Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543edN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543edN.exe
-
Size
453KB
-
MD5
1f54838389ed2fdd0e65b05cfb433a40
-
SHA1
38556cd647d84d1bfba8be65fd2075c0aaf3072b
-
SHA256
238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543ed
-
SHA512
906abcb164d0f91713a6038bf986ae9f6f8a8534501626db67e33ca6e10d7309902fcd0a00993235841163b862be4e7b9de579fabe503c4a6db43ed49e353f7d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3228-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/860-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/588-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1408-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-579-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-1374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1648 jpvvv.exe 2788 5ttbbb.exe 3260 xllfxxr.exe 3904 frxlffx.exe 4992 vpjpv.exe 4336 9ntnnn.exe 2224 nnhbbb.exe 4360 jvdvp.exe 3536 nbhbbb.exe 3992 lfflfrr.exe 4376 bbbhnn.exe 3940 jjppj.exe 2952 btbtnn.exe 4608 pjjjj.exe 5048 rrlfxrl.exe 3588 thnhht.exe 4964 fxfrfxf.exe 4428 lrfrrrf.exe 532 djpjv.exe 1892 vvpdp.exe 2636 vjpjj.exe 2860 rllxxxx.exe 3404 pddjj.exe 2536 rlfxrlf.exe 4500 tnbtbt.exe 716 pjppp.exe 860 bnbttt.exe 4248 hbnhhb.exe 1152 vpvpv.exe 4820 lffffff.exe 1980 9tnnbb.exe 4776 djvpd.exe 1944 bnhbtt.exe 4772 jjddj.exe 4420 fxxrllf.exe 1904 jvjdv.exe 2996 rlllfff.exe 4412 bhhtnh.exe 4792 9hbtnn.exe 4696 jvppd.exe 552 9xrfxrl.exe 4584 xltthth.exe 588 hhnhhn.exe 2264 djpdv.exe 1940 xrxrxrf.exe 5100 1bbnbt.exe 3208 nbhbtt.exe 3212 dddvd.exe 2472 xlfrlrf.exe 2296 3lxrlxr.exe 3224 pvvpj.exe 2920 rlrlfrl.exe 3700 tnnhbb.exe 3664 bttnbt.exe 4868 jppjv.exe 2316 xrfxflf.exe 3904 htbtnn.exe 1848 7tbnbh.exe 3432 jpdvv.exe 1924 rxxlfrf.exe 1140 tbbnbb.exe 4892 tbtnhb.exe 5084 djpjv.exe 3328 rlrrrrl.exe -
resource yara_rule behavioral2/memory/3228-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1152-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/588-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4820-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-893-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-909-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-970-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The IoCs below record each open of the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key; entries marked "Process not Found" could not be attributed to a named process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3228 wrote to memory of 1648 3228 238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543edN.exe 82 PID 3228 wrote to memory of 1648 3228 238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543edN.exe 82 PID 3228 wrote to memory of 1648 3228 238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543edN.exe 82 PID 1648 wrote to memory of 2788 1648 jpvvv.exe 83 PID 1648 wrote to memory of 2788 1648 jpvvv.exe 83 PID 1648 wrote to memory of 2788 1648 jpvvv.exe 83 PID 2788 wrote to memory of 3260 2788 5ttbbb.exe 84 PID 2788 wrote to memory of 3260 2788 5ttbbb.exe 84 PID 2788 wrote to memory of 3260 2788 5ttbbb.exe 84 PID 3260 wrote to memory of 3904 3260 xllfxxr.exe 85 PID 3260 wrote to memory of 3904 3260 xllfxxr.exe 85 PID 3260 wrote to memory of 3904 3260 xllfxxr.exe 85 PID 3904 wrote to memory of 4992 3904 frxlffx.exe 86 PID 3904 wrote to memory of 4992 3904 frxlffx.exe 86 PID 3904 wrote to memory of 4992 3904 frxlffx.exe 86 PID 4992 wrote to memory of 4336 4992 vpjpv.exe 87 PID 4992 wrote to memory of 4336 4992 vpjpv.exe 87 PID 4992 wrote to memory of 4336 4992 vpjpv.exe 87 PID 4336 wrote to memory of 2224 4336 9ntnnn.exe 88 PID 4336 wrote to memory of 2224 4336 9ntnnn.exe 88 PID 4336 wrote to memory of 2224 4336 9ntnnn.exe 88 PID 2224 wrote to memory of 4360 2224 nnhbbb.exe 89 PID 2224 wrote to memory of 4360 2224 nnhbbb.exe 89 PID 2224 wrote to memory of 4360 2224 nnhbbb.exe 89 PID 4360 wrote to memory of 3536 4360 jvdvp.exe 90 PID 4360 wrote to memory of 3536 4360 jvdvp.exe 90 PID 4360 wrote to memory of 3536 4360 jvdvp.exe 90 PID 3536 wrote to memory of 3992 3536 nbhbbb.exe 91 PID 3536 wrote to memory of 3992 3536 nbhbbb.exe 91 PID 3536 wrote to memory of 3992 3536 nbhbbb.exe 91 PID 3992 wrote to memory of 4376 3992 lfflfrr.exe 92 PID 3992 wrote to memory of 4376 3992 lfflfrr.exe 92 PID 3992 wrote to memory of 4376 3992 lfflfrr.exe 92 PID 4376 wrote to memory of 3940 4376 bbbhnn.exe 93 PID 4376 wrote 
to memory of 3940 4376 bbbhnn.exe 93 PID 4376 wrote to memory of 3940 4376 bbbhnn.exe 93 PID 3940 wrote to memory of 2952 3940 jjppj.exe 94 PID 3940 wrote to memory of 2952 3940 jjppj.exe 94 PID 3940 wrote to memory of 2952 3940 jjppj.exe 94 PID 2952 wrote to memory of 4608 2952 btbtnn.exe 95 PID 2952 wrote to memory of 4608 2952 btbtnn.exe 95 PID 2952 wrote to memory of 4608 2952 btbtnn.exe 95 PID 4608 wrote to memory of 5048 4608 pjjjj.exe 96 PID 4608 wrote to memory of 5048 4608 pjjjj.exe 96 PID 4608 wrote to memory of 5048 4608 pjjjj.exe 96 PID 5048 wrote to memory of 3588 5048 rrlfxrl.exe 97 PID 5048 wrote to memory of 3588 5048 rrlfxrl.exe 97 PID 5048 wrote to memory of 3588 5048 rrlfxrl.exe 97 PID 3588 wrote to memory of 4964 3588 thnhht.exe 98 PID 3588 wrote to memory of 4964 3588 thnhht.exe 98 PID 3588 wrote to memory of 4964 3588 thnhht.exe 98 PID 4964 wrote to memory of 4428 4964 fxfrfxf.exe 99 PID 4964 wrote to memory of 4428 4964 fxfrfxf.exe 99 PID 4964 wrote to memory of 4428 4964 fxfrfxf.exe 99 PID 4428 wrote to memory of 532 4428 lrfrrrf.exe 100 PID 4428 wrote to memory of 532 4428 lrfrrrf.exe 100 PID 4428 wrote to memory of 532 4428 lrfrrrf.exe 100 PID 532 wrote to memory of 1892 532 djpjv.exe 102 PID 532 wrote to memory of 1892 532 djpjv.exe 102 PID 532 wrote to memory of 1892 532 djpjv.exe 102 PID 1892 wrote to memory of 2636 1892 vvpdp.exe 103 PID 1892 wrote to memory of 2636 1892 vvpdp.exe 103 PID 1892 wrote to memory of 2636 1892 vvpdp.exe 103 PID 2636 wrote to memory of 2860 2636 vjpjj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543edN.exe"C:\Users\Admin\AppData\Local\Temp\238de9b2082e87e70803a0c566a4c42c4c9b407687a98eecc1935deacc8543edN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\jpvvv.exec:\jpvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\5ttbbb.exec:\5ttbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\xllfxxr.exec:\xllfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\frxlffx.exec:\frxlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\vpjpv.exec:\vpjpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\9ntnnn.exec:\9ntnnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\nnhbbb.exec:\nnhbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\jvdvp.exec:\jvdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\nbhbbb.exec:\nbhbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\lfflfrr.exec:\lfflfrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992 -
\??\c:\bbbhnn.exec:\bbbhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\jjppj.exec:\jjppj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\btbtnn.exec:\btbtnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\pjjjj.exec:\pjjjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\thnhht.exec:\thnhht.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\fxfrfxf.exec:\fxfrfxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\lrfrrrf.exec:\lrfrrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\djpjv.exec:\djpjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\vvpdp.exec:\vvpdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\vjpjj.exec:\vjpjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\rllxxxx.exec:\rllxxxx.exe23⤵
- Executes dropped EXE
PID:2860 -
\??\c:\pddjj.exec:\pddjj.exe24⤵
- Executes dropped EXE
PID:3404 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe25⤵
- Executes dropped EXE
PID:2536 -
\??\c:\tnbtbt.exec:\tnbtbt.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4500 -
\??\c:\pjppp.exec:\pjppp.exe27⤵
- Executes dropped EXE
PID:716 -
\??\c:\bnbttt.exec:\bnbttt.exe28⤵
- Executes dropped EXE
PID:860 -
\??\c:\hbnhhb.exec:\hbnhhb.exe29⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vpvpv.exec:\vpvpv.exe30⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lffffff.exec:\lffffff.exe31⤵
- Executes dropped EXE
PID:4820 -
\??\c:\9tnnbb.exec:\9tnnbb.exe32⤵
- Executes dropped EXE
PID:1980 -
\??\c:\djvpd.exec:\djvpd.exe33⤵
- Executes dropped EXE
PID:4776 -
\??\c:\bnhbtt.exec:\bnhbtt.exe34⤵
- Executes dropped EXE
PID:1944 -
\??\c:\jjddj.exec:\jjddj.exe35⤵
- Executes dropped EXE
PID:4772 -
\??\c:\fxxrllf.exec:\fxxrllf.exe36⤵
- Executes dropped EXE
PID:4420 -
\??\c:\jvjdv.exec:\jvjdv.exe37⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rlllfff.exec:\rlllfff.exe38⤵
- Executes dropped EXE
PID:2996 -
\??\c:\bhhtnh.exec:\bhhtnh.exe39⤵
- Executes dropped EXE
PID:4412 -
\??\c:\9hbtnn.exec:\9hbtnn.exe40⤵
- Executes dropped EXE
PID:4792 -
\??\c:\jvppd.exec:\jvppd.exe41⤵
- Executes dropped EXE
PID:4696 -
\??\c:\9xrfxrl.exec:\9xrfxrl.exe42⤵
- Executes dropped EXE
PID:552 -
\??\c:\xltthth.exec:\xltthth.exe43⤵
- Executes dropped EXE
PID:4584 -
\??\c:\hhnhhn.exec:\hhnhhn.exe44⤵
- Executes dropped EXE
PID:588 -
\??\c:\djpdv.exec:\djpdv.exe45⤵
- Executes dropped EXE
PID:2264 -
\??\c:\xrxrxrf.exec:\xrxrxrf.exe46⤵
- Executes dropped EXE
PID:1940 -
\??\c:\1bbnbt.exec:\1bbnbt.exe47⤵
- Executes dropped EXE
PID:5100 -
\??\c:\nbhbtt.exec:\nbhbtt.exe48⤵
- Executes dropped EXE
PID:3208 -
\??\c:\dddvd.exec:\dddvd.exe49⤵
- Executes dropped EXE
PID:3212 -
\??\c:\xlfrlrf.exec:\xlfrlrf.exe50⤵
- Executes dropped EXE
PID:2472 -
\??\c:\3lxrlxr.exec:\3lxrlxr.exe51⤵
- Executes dropped EXE
PID:2296 -
\??\c:\5btnbn.exec:\5btnbn.exe52⤵PID:4520
-
\??\c:\pvvpj.exec:\pvvpj.exe53⤵
- Executes dropped EXE
PID:3224 -
\??\c:\rlrlfrl.exec:\rlrlfrl.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
\??\c:\tnnhbb.exec:\tnnhbb.exe55⤵
- Executes dropped EXE
PID:3700 -
\??\c:\bttnbt.exec:\bttnbt.exe56⤵
- Executes dropped EXE
PID:3664 -
\??\c:\jppjv.exec:\jppjv.exe57⤵
- Executes dropped EXE
PID:4868 -
\??\c:\xrfxflf.exec:\xrfxflf.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
\??\c:\htbtnn.exec:\htbtnn.exe59⤵
- Executes dropped EXE
PID:3904 -
\??\c:\7tbnbh.exec:\7tbnbh.exe60⤵
- Executes dropped EXE
PID:1848 -
\??\c:\jpdvv.exec:\jpdvv.exe61⤵
- Executes dropped EXE
PID:3432 -
\??\c:\rxxlfrf.exec:\rxxlfrf.exe62⤵
- Executes dropped EXE
PID:1924 -
\??\c:\tbbnbb.exec:\tbbnbb.exe63⤵
- Executes dropped EXE
PID:1140 -
\??\c:\tbtnhb.exec:\tbtnhb.exe64⤵
- Executes dropped EXE
PID:4892 -
\??\c:\djpjv.exec:\djpjv.exe65⤵
- Executes dropped EXE
PID:5084 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe66⤵
- Executes dropped EXE
PID:3328 -
\??\c:\bhnhbb.exec:\bhnhbb.exe67⤵PID:3536
-
\??\c:\jjjdv.exec:\jjjdv.exe68⤵PID:3992
-
\??\c:\7vdpj.exec:\7vdpj.exe69⤵PID:3408
-
\??\c:\rffrfrl.exec:\rffrfrl.exe70⤵PID:4036
-
\??\c:\nntnth.exec:\nntnth.exe71⤵PID:3940
-
\??\c:\hhtnnn.exec:\hhtnnn.exe72⤵PID:3100
-
\??\c:\jppjj.exec:\jppjj.exe73⤵PID:2452
-
\??\c:\frfxxxf.exec:\frfxxxf.exe74⤵PID:3332
-
\??\c:\btbbnn.exec:\btbbnn.exe75⤵
- System Location Discovery: System Language Discovery
PID:1428 -
\??\c:\1jpjd.exec:\1jpjd.exe76⤵PID:5060
-
\??\c:\frrlxrl.exec:\frrlxrl.exe77⤵PID:4948
-
\??\c:\nhhbtt.exec:\nhhbtt.exe78⤵PID:3784
-
\??\c:\jjvjp.exec:\jjvjp.exe79⤵PID:3728
-
\??\c:\vppjv.exec:\vppjv.exe80⤵PID:4932
-
\??\c:\lfxrllf.exec:\lfxrllf.exe81⤵PID:1628
-
\??\c:\thbtnh.exec:\thbtnh.exe82⤵PID:3756
-
\??\c:\3vpjd.exec:\3vpjd.exe83⤵PID:2636
-
\??\c:\3jjdv.exec:\3jjdv.exe84⤵PID:224
-
\??\c:\lfllfxx.exec:\lfllfxx.exe85⤵PID:1408
-
\??\c:\3tthbt.exec:\3tthbt.exe86⤵PID:2680
-
\??\c:\tttnbt.exec:\tttnbt.exe87⤵PID:1572
-
\??\c:\vvjdv.exec:\vvjdv.exe88⤵PID:3352
-
\??\c:\fxlxxlr.exec:\fxlxxlr.exe89⤵PID:1044
-
\??\c:\1ffrfxl.exec:\1ffrfxl.exe90⤵PID:4044
-
\??\c:\hnnhhb.exec:\hnnhhb.exe91⤵PID:5076
-
\??\c:\dpvvp.exec:\dpvvp.exe92⤵PID:1268
-
\??\c:\lrxrffx.exec:\lrxrffx.exe93⤵PID:4872
-
\??\c:\tntnhb.exec:\tntnhb.exe94⤵PID:2488
-
\??\c:\bntnnh.exec:\bntnnh.exe95⤵PID:4820
-
\??\c:\vjvpp.exec:\vjvpp.exe96⤵PID:4348
-
\??\c:\frrlxrf.exec:\frrlxrf.exe97⤵PID:4116
-
\??\c:\hthbtt.exec:\hthbtt.exe98⤵PID:4776
-
\??\c:\vjvjv.exec:\vjvjv.exe99⤵PID:4884
-
\??\c:\djpvp.exec:\djpvp.exe100⤵PID:4952
-
\??\c:\lrxrllf.exec:\lrxrllf.exe101⤵PID:1548
-
\??\c:\9nthtt.exec:\9nthtt.exe102⤵PID:5104
-
\??\c:\htbbbt.exec:\htbbbt.exe103⤵PID:4352
-
\??\c:\vpppv.exec:\vpppv.exe104⤵PID:2584
-
\??\c:\flfxfxr.exec:\flfxfxr.exe105⤵PID:4112
-
\??\c:\thnnnb.exec:\thnnnb.exe106⤵PID:3252
-
\??\c:\dpvvd.exec:\dpvvd.exe107⤵PID:3448
-
\??\c:\rflfxxx.exec:\rflfxxx.exe108⤵PID:3032
-
\??\c:\xffxxrx.exec:\xffxxrx.exe109⤵PID:4164
-
\??\c:\nbtnhh.exec:\nbtnhh.exe110⤵PID:3932
-
\??\c:\dpvpd.exec:\dpvpd.exe111⤵PID:2264
-
\??\c:\xxlxrrl.exec:\xxlxrrl.exe112⤵PID:1404
-
\??\c:\3bbbtt.exec:\3bbbtt.exe113⤵PID:5100
-
\??\c:\5vddv.exec:\5vddv.exe114⤵PID:3364
-
\??\c:\llxrrrx.exec:\llxrrrx.exe115⤵
- System Location Discovery: System Language Discovery
PID:244 -
\??\c:\bnhbtt.exec:\bnhbtt.exe116⤵PID:2472
-
\??\c:\hbbnhb.exec:\hbbnhb.exe117⤵PID:3228
-
\??\c:\7dvjd.exec:\7dvjd.exe118⤵PID:4464
-
\??\c:\lffxxxx.exec:\lffxxxx.exe119⤵PID:3592
-
\??\c:\bhnnhh.exec:\bhnnhh.exe120⤵PID:1128
-
\??\c:\tttnhb.exec:\tttnhb.exe121⤵PID:1504
-
\??\c:\jdjvp.exec:\jdjvp.exe122⤵PID:3664