Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 14:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe
-
Size
453KB
-
MD5
279c0bf89115446246b702f81ea47a0e
-
SHA1
780d7ee678fd21458d0f4332ef44e1454addb58d
-
SHA256
7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1
-
SHA512
4e673d96e24988c51ac851f7e8b5bc0ec21dbdde92d5e1dd92e56e2cb06b84b6fcd13d68ae6cc8c510f38dcb9a20af51f378a1449f2e6a5d0b1ed2744659c6ad
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4048-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3500-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2820-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-959-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-1011-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-1487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4148 3bhbnn.exe 400 jpdjv.exe 4992 5rfxxxr.exe 4052 rlrlfxx.exe 720 1nntnb.exe 2516 dvvpj.exe 3396 9nnnhn.exe 3652 frxlffx.exe 4572 dddjj.exe 872 5lllflf.exe 1512 ppvvv.exe 4760 rffrlfr.exe 936 3thbbh.exe 2408 jddvp.exe 1440 thtnhh.exe 5080 tnttbt.exe 1664 5xxxrxr.exe 1576 llfxrlf.exe 4272 pvdvv.exe 4016 rflffxx.exe 1712 lflrlff.exe 5032 vvdvv.exe 4140 flxrllf.exe 516 hbnhnn.exe 2208 hbbbtt.exe 1844 fxxrrrr.exe 1536 1fxxrrf.exe 3500 hhnhhb.exe 4940 tnbnhh.exe 3196 jdvvp.exe 1388 ntnhhh.exe 2572 3vdvd.exe 4452 llfxxxr.exe 3552 bntnhh.exe 1564 jvdvp.exe 3672 lfxlfrl.exe 2660 nhbnhb.exe 856 vjpjv.exe 3708 3ffxllf.exe 4268 tbhbtn.exe 5100 pjdvd.exe 3908 jpvpd.exe 3592 nbthtn.exe 2768 vdddp.exe 4692 xfflrrl.exe 4404 ttbtnn.exe 4552 nbhbtn.exe 2100 pjvpp.exe 3176 thtnnn.exe 3684 7hhhbb.exe 3584 xflffff.exe 4152 fxxflfl.exe 1360 nbbtnh.exe 2936 jvdvp.exe 2536 9ntbnn.exe 212 tbhbtn.exe 3460 vjdjp.exe 4864 xrxlrlf.exe 4000 tnttnh.exe 1304 pjvpd.exe 1288 xrxxfxx.exe 1512 bttnhh.exe 1060 pjjjp.exe 3116 lxxrrrl.exe -
resource yara_rule behavioral2/memory/4048-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4452-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3152-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-959-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-1011-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location; in this run each listed process does so by opening the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4048 wrote to memory of 4148 4048 7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe 82 PID 4048 wrote to memory of 4148 4048 7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe 82 PID 4048 wrote to memory of 4148 4048 7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe 82 PID 4148 wrote to memory of 400 4148 3bhbnn.exe 83 PID 4148 wrote to memory of 400 4148 3bhbnn.exe 83 PID 4148 wrote to memory of 400 4148 3bhbnn.exe 83 PID 400 wrote to memory of 4992 400 jpdjv.exe 84 PID 400 wrote to memory of 4992 400 jpdjv.exe 84 PID 400 wrote to memory of 4992 400 jpdjv.exe 84 PID 4992 wrote to memory of 4052 4992 5rfxxxr.exe 85 PID 4992 wrote to memory of 4052 4992 5rfxxxr.exe 85 PID 4992 wrote to memory of 4052 4992 5rfxxxr.exe 85 PID 4052 wrote to memory of 720 4052 rlrlfxx.exe 86 PID 4052 wrote to memory of 720 4052 rlrlfxx.exe 86 PID 4052 wrote to memory of 720 4052 rlrlfxx.exe 86 PID 720 wrote to memory of 2516 720 1nntnb.exe 87 PID 720 wrote to memory of 2516 720 1nntnb.exe 87 PID 720 wrote to memory of 2516 720 1nntnb.exe 87 PID 2516 wrote to memory of 3396 2516 dvvpj.exe 88 PID 2516 wrote to memory of 3396 2516 dvvpj.exe 88 PID 2516 wrote to memory of 3396 2516 dvvpj.exe 88 PID 3396 wrote to memory of 3652 3396 9nnnhn.exe 89 PID 3396 wrote to memory of 3652 3396 9nnnhn.exe 89 PID 3396 wrote to memory of 3652 3396 9nnnhn.exe 89 PID 3652 wrote to memory of 4572 3652 frxlffx.exe 90 PID 3652 wrote to memory of 4572 3652 frxlffx.exe 90 PID 3652 wrote to memory of 4572 3652 frxlffx.exe 90 PID 4572 wrote to memory of 872 4572 dddjj.exe 91 PID 4572 wrote to memory of 872 4572 dddjj.exe 91 PID 4572 wrote to memory of 872 4572 dddjj.exe 91 PID 872 wrote to memory of 1512 872 5lllflf.exe 92 PID 872 wrote to memory of 1512 872 5lllflf.exe 92 PID 872 wrote to memory of 1512 872 5lllflf.exe 92 PID 1512 wrote to memory of 4760 1512 ppvvv.exe 93 PID 1512 wrote to memory of 4760 1512 
ppvvv.exe 93 PID 1512 wrote to memory of 4760 1512 ppvvv.exe 93 PID 4760 wrote to memory of 936 4760 rffrlfr.exe 94 PID 4760 wrote to memory of 936 4760 rffrlfr.exe 94 PID 4760 wrote to memory of 936 4760 rffrlfr.exe 94 PID 936 wrote to memory of 2408 936 3thbbh.exe 95 PID 936 wrote to memory of 2408 936 3thbbh.exe 95 PID 936 wrote to memory of 2408 936 3thbbh.exe 95 PID 2408 wrote to memory of 1440 2408 jddvp.exe 96 PID 2408 wrote to memory of 1440 2408 jddvp.exe 96 PID 2408 wrote to memory of 1440 2408 jddvp.exe 96 PID 1440 wrote to memory of 5080 1440 thtnhh.exe 97 PID 1440 wrote to memory of 5080 1440 thtnhh.exe 97 PID 1440 wrote to memory of 5080 1440 thtnhh.exe 97 PID 5080 wrote to memory of 1664 5080 tnttbt.exe 98 PID 5080 wrote to memory of 1664 5080 tnttbt.exe 98 PID 5080 wrote to memory of 1664 5080 tnttbt.exe 98 PID 1664 wrote to memory of 1576 1664 5xxxrxr.exe 99 PID 1664 wrote to memory of 1576 1664 5xxxrxr.exe 99 PID 1664 wrote to memory of 1576 1664 5xxxrxr.exe 99 PID 1576 wrote to memory of 4272 1576 llfxrlf.exe 100 PID 1576 wrote to memory of 4272 1576 llfxrlf.exe 100 PID 1576 wrote to memory of 4272 1576 llfxrlf.exe 100 PID 4272 wrote to memory of 4016 4272 pvdvv.exe 101 PID 4272 wrote to memory of 4016 4272 pvdvv.exe 101 PID 4272 wrote to memory of 4016 4272 pvdvv.exe 101 PID 4016 wrote to memory of 1712 4016 rflffxx.exe 102 PID 4016 wrote to memory of 1712 4016 rflffxx.exe 102 PID 4016 wrote to memory of 1712 4016 rflffxx.exe 102 PID 1712 wrote to memory of 5032 1712 lflrlff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe"C:\Users\Admin\AppData\Local\Temp\7a86f38aa37093d191b2e99274b2966072628382adb63df3d554074ddafaebb1.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\3bhbnn.exec:\3bhbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\jpdjv.exec:\jpdjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\5rfxxxr.exec:\5rfxxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\rlrlfxx.exec:\rlrlfxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\1nntnb.exec:\1nntnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\dvvpj.exec:\dvvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\9nnnhn.exec:\9nnnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\frxlffx.exec:\frxlffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\dddjj.exec:\dddjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\5lllflf.exec:\5lllflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\ppvvv.exec:\ppvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\rffrlfr.exec:\rffrlfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\3thbbh.exec:\3thbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\jddvp.exec:\jddvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\thtnhh.exec:\thtnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\tnttbt.exec:\tnttbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\5xxxrxr.exec:\5xxxrxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\llfxrlf.exec:\llfxrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\pvdvv.exec:\pvdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\rflffxx.exec:\rflffxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4016 -
\??\c:\lflrlff.exec:\lflrlff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\vvdvv.exec:\vvdvv.exe23⤵
- Executes dropped EXE
PID:5032 -
\??\c:\flxrllf.exec:\flxrllf.exe24⤵
- Executes dropped EXE
PID:4140 -
\??\c:\hbnhnn.exec:\hbnhnn.exe25⤵
- Executes dropped EXE
PID:516 -
\??\c:\hbbbtt.exec:\hbbbtt.exe26⤵
- Executes dropped EXE
PID:2208 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe27⤵
- Executes dropped EXE
PID:1844 -
\??\c:\1fxxrrf.exec:\1fxxrrf.exe28⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hhnhhb.exec:\hhnhhb.exe29⤵
- Executes dropped EXE
PID:3500 -
\??\c:\tnbnhh.exec:\tnbnhh.exe30⤵
- Executes dropped EXE
PID:4940 -
\??\c:\jdvvp.exec:\jdvvp.exe31⤵
- Executes dropped EXE
PID:3196 -
\??\c:\ntnhhh.exec:\ntnhhh.exe32⤵
- Executes dropped EXE
PID:1388 -
\??\c:\3vdvd.exec:\3vdvd.exe33⤵
- Executes dropped EXE
PID:2572 -
\??\c:\llfxxxr.exec:\llfxxxr.exe34⤵
- Executes dropped EXE
PID:4452 -
\??\c:\bntnhh.exec:\bntnhh.exe35⤵
- Executes dropped EXE
PID:3552 -
\??\c:\jvdvp.exec:\jvdvp.exe36⤵
- Executes dropped EXE
PID:1564 -
\??\c:\lfxlfrl.exec:\lfxlfrl.exe37⤵
- Executes dropped EXE
PID:3672 -
\??\c:\nhbnhb.exec:\nhbnhb.exe38⤵
- Executes dropped EXE
PID:2660 -
\??\c:\vjpjv.exec:\vjpjv.exe39⤵
- Executes dropped EXE
PID:856 -
\??\c:\3ffxllf.exec:\3ffxllf.exe40⤵
- Executes dropped EXE
PID:3708 -
\??\c:\tbhbtn.exec:\tbhbtn.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4268 -
\??\c:\pjdvd.exec:\pjdvd.exe42⤵
- Executes dropped EXE
PID:5100 -
\??\c:\jpvpd.exec:\jpvpd.exe43⤵
- Executes dropped EXE
PID:3908 -
\??\c:\nbthtn.exec:\nbthtn.exe44⤵
- Executes dropped EXE
PID:3592 -
\??\c:\vdddp.exec:\vdddp.exe45⤵
- Executes dropped EXE
PID:2768 -
\??\c:\xfflrrl.exec:\xfflrrl.exe46⤵
- Executes dropped EXE
PID:4692 -
\??\c:\ttbtnn.exec:\ttbtnn.exe47⤵
- Executes dropped EXE
PID:4404 -
\??\c:\nbhbtn.exec:\nbhbtn.exe48⤵
- Executes dropped EXE
PID:4552 -
\??\c:\pjvpp.exec:\pjvpp.exe49⤵
- Executes dropped EXE
PID:2100 -
\??\c:\thtnnn.exec:\thtnnn.exe50⤵
- Executes dropped EXE
PID:3176 -
\??\c:\7hhhbb.exec:\7hhhbb.exe51⤵
- Executes dropped EXE
PID:3684 -
\??\c:\xflffff.exec:\xflffff.exe52⤵
- Executes dropped EXE
PID:3584 -
\??\c:\fxxflfl.exec:\fxxflfl.exe53⤵
- Executes dropped EXE
PID:4152 -
\??\c:\nbbtnh.exec:\nbbtnh.exe54⤵
- Executes dropped EXE
PID:1360 -
\??\c:\jvdvp.exec:\jvdvp.exe55⤵
- Executes dropped EXE
PID:2936 -
\??\c:\9ntbnn.exec:\9ntbnn.exe56⤵
- Executes dropped EXE
PID:2536 -
\??\c:\tbhbtn.exec:\tbhbtn.exe57⤵
- Executes dropped EXE
PID:212 -
\??\c:\vjdjp.exec:\vjdjp.exe58⤵
- Executes dropped EXE
PID:3460 -
\??\c:\xrxlrlf.exec:\xrxlrlf.exe59⤵
- Executes dropped EXE
PID:4864 -
\??\c:\tnttnh.exec:\tnttnh.exe60⤵
- Executes dropped EXE
PID:4000 -
\??\c:\pjvpd.exec:\pjvpd.exe61⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xrxxfxx.exec:\xrxxfxx.exe62⤵
- Executes dropped EXE
PID:1288 -
\??\c:\bttnhh.exec:\bttnhh.exe63⤵
- Executes dropped EXE
PID:1512 -
\??\c:\pjjjp.exec:\pjjjp.exe64⤵
- Executes dropped EXE
PID:1060 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe65⤵
- Executes dropped EXE
PID:3116 -
\??\c:\nhhhbb.exec:\nhhhbb.exe66⤵PID:2820
-
\??\c:\5ttnnt.exec:\5ttnnt.exe67⤵PID:3356
-
\??\c:\ddddv.exec:\ddddv.exe68⤵PID:2856
-
\??\c:\1flxrrl.exec:\1flxrrl.exe69⤵PID:1184
-
\??\c:\9bbtnt.exec:\9bbtnt.exe70⤵PID:2300
-
\??\c:\vvppp.exec:\vvppp.exe71⤵PID:5080
-
\??\c:\frxlffx.exec:\frxlffx.exe72⤵PID:5048
-
\??\c:\hbnntt.exec:\hbnntt.exe73⤵PID:3636
-
\??\c:\3pvpj.exec:\3pvpj.exe74⤵PID:3152
-
\??\c:\pdjdv.exec:\pdjdv.exe75⤵PID:3216
-
\??\c:\7llfxxr.exec:\7llfxxr.exe76⤵PID:4488
-
\??\c:\1bbbnn.exec:\1bbbnn.exe77⤵PID:2456
-
\??\c:\pdjdv.exec:\pdjdv.exe78⤵PID:4352
-
\??\c:\xrfxrlr.exec:\xrfxrlr.exe79⤵PID:3788
-
\??\c:\3ntntt.exec:\3ntntt.exe80⤵PID:4632
-
\??\c:\pvdvp.exec:\pvdvp.exe81⤵PID:4896
-
\??\c:\vpvpp.exec:\vpvpp.exe82⤵PID:2208
-
\??\c:\thhbbt.exec:\thhbbt.exe83⤵PID:3024
-
\??\c:\nbnnhh.exec:\nbnnhh.exe84⤵PID:1844
-
\??\c:\pvvjv.exec:\pvvjv.exe85⤵PID:1536
-
\??\c:\xxxxrlf.exec:\xxxxrlf.exe86⤵PID:3464
-
\??\c:\xlxrfxx.exec:\xlxrfxx.exe87⤵PID:404
-
\??\c:\7ttnnb.exec:\7ttnnb.exe88⤵PID:1836
-
\??\c:\jdpdp.exec:\jdpdp.exe89⤵PID:3196
-
\??\c:\3rxrrrl.exec:\3rxrrrl.exe90⤵PID:2416
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe91⤵PID:1444
-
\??\c:\bntnth.exec:\bntnth.exe92⤵PID:1468
-
\??\c:\vpjvp.exec:\vpjvp.exe93⤵PID:2220
-
\??\c:\7pvpj.exec:\7pvpj.exe94⤵PID:3352
-
\??\c:\rxffrrr.exec:\rxffrrr.exe95⤵PID:4408
-
\??\c:\hhhbtn.exec:\hhhbtn.exe96⤵PID:3656
-
\??\c:\vjpjd.exec:\vjpjd.exe97⤵PID:3144
-
\??\c:\xffxrrl.exec:\xffxrrl.exe98⤵PID:856
-
\??\c:\nnbttn.exec:\nnbttn.exe99⤵PID:3708
-
\??\c:\5vdpj.exec:\5vdpj.exe100⤵PID:4268
-
\??\c:\9xflffx.exec:\9xflffx.exe101⤵PID:2324
-
\??\c:\ffflfrl.exec:\ffflfrl.exe102⤵PID:3480
-
\??\c:\hnbttn.exec:\hnbttn.exe103⤵PID:3912
-
\??\c:\djjpp.exec:\djjpp.exe104⤵PID:2332
-
\??\c:\rfxrfxl.exec:\rfxrfxl.exe105⤵PID:3056
-
\??\c:\xxxffff.exec:\xxxffff.exe106⤵PID:1756
-
\??\c:\nbbttt.exec:\nbbttt.exe107⤵PID:3980
-
\??\c:\jdjdd.exec:\jdjdd.exe108⤵PID:4552
-
\??\c:\lflllll.exec:\lflllll.exe109⤵PID:4800
-
\??\c:\xxllxff.exec:\xxllxff.exe110⤵PID:3176
-
\??\c:\tthbnh.exec:\tthbnh.exe111⤵PID:3684
-
\??\c:\pdjdd.exec:\pdjdd.exe112⤵PID:4264
-
\??\c:\5fllfrl.exec:\5fllfrl.exe113⤵PID:2736
-
\??\c:\nnnbth.exec:\nnnbth.exe114⤵PID:1360
-
\??\c:\5pppp.exec:\5pppp.exe115⤵PID:1216
-
\??\c:\pdpjd.exec:\pdpjd.exe116⤵PID:3976
-
\??\c:\rlflffl.exec:\rlflffl.exe117⤵PID:1476
-
\??\c:\7nhbnn.exec:\7nhbnn.exe118⤵PID:1392
-
\??\c:\vvpvp.exec:\vvpvp.exe119⤵PID:5068
-
\??\c:\rffrllf.exec:\rffrllf.exe120⤵PID:4436
-
\??\c:\rlrlffx.exec:\rlrlffx.exe121⤵PID:1816
-
\??\c:\ntbbtn.exec:\ntbbtn.exe122⤵PID:1304