Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe
-
Size
454KB
-
MD5
d831cc058ef62c48c0a1ec7cb33bbc40
-
SHA1
c0738465fabe52e3324005d4eb440b1a05a029ad
-
SHA256
968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5
-
SHA512
86fad2e9f8f224d39b9e1f6644767d2af9797ff1b86461e84afa6a507c4696c0b2a0897383bf8a29cc51dde8eac9b41511126387bde9ffe0fc2dcde0e2021b8d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeW:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1020-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3660-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3932-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-914-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4256-948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 880 1tnnnn.exe 2408 pjppj.exe 4004 xlxrlfx.exe 5096 hnthbt.exe 4540 xffxrrl.exe 2980 ddjdd.exe 672 5nhnnn.exe 4348 9vddd.exe 2424 hhhbhb.exe 3724 dvvvp.exe 680 lflxxxf.exe 5092 7hhbtt.exe 3260 thnhhh.exe 4452 vpvvp.exe 4020 dvdvp.exe 4012 vvppv.exe 5016 ffllllr.exe 1612 1djpp.exe 4404 lflfxxr.exe 3940 jvdvp.exe 1956 rxxrlll.exe 1416 tnnnnt.exe 1688 jdjjd.exe 2784 3nbtbb.exe 1864 pjddj.exe 2364 hnbnbt.exe 2584 9rfflrx.exe 3660 hbnnhn.exe 2956 xrfffff.exe 1064 ddvvv.exe 3856 btbttt.exe 2900 vdppp.exe 1804 dpdjd.exe 3136 hntttt.exe 1616 nttnnb.exe 2588 pdjjv.exe 3088 xrfxllx.exe 1940 1lrllfx.exe 4276 nbbnnh.exe 4972 9pjdp.exe 3220 7xffxxf.exe 2688 bttnnn.exe 3432 5ppjd.exe 2748 lfllfff.exe 4368 nttbnh.exe 4388 ddjdd.exe 3728 rllfrll.exe 1724 hhhhbb.exe 2408 9tnhbb.exe 3268 jvvdp.exe 4004 flllflf.exe 396 htbtnn.exe 4608 jpvvd.exe 5040 lxfrlff.exe 3196 ththtb.exe 4624 vppdd.exe 4124 xrlfrfr.exe 2596 lfffxrl.exe 3880 9bhtnh.exe 676 dpvdp.exe 3948 lllllrr.exe 3568 hhhhhh.exe 1976 ddjdv.exe 2100 7lrrxxx.exe -
resource yara_rule behavioral2/memory/1020-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2956-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-400-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3468-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-642-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5htnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1flffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1020 wrote to memory of 880 1020 968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe 82 PID 1020 wrote to memory of 880 1020 968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe 82 PID 1020 wrote to memory of 880 1020 968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe 82 PID 880 wrote to memory of 2408 880 1tnnnn.exe 83 PID 880 wrote to memory of 2408 880 1tnnnn.exe 83 PID 880 wrote to memory of 2408 880 1tnnnn.exe 83 PID 2408 wrote to memory of 4004 2408 pjppj.exe 84 PID 2408 wrote to memory of 4004 2408 pjppj.exe 84 PID 2408 wrote to memory of 4004 2408 pjppj.exe 84 PID 4004 wrote to memory of 5096 4004 xlxrlfx.exe 85 PID 4004 wrote to memory of 5096 4004 xlxrlfx.exe 85 PID 4004 wrote to memory of 5096 4004 xlxrlfx.exe 85 PID 5096 wrote to memory of 4540 5096 hnthbt.exe 86 PID 5096 wrote to memory of 4540 5096 hnthbt.exe 86 PID 5096 wrote to memory of 4540 5096 hnthbt.exe 86 PID 4540 wrote to memory of 2980 4540 xffxrrl.exe 87 PID 4540 wrote to memory of 2980 4540 xffxrrl.exe 87 PID 4540 wrote to memory of 2980 4540 xffxrrl.exe 87 PID 2980 wrote to memory of 672 2980 ddjdd.exe 88 PID 2980 wrote to memory of 672 2980 ddjdd.exe 88 PID 2980 wrote to memory of 672 2980 ddjdd.exe 88 PID 672 wrote to memory of 4348 672 5nhnnn.exe 89 PID 672 wrote to memory of 4348 672 5nhnnn.exe 89 PID 672 wrote to memory of 4348 672 5nhnnn.exe 89 PID 4348 wrote to memory of 2424 4348 9vddd.exe 90 PID 4348 wrote to memory of 2424 4348 9vddd.exe 90 PID 4348 wrote to memory of 2424 4348 9vddd.exe 90 PID 2424 wrote to memory of 3724 2424 hhhbhb.exe 91 PID 2424 wrote to memory of 3724 2424 hhhbhb.exe 91 PID 2424 wrote to memory of 3724 2424 hhhbhb.exe 91 PID 3724 wrote to memory of 680 3724 dvvvp.exe 92 PID 3724 wrote to memory of 680 3724 dvvvp.exe 92 PID 3724 wrote to memory of 680 3724 dvvvp.exe 92 PID 680 wrote to memory of 5092 680 lflxxxf.exe 93 PID 680 wrote to memory of 5092 680 
lflxxxf.exe 93 PID 680 wrote to memory of 5092 680 lflxxxf.exe 93 PID 5092 wrote to memory of 3260 5092 7hhbtt.exe 94 PID 5092 wrote to memory of 3260 5092 7hhbtt.exe 94 PID 5092 wrote to memory of 3260 5092 7hhbtt.exe 94 PID 3260 wrote to memory of 4452 3260 thnhhh.exe 95 PID 3260 wrote to memory of 4452 3260 thnhhh.exe 95 PID 3260 wrote to memory of 4452 3260 thnhhh.exe 95 PID 4452 wrote to memory of 4020 4452 vpvvp.exe 96 PID 4452 wrote to memory of 4020 4452 vpvvp.exe 96 PID 4452 wrote to memory of 4020 4452 vpvvp.exe 96 PID 4020 wrote to memory of 4012 4020 dvdvp.exe 97 PID 4020 wrote to memory of 4012 4020 dvdvp.exe 97 PID 4020 wrote to memory of 4012 4020 dvdvp.exe 97 PID 4012 wrote to memory of 5016 4012 vvppv.exe 98 PID 4012 wrote to memory of 5016 4012 vvppv.exe 98 PID 4012 wrote to memory of 5016 4012 vvppv.exe 98 PID 5016 wrote to memory of 1612 5016 ffllllr.exe 99 PID 5016 wrote to memory of 1612 5016 ffllllr.exe 99 PID 5016 wrote to memory of 1612 5016 ffllllr.exe 99 PID 1612 wrote to memory of 4404 1612 1djpp.exe 100 PID 1612 wrote to memory of 4404 1612 1djpp.exe 100 PID 1612 wrote to memory of 4404 1612 1djpp.exe 100 PID 4404 wrote to memory of 3940 4404 lflfxxr.exe 101 PID 4404 wrote to memory of 3940 4404 lflfxxr.exe 101 PID 4404 wrote to memory of 3940 4404 lflfxxr.exe 101 PID 3940 wrote to memory of 1956 3940 jvdvp.exe 102 PID 3940 wrote to memory of 1956 3940 jvdvp.exe 102 PID 3940 wrote to memory of 1956 3940 jvdvp.exe 102 PID 1956 wrote to memory of 1416 1956 rxxrlll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe"C:\Users\Admin\AppData\Local\Temp\968ab3400d5a5d9ab80ca59dfb69466f732bf86f2f84384feacb67ff4f1fcff5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\1tnnnn.exec:\1tnnnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\pjppj.exec:\pjppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\xlxrlfx.exec:\xlxrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\hnthbt.exec:\hnthbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\xffxrrl.exec:\xffxrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\ddjdd.exec:\ddjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\5nhnnn.exec:\5nhnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\9vddd.exec:\9vddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\hhhbhb.exec:\hhhbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\dvvvp.exec:\dvvvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\lflxxxf.exec:\lflxxxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\7hhbtt.exec:\7hhbtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\thnhhh.exec:\thnhhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\vpvvp.exec:\vpvvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\dvdvp.exec:\dvdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\vvppv.exec:\vvppv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\ffllllr.exec:\ffllllr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\1djpp.exec:\1djpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\lflfxxr.exec:\lflfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\jvdvp.exec:\jvdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\rxxrlll.exec:\rxxrlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\tnnnnt.exec:\tnnnnt.exe23⤵
- Executes dropped EXE
PID:1416 -
\??\c:\jdjjd.exec:\jdjjd.exe24⤵
- Executes dropped EXE
PID:1688 -
\??\c:\3nbtbb.exec:\3nbtbb.exe25⤵
- Executes dropped EXE
PID:2784 -
\??\c:\pjddj.exec:\pjddj.exe26⤵
- Executes dropped EXE
PID:1864 -
\??\c:\hnbnbt.exec:\hnbnbt.exe27⤵
- Executes dropped EXE
PID:2364 -
\??\c:\9rfflrx.exec:\9rfflrx.exe28⤵
- Executes dropped EXE
PID:2584 -
\??\c:\hbnnhn.exec:\hbnnhn.exe29⤵
- Executes dropped EXE
PID:3660 -
\??\c:\xrfffff.exec:\xrfffff.exe30⤵
- Executes dropped EXE
PID:2956 -
\??\c:\ddvvv.exec:\ddvvv.exe31⤵
- Executes dropped EXE
PID:1064 -
\??\c:\btbttt.exec:\btbttt.exe32⤵
- Executes dropped EXE
PID:3856 -
\??\c:\vdppp.exec:\vdppp.exe33⤵
- Executes dropped EXE
PID:2900 -
\??\c:\dpdjd.exec:\dpdjd.exe34⤵
- Executes dropped EXE
PID:1804 -
\??\c:\hntttt.exec:\hntttt.exe35⤵
- Executes dropped EXE
PID:3136 -
\??\c:\nttnnb.exec:\nttnnb.exe36⤵
- Executes dropped EXE
PID:1616 -
\??\c:\pdjjv.exec:\pdjjv.exe37⤵
- Executes dropped EXE
PID:2588 -
\??\c:\xrfxllx.exec:\xrfxllx.exe38⤵
- Executes dropped EXE
PID:3088 -
\??\c:\1lrllfx.exec:\1lrllfx.exe39⤵
- Executes dropped EXE
PID:1940 -
\??\c:\nbbnnh.exec:\nbbnnh.exe40⤵
- Executes dropped EXE
PID:4276 -
\??\c:\9pjdp.exec:\9pjdp.exe41⤵
- Executes dropped EXE
PID:4972 -
\??\c:\7xffxxf.exec:\7xffxxf.exe42⤵
- Executes dropped EXE
PID:3220 -
\??\c:\bttnnn.exec:\bttnnn.exe43⤵
- Executes dropped EXE
PID:2688 -
\??\c:\5ppjd.exec:\5ppjd.exe44⤵
- Executes dropped EXE
PID:3432 -
\??\c:\lfllfff.exec:\lfllfff.exe45⤵
- Executes dropped EXE
PID:2748 -
\??\c:\nttbnh.exec:\nttbnh.exe46⤵
- Executes dropped EXE
PID:4368 -
\??\c:\ddjdd.exec:\ddjdd.exe47⤵
- Executes dropped EXE
PID:4388 -
\??\c:\rllfrll.exec:\rllfrll.exe48⤵
- Executes dropped EXE
PID:3728 -
\??\c:\hhhhbb.exec:\hhhhbb.exe49⤵
- Executes dropped EXE
PID:1724 -
\??\c:\9tnhbb.exec:\9tnhbb.exe50⤵
- Executes dropped EXE
PID:2408 -
\??\c:\jvvdp.exec:\jvvdp.exe51⤵
- Executes dropped EXE
PID:3268 -
\??\c:\flllflf.exec:\flllflf.exe52⤵
- Executes dropped EXE
PID:4004 -
\??\c:\htbtnn.exec:\htbtnn.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:396 -
\??\c:\jpvvd.exec:\jpvvd.exe54⤵
- Executes dropped EXE
PID:4608 -
\??\c:\lxfrlff.exec:\lxfrlff.exe55⤵
- Executes dropped EXE
PID:5040 -
\??\c:\ththtb.exec:\ththtb.exe56⤵
- Executes dropped EXE
PID:3196 -
\??\c:\vppdd.exec:\vppdd.exe57⤵
- Executes dropped EXE
PID:4624 -
\??\c:\xrlfrfr.exec:\xrlfrfr.exe58⤵
- Executes dropped EXE
PID:4124 -
\??\c:\lfffxrl.exec:\lfffxrl.exe59⤵
- Executes dropped EXE
PID:2596 -
\??\c:\9bhtnh.exec:\9bhtnh.exe60⤵
- Executes dropped EXE
PID:3880 -
\??\c:\dpvdp.exec:\dpvdp.exe61⤵
- Executes dropped EXE
PID:676 -
\??\c:\lllllrr.exec:\lllllrr.exe62⤵
- Executes dropped EXE
PID:3948 -
\??\c:\hhhhhh.exec:\hhhhhh.exe63⤵
- Executes dropped EXE
PID:3568 -
\??\c:\ddjdv.exec:\ddjdv.exe64⤵
- Executes dropped EXE
PID:1976 -
\??\c:\7lrrxxx.exec:\7lrrxxx.exe65⤵
- Executes dropped EXE
PID:2100 -
\??\c:\ffrlflr.exec:\ffrlflr.exe66⤵PID:4268
-
\??\c:\3thnnt.exec:\3thnnt.exe67⤵PID:4684
-
\??\c:\ppvvv.exec:\ppvvv.exe68⤵PID:4808
-
\??\c:\3jjdv.exec:\3jjdv.exe69⤵PID:2172
-
\??\c:\7fllfff.exec:\7fllfff.exe70⤵PID:2184
-
\??\c:\nhnntb.exec:\nhnntb.exe71⤵PID:3116
-
\??\c:\7djpp.exec:\7djpp.exe72⤵PID:3376
-
\??\c:\rxfllll.exec:\rxfllll.exe73⤵PID:384
-
\??\c:\hhbbht.exec:\hhbbht.exe74⤵PID:3340
-
\??\c:\hhnnnt.exec:\hhnnnt.exe75⤵PID:452
-
\??\c:\pdppj.exec:\pdppj.exe76⤵PID:3940
-
\??\c:\xfxfxrr.exec:\xfxfxrr.exe77⤵PID:3224
-
\??\c:\3xffflr.exec:\3xffflr.exe78⤵PID:1416
-
\??\c:\9nbbnn.exec:\9nbbnn.exe79⤵PID:2356
-
\??\c:\pdpjd.exec:\pdpjd.exe80⤵PID:4244
-
\??\c:\pjvpp.exec:\pjvpp.exe81⤵PID:4636
-
\??\c:\xlxrlrl.exec:\xlxrlrl.exe82⤵PID:3932
-
\??\c:\bbhhbb.exec:\bbhhbb.exe83⤵PID:1328
-
\??\c:\5jvvp.exec:\5jvvp.exe84⤵PID:5112
-
\??\c:\fxllfrl.exec:\fxllfrl.exe85⤵PID:3668
-
\??\c:\hhhnbh.exec:\hhhnbh.exe86⤵PID:3504
-
\??\c:\tnbttb.exec:\tnbttb.exe87⤵PID:4596
-
\??\c:\xxrfxll.exec:\xxrfxll.exe88⤵PID:740
-
\??\c:\7tbttt.exec:\7tbttt.exe89⤵PID:1552
-
\??\c:\hbbnhb.exec:\hbbnhb.exe90⤵PID:4288
-
\??\c:\dpdpj.exec:\dpdpj.exe91⤵PID:2776
-
\??\c:\xxrlffx.exec:\xxrlffx.exe92⤵PID:1748
-
\??\c:\htbbtn.exec:\htbbtn.exe93⤵PID:3240
-
\??\c:\pvddd.exec:\pvddd.exe94⤵PID:644
-
\??\c:\rlxrrrx.exec:\rlxrrrx.exe95⤵PID:3464
-
\??\c:\nhtnbt.exec:\nhtnbt.exe96⤵PID:548
-
\??\c:\vjvpv.exec:\vjvpv.exe97⤵PID:3468
-
\??\c:\xlxflxl.exec:\xlxflxl.exe98⤵PID:380
-
\??\c:\xflffxr.exec:\xflffxr.exe99⤵
- System Location Discovery: System Language Discovery
PID:4176 -
\??\c:\1nbttb.exec:\1nbttb.exe100⤵PID:5012
-
\??\c:\5vppd.exec:\5vppd.exe101⤵PID:3988
-
\??\c:\frrfrlf.exec:\frrfrlf.exe102⤵PID:4180
-
\??\c:\hhnbth.exec:\hhnbth.exe103⤵PID:1580
-
\??\c:\vdjjd.exec:\vdjjd.exe104⤵PID:4528
-
\??\c:\lfrrlll.exec:\lfrrlll.exe105⤵PID:3968
-
\??\c:\9rfrfxf.exec:\9rfrfxf.exe106⤵PID:4388
-
\??\c:\hbnntb.exec:\hbnntb.exe107⤵PID:3124
-
\??\c:\vvdvv.exec:\vvdvv.exe108⤵PID:1724
-
\??\c:\xxxffxr.exec:\xxxffxr.exe109⤵PID:412
-
\??\c:\hbhbbt.exec:\hbhbbt.exe110⤵PID:1048
-
\??\c:\pvjdv.exec:\pvjdv.exe111⤵PID:3980
-
\??\c:\dpppj.exec:\dpppj.exe112⤵PID:2012
-
\??\c:\xrrlflf.exec:\xrrlflf.exe113⤵PID:4344
-
\??\c:\bnbthb.exec:\bnbthb.exe114⤵PID:968
-
\??\c:\nbnhtt.exec:\nbnhtt.exe115⤵PID:3180
-
\??\c:\jjjjj.exec:\jjjjj.exe116⤵PID:1596
-
\??\c:\5rxrxrx.exec:\5rxrxrx.exe117⤵
- System Location Discovery: System Language Discovery
PID:1812 -
\??\c:\hnbtnn.exec:\hnbtnn.exe118⤵
- System Location Discovery: System Language Discovery
PID:1380 -
\??\c:\djpjv.exec:\djpjv.exe119⤵PID:3096
-
\??\c:\lfrrlfr.exec:\lfrrlfr.exe120⤵PID:5052
-
\??\c:\xxxrlff.exec:\xxxrlff.exe121⤵PID:3008
-
\??\c:\ntnnnn.exec:\ntnnnn.exe122⤵PID:816