Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/12/2024, 21:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277.exe
-
Size
455KB
-
MD5
9444a1b9658de9aeee8260cc9bdfd9b5
-
SHA1
4adf402c0e2cac69c29a667d1d4c3e9efc995368
-
SHA256
341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277
-
SHA512
dab8fdd7da2997e356a63dd9e30b6ccbffe4a041157e14b6d2710f844bd97531ac276df6f3b2e064e2e9ed9ac346000713bf814b7abc652c2b8b0c78a9350c12
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2096-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4196-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/324-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2264-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-818-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-1106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-1116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-1331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4544 jjjvp.exe 3648 ffrfrlx.exe 1460 dvjdv.exe 2876 rfxlffx.exe 4488 tbbnbt.exe 2824 jvdvj.exe 2496 lflfrxl.exe 4660 3rffrlx.exe 2136 tthnhb.exe 2180 tntbnh.exe 2132 hbtnhh.exe 4672 9ppjj.exe 3052 bbnnhh.exe 5076 ppvdv.exe 2560 fxrfrfr.exe 1140 xflxlfr.exe 1352 hntnhh.exe 4080 jppjd.exe 3348 rffxrrl.exe 936 bnhbnh.exe 2264 dpjvp.exe 4492 vddpv.exe 1700 xlfxrfr.exe 1728 1tthtn.exe 1112 vjvpv.exe 1756 lllfffx.exe 1624 nbhtnh.exe 3748 3jpjp.exe 4276 rfxlrlx.exe 3772 pppdp.exe 4432 1frrflx.exe 336 bbthtn.exe 1560 xrrxlfr.exe 4068 vdjvp.exe 1748 lxrfxrl.exe 2028 frxrxrr.exe 1016 nnnhbb.exe 1980 1vjdd.exe 3536 vvjjj.exe 1132 fxrlxrl.exe 1936 nbtbnb.exe 2556 ttnhbh.exe 4196 jdjdv.exe 2504 frrllxx.exe 324 lllfrxr.exe 4572 nhnbth.exe 1968 7dvjd.exe 5080 dpvvv.exe 4480 xllxlfx.exe 4608 httnnh.exe 1284 tbbtnh.exe 2016 7ppjd.exe 1692 lxrxrlr.exe 4860 xxfxxxr.exe 1900 hhbnth.exe 2448 vjddp.exe 3620 xrrfrrf.exe 744 xffxxxr.exe 4680 5nhhtt.exe 4512 bnbhnb.exe 1384 7vvpd.exe 5100 5xxlfxl.exe 2300 3llffff.exe 2008 ntthth.exe -
resource yara_rule behavioral2/memory/2096-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-228-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2504-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/324-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2684-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-814-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-818-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-840-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 4544 2096 341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277.exe 84 PID 2096 wrote to memory of 4544 2096 341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277.exe 84 PID 2096 wrote to memory of 4544 2096 341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277.exe 84 PID 4544 wrote to memory of 3648 4544 jjjvp.exe 85 PID 4544 wrote to memory of 3648 4544 jjjvp.exe 85 PID 4544 wrote to memory of 3648 4544 jjjvp.exe 85 PID 3648 wrote to memory of 1460 3648 ffrfrlx.exe 86 PID 3648 wrote to memory of 1460 3648 ffrfrlx.exe 86 PID 3648 wrote to memory of 1460 3648 ffrfrlx.exe 86 PID 1460 wrote to memory of 2876 1460 dvjdv.exe 87 PID 1460 wrote to memory of 2876 1460 dvjdv.exe 87 PID 1460 wrote to memory of 2876 1460 dvjdv.exe 87 PID 2876 wrote to memory of 4488 2876 rfxlffx.exe 88 PID 2876 wrote to memory of 4488 2876 rfxlffx.exe 88 PID 2876 wrote to memory of 4488 2876 rfxlffx.exe 88 PID 4488 wrote to memory of 2824 4488 tbbnbt.exe 89 PID 4488 wrote to memory of 2824 4488 tbbnbt.exe 89 PID 4488 wrote to memory of 2824 4488 tbbnbt.exe 89 PID 2824 wrote to memory of 2496 2824 jvdvj.exe 90 PID 2824 wrote to memory of 2496 2824 jvdvj.exe 90 PID 2824 wrote to memory of 2496 2824 jvdvj.exe 90 PID 2496 wrote to memory of 4660 2496 lflfrxl.exe 91 PID 2496 wrote to memory of 4660 2496 lflfrxl.exe 91 PID 2496 wrote to memory of 4660 2496 lflfrxl.exe 91 PID 4660 wrote to memory of 2136 4660 3rffrlx.exe 92 PID 4660 wrote to memory of 2136 4660 3rffrlx.exe 92 PID 4660 wrote to memory of 2136 4660 3rffrlx.exe 92 PID 2136 wrote to memory of 2180 2136 tthnhb.exe 93 PID 2136 wrote to memory of 2180 2136 tthnhb.exe 93 PID 2136 wrote to memory of 2180 2136 tthnhb.exe 93 PID 2180 wrote to memory of 2132 2180 tntbnh.exe 94 PID 2180 wrote to memory of 2132 2180 tntbnh.exe 94 PID 2180 wrote to memory of 2132 2180 tntbnh.exe 94 PID 2132 wrote to memory of 4672 2132 hbtnhh.exe 95 PID 2132 wrote 
to memory of 4672 2132 hbtnhh.exe 95 PID 2132 wrote to memory of 4672 2132 hbtnhh.exe 95 PID 4672 wrote to memory of 3052 4672 9ppjj.exe 96 PID 4672 wrote to memory of 3052 4672 9ppjj.exe 96 PID 4672 wrote to memory of 3052 4672 9ppjj.exe 96 PID 3052 wrote to memory of 5076 3052 bbnnhh.exe 97 PID 3052 wrote to memory of 5076 3052 bbnnhh.exe 97 PID 3052 wrote to memory of 5076 3052 bbnnhh.exe 97 PID 5076 wrote to memory of 2560 5076 ppvdv.exe 98 PID 5076 wrote to memory of 2560 5076 ppvdv.exe 98 PID 5076 wrote to memory of 2560 5076 ppvdv.exe 98 PID 2560 wrote to memory of 1140 2560 fxrfrfr.exe 99 PID 2560 wrote to memory of 1140 2560 fxrfrfr.exe 99 PID 2560 wrote to memory of 1140 2560 fxrfrfr.exe 99 PID 1140 wrote to memory of 1352 1140 xflxlfr.exe 100 PID 1140 wrote to memory of 1352 1140 xflxlfr.exe 100 PID 1140 wrote to memory of 1352 1140 xflxlfr.exe 100 PID 1352 wrote to memory of 4080 1352 hntnhh.exe 101 PID 1352 wrote to memory of 4080 1352 hntnhh.exe 101 PID 1352 wrote to memory of 4080 1352 hntnhh.exe 101 PID 4080 wrote to memory of 3348 4080 jppjd.exe 102 PID 4080 wrote to memory of 3348 4080 jppjd.exe 102 PID 4080 wrote to memory of 3348 4080 jppjd.exe 102 PID 3348 wrote to memory of 936 3348 rffxrrl.exe 103 PID 3348 wrote to memory of 936 3348 rffxrrl.exe 103 PID 3348 wrote to memory of 936 3348 rffxrrl.exe 103 PID 936 wrote to memory of 2264 936 bnhbnh.exe 162 PID 936 wrote to memory of 2264 936 bnhbnh.exe 162 PID 936 wrote to memory of 2264 936 bnhbnh.exe 162 PID 2264 wrote to memory of 4492 2264 dpjvp.exe 163
Processes
-
C:\Users\Admin\AppData\Local\Temp\341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277.exe"C:\Users\Admin\AppData\Local\Temp\341a555b42bb2018952ace94730882f8d58a260a9c1ee6aa11e8db8d4d58a277.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\jjjvp.exec:\jjjvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\ffrfrlx.exec:\ffrfrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\dvjdv.exec:\dvjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\rfxlffx.exec:\rfxlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\tbbnbt.exec:\tbbnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\jvdvj.exec:\jvdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\lflfrxl.exec:\lflfrxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\3rffrlx.exec:\3rffrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\tthnhb.exec:\tthnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\tntbnh.exec:\tntbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\hbtnhh.exec:\hbtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\9ppjj.exec:\9ppjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\bbnnhh.exec:\bbnnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\ppvdv.exec:\ppvdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\fxrfrfr.exec:\fxrfrfr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\xflxlfr.exec:\xflxlfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\hntnhh.exec:\hntnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\jppjd.exec:\jppjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\rffxrrl.exec:\rffxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\bnhbnh.exec:\bnhbnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\dpjvp.exec:\dpjvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\vddpv.exec:\vddpv.exe23⤵
- Executes dropped EXE
PID:4492 -
\??\c:\xlfxrfr.exec:\xlfxrfr.exe24⤵
- Executes dropped EXE
PID:1700 -
\??\c:\1tthtn.exec:\1tthtn.exe25⤵
- Executes dropped EXE
PID:1728 -
\??\c:\vjvpv.exec:\vjvpv.exe26⤵
- Executes dropped EXE
PID:1112 -
\??\c:\lllfffx.exec:\lllfffx.exe27⤵
- Executes dropped EXE
PID:1756 -
\??\c:\nbhtnh.exec:\nbhtnh.exe28⤵
- Executes dropped EXE
PID:1624 -
\??\c:\3jpjp.exec:\3jpjp.exe29⤵
- Executes dropped EXE
PID:3748 -
\??\c:\rfxlrlx.exec:\rfxlrlx.exe30⤵
- Executes dropped EXE
PID:4276 -
\??\c:\pppdp.exec:\pppdp.exe31⤵
- Executes dropped EXE
PID:3772 -
\??\c:\1frrflx.exec:\1frrflx.exe32⤵
- Executes dropped EXE
PID:4432 -
\??\c:\bbthtn.exec:\bbthtn.exe33⤵
- Executes dropped EXE
PID:336 -
\??\c:\xrrxlfr.exec:\xrrxlfr.exe34⤵
- Executes dropped EXE
PID:1560 -
\??\c:\vdjvp.exec:\vdjvp.exe35⤵
- Executes dropped EXE
PID:4068 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe36⤵
- Executes dropped EXE
PID:1748 -
\??\c:\frxrxrr.exec:\frxrxrr.exe37⤵
- Executes dropped EXE
PID:2028 -
\??\c:\nnnhbb.exec:\nnnhbb.exe38⤵
- Executes dropped EXE
PID:1016 -
\??\c:\1vjdd.exec:\1vjdd.exe39⤵
- Executes dropped EXE
PID:1980 -
\??\c:\vvjjj.exec:\vvjjj.exe40⤵
- Executes dropped EXE
PID:3536 -
\??\c:\fxrlxrl.exec:\fxrlxrl.exe41⤵
- Executes dropped EXE
PID:1132 -
\??\c:\nbtbnb.exec:\nbtbnb.exe42⤵
- Executes dropped EXE
PID:1936 -
\??\c:\ttnhbh.exec:\ttnhbh.exe43⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jdjdv.exec:\jdjdv.exe44⤵
- Executes dropped EXE
PID:4196 -
\??\c:\frrllxx.exec:\frrllxx.exe45⤵
- Executes dropped EXE
PID:2504 -
\??\c:\lllfrxr.exec:\lllfrxr.exe46⤵
- Executes dropped EXE
PID:324 -
\??\c:\nhnbth.exec:\nhnbth.exe47⤵
- Executes dropped EXE
PID:4572 -
\??\c:\7dvjd.exec:\7dvjd.exe48⤵
- Executes dropped EXE
PID:1968 -
\??\c:\dpvvv.exec:\dpvvv.exe49⤵
- Executes dropped EXE
PID:5080 -
\??\c:\xllxlfx.exec:\xllxlfx.exe50⤵
- Executes dropped EXE
PID:4480 -
\??\c:\httnnh.exec:\httnnh.exe51⤵
- Executes dropped EXE
PID:4608 -
\??\c:\tbbtnh.exec:\tbbtnh.exe52⤵
- Executes dropped EXE
PID:1284 -
\??\c:\7ppjd.exec:\7ppjd.exe53⤵
- Executes dropped EXE
PID:2016 -
\??\c:\lxrxrlr.exec:\lxrxrlr.exe54⤵
- Executes dropped EXE
PID:1692 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe55⤵
- Executes dropped EXE
PID:4860 -
\??\c:\hhbnth.exec:\hhbnth.exe56⤵
- Executes dropped EXE
PID:1900 -
\??\c:\vjddp.exec:\vjddp.exe57⤵
- Executes dropped EXE
PID:2448 -
\??\c:\xrrfrrf.exec:\xrrfrrf.exe58⤵
- Executes dropped EXE
PID:3620 -
\??\c:\xffxxxr.exec:\xffxxxr.exe59⤵
- Executes dropped EXE
PID:744 -
\??\c:\5nhhtt.exec:\5nhhtt.exe60⤵
- Executes dropped EXE
PID:4680 -
\??\c:\bnbhnb.exec:\bnbhnb.exe61⤵
- Executes dropped EXE
PID:4512 -
\??\c:\7vvpd.exec:\7vvpd.exe62⤵
- Executes dropped EXE
PID:1384 -
\??\c:\5xxlfxl.exec:\5xxlfxl.exe63⤵
- Executes dropped EXE
PID:5100 -
\??\c:\3llffff.exec:\3llffff.exe64⤵
- Executes dropped EXE
PID:2300 -
\??\c:\ntthth.exec:\ntthth.exe65⤵
- Executes dropped EXE
PID:2008 -
\??\c:\hnnbtb.exec:\hnnbtb.exe66⤵PID:1640
-
\??\c:\jdjjj.exec:\jdjjj.exe67⤵PID:3228
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe68⤵PID:4436
-
\??\c:\nttnbb.exec:\nttnbb.exe69⤵PID:2184
-
\??\c:\vjvpp.exec:\vjvpp.exe70⤵PID:4104
-
\??\c:\1jvpv.exec:\1jvpv.exe71⤵PID:5008
-
\??\c:\llfflrr.exec:\llfflrr.exe72⤵PID:2236
-
\??\c:\bhbttn.exec:\bhbttn.exe73⤵PID:3192
-
\??\c:\ppddv.exec:\ppddv.exe74⤵PID:3848
-
\??\c:\3rfrfxl.exec:\3rfrfxl.exe75⤵PID:2996
-
\??\c:\bbhtht.exec:\bbhtht.exe76⤵PID:2284
-
\??\c:\vjpdv.exec:\vjpdv.exe77⤵PID:2116
-
\??\c:\7fxlrlf.exec:\7fxlrlf.exe78⤵PID:2044
-
\??\c:\5tthhb.exec:\5tthhb.exe79⤵PID:1660
-
\??\c:\xllfxrl.exec:\xllfxrl.exe80⤵PID:2264
-
\??\c:\hhhbtt.exec:\hhhbtt.exe81⤵PID:4492
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe82⤵PID:3664
-
\??\c:\vpvpd.exec:\vpvpd.exe83⤵PID:5068
-
\??\c:\jddpj.exec:\jddpj.exe84⤵PID:468
-
\??\c:\llxrrrx.exec:\llxrrrx.exe85⤵PID:2832
-
\??\c:\5nttnn.exec:\5nttnn.exe86⤵PID:2856
-
\??\c:\nnthnh.exec:\nnthnh.exe87⤵PID:3616
-
\??\c:\rxfxrll.exec:\rxfxrll.exe88⤵PID:2592
-
\??\c:\xxfrflr.exec:\xxfrflr.exe89⤵PID:1496
-
\??\c:\thtnbb.exec:\thtnbb.exe90⤵PID:3060
-
\??\c:\jdvjp.exec:\jdvjp.exe91⤵PID:720
-
\??\c:\1rlxllx.exec:\1rlxllx.exe92⤵PID:2684
-
\??\c:\tnbnnt.exec:\tnbnnt.exe93⤵PID:3824
-
\??\c:\bhhhtt.exec:\bhhhtt.exe94⤵PID:4876
-
\??\c:\lllrfxf.exec:\lllrfxf.exe95⤵PID:336
-
\??\c:\nntnhb.exec:\nntnhb.exe96⤵
- System Location Discovery: System Language Discovery
PID:2976 -
\??\c:\dpjvj.exec:\dpjvj.exe97⤵PID:920
-
\??\c:\1xxxrrr.exec:\1xxxrrr.exe98⤵
- System Location Discovery: System Language Discovery
PID:4068 -
\??\c:\nhbnth.exec:\nhbnth.exe99⤵PID:3556
-
\??\c:\3vpdj.exec:\3vpdj.exe100⤵PID:4796
-
\??\c:\1llxfxl.exec:\1llxfxl.exe101⤵PID:2912
-
\??\c:\fflfxxr.exec:\fflfxxr.exe102⤵PID:2012
-
\??\c:\5nttnt.exec:\5nttnt.exe103⤵PID:3604
-
\??\c:\vdpdp.exec:\vdpdp.exe104⤵PID:812
-
\??\c:\pvjdv.exec:\pvjdv.exe105⤵PID:2192
-
\??\c:\rrlfffx.exec:\rrlfffx.exe106⤵PID:3700
-
\??\c:\5btbtb.exec:\5btbtb.exe107⤵PID:556
-
\??\c:\vdjvp.exec:\vdjvp.exe108⤵PID:64
-
\??\c:\7xfrllx.exec:\7xfrllx.exe109⤵PID:4588
-
\??\c:\3ttttt.exec:\3ttttt.exe110⤵PID:4784
-
\??\c:\9vdvv.exec:\9vdvv.exe111⤵PID:2868
-
\??\c:\pppdd.exec:\pppdd.exe112⤵PID:4416
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe113⤵PID:3540
-
\??\c:\bhnhhb.exec:\bhnhhb.exe114⤵PID:3508
-
\??\c:\bbhnbb.exec:\bbhnbb.exe115⤵PID:2152
-
\??\c:\jvvpd.exec:\jvvpd.exe116⤵PID:232
-
\??\c:\rlxrffx.exec:\rlxrffx.exe117⤵PID:1840
-
\??\c:\rfllfxr.exec:\rfllfxr.exe118⤵PID:1088
-
\??\c:\hntnhn.exec:\hntnhn.exe119⤵PID:2876
-
\??\c:\dddvj.exec:\dddvj.exe120⤵PID:4988
-
\??\c:\vjjdp.exec:\vjjdp.exe121⤵PID:4488
-
\??\c:\9fxrlrl.exec:\9fxrlrl.exe122⤵PID:2804