Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360N.exe
-
Size
453KB
-
MD5
98cb0a158548c7cda262ffc37792cd90
-
SHA1
f141c3a389cfe7c6abea200a93c8ea40d61e8d04
-
SHA256
39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360
-
SHA512
eb95fa137179f219a1771eccf61d1a30f87a064757eff8ff0bc519584708894bfb2055ddcec06655a7c9bcf547f9fec58c9a0983c6ab0a80dc071d4ecd6f9624
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2924-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4336-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3560-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-1064-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3088 1xfrxxr.exe 1616 5ffrlfr.exe 1492 vpppj.exe 2244 rrffxfx.exe 1368 frxrfxf.exe 1348 btnhnn.exe 2576 pvjdv.exe 1556 jpvpj.exe 1352 xfrfxrf.exe 1228 nhtnhb.exe 5100 lfxxxrr.exe 2180 hbtnht.exe 4036 7lfxlfx.exe 1100 lffxlfx.exe 4920 5ppvp.exe 1452 3flflfr.exe 4480 djdvp.exe 4240 rffxrrf.exe 1144 lfffxff.exe 5096 tttnnn.exe 2300 7djdv.exe 1440 bttnhh.exe 3036 djpdd.exe 4292 bbbbnn.exe 4668 bbbbnh.exe 4336 vppjd.exe 4536 lxlflfr.exe 4484 frrlxrl.exe 4032 jdvdd.exe 2280 bbbttb.exe 2920 htbhnn.exe 2928 rfllxxr.exe 4056 dpvpd.exe 4880 rxfffff.exe 3032 lfxrllf.exe 4316 bhtnhh.exe 1132 pvvpj.exe 456 xlrfrfl.exe 4700 9bbttt.exe 2476 jjppj.exe 4808 frxlfxr.exe 3276 lfxrxxx.exe 1988 hbnhnh.exe 3660 pdvpj.exe 3956 lxxxxxx.exe 3964 thbtnh.exe 4456 pjpjd.exe 2580 lfflxxr.exe 952 hhttnt.exe 3596 9bnhbb.exe 920 9rlfffx.exe 5116 1hhbtt.exe 3264 dvvvp.exe 3628 rrlfxrr.exe 2828 frrlxrl.exe 644 nbnthb.exe 3056 vpdjj.exe 4608 3xrfllf.exe 4928 thhbtn.exe 3204 pddvj.exe 2212 5fxlfxl.exe 3732 fxxxrll.exe 1836 btbtnh.exe 3168 vdvjd.exe -
resource yara_rule behavioral2/memory/2924-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4536-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3028-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-626-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the only evidence behind this signature is a read of the NLS\Language registry key, which ordinary locale-aware Windows API calls also perform, so on its own this indicator is low-fidelity and should be weighed together with the rest of the process chain below.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbth.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 3088 2924 39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360N.exe 83 PID 2924 wrote to memory of 3088 2924 39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360N.exe 83 PID 2924 wrote to memory of 3088 2924 39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360N.exe 83 PID 3088 wrote to memory of 1616 3088 1xfrxxr.exe 84 PID 3088 wrote to memory of 1616 3088 1xfrxxr.exe 84 PID 3088 wrote to memory of 1616 3088 1xfrxxr.exe 84 PID 1616 wrote to memory of 1492 1616 5ffrlfr.exe 85 PID 1616 wrote to memory of 1492 1616 5ffrlfr.exe 85 PID 1616 wrote to memory of 1492 1616 5ffrlfr.exe 85 PID 1492 wrote to memory of 2244 1492 vpppj.exe 86 PID 1492 wrote to memory of 2244 1492 vpppj.exe 86 PID 1492 wrote to memory of 2244 1492 vpppj.exe 86 PID 2244 wrote to memory of 1368 2244 rrffxfx.exe 87 PID 2244 wrote to memory of 1368 2244 rrffxfx.exe 87 PID 2244 wrote to memory of 1368 2244 rrffxfx.exe 87 PID 1368 wrote to memory of 1348 1368 frxrfxf.exe 88 PID 1368 wrote to memory of 1348 1368 frxrfxf.exe 88 PID 1368 wrote to memory of 1348 1368 frxrfxf.exe 88 PID 1348 wrote to memory of 2576 1348 btnhnn.exe 89 PID 1348 wrote to memory of 2576 1348 btnhnn.exe 89 PID 1348 wrote to memory of 2576 1348 btnhnn.exe 89 PID 2576 wrote to memory of 1556 2576 pvjdv.exe 90 PID 2576 wrote to memory of 1556 2576 pvjdv.exe 90 PID 2576 wrote to memory of 1556 2576 pvjdv.exe 90 PID 1556 wrote to memory of 1352 1556 jpvpj.exe 91 PID 1556 wrote to memory of 1352 1556 jpvpj.exe 91 PID 1556 wrote to memory of 1352 1556 jpvpj.exe 91 PID 1352 wrote to memory of 1228 1352 xfrfxrf.exe 92 PID 1352 wrote to memory of 1228 1352 xfrfxrf.exe 92 PID 1352 wrote to memory of 1228 1352 xfrfxrf.exe 92 PID 1228 wrote to memory of 5100 1228 nhtnhb.exe 93 PID 1228 wrote to memory of 5100 1228 nhtnhb.exe 93 PID 1228 wrote to memory of 5100 1228 nhtnhb.exe 93 PID 5100 wrote to memory of 2180 5100 lfxxxrr.exe 94 PID 5100 
wrote to memory of 2180 5100 lfxxxrr.exe 94 PID 5100 wrote to memory of 2180 5100 lfxxxrr.exe 94 PID 2180 wrote to memory of 4036 2180 hbtnht.exe 95 PID 2180 wrote to memory of 4036 2180 hbtnht.exe 95 PID 2180 wrote to memory of 4036 2180 hbtnht.exe 95 PID 4036 wrote to memory of 1100 4036 7lfxlfx.exe 96 PID 4036 wrote to memory of 1100 4036 7lfxlfx.exe 96 PID 4036 wrote to memory of 1100 4036 7lfxlfx.exe 96 PID 1100 wrote to memory of 4920 1100 lffxlfx.exe 97 PID 1100 wrote to memory of 4920 1100 lffxlfx.exe 97 PID 1100 wrote to memory of 4920 1100 lffxlfx.exe 97 PID 4920 wrote to memory of 1452 4920 5ppvp.exe 98 PID 4920 wrote to memory of 1452 4920 5ppvp.exe 98 PID 4920 wrote to memory of 1452 4920 5ppvp.exe 98 PID 1452 wrote to memory of 4480 1452 3flflfr.exe 99 PID 1452 wrote to memory of 4480 1452 3flflfr.exe 99 PID 1452 wrote to memory of 4480 1452 3flflfr.exe 99 PID 4480 wrote to memory of 4240 4480 djdvp.exe 100 PID 4480 wrote to memory of 4240 4480 djdvp.exe 100 PID 4480 wrote to memory of 4240 4480 djdvp.exe 100 PID 4240 wrote to memory of 1144 4240 rffxrrf.exe 101 PID 4240 wrote to memory of 1144 4240 rffxrrf.exe 101 PID 4240 wrote to memory of 1144 4240 rffxrrf.exe 101 PID 1144 wrote to memory of 5096 1144 lfffxff.exe 102 PID 1144 wrote to memory of 5096 1144 lfffxff.exe 102 PID 1144 wrote to memory of 5096 1144 lfffxff.exe 102 PID 5096 wrote to memory of 2300 5096 tttnnn.exe 103 PID 5096 wrote to memory of 2300 5096 tttnnn.exe 103 PID 5096 wrote to memory of 2300 5096 tttnnn.exe 103 PID 2300 wrote to memory of 1440 2300 7djdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360N.exe"C:\Users\Admin\AppData\Local\Temp\39fa248de863162216428501232d39b99623a08f6eb16f8fa7909f443f774360N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\1xfrxxr.exec:\1xfrxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\5ffrlfr.exec:\5ffrlfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\vpppj.exec:\vpppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\rrffxfx.exec:\rrffxfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\frxrfxf.exec:\frxrfxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\btnhnn.exec:\btnhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\pvjdv.exec:\pvjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\jpvpj.exec:\jpvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\xfrfxrf.exec:\xfrfxrf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\nhtnhb.exec:\nhtnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\lfxxxrr.exec:\lfxxxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\hbtnht.exec:\hbtnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\7lfxlfx.exec:\7lfxlfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\lffxlfx.exec:\lffxlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\5ppvp.exec:\5ppvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\3flflfr.exec:\3flflfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\djdvp.exec:\djdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\rffxrrf.exec:\rffxrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
\??\c:\lfffxff.exec:\lfffxff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\tttnnn.exec:\tttnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\7djdv.exec:\7djdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\bttnhh.exec:\bttnhh.exe23⤵
- Executes dropped EXE
PID:1440 -
\??\c:\djpdd.exec:\djpdd.exe24⤵
- Executes dropped EXE
PID:3036 -
\??\c:\bbbbnn.exec:\bbbbnn.exe25⤵
- Executes dropped EXE
PID:4292 -
\??\c:\bbbbnh.exec:\bbbbnh.exe26⤵
- Executes dropped EXE
PID:4668 -
\??\c:\vppjd.exec:\vppjd.exe27⤵
- Executes dropped EXE
PID:4336 -
\??\c:\lxlflfr.exec:\lxlflfr.exe28⤵
- Executes dropped EXE
PID:4536 -
\??\c:\frrlxrl.exec:\frrlxrl.exe29⤵
- Executes dropped EXE
PID:4484 -
\??\c:\jdvdd.exec:\jdvdd.exe30⤵
- Executes dropped EXE
PID:4032 -
\??\c:\bbbttb.exec:\bbbttb.exe31⤵
- Executes dropped EXE
PID:2280 -
\??\c:\htbhnn.exec:\htbhnn.exe32⤵
- Executes dropped EXE
PID:2920 -
\??\c:\rfllxxr.exec:\rfllxxr.exe33⤵
- Executes dropped EXE
PID:2928 -
\??\c:\dpvpd.exec:\dpvpd.exe34⤵
- Executes dropped EXE
PID:4056 -
\??\c:\rxfffff.exec:\rxfffff.exe35⤵
- Executes dropped EXE
PID:4880 -
\??\c:\lfxrllf.exec:\lfxrllf.exe36⤵
- Executes dropped EXE
PID:3032 -
\??\c:\bhtnhh.exec:\bhtnhh.exe37⤵
- Executes dropped EXE
PID:4316 -
\??\c:\pvvpj.exec:\pvvpj.exe38⤵
- Executes dropped EXE
PID:1132 -
\??\c:\xlrfrfl.exec:\xlrfrfl.exe39⤵
- Executes dropped EXE
PID:456 -
\??\c:\9bbttt.exec:\9bbttt.exe40⤵
- Executes dropped EXE
PID:4700 -
\??\c:\jjppj.exec:\jjppj.exe41⤵
- Executes dropped EXE
PID:2476 -
\??\c:\frxlfxr.exec:\frxlfxr.exe42⤵
- Executes dropped EXE
PID:4808 -
\??\c:\lfxrxxx.exec:\lfxrxxx.exe43⤵
- Executes dropped EXE
PID:3276 -
\??\c:\hbnhnh.exec:\hbnhnh.exe44⤵
- Executes dropped EXE
PID:1988 -
\??\c:\pdvpj.exec:\pdvpj.exe45⤵
- Executes dropped EXE
PID:3660 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe46⤵
- Executes dropped EXE
PID:3956 -
\??\c:\thbtnh.exec:\thbtnh.exe47⤵
- Executes dropped EXE
PID:3964 -
\??\c:\pjpjd.exec:\pjpjd.exe48⤵
- Executes dropped EXE
PID:4456 -
\??\c:\lfflxxr.exec:\lfflxxr.exe49⤵
- Executes dropped EXE
PID:2580 -
\??\c:\hhttnt.exec:\hhttnt.exe50⤵
- Executes dropped EXE
PID:952 -
\??\c:\9bnhbb.exec:\9bnhbb.exe51⤵
- Executes dropped EXE
PID:3596 -
\??\c:\9rlfffx.exec:\9rlfffx.exe52⤵
- Executes dropped EXE
PID:920 -
\??\c:\1hhbtt.exec:\1hhbtt.exe53⤵
- Executes dropped EXE
PID:5116 -
\??\c:\dvvvp.exec:\dvvvp.exe54⤵
- Executes dropped EXE
PID:3264 -
\??\c:\rrlfxrr.exec:\rrlfxrr.exe55⤵
- Executes dropped EXE
PID:3628 -
\??\c:\frrlxrl.exec:\frrlxrl.exe56⤵
- Executes dropped EXE
PID:2828 -
\??\c:\nbnthb.exec:\nbnthb.exe57⤵
- Executes dropped EXE
PID:644 -
\??\c:\vpdjj.exec:\vpdjj.exe58⤵
- Executes dropped EXE
PID:3056 -
\??\c:\3xrfllf.exec:\3xrfllf.exe59⤵
- Executes dropped EXE
PID:4608 -
\??\c:\thhbtn.exec:\thhbtn.exe60⤵
- Executes dropped EXE
PID:4928 -
\??\c:\pddvj.exec:\pddvj.exe61⤵
- Executes dropped EXE
PID:3204 -
\??\c:\5fxlfxl.exec:\5fxlfxl.exe62⤵
- Executes dropped EXE
PID:2212 -
\??\c:\fxxxrll.exec:\fxxxrll.exe63⤵
- Executes dropped EXE
PID:3732 -
\??\c:\btbtnh.exec:\btbtnh.exe64⤵
- Executes dropped EXE
PID:1836 -
\??\c:\vdvjd.exec:\vdvjd.exe65⤵
- Executes dropped EXE
PID:3168 -
\??\c:\1fxlfxx.exec:\1fxlfxx.exe66⤵PID:3860
-
\??\c:\tttnnn.exec:\tttnnn.exe67⤵PID:4068
-
\??\c:\hbbtnt.exec:\hbbtnt.exe68⤵PID:2432
-
\??\c:\dppjd.exec:\dppjd.exe69⤵PID:3560
-
\??\c:\xllfrlf.exec:\xllfrlf.exe70⤵PID:316
-
\??\c:\1hnhbb.exec:\1hnhbb.exe71⤵PID:4616
-
\??\c:\5tbtnn.exec:\5tbtnn.exe72⤵PID:1452
-
\??\c:\vpjdp.exec:\vpjdp.exe73⤵PID:3308
-
\??\c:\fflxrrx.exec:\fflxrrx.exe74⤵PID:4024
-
\??\c:\7tnhhb.exec:\7tnhhb.exe75⤵PID:4308
-
\??\c:\jvdvp.exec:\jvdvp.exe76⤵PID:436
-
\??\c:\dpdvp.exec:\dpdvp.exe77⤵PID:2228
-
\??\c:\lxxxrlx.exec:\lxxxrlx.exe78⤵PID:2704
-
\??\c:\nhhbtt.exec:\nhhbtt.exe79⤵PID:3972
-
\??\c:\nnhbhh.exec:\nnhbhh.exe80⤵PID:2724
-
\??\c:\ppddv.exec:\ppddv.exe81⤵PID:116
-
\??\c:\vdjvj.exec:\vdjvj.exe82⤵
- System Location Discovery: System Language Discovery
PID:4292 -
\??\c:\xrrlxrr.exec:\xrrlxrr.exe83⤵PID:3028
-
\??\c:\1htnhh.exec:\1htnhh.exe84⤵PID:3776
-
\??\c:\jppdv.exec:\jppdv.exe85⤵PID:4524
-
\??\c:\vjjdv.exec:\vjjdv.exe86⤵PID:4336
-
\??\c:\rlrlllr.exec:\rlrlllr.exe87⤵PID:836
-
\??\c:\bttnbh.exec:\bttnbh.exe88⤵PID:4564
-
\??\c:\pdpjj.exec:\pdpjj.exe89⤵PID:2100
-
\??\c:\jvvjj.exec:\jvvjj.exe90⤵PID:1044
-
\??\c:\lrrlffr.exec:\lrrlffr.exe91⤵PID:3316
-
\??\c:\tbhhhh.exec:\tbhhhh.exe92⤵PID:1072
-
\??\c:\nhnhtt.exec:\nhnhtt.exe93⤵PID:4716
-
\??\c:\7jjvp.exec:\7jjvp.exe94⤵PID:3652
-
\??\c:\frffffx.exec:\frffffx.exe95⤵PID:4824
-
\??\c:\bhhhbh.exec:\bhhhbh.exe96⤵PID:1236
-
\??\c:\3dpjv.exec:\3dpjv.exe97⤵PID:3744
-
\??\c:\9vpdv.exec:\9vpdv.exe98⤵PID:2232
-
\??\c:\3xfxxrx.exec:\3xfxxrx.exe99⤵PID:4316
-
\??\c:\hbbnhh.exec:\hbbnhh.exe100⤵PID:1132
-
\??\c:\vpjvj.exec:\vpjvj.exe101⤵PID:456
-
\??\c:\1xrlfxx.exec:\1xrlfxx.exe102⤵PID:4700
-
\??\c:\1xllffx.exec:\1xllffx.exe103⤵PID:2756
-
\??\c:\hnnbtt.exec:\hnnbtt.exe104⤵PID:2740
-
\??\c:\dvvdv.exec:\dvvdv.exe105⤵PID:924
-
\??\c:\3flxlfr.exec:\3flxlfr.exe106⤵PID:4120
-
\??\c:\3tnbbh.exec:\3tnbbh.exe107⤵PID:2484
-
\??\c:\btbtnh.exec:\btbtnh.exe108⤵PID:3956
-
\??\c:\dvjjj.exec:\dvjjj.exe109⤵PID:4452
-
\??\c:\fxxrrff.exec:\fxxrrff.exe110⤵PID:4532
-
\??\c:\tttnhn.exec:\tttnhn.exe111⤵PID:532
-
\??\c:\tntnnh.exec:\tntnnh.exe112⤵PID:4840
-
\??\c:\pjjvj.exec:\pjjvj.exe113⤵PID:2308
-
\??\c:\fxffrlf.exec:\fxffrlf.exe114⤵PID:4072
-
\??\c:\lxlxrll.exec:\lxlxrll.exe115⤵PID:3980
-
\??\c:\ttbtnn.exec:\ttbtnn.exe116⤵PID:2544
-
\??\c:\pjjvj.exec:\pjjvj.exe117⤵PID:1976
-
\??\c:\1pjdp.exec:\1pjdp.exe118⤵PID:3708
-
\??\c:\fxfrrxl.exec:\fxfrrxl.exe119⤵PID:5032
-
\??\c:\1tthhb.exec:\1tthhb.exe120⤵PID:2040
-
\??\c:\vpdvp.exec:\vpdvp.exe121⤵PID:3684
-
\??\c:\3ppjv.exec:\3ppjv.exe122⤵PID:644