxf.exec:\rxllxxf.exe85⤵PID:4736
-
\??\c:\nbtnbb.exec:\nbtnbb.exe86⤵PID:3192
-
\??\c:\dpddd.exec:\dpddd.exe87⤵PID:3432
-
\??\c:\pjvvj.exec:\pjvvj.exe88⤵PID:4120
-
\??\c:\rlrlfxf.exec:\rlrlfxf.exe89⤵PID:4740
-
\??\c:\tbtnhb.exec:\tbtnhb.exe90⤵PID:952
-
\??\c:\nhhbnh.exec:\nhhbnh.exe91⤵PID:3120
-
\??\c:\jvpdv.exec:\jvpdv.exe92⤵PID:4932
-
\??\c:\1frlfxr.exec:\1frlfxr.exe93⤵
- System Location Discovery: System Language Discovery
PID:4340 -
\??\c:\7lfrfxl.exec:\7lfrfxl.exe94⤵PID:4780
-
\??\c:\vjdvp.exec:\vjdvp.exe95⤵PID:2276
-
\??\c:\xrllllf.exec:\xrllllf.exe96⤵PID:1492
-
\??\c:\bbhttn.exec:\bbhttn.exe97⤵PID:3096
-
\??\c:\jddvp.exec:\jddvp.exe98⤵PID:4216
-
\??\c:\ddvpd.exec:\ddvpd.exe99⤵PID:3484
-
\??\c:\xxfxrrr.exec:\xxfxrrr.exe100⤵PID:3948
-
\??\c:\nnhthb.exec:\nnhthb.exe101⤵PID:3920
-
\??\c:\vvvpd.exec:\vvvpd.exe102⤵PID:2632
-
\??\c:\djjdp.exec:\djjdp.exe103⤵PID:3728
-
\??\c:\thhhhb.exec:\thhhhb.exe104⤵PID:1760
-
\??\c:\dvpdv.exec:\dvpdv.exe105⤵PID:2084
-
\??\c:\3ffxxrl.exec:\3ffxxrl.exe106⤵PID:316
-
\??\c:\9frfxrl.exec:\9frfxrl.exe107⤵PID:1912
-
\??\c:\jdjdp.exec:\jdjdp.exe108⤵PID:912
-
\??\c:\lfflfxx.exec:\lfflfxx.exe109⤵PID:5016
-
\??\c:\9nbthh.exec:\9nbthh.exe110⤵PID:3596
-
\??\c:\dpjvj.exec:\dpjvj.exe111⤵PID:2184
-
\??\c:\llfxxrr.exec:\llfxxrr.exe112⤵PID:2236
-
\??\c:\5ttnnh.exec:\5ttnnh.exe113⤵PID:1616
-
\??\c:\dppdp.exec:\dppdp.exe114⤵PID:1096
-
\??\c:\xxxfrrf.exec:\xxxfrrf.exe115⤵PID:2560
-
\??\c:\pjvpj.exec:\pjvpj.exe116⤵PID:2760
-
\??\c:\flrxlrf.exec:\flrxlrf.exe117⤵PID:4708
-
\??\c:\lrrllff.exec:\lrrllff.exe118⤵PID:4356
-
\??\c:\vpjjv.exec:\vpjjv.exe119⤵PID:3588
-
\??\c:\lxxrrxx.exec:\lxxrrxx.exe120⤵PID:5012
-
\??\c:\dvdpp.exec:\dvdpp.exe121⤵PID:4472
-
\??\c:\ffrfrfx.exec:\ffrfrfx.exe122⤵PID:3160