Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df.exe
-
Size
454KB
-
MD5
0fdf248b7a23f8d34edd70196f9dd55d
-
SHA1
9ea5d4caf8f1cef00128bde43c21d2a5a7c042a0
-
SHA256
dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df
-
SHA512
ab124149e3600569a245af5718b5e509ae9690c3dac313fb57731793b074aece0ad525ab6a0f0bee3b6971c9ef60ec3aef9fc3629adf2ea1ec0cdde90b410d7b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTS:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/5080-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4800-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4704-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1008-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-1021-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-1274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2428-1531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4544 jjvpj.exe 3204 nnbbht.exe 3880 9nhtbb.exe 3988 7jvpd.exe 3892 3ddpj.exe 4936 lfxrrrl.exe 2192 3hhbnn.exe 3524 jvdpj.exe 3580 lxrlxrl.exe 4120 bnbnhh.exe 4568 bttnhh.exe 4704 jpvpj.exe 2768 rrrllfx.exe 4832 bbnnhh.exe 3188 vpppd.exe 1420 rflrxlr.exe 2464 tnnbtn.exe 228 5pvdp.exe 3056 flxrxxl.exe 2568 ttbhht.exe 2112 nbbttt.exe 4232 pvvjd.exe 860 1rxrffx.exe 2108 bbhnbt.exe 4532 dvjjp.exe 1496 7xxxrrr.exe 1156 jvdpv.exe 5084 xlrxrrr.exe 3068 bhtnnn.exe 4412 jddvp.exe 3640 hbnbht.exe 4012 dddvp.exe 2784 9lrlxrl.exe 2752 hhtbhb.exe 1728 pddvp.exe 4464 1ffxllf.exe 1772 hhhnnn.exe 4228 9dvvp.exe 2652 vjpjj.exe 388 nbthbn.exe 2428 ddvvp.exe 1892 vdjdp.exe 3172 fxlrlll.exe 3568 tnbbtt.exe 4084 9nbbtt.exe 1848 vdjdp.exe 4800 lllrxxf.exe 756 bbbhht.exe 4508 pdjdv.exe 4512 pdddv.exe 2344 1frlxrx.exe 1316 bbtnnh.exe 3116 btbhbn.exe 920 dpvpj.exe 3140 llrfllf.exe 2356 tnnhhb.exe 1488 vjpjd.exe 1476 9jddv.exe 4936 5ffxrfx.exe 3396 btnnnn.exe 2192 nbbbtt.exe 4688 pvvvp.exe 4912 1rfxffr.exe 2452 lrrlfrx.exe -
resource yara_rule behavioral2/memory/5080-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-241-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4800-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5008-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1008-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-908-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5080 wrote to memory of 4544 5080 dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df.exe 83 PID 5080 wrote to memory of 4544 5080 dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df.exe 83 PID 5080 wrote to memory of 4544 5080 dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df.exe 83 PID 4544 wrote to memory of 3204 4544 jjvpj.exe 84 PID 4544 wrote to memory of 3204 4544 jjvpj.exe 84 PID 4544 wrote to memory of 3204 4544 jjvpj.exe 84 PID 3204 wrote to memory of 3880 3204 nnbbht.exe 85 PID 3204 wrote to memory of 3880 3204 nnbbht.exe 85 PID 3204 wrote to memory of 3880 3204 nnbbht.exe 85 PID 3880 wrote to memory of 3988 3880 9nhtbb.exe 86 PID 3880 wrote to memory of 3988 3880 9nhtbb.exe 86 PID 3880 wrote to memory of 3988 3880 9nhtbb.exe 86 PID 3988 wrote to memory of 3892 3988 7jvpd.exe 87 PID 3988 wrote to memory of 3892 3988 7jvpd.exe 87 PID 3988 wrote to memory of 3892 3988 7jvpd.exe 87 PID 3892 wrote to memory of 4936 3892 3ddpj.exe 141 PID 3892 wrote to memory of 4936 3892 3ddpj.exe 141 PID 3892 wrote to memory of 4936 3892 3ddpj.exe 141 PID 4936 wrote to memory of 2192 4936 lfxrrrl.exe 143 PID 4936 wrote to memory of 2192 4936 lfxrrrl.exe 143 PID 4936 wrote to memory of 2192 4936 lfxrrrl.exe 143 PID 2192 wrote to memory of 3524 2192 3hhbnn.exe 90 PID 2192 wrote to memory of 3524 2192 3hhbnn.exe 90 PID 2192 wrote to memory of 3524 2192 3hhbnn.exe 90 PID 3524 wrote to memory of 3580 3524 jvdpj.exe 91 PID 3524 wrote to memory of 3580 3524 jvdpj.exe 91 PID 3524 wrote to memory of 3580 3524 jvdpj.exe 91 PID 3580 wrote to memory of 4120 3580 lxrlxrl.exe 92 PID 3580 wrote to memory of 4120 3580 lxrlxrl.exe 92 PID 3580 wrote to memory of 4120 3580 lxrlxrl.exe 92 PID 4120 wrote to memory of 4568 4120 bnbnhh.exe 93 PID 4120 wrote to memory of 4568 4120 bnbnhh.exe 93 PID 4120 wrote to memory of 4568 4120 bnbnhh.exe 93 PID 4568 wrote to memory of 4704 4568 bttnhh.exe 94 PID 4568 wrote to 
memory of 4704 4568 bttnhh.exe 94 PID 4568 wrote to memory of 4704 4568 bttnhh.exe 94 PID 4704 wrote to memory of 2768 4704 jpvpj.exe 95 PID 4704 wrote to memory of 2768 4704 jpvpj.exe 95 PID 4704 wrote to memory of 2768 4704 jpvpj.exe 95 PID 2768 wrote to memory of 4832 2768 rrrllfx.exe 96 PID 2768 wrote to memory of 4832 2768 rrrllfx.exe 96 PID 2768 wrote to memory of 4832 2768 rrrllfx.exe 96 PID 4832 wrote to memory of 3188 4832 bbnnhh.exe 97 PID 4832 wrote to memory of 3188 4832 bbnnhh.exe 97 PID 4832 wrote to memory of 3188 4832 bbnnhh.exe 97 PID 3188 wrote to memory of 1420 3188 vpppd.exe 155 PID 3188 wrote to memory of 1420 3188 vpppd.exe 155 PID 3188 wrote to memory of 1420 3188 vpppd.exe 155 PID 1420 wrote to memory of 2464 1420 rflrxlr.exe 99 PID 1420 wrote to memory of 2464 1420 rflrxlr.exe 99 PID 1420 wrote to memory of 2464 1420 rflrxlr.exe 99 PID 2464 wrote to memory of 228 2464 tnnbtn.exe 100 PID 2464 wrote to memory of 228 2464 tnnbtn.exe 100 PID 2464 wrote to memory of 228 2464 tnnbtn.exe 100 PID 228 wrote to memory of 3056 228 5pvdp.exe 101 PID 228 wrote to memory of 3056 228 5pvdp.exe 101 PID 228 wrote to memory of 3056 228 5pvdp.exe 101 PID 3056 wrote to memory of 2568 3056 flxrxxl.exe 102 PID 3056 wrote to memory of 2568 3056 flxrxxl.exe 102 PID 3056 wrote to memory of 2568 3056 flxrxxl.exe 102 PID 2568 wrote to memory of 2112 2568 ttbhht.exe 103 PID 2568 wrote to memory of 2112 2568 ttbhht.exe 103 PID 2568 wrote to memory of 2112 2568 ttbhht.exe 103 PID 2112 wrote to memory of 4232 2112 nbbttt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df.exe"C:\Users\Admin\AppData\Local\Temp\dbf61c2ac9ea6f02bba3b5c98678a647c0bc4d6516e2407f73cb2738433283df.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\jjvpj.exec:\jjvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\nnbbht.exec:\nnbbht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\9nhtbb.exec:\9nhtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\7jvpd.exec:\7jvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\3ddpj.exec:\3ddpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\lfxrrrl.exec:\lfxrrrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\3hhbnn.exec:\3hhbnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\jvdpj.exec:\jvdpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\lxrlxrl.exec:\lxrlxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\bnbnhh.exec:\bnbnhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\bttnhh.exec:\bttnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\jpvpj.exec:\jpvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\rrrllfx.exec:\rrrllfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\bbnnhh.exec:\bbnnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\vpppd.exec:\vpppd.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\rflrxlr.exec:\rflrxlr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\tnnbtn.exec:\tnnbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\5pvdp.exec:\5pvdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\flxrxxl.exec:\flxrxxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\ttbhht.exec:\ttbhht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\nbbttt.exec:\nbbttt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\pvvjd.exec:\pvvjd.exe23⤵
- Executes dropped EXE
PID:4232 -
\??\c:\1rxrffx.exec:\1rxrffx.exe24⤵
- Executes dropped EXE
PID:860 -
\??\c:\bbhnbt.exec:\bbhnbt.exe25⤵
- Executes dropped EXE
PID:2108 -
\??\c:\dvjjp.exec:\dvjjp.exe26⤵
- Executes dropped EXE
PID:4532 -
\??\c:\7xxxrrr.exec:\7xxxrrr.exe27⤵
- Executes dropped EXE
PID:1496 -
\??\c:\jvdpv.exec:\jvdpv.exe28⤵
- Executes dropped EXE
PID:1156 -
\??\c:\xlrxrrr.exec:\xlrxrrr.exe29⤵
- Executes dropped EXE
PID:5084 -
\??\c:\bhtnnn.exec:\bhtnnn.exe30⤵
- Executes dropped EXE
PID:3068 -
\??\c:\jddvp.exec:\jddvp.exe31⤵
- Executes dropped EXE
PID:4412 -
\??\c:\hbnbht.exec:\hbnbht.exe32⤵
- Executes dropped EXE
PID:3640 -
\??\c:\dddvp.exec:\dddvp.exe33⤵
- Executes dropped EXE
PID:4012 -
\??\c:\9lrlxrl.exec:\9lrlxrl.exe34⤵
- Executes dropped EXE
PID:2784 -
\??\c:\hhtbhb.exec:\hhtbhb.exe35⤵
- Executes dropped EXE
PID:2752 -
\??\c:\pddvp.exec:\pddvp.exe36⤵
- Executes dropped EXE
PID:1728 -
\??\c:\1ffxllf.exec:\1ffxllf.exe37⤵
- Executes dropped EXE
PID:4464 -
\??\c:\hhhnnn.exec:\hhhnnn.exe38⤵
- Executes dropped EXE
PID:1772 -
\??\c:\9dvvp.exec:\9dvvp.exe39⤵
- Executes dropped EXE
PID:4228 -
\??\c:\vjpjj.exec:\vjpjj.exe40⤵
- Executes dropped EXE
PID:2652 -
\??\c:\nbthbn.exec:\nbthbn.exe41⤵
- Executes dropped EXE
PID:388 -
\??\c:\ddvvp.exec:\ddvvp.exe42⤵
- Executes dropped EXE
PID:2428 -
\??\c:\vdjdp.exec:\vdjdp.exe43⤵
- Executes dropped EXE
PID:1892 -
\??\c:\fxlrlll.exec:\fxlrlll.exe44⤵
- Executes dropped EXE
PID:3172 -
\??\c:\tnbbtt.exec:\tnbbtt.exe45⤵
- Executes dropped EXE
PID:3568 -
\??\c:\9nbbtt.exec:\9nbbtt.exe46⤵
- Executes dropped EXE
PID:4084 -
\??\c:\vdjdp.exec:\vdjdp.exe47⤵
- Executes dropped EXE
PID:1848 -
\??\c:\lllrxxf.exec:\lllrxxf.exe48⤵
- Executes dropped EXE
PID:4800 -
\??\c:\bbbhht.exec:\bbbhht.exe49⤵
- Executes dropped EXE
PID:756 -
\??\c:\pdjdv.exec:\pdjdv.exe50⤵
- Executes dropped EXE
PID:4508 -
\??\c:\pdddv.exec:\pdddv.exe51⤵
- Executes dropped EXE
PID:4512 -
\??\c:\1frlxrx.exec:\1frlxrx.exe52⤵
- Executes dropped EXE
PID:2344 -
\??\c:\bbtnnh.exec:\bbtnnh.exe53⤵
- Executes dropped EXE
PID:1316 -
\??\c:\btbhbn.exec:\btbhbn.exe54⤵
- Executes dropped EXE
PID:3116 -
\??\c:\dpvpj.exec:\dpvpj.exe55⤵
- Executes dropped EXE
PID:920 -
\??\c:\llrfllf.exec:\llrfllf.exe56⤵
- Executes dropped EXE
PID:3140 -
\??\c:\tnnhhb.exec:\tnnhhb.exe57⤵
- Executes dropped EXE
PID:2356 -
\??\c:\vjpjd.exec:\vjpjd.exe58⤵
- Executes dropped EXE
PID:1488 -
\??\c:\9jddv.exec:\9jddv.exe59⤵
- Executes dropped EXE
PID:1476 -
\??\c:\5ffxrfx.exec:\5ffxrfx.exe60⤵
- Executes dropped EXE
PID:4936 -
\??\c:\btnnnn.exec:\btnnnn.exe61⤵
- Executes dropped EXE
PID:3396 -
\??\c:\nbbbtt.exec:\nbbbtt.exe62⤵
- Executes dropped EXE
PID:2192 -
\??\c:\pvvvp.exec:\pvvvp.exe63⤵
- Executes dropped EXE
PID:4688 -
\??\c:\1rfxffr.exec:\1rfxffr.exe64⤵
- Executes dropped EXE
PID:4912 -
\??\c:\lrrlfrx.exec:\lrrlfrx.exe65⤵
- Executes dropped EXE
PID:2452 -
\??\c:\hnhhtt.exec:\hnhhtt.exe66⤵PID:1280
-
\??\c:\jddvp.exec:\jddvp.exe67⤵PID:1440
-
\??\c:\vpvpj.exec:\vpvpj.exe68⤵PID:2732
-
\??\c:\xrrxrxr.exec:\xrrxrxr.exe69⤵PID:1960
-
\??\c:\5lxrffr.exec:\5lxrffr.exe70⤵PID:3764
-
\??\c:\jpdpj.exec:\jpdpj.exe71⤵
- System Location Discovery: System Language Discovery
PID:3856 -
\??\c:\llrffxr.exec:\llrffxr.exe72⤵PID:4036
-
\??\c:\bhhnbn.exec:\bhhnbn.exe73⤵PID:4208
-
\??\c:\vdvjv.exec:\vdvjv.exe74⤵PID:1420
-
\??\c:\llfrfrf.exec:\llfrfrf.exe75⤵PID:2560
-
\??\c:\hthbnt.exec:\hthbnt.exe76⤵PID:1532
-
\??\c:\vvvjd.exec:\vvvjd.exe77⤵PID:4784
-
\??\c:\tnhtht.exec:\tnhtht.exe78⤵PID:3948
-
\??\c:\flflfxl.exec:\flflfxl.exe79⤵PID:5008
-
\??\c:\tbbbbb.exec:\tbbbbb.exe80⤵PID:2112
-
\??\c:\7djvd.exec:\7djvd.exe81⤵PID:1556
-
\??\c:\xlfrxrl.exec:\xlfrxrl.exe82⤵PID:4064
-
\??\c:\ttbhbt.exec:\ttbhbt.exe83⤵PID:1732
-
\??\c:\vpvpv.exec:\vpvpv.exe84⤵PID:2108
-
\??\c:\1fxllfr.exec:\1fxllfr.exe85⤵PID:2044
-
\??\c:\hhnhbt.exec:\hhnhbt.exe86⤵PID:452
-
\??\c:\dvvpd.exec:\dvvpd.exe87⤵PID:2308
-
\??\c:\rlfrffx.exec:\rlfrffx.exe88⤵PID:2864
-
\??\c:\hbbbtn.exec:\hbbbtn.exe89⤵PID:3068
-
\??\c:\7fffrrr.exec:\7fffrrr.exe90⤵PID:2208
-
\??\c:\frfllll.exec:\frfllll.exe91⤵PID:1292
-
\??\c:\tnhbtn.exec:\tnhbtn.exe92⤵PID:728
-
\??\c:\3jppd.exec:\3jppd.exe93⤵PID:4012
-
\??\c:\7xxxrrl.exec:\7xxxrrl.exe94⤵PID:3644
-
\??\c:\xfllfll.exec:\xfllfll.exe95⤵PID:4988
-
\??\c:\tntnbt.exec:\tntnbt.exe96⤵PID:1988
-
\??\c:\bbhbtb.exec:\bbhbtb.exe97⤵PID:5052
-
\??\c:\ppvdv.exec:\ppvdv.exe98⤵
- System Location Discovery: System Language Discovery
PID:4964 -
\??\c:\lfrllff.exec:\lfrllff.exe99⤵PID:4436
-
\??\c:\djjjj.exec:\djjjj.exe100⤵PID:4992
-
\??\c:\fxffrrr.exec:\fxffrrr.exe101⤵PID:1008
-
\??\c:\btbbhh.exec:\btbbhh.exe102⤵PID:2364
-
\??\c:\pjdvd.exec:\pjdvd.exe103⤵PID:1784
-
\??\c:\rrlrrlr.exec:\rrlrrlr.exe104⤵PID:2280
-
\??\c:\bntttt.exec:\bntttt.exe105⤵PID:1892
-
\??\c:\vppvp.exec:\vppvp.exe106⤵PID:3464
-
\??\c:\fffxxxx.exec:\fffxxxx.exe107⤵PID:3160
-
\??\c:\7ttnhh.exec:\7ttnhh.exe108⤵PID:4268
-
\??\c:\nnnhbb.exec:\nnnhbb.exe109⤵PID:1980
-
\??\c:\ddjvd.exec:\ddjvd.exe110⤵PID:448
-
\??\c:\xxllfff.exec:\xxllfff.exe111⤵PID:4580
-
\??\c:\7fllffx.exec:\7fllffx.exe112⤵PID:2736
-
\??\c:\bbttbb.exec:\bbttbb.exe113⤵PID:4540
-
\??\c:\jdpjj.exec:\jdpjj.exe114⤵PID:4020
-
\??\c:\fxlfrrf.exec:\fxlfrrf.exe115⤵PID:4544
-
\??\c:\9tbbbb.exec:\9tbbbb.exe116⤵PID:1068
-
\??\c:\bnnnnn.exec:\bnnnnn.exe117⤵PID:4132
-
\??\c:\3jdvv.exec:\3jdvv.exe118⤵PID:1464
-
\??\c:\xxffxxx.exec:\xxffxxx.exe119⤵PID:4380
-
\??\c:\rxlfffr.exec:\rxlfffr.exe120⤵PID:224
-
\??\c:\bthbtt.exec:\bthbtt.exe121⤵PID:3600
-
\??\c:\ppdvp.exec:\ppdvp.exe122⤵PID:4976