Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe
-
Size
453KB
-
MD5
826da557ee188a7d9dd44b7cef36d42f
-
SHA1
210866eac5ebf2569c6e403484f990f8b17ef7aa
-
SHA256
2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2
-
SHA512
236dd1be386fb737724d4f7fda08866c2138a014a8978ce7b972659bea581f9057978158ae452d653171c658975da080b719e2044edfbe7e130fa6552d6c8285
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR:q7Tc2NYHUrAwfMp3CDR
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/344-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5092-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4780-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-889-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-966-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-1025-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-1859-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4568 jpvpj.exe 4984 rfffxxx.exe 3500 tnhbbb.exe 4136 9hhhbh.exe 2928 hbnhhh.exe 4780 jddvv.exe 4200 flrllfx.exe 2956 tnbbnt.exe 2196 pdjdd.exe 1912 frlfxxr.exe 4876 fflfrlr.exe 1792 hnnhbt.exe 2696 ppvpv.exe 3124 rfrlllr.exe 2088 htnnnh.exe 4204 pdppv.exe 4684 jppjp.exe 4324 pvpjv.exe 3948 rfrfxxr.exe 3832 7tbbnn.exe 5096 5bbntn.exe 1464 jvdvp.exe 1448 lfxrrrl.exe 2892 9ntntt.exe 2256 3tbnhb.exe 3384 ppvpp.exe 4532 lffrrlf.exe 3568 9jjvp.exe 4540 vpdvp.exe 1200 htthbt.exe 2208 5hbthn.exe 5016 jpjdv.exe 2100 lflfllr.exe 376 9rrlllf.exe 4728 3btnhh.exe 1740 9vppp.exe 1232 3lfxrxr.exe 4152 lxxrrrr.exe 3452 7djvp.exe 2224 rrrllff.exe 372 rfflfxr.exe 4792 ttnbtt.exe 3392 ntbthb.exe 2628 pddvv.exe 1016 xflrlrx.exe 2164 nnbtbb.exe 2484 htbbtt.exe 4944 djjdd.exe 2976 rrfrfxr.exe 3064 rlxrxxl.exe 2932 5bbtnt.exe 2160 9bbttt.exe 4200 djppj.exe 2952 rrffxfx.exe 4576 3ffxrlf.exe 3508 5hhbtt.exe 2664 thhtbt.exe 68 5dppj.exe 940 rrxrxxr.exe 1284 1lxxrrr.exe 2512 bnnhbt.exe 316 hbbnhb.exe 4788 pddjj.exe 1292 xllllxx.exe -
resource yara_rule behavioral2/memory/344-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-327-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2300-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3028-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-808-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-889-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-902-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntthh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 344 wrote to memory of 4568 344 2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe 82 PID 344 wrote to memory of 4568 344 2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe 82 PID 344 wrote to memory of 4568 344 2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe 82 PID 4568 wrote to memory of 4984 4568 jpvpj.exe 83 PID 4568 wrote to memory of 4984 4568 jpvpj.exe 83 PID 4568 wrote to memory of 4984 4568 jpvpj.exe 83 PID 4984 wrote to memory of 3500 4984 rfffxxx.exe 84 PID 4984 wrote to memory of 3500 4984 rfffxxx.exe 84 PID 4984 wrote to memory of 3500 4984 rfffxxx.exe 84 PID 3500 wrote to memory of 4136 3500 tnhbbb.exe 85 PID 3500 wrote to memory of 4136 3500 tnhbbb.exe 85 PID 3500 wrote to memory of 4136 3500 tnhbbb.exe 85 PID 4136 wrote to memory of 2928 4136 9hhhbh.exe 86 PID 4136 wrote to memory of 2928 4136 9hhhbh.exe 86 PID 4136 wrote to memory of 2928 4136 9hhhbh.exe 86 PID 2928 wrote to memory of 4780 2928 hbnhhh.exe 87 PID 2928 wrote to memory of 4780 2928 hbnhhh.exe 87 PID 2928 wrote to memory of 4780 2928 hbnhhh.exe 87 PID 4780 wrote to memory of 4200 4780 jddvv.exe 88 PID 4780 wrote to memory of 4200 4780 jddvv.exe 88 PID 4780 wrote to memory of 4200 4780 jddvv.exe 88 PID 4200 wrote to memory of 2956 4200 flrllfx.exe 89 PID 4200 wrote to memory of 2956 4200 flrllfx.exe 89 PID 4200 wrote to memory of 2956 4200 flrllfx.exe 89 PID 2956 wrote to memory of 2196 2956 tnbbnt.exe 90 PID 2956 wrote to memory of 2196 2956 tnbbnt.exe 90 PID 2956 wrote to memory of 2196 2956 tnbbnt.exe 90 PID 2196 wrote to memory of 1912 2196 pdjdd.exe 91 PID 2196 wrote to memory of 1912 2196 pdjdd.exe 91 PID 2196 wrote to memory of 1912 2196 pdjdd.exe 91 PID 1912 wrote to memory of 4876 1912 frlfxxr.exe 92 PID 1912 wrote to memory of 4876 1912 frlfxxr.exe 92 PID 1912 wrote to memory of 4876 1912 frlfxxr.exe 92 PID 4876 wrote to memory of 1792 4876 fflfrlr.exe 93 PID 4876 wrote to memory 
of 1792 4876 fflfrlr.exe 93 PID 4876 wrote to memory of 1792 4876 fflfrlr.exe 93 PID 1792 wrote to memory of 2696 1792 hnnhbt.exe 94 PID 1792 wrote to memory of 2696 1792 hnnhbt.exe 94 PID 1792 wrote to memory of 2696 1792 hnnhbt.exe 94 PID 2696 wrote to memory of 3124 2696 ppvpv.exe 95 PID 2696 wrote to memory of 3124 2696 ppvpv.exe 95 PID 2696 wrote to memory of 3124 2696 ppvpv.exe 95 PID 3124 wrote to memory of 2088 3124 rfrlllr.exe 96 PID 3124 wrote to memory of 2088 3124 rfrlllr.exe 96 PID 3124 wrote to memory of 2088 3124 rfrlllr.exe 96 PID 2088 wrote to memory of 4204 2088 htnnnh.exe 97 PID 2088 wrote to memory of 4204 2088 htnnnh.exe 97 PID 2088 wrote to memory of 4204 2088 htnnnh.exe 97 PID 4204 wrote to memory of 4684 4204 pdppv.exe 98 PID 4204 wrote to memory of 4684 4204 pdppv.exe 98 PID 4204 wrote to memory of 4684 4204 pdppv.exe 98 PID 4684 wrote to memory of 4324 4684 jppjp.exe 99 PID 4684 wrote to memory of 4324 4684 jppjp.exe 99 PID 4684 wrote to memory of 4324 4684 jppjp.exe 99 PID 4324 wrote to memory of 3948 4324 pvpjv.exe 153 PID 4324 wrote to memory of 3948 4324 pvpjv.exe 153 PID 4324 wrote to memory of 3948 4324 pvpjv.exe 153 PID 3948 wrote to memory of 3832 3948 rfrfxxr.exe 101 PID 3948 wrote to memory of 3832 3948 rfrfxxr.exe 101 PID 3948 wrote to memory of 3832 3948 rfrfxxr.exe 101 PID 3832 wrote to memory of 5096 3832 7tbbnn.exe 102 PID 3832 wrote to memory of 5096 3832 7tbbnn.exe 102 PID 3832 wrote to memory of 5096 3832 7tbbnn.exe 102 PID 5096 wrote to memory of 1464 5096 5bbntn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe"C:\Users\Admin\AppData\Local\Temp\2138cb5347bb09a628385296eb214592c6aa07b17ed19d75cce6e3f9cf4318d2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:344 -
\??\c:\jpvpj.exec:\jpvpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\rfffxxx.exec:\rfffxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\tnhbbb.exec:\tnhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\9hhhbh.exec:\9hhhbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\hbnhhh.exec:\hbnhhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\jddvv.exec:\jddvv.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\flrllfx.exec:\flrllfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\tnbbnt.exec:\tnbbnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\pdjdd.exec:\pdjdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\frlfxxr.exec:\frlfxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\fflfrlr.exec:\fflfrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\hnnhbt.exec:\hnnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\ppvpv.exec:\ppvpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\rfrlllr.exec:\rfrlllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\htnnnh.exec:\htnnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\pdppv.exec:\pdppv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\jppjp.exec:\jppjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\pvpjv.exec:\pvpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\rfrfxxr.exec:\rfrfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\7tbbnn.exec:\7tbbnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\5bbntn.exec:\5bbntn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\jvdvp.exec:\jvdvp.exe23⤵
- Executes dropped EXE
PID:1464 -
\??\c:\lfxrrrl.exec:\lfxrrrl.exe24⤵
- Executes dropped EXE
PID:1448 -
\??\c:\9ntntt.exec:\9ntntt.exe25⤵
- Executes dropped EXE
PID:2892 -
\??\c:\3tbnhb.exec:\3tbnhb.exe26⤵
- Executes dropped EXE
PID:2256 -
\??\c:\ppvpp.exec:\ppvpp.exe27⤵
- Executes dropped EXE
PID:3384 -
\??\c:\lffrrlf.exec:\lffrrlf.exe28⤵
- Executes dropped EXE
PID:4532 -
\??\c:\9jjvp.exec:\9jjvp.exe29⤵
- Executes dropped EXE
PID:3568 -
\??\c:\vpdvp.exec:\vpdvp.exe30⤵
- Executes dropped EXE
PID:4540 -
\??\c:\htthbt.exec:\htthbt.exe31⤵
- Executes dropped EXE
PID:1200 -
\??\c:\5hbthn.exec:\5hbthn.exe32⤵
- Executes dropped EXE
PID:2208 -
\??\c:\jpjdv.exec:\jpjdv.exe33⤵
- Executes dropped EXE
PID:5016 -
\??\c:\lflfllr.exec:\lflfllr.exe34⤵
- Executes dropped EXE
PID:2100 -
\??\c:\9rrlllf.exec:\9rrlllf.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
\??\c:\3btnhh.exec:\3btnhh.exe36⤵
- Executes dropped EXE
PID:4728 -
\??\c:\9vppp.exec:\9vppp.exe37⤵
- Executes dropped EXE
PID:1740 -
\??\c:\3lfxrxr.exec:\3lfxrxr.exe38⤵
- Executes dropped EXE
PID:1232 -
\??\c:\lxxrrrr.exec:\lxxrrrr.exe39⤵
- Executes dropped EXE
PID:4152 -
\??\c:\7djvp.exec:\7djvp.exe40⤵
- Executes dropped EXE
PID:3452 -
\??\c:\rrrllff.exec:\rrrllff.exe41⤵
- Executes dropped EXE
PID:2224 -
\??\c:\rfflfxr.exec:\rfflfxr.exe42⤵
- Executes dropped EXE
PID:372 -
\??\c:\ttnbtt.exec:\ttnbtt.exe43⤵
- Executes dropped EXE
PID:4792 -
\??\c:\ntbthb.exec:\ntbthb.exe44⤵
- Executes dropped EXE
PID:3392 -
\??\c:\pddvv.exec:\pddvv.exe45⤵
- Executes dropped EXE
PID:2628 -
\??\c:\rlxlxrx.exec:\rlxlxrx.exe46⤵PID:1824
-
\??\c:\xflrlrx.exec:\xflrlrx.exe47⤵
- Executes dropped EXE
PID:1016 -
\??\c:\nnbtbb.exec:\nnbtbb.exe48⤵
- Executes dropped EXE
PID:2164 -
\??\c:\htbbtt.exec:\htbbtt.exe49⤵
- Executes dropped EXE
PID:2484 -
\??\c:\djjdd.exec:\djjdd.exe50⤵
- Executes dropped EXE
PID:4944 -
\??\c:\rrfrfxr.exec:\rrfrfxr.exe51⤵
- Executes dropped EXE
PID:2976 -
\??\c:\rlxrxxl.exec:\rlxrxxl.exe52⤵
- Executes dropped EXE
PID:3064 -
\??\c:\5bbtnt.exec:\5bbtnt.exe53⤵
- Executes dropped EXE
PID:2932 -
\??\c:\9bbttt.exec:\9bbttt.exe54⤵
- Executes dropped EXE
PID:2160 -
\??\c:\djppj.exec:\djppj.exe55⤵
- Executes dropped EXE
PID:4200 -
\??\c:\rrffxfx.exec:\rrffxfx.exe56⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3ffxrlf.exec:\3ffxrlf.exe57⤵
- Executes dropped EXE
PID:4576 -
\??\c:\5hhbtt.exec:\5hhbtt.exe58⤵
- Executes dropped EXE
PID:3508 -
\??\c:\thhtbt.exec:\thhtbt.exe59⤵
- Executes dropped EXE
PID:2664 -
\??\c:\5dppj.exec:\5dppj.exe60⤵
- Executes dropped EXE
PID:68 -
\??\c:\rrxrxxr.exec:\rrxrxxr.exe61⤵
- Executes dropped EXE
PID:940 -
\??\c:\1lxxrrr.exec:\1lxxrrr.exe62⤵
- Executes dropped EXE
PID:1284 -
\??\c:\bnnhbt.exec:\bnnhbt.exe63⤵
- Executes dropped EXE
PID:2512 -
\??\c:\hbbnhb.exec:\hbbnhb.exe64⤵
- Executes dropped EXE
PID:316 -
\??\c:\pddjj.exec:\pddjj.exe65⤵
- Executes dropped EXE
PID:4788 -
\??\c:\xllllxx.exec:\xllllxx.exe66⤵
- Executes dropped EXE
PID:1292 -
\??\c:\3lfxrrr.exec:\3lfxrrr.exe67⤵PID:5024
-
\??\c:\3bhhbb.exec:\3bhhbb.exe68⤵PID:1908
-
\??\c:\nnbttt.exec:\nnbttt.exe69⤵PID:2316
-
\??\c:\jjjdv.exec:\jjjdv.exe70⤵PID:3260
-
\??\c:\flfxlll.exec:\flfxlll.exe71⤵PID:4584
-
\??\c:\xlrlffr.exec:\xlrlffr.exe72⤵PID:4080
-
\??\c:\5ntthh.exec:\5ntthh.exe73⤵
- System Location Discovery: System Language Discovery
PID:3948 -
\??\c:\3pvpv.exec:\3pvpv.exe74⤵PID:2580
-
\??\c:\3fxrlfx.exec:\3fxrlfx.exe75⤵PID:5092
-
\??\c:\llfxllf.exec:\llfxllf.exe76⤵PID:4516
-
\??\c:\hbhbbt.exec:\hbhbbt.exe77⤵PID:4912
-
\??\c:\vvjdv.exec:\vvjdv.exe78⤵PID:2276
-
\??\c:\ppjdv.exec:\ppjdv.exe79⤵PID:1448
-
\??\c:\flrfrlf.exec:\flrfrlf.exe80⤵PID:636
-
\??\c:\3hnhnn.exec:\3hnhnn.exe81⤵PID:2892
-
\??\c:\hnnbnh.exec:\hnnbnh.exe82⤵PID:2300
-
\??\c:\vpddd.exec:\vpddd.exe83⤵PID:2764
-
\??\c:\9ddvp.exec:\9ddvp.exe84⤵PID:4548
-
\??\c:\7fxlxfl.exec:\7fxlxfl.exe85⤵PID:3664
-
\??\c:\nttnbt.exec:\nttnbt.exe86⤵PID:2176
-
\??\c:\9ttnbt.exec:\9ttnbt.exe87⤵PID:2820
-
\??\c:\9jvpd.exec:\9jvpd.exe88⤵PID:4072
-
\??\c:\frrlffx.exec:\frrlffx.exe89⤵PID:1200
-
\??\c:\tttnhb.exec:\tttnhb.exe90⤵PID:1856
-
\??\c:\hnhnnn.exec:\hnhnnn.exe91⤵PID:1996
-
\??\c:\jdjjj.exec:\jdjjj.exe92⤵PID:4588
-
\??\c:\rflffxr.exec:\rflffxr.exe93⤵PID:1108
-
\??\c:\tbhthb.exec:\tbhthb.exe94⤵PID:1768
-
\??\c:\3dvpj.exec:\3dvpj.exe95⤵PID:4524
-
\??\c:\fxlffxf.exec:\fxlffxf.exe96⤵PID:4604
-
\??\c:\3bhbnh.exec:\3bhbnh.exe97⤵PID:4000
-
\??\c:\1ppdv.exec:\1ppdv.exe98⤵PID:4428
-
\??\c:\jjjvp.exec:\jjjvp.exe99⤵PID:2808
-
\??\c:\nbnhbb.exec:\nbnhbb.exe100⤵PID:3324
-
\??\c:\frxrfxr.exec:\frxrfxr.exe101⤵PID:436
-
\??\c:\xfrllrr.exec:\xfrllrr.exe102⤵
- System Location Discovery: System Language Discovery
PID:3692 -
\??\c:\rllrxxf.exec:\rllrxxf.exe103⤵PID:2824
-
\??\c:\3tnhnn.exec:\3tnhnn.exe104⤵PID:3100
-
\??\c:\9llfxxr.exec:\9llfxxr.exe105⤵PID:3028
-
\??\c:\jdvvv.exec:\jdvvv.exe106⤵PID:4496
-
\??\c:\jdvvv.exec:\jdvvv.exe107⤵PID:4856
-
\??\c:\nhhbnn.exec:\nhhbnn.exe108⤵PID:2040
-
\??\c:\jjjdj.exec:\jjjdj.exe109⤵PID:4744
-
\??\c:\rlllxxx.exec:\rlllxxx.exe110⤵PID:2184
-
\??\c:\7lxrllr.exec:\7lxrllr.exe111⤵PID:1868
-
\??\c:\5pvpp.exec:\5pvpp.exe112⤵PID:3236
-
\??\c:\pjpjp.exec:\pjpjp.exe113⤵PID:3248
-
\??\c:\xlxrlxr.exec:\xlxrlxr.exe114⤵PID:4168
-
\??\c:\tnhbtn.exec:\tnhbtn.exe115⤵PID:4544
-
\??\c:\1dvpj.exec:\1dvpj.exe116⤵PID:3064
-
\??\c:\9vdpj.exec:\9vdpj.exe117⤵PID:2272
-
\??\c:\pjvpp.exec:\pjvpp.exe118⤵PID:3188
-
\??\c:\nbnnnn.exec:\nbnnnn.exe119⤵PID:5032
-
\??\c:\hntbnb.exec:\hntbnb.exe120⤵PID:3164
-
\??\c:\pdddv.exec:\pdddv.exe121⤵PID:3268
-
\??\c:\7lfxlfx.exec:\7lfxlfx.exe122⤵PID:1368