Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 23:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad.exe
-
Size
454KB
-
MD5
806c2d200c67b837a4435cf4461e2c5d
-
SHA1
8317c197fa220a6da919bfc88fa8afea49ec934a
-
SHA256
5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad
-
SHA512
bf96668d57cbf8372f22f6bd8e4ccee5a59a17d5b8a0fb7d73a9c089add1c1e0559ef88149ddb27c1b24f91e166a6add78b7601840bd8f3cb83b8d31dfac9a52
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1068-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3212-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1832-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4744-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-951-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-1290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-1922-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3940-1983-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5004 ddjdj.exe 3568 rlllfff.exe 936 9jvpj.exe 2456 fllfflf.exe 452 vpjpv.exe 3004 bbbbbh.exe 828 rfxrrrl.exe 4416 rxxfxff.exe 3212 jjddd.exe 1196 dpvpp.exe 3940 dvjjv.exe 1988 5hhtnh.exe 1780 9jjjd.exe 1624 rffxxxf.exe 4744 3hbbtt.exe 1456 7vvvj.exe 3548 3xrlxrl.exe 3392 tttnnh.exe 3456 hhnhtb.exe 4640 ttbnhb.exe 3488 3pjdv.exe 1664 rffffxr.exe 1140 jpppj.exe 2800 dvvpj.exe 3372 7hbbtt.exe 1708 9dvpj.exe 4360 nbhbbb.exe 1832 jvpdp.exe 3988 rrlrrlr.exe 4652 jvvvp.exe 4196 llrlxxf.exe 2776 nnhbtt.exe 2176 7pppj.exe 3116 nbnbnh.exe 1760 hhnhbb.exe 1204 7jjdp.exe 2524 5frflfr.exe 4356 hnhbtt.exe 2740 dvvpd.exe 1416 ppvjd.exe 1424 xxxrrrr.exe 2948 hnnbnh.exe 2788 pvjjd.exe 4536 7rxllll.exe 1124 hthbnh.exe 3076 jvjvd.exe 2848 dppjv.exe 1552 3llffff.exe 1244 bhhhbb.exe 3868 vvjvp.exe 4448 5fxlxrf.exe 4456 btnbnh.exe 4856 7vvjv.exe 904 jvpjv.exe 2424 7lfxfll.exe 2620 bnnbnh.exe 936 ttbnbb.exe 4904 5jjjd.exe 4088 lxrfrlf.exe 452 httnbt.exe 3608 thhhhh.exe 2636 jdppd.exe 1064 rrxrrlf.exe 5028 btbtnh.exe -
resource yara_rule behavioral2/memory/1068-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3212-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3988-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3548-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-670-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-718-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fffrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9thbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffrxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1068 wrote to memory of 5004 1068 5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad.exe 84 PID 1068 wrote to memory of 5004 1068 5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad.exe 84 PID 1068 wrote to memory of 5004 1068 5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad.exe 84 PID 5004 wrote to memory of 3568 5004 ddjdj.exe 85 PID 5004 wrote to memory of 3568 5004 ddjdj.exe 85 PID 5004 wrote to memory of 3568 5004 ddjdj.exe 85 PID 3568 wrote to memory of 936 3568 rlllfff.exe 86 PID 3568 wrote to memory of 936 3568 rlllfff.exe 86 PID 3568 wrote to memory of 936 3568 rlllfff.exe 86 PID 936 wrote to memory of 2456 936 9jvpj.exe 87 PID 936 wrote to memory of 2456 936 9jvpj.exe 87 PID 936 wrote to memory of 2456 936 9jvpj.exe 87 PID 2456 wrote to memory of 452 2456 fllfflf.exe 88 PID 2456 wrote to memory of 452 2456 fllfflf.exe 88 PID 2456 wrote to memory of 452 2456 fllfflf.exe 88 PID 452 wrote to memory of 3004 452 vpjpv.exe 89 PID 452 wrote to memory of 3004 452 vpjpv.exe 89 PID 452 wrote to memory of 3004 452 vpjpv.exe 89 PID 3004 wrote to memory of 828 3004 bbbbbh.exe 90 PID 3004 wrote to memory of 828 3004 bbbbbh.exe 90 PID 3004 wrote to memory of 828 3004 bbbbbh.exe 90 PID 828 wrote to memory of 4416 828 rfxrrrl.exe 91 PID 828 wrote to memory of 4416 828 rfxrrrl.exe 91 PID 828 wrote to memory of 4416 828 rfxrrrl.exe 91 PID 4416 wrote to memory of 3212 4416 rxxfxff.exe 92 PID 4416 wrote to memory of 3212 4416 rxxfxff.exe 92 PID 4416 wrote to memory of 3212 4416 rxxfxff.exe 92 PID 3212 wrote to memory of 1196 3212 jjddd.exe 93 PID 3212 wrote to memory of 1196 3212 jjddd.exe 93 PID 3212 wrote to memory of 1196 3212 jjddd.exe 93 PID 1196 wrote to memory of 3940 1196 dpvpp.exe 94 PID 1196 wrote to memory of 3940 1196 dpvpp.exe 94 PID 1196 wrote to memory of 3940 1196 dpvpp.exe 94 PID 3940 wrote to memory of 1988 3940 dvjjv.exe 95 PID 3940 wrote to memory of 1988 3940 dvjjv.exe 95 
PID 3940 wrote to memory of 1988 3940 dvjjv.exe 95 PID 1988 wrote to memory of 1780 1988 5hhtnh.exe 96 PID 1988 wrote to memory of 1780 1988 5hhtnh.exe 96 PID 1988 wrote to memory of 1780 1988 5hhtnh.exe 96 PID 1780 wrote to memory of 1624 1780 9jjjd.exe 97 PID 1780 wrote to memory of 1624 1780 9jjjd.exe 97 PID 1780 wrote to memory of 1624 1780 9jjjd.exe 97 PID 1624 wrote to memory of 4744 1624 rffxxxf.exe 98 PID 1624 wrote to memory of 4744 1624 rffxxxf.exe 98 PID 1624 wrote to memory of 4744 1624 rffxxxf.exe 98 PID 4744 wrote to memory of 1456 4744 3hbbtt.exe 99 PID 4744 wrote to memory of 1456 4744 3hbbtt.exe 99 PID 4744 wrote to memory of 1456 4744 3hbbtt.exe 99 PID 1456 wrote to memory of 3548 1456 7vvvj.exe 100 PID 1456 wrote to memory of 3548 1456 7vvvj.exe 100 PID 1456 wrote to memory of 3548 1456 7vvvj.exe 100 PID 3548 wrote to memory of 3392 3548 3xrlxrl.exe 101 PID 3548 wrote to memory of 3392 3548 3xrlxrl.exe 101 PID 3548 wrote to memory of 3392 3548 3xrlxrl.exe 101 PID 3392 wrote to memory of 3456 3392 tttnnh.exe 102 PID 3392 wrote to memory of 3456 3392 tttnnh.exe 102 PID 3392 wrote to memory of 3456 3392 tttnnh.exe 102 PID 3456 wrote to memory of 4640 3456 hhnhtb.exe 103 PID 3456 wrote to memory of 4640 3456 hhnhtb.exe 103 PID 3456 wrote to memory of 4640 3456 hhnhtb.exe 103 PID 4640 wrote to memory of 3488 4640 ttbnhb.exe 104 PID 4640 wrote to memory of 3488 4640 ttbnhb.exe 104 PID 4640 wrote to memory of 3488 4640 ttbnhb.exe 104 PID 3488 wrote to memory of 1664 3488 3pjdv.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad.exe"C:\Users\Admin\AppData\Local\Temp\5bb95a0491237ae0d939b0e63484fa825b3b2870131f85260597edc8540ba6ad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\ddjdj.exec:\ddjdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\rlllfff.exec:\rlllfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\9jvpj.exec:\9jvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\fllfflf.exec:\fllfflf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\vpjpv.exec:\vpjpv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452 -
\??\c:\bbbbbh.exec:\bbbbbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\rfxrrrl.exec:\rfxrrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\rxxfxff.exec:\rxxfxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\jjddd.exec:\jjddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\dpvpp.exec:\dpvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\dvjjv.exec:\dvjjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\5hhtnh.exec:\5hhtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\9jjjd.exec:\9jjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\rffxxxf.exec:\rffxxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\3hbbtt.exec:\3hbbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\7vvvj.exec:\7vvvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\3xrlxrl.exec:\3xrlxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\tttnnh.exec:\tttnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\hhnhtb.exec:\hhnhtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\ttbnhb.exec:\ttbnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\3pjdv.exec:\3pjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\rffffxr.exec:\rffffxr.exe23⤵
- Executes dropped EXE
PID:1664 -
\??\c:\jpppj.exec:\jpppj.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\dvvpj.exec:\dvvpj.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2800 -
\??\c:\7hbbtt.exec:\7hbbtt.exe26⤵
- Executes dropped EXE
PID:3372 -
\??\c:\9dvpj.exec:\9dvpj.exe27⤵
- Executes dropped EXE
PID:1708 -
\??\c:\nbhbbb.exec:\nbhbbb.exe28⤵
- Executes dropped EXE
PID:4360 -
\??\c:\jvpdp.exec:\jvpdp.exe29⤵
- Executes dropped EXE
PID:1832 -
\??\c:\rrlrrlr.exec:\rrlrrlr.exe30⤵
- Executes dropped EXE
PID:3988 -
\??\c:\jvvvp.exec:\jvvvp.exe31⤵
- Executes dropped EXE
PID:4652 -
\??\c:\llrlxxf.exec:\llrlxxf.exe32⤵
- Executes dropped EXE
PID:4196 -
\??\c:\nnhbtt.exec:\nnhbtt.exe33⤵
- Executes dropped EXE
PID:2776 -
\??\c:\7pppj.exec:\7pppj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
\??\c:\nbnbnh.exec:\nbnbnh.exe35⤵
- Executes dropped EXE
PID:3116 -
\??\c:\hhnhbb.exec:\hhnhbb.exe36⤵
- Executes dropped EXE
PID:1760 -
\??\c:\7jjdp.exec:\7jjdp.exe37⤵
- Executes dropped EXE
PID:1204 -
\??\c:\5frflfr.exec:\5frflfr.exe38⤵
- Executes dropped EXE
PID:2524 -
\??\c:\hnhbtt.exec:\hnhbtt.exe39⤵
- Executes dropped EXE
PID:4356 -
\??\c:\dvvpd.exec:\dvvpd.exe40⤵
- Executes dropped EXE
PID:2740 -
\??\c:\ppvjd.exec:\ppvjd.exe41⤵
- Executes dropped EXE
PID:1416 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe42⤵
- Executes dropped EXE
PID:1424 -
\??\c:\hnnbnh.exec:\hnnbnh.exe43⤵
- Executes dropped EXE
PID:2948 -
\??\c:\pvjjd.exec:\pvjjd.exe44⤵
- Executes dropped EXE
PID:2788 -
\??\c:\7rxllll.exec:\7rxllll.exe45⤵
- Executes dropped EXE
PID:4536 -
\??\c:\hthbnh.exec:\hthbnh.exe46⤵
- Executes dropped EXE
PID:1124 -
\??\c:\jvjvd.exec:\jvjvd.exe47⤵
- Executes dropped EXE
PID:3076 -
\??\c:\dppjv.exec:\dppjv.exe48⤵
- Executes dropped EXE
PID:2848 -
\??\c:\3llffff.exec:\3llffff.exe49⤵
- Executes dropped EXE
PID:1552 -
\??\c:\bhhhbb.exec:\bhhhbb.exe50⤵
- Executes dropped EXE
PID:1244 -
\??\c:\vvjvp.exec:\vvjvp.exe51⤵
- Executes dropped EXE
PID:3868 -
\??\c:\5fxlxrf.exec:\5fxlxrf.exe52⤵
- Executes dropped EXE
PID:4448 -
\??\c:\btnbnh.exec:\btnbnh.exe53⤵
- Executes dropped EXE
PID:4456 -
\??\c:\7vvjv.exec:\7vvjv.exe54⤵
- Executes dropped EXE
PID:4856 -
\??\c:\jvpjv.exec:\jvpjv.exe55⤵
- Executes dropped EXE
PID:904 -
\??\c:\7lfxfll.exec:\7lfxfll.exe56⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bnnbnh.exec:\bnnbnh.exe57⤵
- Executes dropped EXE
PID:2620 -
\??\c:\ttbnbb.exec:\ttbnbb.exe58⤵
- Executes dropped EXE
PID:936 -
\??\c:\5jjjd.exec:\5jjjd.exe59⤵
- Executes dropped EXE
PID:4904 -
\??\c:\lxrfrlf.exec:\lxrfrlf.exe60⤵
- Executes dropped EXE
PID:4088 -
\??\c:\httnbt.exec:\httnbt.exe61⤵
- Executes dropped EXE
PID:452 -
\??\c:\thhhhh.exec:\thhhhh.exe62⤵
- Executes dropped EXE
PID:3608 -
\??\c:\jdppd.exec:\jdppd.exe63⤵
- Executes dropped EXE
PID:2636 -
\??\c:\rrxrrlf.exec:\rrxrrlf.exe64⤵
- Executes dropped EXE
PID:1064 -
\??\c:\btbtnh.exec:\btbtnh.exe65⤵
- Executes dropped EXE
PID:5028 -
\??\c:\hbtnhh.exec:\hbtnhh.exe66⤵PID:3408
-
\??\c:\pddvd.exec:\pddvd.exe67⤵PID:4700
-
\??\c:\fxxxlfx.exec:\fxxxlfx.exe68⤵PID:2432
-
\??\c:\5lxrlfx.exec:\5lxrlfx.exe69⤵PID:4540
-
\??\c:\thhbtn.exec:\thhbtn.exe70⤵PID:2396
-
\??\c:\vpvjv.exec:\vpvjv.exe71⤵PID:3560
-
\??\c:\lxxlrlf.exec:\lxxlrlf.exe72⤵PID:4236
-
\??\c:\lxxfrrf.exec:\lxxfrrf.exe73⤵PID:4940
-
\??\c:\hhtntt.exec:\hhtntt.exe74⤵PID:4424
-
\??\c:\7vvjd.exec:\7vvjd.exe75⤵PID:5096
-
\??\c:\1jjpj.exec:\1jjpj.exe76⤵PID:4744
-
\??\c:\7rlxrlf.exec:\7rlxrlf.exe77⤵PID:4252
-
\??\c:\7tbthh.exec:\7tbthh.exe78⤵PID:2604
-
\??\c:\nhbhbb.exec:\nhbhbb.exe79⤵PID:3548
-
\??\c:\ppvvp.exec:\ppvvp.exe80⤵PID:4628
-
\??\c:\lflxfxf.exec:\lflxfxf.exe81⤵PID:1500
-
\??\c:\hbtnbb.exec:\hbtnbb.exe82⤵PID:3656
-
\??\c:\hbbtnn.exec:\hbbtnn.exe83⤵PID:1192
-
\??\c:\jppjj.exec:\jppjj.exe84⤵PID:392
-
\??\c:\rfrflfl.exec:\rfrflfl.exe85⤵PID:1664
-
\??\c:\fxfflfx.exec:\fxfflfx.exe86⤵PID:3688
-
\??\c:\bntntn.exec:\bntntn.exe87⤵PID:3388
-
\??\c:\jdvpj.exec:\jdvpj.exe88⤵PID:4332
-
\??\c:\5xrfxrl.exec:\5xrfxrl.exe89⤵PID:5112
-
\??\c:\xlrrrfx.exec:\xlrrrfx.exe90⤵PID:3744
-
\??\c:\5bbtnt.exec:\5bbtnt.exe91⤵PID:2748
-
\??\c:\9jvvd.exec:\9jvvd.exe92⤵PID:2464
-
\??\c:\ppdvv.exec:\ppdvv.exe93⤵PID:2944
-
\??\c:\7lllffx.exec:\7lllffx.exe94⤵PID:1692
-
\??\c:\5nttnn.exec:\5nttnn.exe95⤵PID:2364
-
\??\c:\5ddvp.exec:\5ddvp.exe96⤵PID:1936
-
\??\c:\ddjdp.exec:\ddjdp.exe97⤵PID:3976
-
\??\c:\9xxrrrr.exec:\9xxrrrr.exe98⤵PID:3884
-
\??\c:\3tnhbt.exec:\3tnhbt.exe99⤵PID:3528
-
\??\c:\pvjdd.exec:\pvjdd.exe100⤵PID:708
-
\??\c:\3flfxxx.exec:\3flfxxx.exe101⤵PID:3936
-
\??\c:\bnthbh.exec:\bnthbh.exe102⤵PID:2736
-
\??\c:\nbbtnn.exec:\nbbtnn.exe103⤵PID:4588
-
\??\c:\vjpjj.exec:\vjpjj.exe104⤵PID:1600
-
\??\c:\3xrxrrx.exec:\3xrxrrx.exe105⤵PID:5084
-
\??\c:\3rrlflf.exec:\3rrlflf.exe106⤵PID:3468
-
\??\c:\nbbbtt.exec:\nbbbtt.exe107⤵PID:1424
-
\??\c:\jvpjv.exec:\jvpjv.exe108⤵PID:1264
-
\??\c:\jjpjd.exec:\jjpjd.exe109⤵PID:4024
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe110⤵PID:2744
-
\??\c:\bththb.exec:\bththb.exe111⤵PID:2816
-
\??\c:\7hhbnt.exec:\7hhbnt.exe112⤵PID:4496
-
\??\c:\dvdvp.exec:\dvdvp.exe113⤵PID:1260
-
\??\c:\xrrrlff.exec:\xrrrlff.exe114⤵PID:3672
-
\??\c:\xllfxxx.exec:\xllfxxx.exe115⤵PID:4564
-
\??\c:\htnnhb.exec:\htnnhb.exe116⤵PID:4480
-
\??\c:\pvvjd.exec:\pvvjd.exe117⤵PID:4860
-
\??\c:\xrlxlxr.exec:\xrlxlxr.exe118⤵PID:3972
-
\??\c:\lrxllxr.exec:\lrxllxr.exe119⤵PID:3776
-
\??\c:\5bbnht.exec:\5bbnht.exe120⤵PID:2804
-
\??\c:\pvjdv.exec:\pvjdv.exe121⤵PID:5060
-
\??\c:\1vvvj.exec:\1vvvj.exe122⤵PID:2392