Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 00:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe
-
Size
454KB
-
MD5
a10630f3225618121648cb7fbe9f2c1f
-
SHA1
f7f30eec18c1e3bd98172c2d4175db9f5a855f77
-
SHA256
b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43
-
SHA512
ef0474dc6b450fe5d2de416fff91812f94356f05eadf221d0496da1b88f238a70ed3c5e094d9d14ac40389c22c32b9ac82262b5186d73b54a2da8428c32d225c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4440-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/220-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5112-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-1024-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-1160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5100 jvjvd.exe 2072 rxfrfrf.exe 1324 ttbnbn.exe 392 vvvjd.exe 1960 xxfxfrx.exe 2124 btthbb.exe 1036 jjpdp.exe 4248 hhhbbb.exe 1304 pjjdv.exe 1656 5hhthb.exe 1492 vdddv.exe 376 7tnbnh.exe 4900 ddpdv.exe 2964 bbthnb.exe 2992 pddjp.exe 2304 lfxxxff.exe 2028 dvpdd.exe 388 xrfrfxx.exe 4596 3hhhbn.exe 4944 djjdp.exe 3100 rrxrxrl.exe 4604 9llfrlx.exe 3664 5pjdp.exe 4860 bnhbnh.exe 1264 dvvjv.exe 1808 rxfrrrf.exe 220 dppjv.exe 3960 lfrxlxl.exe 4168 vjpjp.exe 3388 fxlxlxx.exe 3860 vvvdv.exe 2088 hbbhbb.exe 4780 jjjdv.exe 2496 fxxrrxx.exe 792 hhnhbb.exe 2456 3vdpj.exe 1208 fxlxfxx.exe 2296 ntnbtn.exe 4924 rxlfxxr.exe 1832 hbbtnh.exe 1892 dvddv.exe 4164 jpvpv.exe 4480 3xrrfff.exe 2264 7nhbnn.exe 1140 7pjvj.exe 4976 lfxlxrl.exe 3636 hbtnbt.exe 4296 djdvj.exe 1940 rflfffx.exe 904 rlxlxxl.exe 4368 hhtbnb.exe 4372 vjpdv.exe 4892 rxxrfrr.exe 2692 lffxxrl.exe 3028 btbbbb.exe 2112 pjjjj.exe 1612 9xxlxrl.exe 1376 hhhbbb.exe 3948 jdpjv.exe 3236 frxlxrx.exe 4912 tttbtt.exe 1236 7djjj.exe 744 pjjvj.exe 5112 frxrlrl.exe -
resource yara_rule behavioral2/memory/4440-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/220-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-319-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2740-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-689-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4440 wrote to memory of 5100 4440 b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe 82 PID 4440 wrote to memory of 5100 4440 b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe 82 PID 4440 wrote to memory of 5100 4440 b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe 82 PID 5100 wrote to memory of 2072 5100 jvjvd.exe 83 PID 5100 wrote to memory of 2072 5100 jvjvd.exe 83 PID 5100 wrote to memory of 2072 5100 jvjvd.exe 83 PID 2072 wrote to memory of 1324 2072 rxfrfrf.exe 84 PID 2072 wrote to memory of 1324 2072 rxfrfrf.exe 84 PID 2072 wrote to memory of 1324 2072 rxfrfrf.exe 84 PID 1324 wrote to memory of 392 1324 ttbnbn.exe 85 PID 1324 wrote to memory of 392 1324 ttbnbn.exe 85 PID 1324 wrote to memory of 392 1324 ttbnbn.exe 85 PID 392 wrote to memory of 1960 392 vvvjd.exe 86 PID 392 wrote to memory of 1960 392 vvvjd.exe 86 PID 392 wrote to memory of 1960 392 vvvjd.exe 86 PID 1960 wrote to memory of 2124 1960 xxfxfrx.exe 87 PID 1960 wrote to memory of 2124 1960 xxfxfrx.exe 87 PID 1960 wrote to memory of 2124 1960 xxfxfrx.exe 87 PID 2124 wrote to memory of 1036 2124 btthbb.exe 88 PID 2124 wrote to memory of 1036 2124 btthbb.exe 88 PID 2124 wrote to memory of 1036 2124 btthbb.exe 88 PID 1036 wrote to memory of 4248 1036 jjpdp.exe 89 PID 1036 wrote to memory of 4248 1036 jjpdp.exe 89 PID 1036 wrote to memory of 4248 1036 jjpdp.exe 89 PID 4248 wrote to memory of 1304 4248 hhhbbb.exe 90 PID 4248 wrote to memory of 1304 4248 hhhbbb.exe 90 PID 4248 wrote to memory of 1304 4248 hhhbbb.exe 90 PID 1304 wrote to memory of 1656 1304 pjjdv.exe 91 PID 1304 wrote to memory of 1656 1304 pjjdv.exe 91 PID 1304 wrote to memory of 1656 1304 pjjdv.exe 91 PID 1656 wrote to memory of 1492 1656 5hhthb.exe 92 PID 1656 wrote to memory of 1492 1656 5hhthb.exe 92 PID 1656 wrote to memory of 1492 1656 5hhthb.exe 92 PID 1492 wrote to memory of 376 1492 vdddv.exe 93 PID 1492 wrote to memory of 376 1492 
vdddv.exe 93 PID 1492 wrote to memory of 376 1492 vdddv.exe 93 PID 376 wrote to memory of 4900 376 7tnbnh.exe 94 PID 376 wrote to memory of 4900 376 7tnbnh.exe 94 PID 376 wrote to memory of 4900 376 7tnbnh.exe 94 PID 4900 wrote to memory of 2964 4900 ddpdv.exe 95 PID 4900 wrote to memory of 2964 4900 ddpdv.exe 95 PID 4900 wrote to memory of 2964 4900 ddpdv.exe 95 PID 2964 wrote to memory of 2992 2964 bbthnb.exe 96 PID 2964 wrote to memory of 2992 2964 bbthnb.exe 96 PID 2964 wrote to memory of 2992 2964 bbthnb.exe 96 PID 2992 wrote to memory of 2304 2992 pddjp.exe 97 PID 2992 wrote to memory of 2304 2992 pddjp.exe 97 PID 2992 wrote to memory of 2304 2992 pddjp.exe 97 PID 2304 wrote to memory of 2028 2304 lfxxxff.exe 98 PID 2304 wrote to memory of 2028 2304 lfxxxff.exe 98 PID 2304 wrote to memory of 2028 2304 lfxxxff.exe 98 PID 2028 wrote to memory of 388 2028 dvpdd.exe 99 PID 2028 wrote to memory of 388 2028 dvpdd.exe 99 PID 2028 wrote to memory of 388 2028 dvpdd.exe 99 PID 388 wrote to memory of 4596 388 xrfrfxx.exe 100 PID 388 wrote to memory of 4596 388 xrfrfxx.exe 100 PID 388 wrote to memory of 4596 388 xrfrfxx.exe 100 PID 4596 wrote to memory of 4944 4596 3hhhbn.exe 101 PID 4596 wrote to memory of 4944 4596 3hhhbn.exe 101 PID 4596 wrote to memory of 4944 4596 3hhhbn.exe 101 PID 4944 wrote to memory of 3100 4944 djjdp.exe 102 PID 4944 wrote to memory of 3100 4944 djjdp.exe 102 PID 4944 wrote to memory of 3100 4944 djjdp.exe 102 PID 3100 wrote to memory of 4604 3100 rrxrxrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe"C:\Users\Admin\AppData\Local\Temp\b8dc278b284474bd0cc523d752899f840ad9339d6a7a77a3f026f9cd3c12da43.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4440 -
\??\c:\jvjvd.exec:\jvjvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\rxfrfrf.exec:\rxfrfrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\ttbnbn.exec:\ttbnbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\vvvjd.exec:\vvvjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\xxfxfrx.exec:\xxfxfrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\btthbb.exec:\btthbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\jjpdp.exec:\jjpdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\hhhbbb.exec:\hhhbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\pjjdv.exec:\pjjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\5hhthb.exec:\5hhthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\vdddv.exec:\vdddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\7tnbnh.exec:\7tnbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\ddpdv.exec:\ddpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\bbthnb.exec:\bbthnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\pddjp.exec:\pddjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\lfxxxff.exec:\lfxxxff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\dvpdd.exec:\dvpdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028 -
\??\c:\xrfrfxx.exec:\xrfrfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\3hhhbn.exec:\3hhhbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\djjdp.exec:\djjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\rrxrxrl.exec:\rrxrxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\9llfrlx.exec:\9llfrlx.exe23⤵
- Executes dropped EXE
PID:4604 -
\??\c:\5pjdp.exec:\5pjdp.exe24⤵
- Executes dropped EXE
PID:3664 -
\??\c:\bnhbnh.exec:\bnhbnh.exe25⤵
- Executes dropped EXE
PID:4860 -
\??\c:\dvvjv.exec:\dvvjv.exe26⤵
- Executes dropped EXE
PID:1264 -
\??\c:\rxfrrrf.exec:\rxfrrrf.exe27⤵
- Executes dropped EXE
PID:1808 -
\??\c:\dppjv.exec:\dppjv.exe28⤵
- Executes dropped EXE
PID:220 -
\??\c:\lfrxlxl.exec:\lfrxlxl.exe29⤵
- Executes dropped EXE
PID:3960 -
\??\c:\vjpjp.exec:\vjpjp.exe30⤵
- Executes dropped EXE
PID:4168 -
\??\c:\fxlxlxx.exec:\fxlxlxx.exe31⤵
- Executes dropped EXE
PID:3388 -
\??\c:\vvvdv.exec:\vvvdv.exe32⤵
- Executes dropped EXE
PID:3860 -
\??\c:\hbbhbb.exec:\hbbhbb.exe33⤵
- Executes dropped EXE
PID:2088 -
\??\c:\jjjdv.exec:\jjjdv.exe34⤵
- Executes dropped EXE
PID:4780 -
\??\c:\fxxrrxx.exec:\fxxrrxx.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
\??\c:\hhnhbb.exec:\hhnhbb.exe36⤵
- Executes dropped EXE
PID:792 -
\??\c:\3vdpj.exec:\3vdpj.exe37⤵
- Executes dropped EXE
PID:2456 -
\??\c:\fxlxfxx.exec:\fxlxfxx.exe38⤵
- Executes dropped EXE
PID:1208 -
\??\c:\ntnbtn.exec:\ntnbtn.exe39⤵
- Executes dropped EXE
PID:2296 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe40⤵
- Executes dropped EXE
PID:4924 -
\??\c:\hbbtnh.exec:\hbbtnh.exe41⤵
- Executes dropped EXE
PID:1832 -
\??\c:\dvddv.exec:\dvddv.exe42⤵
- Executes dropped EXE
PID:1892 -
\??\c:\jpvpv.exec:\jpvpv.exe43⤵
- Executes dropped EXE
PID:4164 -
\??\c:\3xrrfff.exec:\3xrrfff.exe44⤵
- Executes dropped EXE
PID:4480 -
\??\c:\7nhbnn.exec:\7nhbnn.exe45⤵
- Executes dropped EXE
PID:2264 -
\??\c:\7pjvj.exec:\7pjvj.exe46⤵
- Executes dropped EXE
PID:1140 -
\??\c:\lfxlxrl.exec:\lfxlxrl.exe47⤵
- Executes dropped EXE
PID:4976 -
\??\c:\hbtnbt.exec:\hbtnbt.exe48⤵
- Executes dropped EXE
PID:3636 -
\??\c:\djdvj.exec:\djdvj.exe49⤵
- Executes dropped EXE
PID:4296 -
\??\c:\rflfffx.exec:\rflfffx.exe50⤵
- Executes dropped EXE
PID:1940 -
\??\c:\rlxlxxl.exec:\rlxlxxl.exe51⤵
- Executes dropped EXE
PID:904 -
\??\c:\hhtbnb.exec:\hhtbnb.exe52⤵
- Executes dropped EXE
PID:4368 -
\??\c:\vjpdv.exec:\vjpdv.exe53⤵
- Executes dropped EXE
PID:4372 -
\??\c:\rxxrfrr.exec:\rxxrfrr.exe54⤵
- Executes dropped EXE
PID:4892 -
\??\c:\lffxxrl.exec:\lffxxrl.exe55⤵
- Executes dropped EXE
PID:2692 -
\??\c:\btbbbb.exec:\btbbbb.exe56⤵
- Executes dropped EXE
PID:3028 -
\??\c:\pjjjj.exec:\pjjjj.exe57⤵
- Executes dropped EXE
PID:2112 -
\??\c:\9xxlxrl.exec:\9xxlxrl.exe58⤵
- Executes dropped EXE
PID:1612 -
\??\c:\hhhbbb.exec:\hhhbbb.exe59⤵
- Executes dropped EXE
PID:1376 -
\??\c:\jdpjv.exec:\jdpjv.exe60⤵
- Executes dropped EXE
PID:3948 -
\??\c:\frxlxrx.exec:\frxlxrx.exe61⤵
- Executes dropped EXE
PID:3236 -
\??\c:\tttbtt.exec:\tttbtt.exe62⤵
- Executes dropped EXE
PID:4912 -
\??\c:\7djjj.exec:\7djjj.exe63⤵
- Executes dropped EXE
PID:1236 -
\??\c:\pjjvj.exec:\pjjvj.exe64⤵
- Executes dropped EXE
PID:744 -
\??\c:\frxrlrl.exec:\frxrlrl.exe65⤵
- Executes dropped EXE
PID:5112 -
\??\c:\nhttbb.exec:\nhttbb.exe66⤵PID:4512
-
\??\c:\vpdvp.exec:\vpdvp.exe67⤵PID:2748
-
\??\c:\tttnhb.exec:\tttnhb.exe68⤵PID:1104
-
\??\c:\tthbtb.exec:\tthbtb.exe69⤵PID:4268
-
\??\c:\9pvjv.exec:\9pvjv.exe70⤵PID:3428
-
\??\c:\lxfflxf.exec:\lxfflxf.exe71⤵PID:2000
-
\??\c:\tnbttn.exec:\tnbttn.exe72⤵PID:4256
-
\??\c:\vjpdd.exec:\vjpdd.exe73⤵PID:3996
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe74⤵PID:712
-
\??\c:\xrxxffl.exec:\xrxxffl.exe75⤵PID:4752
-
\??\c:\bthhnn.exec:\bthhnn.exe76⤵PID:2740
-
\??\c:\tntnbh.exec:\tntnbh.exe77⤵PID:2364
-
\??\c:\pjjdj.exec:\pjjdj.exe78⤵PID:2304
-
\??\c:\jjvpv.exec:\jjvpv.exe79⤵PID:2996
-
\??\c:\ffllllx.exec:\ffllllx.exe80⤵PID:4688
-
\??\c:\nbnbbb.exec:\nbnbbb.exe81⤵PID:388
-
\??\c:\bbtnhh.exec:\bbtnhh.exe82⤵PID:4988
-
\??\c:\9pppd.exec:\9pppd.exe83⤵PID:2412
-
\??\c:\1xxxlxr.exec:\1xxxlxr.exe84⤵PID:2276
-
\??\c:\ffrllll.exec:\ffrllll.exe85⤵PID:4460
-
\??\c:\7nhtnn.exec:\7nhtnn.exe86⤵PID:1800
-
\??\c:\jjppj.exec:\jjppj.exe87⤵PID:2284
-
\??\c:\rlfxllf.exec:\rlfxllf.exe88⤵PID:3032
-
\??\c:\bbnntb.exec:\bbnntb.exe89⤵PID:4044
-
\??\c:\thnhbb.exec:\thnhbb.exe90⤵PID:1360
-
\??\c:\dpdpj.exec:\dpdpj.exe91⤵PID:264
-
\??\c:\lffxrxx.exec:\lffxrxx.exe92⤵PID:5060
-
\??\c:\3tnhnn.exec:\3tnhnn.exe93⤵PID:748
-
\??\c:\nhbtnn.exec:\nhbtnn.exe94⤵PID:3076
-
\??\c:\dpddd.exec:\dpddd.exe95⤵PID:3936
-
\??\c:\xrxxxxx.exec:\xrxxxxx.exe96⤵PID:2788
-
\??\c:\nbnhbb.exec:\nbnhbb.exe97⤵PID:4524
-
\??\c:\3bbbtt.exec:\3bbbtt.exe98⤵PID:4504
-
\??\c:\jjjdv.exec:\jjjdv.exe99⤵PID:3860
-
\??\c:\xxrrrrr.exec:\xxrrrrr.exe100⤵PID:2088
-
\??\c:\hbhbbt.exec:\hbhbbt.exe101⤵PID:4024
-
\??\c:\bthbtt.exec:\bthbtt.exe102⤵PID:2712
-
\??\c:\vppvp.exec:\vppvp.exe103⤵PID:1696
-
\??\c:\frxfxff.exec:\frxfxff.exe104⤵PID:2040
-
\??\c:\9htnhn.exec:\9htnhn.exe105⤵PID:692
-
\??\c:\bbbbtt.exec:\bbbbtt.exe106⤵PID:3500
-
\??\c:\dpjpd.exec:\dpjpd.exe107⤵PID:3052
-
\??\c:\rffxrll.exec:\rffxrll.exe108⤵PID:1540
-
\??\c:\bthnbb.exec:\bthnbb.exe109⤵PID:4584
-
\??\c:\1hnhhn.exec:\1hnhhn.exe110⤵PID:1892
-
\??\c:\jvdvp.exec:\jvdvp.exe111⤵PID:2280
-
\??\c:\rrffxfx.exec:\rrffxfx.exe112⤵PID:1504
-
\??\c:\flxrxxr.exec:\flxrxxr.exe113⤵PID:432
-
\??\c:\thnbnh.exec:\thnbnh.exe114⤵PID:2548
-
\??\c:\pjpdp.exec:\pjpdp.exe115⤵PID:2476
-
\??\c:\9vvjp.exec:\9vvjp.exe116⤵PID:516
-
\??\c:\xxfffff.exec:\xxfffff.exe117⤵PID:3792
-
\??\c:\nhhbbb.exec:\nhhbbb.exe118⤵PID:3568
-
\??\c:\jvjvj.exec:\jvjvj.exe119⤵PID:2536
-
\??\c:\lfrlxxf.exec:\lfrlxxf.exe120⤵PID:3512
-
\??\c:\ttbbht.exec:\ttbbht.exe121⤵PID:876
-
\??\c:\nhbtnn.exec:\nhbtnn.exe122⤵PID:2680