Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28/12/2024, 20:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d.exe
-
Size
454KB
-
MD5
22d677bacb60344e879fb9042b9a1313
-
SHA1
07bec762950b9ca0804d7cf7d20f725f3923a436
-
SHA256
23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d
-
SHA512
9b58f207c77287de40569fd9425dc0ada962bcf3c96b5327a1ad185c308f3772c2b73e949d10b5e78679555fc3934cb2718e32e6d6d57bd866f57dbfad931206
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every hit below lands on the same 0x00400000–0x0042A000 image range of each successive dropped copy, and the same regions also match the UPX rule further down, so the payload appears to be carried in a UPX-packed image that is re-dropped under a new random name at each hop of the chain)
resource yara_rule behavioral2/memory/2032-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1760-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2004-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4176-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2476-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-1133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-1209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-1231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3168-1602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4556 llxrrrf.exe 1116 7djjd.exe 392 pvdjp.exe 4020 ppvpj.exe 2636 jvjdd.exe 3164 lfllxxr.exe 4608 nbbbbb.exe 1020 jdjpp.exe 1772 pjppj.exe 4832 5rfxffl.exe 1496 bbhbbb.exe 3492 1llxlfl.exe 2252 9nhbnh.exe 3864 nhhtnt.exe 3316 nhhtnh.exe 4008 pjdvj.exe 1988 hbhhhh.exe 3728 fllfrlf.exe 2272 hnnhtt.exe 1304 xxxrxfx.exe 624 bnbntb.exe 2232 7pjvd.exe 4732 hntntt.exe 3408 3ddvj.exe 1244 pdpvj.exe 1760 hbhbtn.exe 2876 xxrrlll.exe 4748 thnhht.exe 5076 5jvvp.exe 3980 xxfxxxl.exe 3684 fxfxlfl.exe 2788 htnhhh.exe 1068 5vdvp.exe 720 3hbtnt.exe 1276 1ppjj.exe 3732 rxfrlll.exe 1732 btnbbt.exe 2200 pppjv.exe 4236 llrflfr.exe 4968 flrlfxl.exe 4004 hthnbt.exe 3708 dpjdp.exe 4776 fxrlfff.exe 4372 nhnbht.exe 3284 pjvjv.exe 640 flxxrrf.exe 4556 hhnhtn.exe 1468 vjpjd.exe 3256 pjjjv.exe 4808 hbthbt.exe 60 1tnthb.exe 3060 vjjvd.exe 4760 pjpdv.exe 1508 fxxrrlf.exe 4608 htthtn.exe 2608 pjjvj.exe 4316 llxrxrx.exe 4744 rxfffff.exe 4832 jpvvp.exe 4436 1pjvd.exe 780 frrlffl.exe 980 btbttn.exe 2524 bttthh.exe 2196 jdvjj.exe -
resource yara_rule behavioral2/memory/2032-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2876-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-373-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1604-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-689-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries listed as "Process not Found" are registry opens whose originating process had already exited by the time the event was attributed, so the per-process names below are incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (in this trace every write is from a parent process to the child it has just spawned — compare the parent/child chain under Processes below — which is consistent with the normal process-creation path rather than injection into an unrelated, pre-existing process; treat it as a loader-chain indicator, not on its own as evidence of code injection)
description pid Process procid_target PID 2032 wrote to memory of 4556 2032 23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d.exe 82 PID 2032 wrote to memory of 4556 2032 23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d.exe 82 PID 2032 wrote to memory of 4556 2032 23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d.exe 82 PID 4556 wrote to memory of 1116 4556 llxrrrf.exe 83 PID 4556 wrote to memory of 1116 4556 llxrrrf.exe 83 PID 4556 wrote to memory of 1116 4556 llxrrrf.exe 83 PID 1116 wrote to memory of 392 1116 7djjd.exe 84 PID 1116 wrote to memory of 392 1116 7djjd.exe 84 PID 1116 wrote to memory of 392 1116 7djjd.exe 84 PID 392 wrote to memory of 4020 392 pvdjp.exe 85 PID 392 wrote to memory of 4020 392 pvdjp.exe 85 PID 392 wrote to memory of 4020 392 pvdjp.exe 85 PID 4020 wrote to memory of 2636 4020 ppvpj.exe 86 PID 4020 wrote to memory of 2636 4020 ppvpj.exe 86 PID 4020 wrote to memory of 2636 4020 ppvpj.exe 86 PID 2636 wrote to memory of 3164 2636 jvjdd.exe 87 PID 2636 wrote to memory of 3164 2636 jvjdd.exe 87 PID 2636 wrote to memory of 3164 2636 jvjdd.exe 87 PID 3164 wrote to memory of 4608 3164 lfllxxr.exe 88 PID 3164 wrote to memory of 4608 3164 lfllxxr.exe 88 PID 3164 wrote to memory of 4608 3164 lfllxxr.exe 88 PID 4608 wrote to memory of 1020 4608 nbbbbb.exe 89 PID 4608 wrote to memory of 1020 4608 nbbbbb.exe 89 PID 4608 wrote to memory of 1020 4608 nbbbbb.exe 89 PID 1020 wrote to memory of 1772 1020 jdjpp.exe 90 PID 1020 wrote to memory of 1772 1020 jdjpp.exe 90 PID 1020 wrote to memory of 1772 1020 jdjpp.exe 90 PID 1772 wrote to memory of 4832 1772 pjppj.exe 91 PID 1772 wrote to memory of 4832 1772 pjppj.exe 91 PID 1772 wrote to memory of 4832 1772 pjppj.exe 91 PID 4832 wrote to memory of 1496 4832 5rfxffl.exe 92 PID 4832 wrote to memory of 1496 4832 5rfxffl.exe 92 PID 4832 wrote to memory of 1496 4832 5rfxffl.exe 92 PID 1496 wrote to memory of 3492 1496 bbhbbb.exe 93 PID 1496 wrote to memory of 3492 1496 
bbhbbb.exe 93 PID 1496 wrote to memory of 3492 1496 bbhbbb.exe 93 PID 3492 wrote to memory of 2252 3492 1llxlfl.exe 94 PID 3492 wrote to memory of 2252 3492 1llxlfl.exe 94 PID 3492 wrote to memory of 2252 3492 1llxlfl.exe 94 PID 2252 wrote to memory of 3864 2252 9nhbnh.exe 95 PID 2252 wrote to memory of 3864 2252 9nhbnh.exe 95 PID 2252 wrote to memory of 3864 2252 9nhbnh.exe 95 PID 3864 wrote to memory of 3316 3864 nhhtnt.exe 96 PID 3864 wrote to memory of 3316 3864 nhhtnt.exe 96 PID 3864 wrote to memory of 3316 3864 nhhtnt.exe 96 PID 3316 wrote to memory of 4008 3316 nhhtnh.exe 97 PID 3316 wrote to memory of 4008 3316 nhhtnh.exe 97 PID 3316 wrote to memory of 4008 3316 nhhtnh.exe 97 PID 4008 wrote to memory of 1988 4008 pjdvj.exe 98 PID 4008 wrote to memory of 1988 4008 pjdvj.exe 98 PID 4008 wrote to memory of 1988 4008 pjdvj.exe 98 PID 1988 wrote to memory of 3728 1988 hbhhhh.exe 99 PID 1988 wrote to memory of 3728 1988 hbhhhh.exe 99 PID 1988 wrote to memory of 3728 1988 hbhhhh.exe 99 PID 3728 wrote to memory of 2272 3728 fllfrlf.exe 100 PID 3728 wrote to memory of 2272 3728 fllfrlf.exe 100 PID 3728 wrote to memory of 2272 3728 fllfrlf.exe 100 PID 2272 wrote to memory of 1304 2272 hnnhtt.exe 101 PID 2272 wrote to memory of 1304 2272 hnnhtt.exe 101 PID 2272 wrote to memory of 1304 2272 hnnhtt.exe 101 PID 1304 wrote to memory of 624 1304 xxxrxfx.exe 102 PID 1304 wrote to memory of 624 1304 xxxrxfx.exe 102 PID 1304 wrote to memory of 624 1304 xxxrxfx.exe 102 PID 624 wrote to memory of 2232 624 bnbntb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d.exe"C:\Users\Admin\AppData\Local\Temp\23342650f890cb44811530777913f749504f6c4007c1fcb4e8ea06d53ac1023d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\llxrrrf.exec:\llxrrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\7djjd.exec:\7djjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\pvdjp.exec:\pvdjp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\ppvpj.exec:\ppvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\jvjdd.exec:\jvjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\lfllxxr.exec:\lfllxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\nbbbbb.exec:\nbbbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\jdjpp.exec:\jdjpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\pjppj.exec:\pjppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\5rfxffl.exec:\5rfxffl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\bbhbbb.exec:\bbhbbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\1llxlfl.exec:\1llxlfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\9nhbnh.exec:\9nhbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\nhhtnt.exec:\nhhtnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\nhhtnh.exec:\nhhtnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\pjdvj.exec:\pjdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\hbhhhh.exec:\hbhhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\fllfrlf.exec:\fllfrlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3728 -
\??\c:\hnnhtt.exec:\hnnhtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\xxxrxfx.exec:\xxxrxfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\bnbntb.exec:\bnbntb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\7pjvd.exec:\7pjvd.exe23⤵
- Executes dropped EXE
PID:2232 -
\??\c:\hntntt.exec:\hntntt.exe24⤵
- Executes dropped EXE
PID:4732 -
\??\c:\3ddvj.exec:\3ddvj.exe25⤵
- Executes dropped EXE
PID:3408 -
\??\c:\pdpvj.exec:\pdpvj.exe26⤵
- Executes dropped EXE
PID:1244 -
\??\c:\hbhbtn.exec:\hbhbtn.exe27⤵
- Executes dropped EXE
PID:1760 -
\??\c:\xxrrlll.exec:\xxrrlll.exe28⤵
- Executes dropped EXE
PID:2876 -
\??\c:\thnhht.exec:\thnhht.exe29⤵
- Executes dropped EXE
PID:4748 -
\??\c:\5jvvp.exec:\5jvvp.exe30⤵
- Executes dropped EXE
PID:5076 -
\??\c:\xxfxxxl.exec:\xxfxxxl.exe31⤵
- Executes dropped EXE
PID:3980 -
\??\c:\fxfxlfl.exec:\fxfxlfl.exe32⤵
- Executes dropped EXE
PID:3684 -
\??\c:\htnhhh.exec:\htnhhh.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788 -
\??\c:\5vdvp.exec:\5vdvp.exe34⤵
- Executes dropped EXE
PID:1068 -
\??\c:\3hbtnt.exec:\3hbtnt.exe35⤵
- Executes dropped EXE
PID:720 -
\??\c:\1ppjj.exec:\1ppjj.exe36⤵
- Executes dropped EXE
PID:1276 -
\??\c:\rxfrlll.exec:\rxfrlll.exe37⤵
- Executes dropped EXE
PID:3732 -
\??\c:\btnbbt.exec:\btnbbt.exe38⤵
- Executes dropped EXE
PID:1732 -
\??\c:\pppjv.exec:\pppjv.exe39⤵
- Executes dropped EXE
PID:2200 -
\??\c:\llrflfr.exec:\llrflfr.exe40⤵
- Executes dropped EXE
PID:4236 -
\??\c:\flrlfxl.exec:\flrlfxl.exe41⤵
- Executes dropped EXE
PID:4968 -
\??\c:\hthnbt.exec:\hthnbt.exe42⤵
- Executes dropped EXE
PID:4004 -
\??\c:\dpjdp.exec:\dpjdp.exe43⤵
- Executes dropped EXE
PID:3708 -
\??\c:\fxrlfff.exec:\fxrlfff.exe44⤵
- Executes dropped EXE
PID:4776 -
\??\c:\nhnbht.exec:\nhnbht.exe45⤵
- Executes dropped EXE
PID:4372 -
\??\c:\pjvjv.exec:\pjvjv.exe46⤵
- Executes dropped EXE
PID:3284 -
\??\c:\flxxrrf.exec:\flxxrrf.exe47⤵
- Executes dropped EXE
PID:640 -
\??\c:\hhnhtn.exec:\hhnhtn.exe48⤵
- Executes dropped EXE
PID:4556 -
\??\c:\vjpjd.exec:\vjpjd.exe49⤵
- Executes dropped EXE
PID:1468 -
\??\c:\pjjjv.exec:\pjjjv.exe50⤵
- Executes dropped EXE
PID:3256 -
\??\c:\hbthbt.exec:\hbthbt.exe51⤵
- Executes dropped EXE
PID:4808 -
\??\c:\1tnthb.exec:\1tnthb.exe52⤵
- Executes dropped EXE
PID:60 -
\??\c:\vjjvd.exec:\vjjvd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
\??\c:\pjpdv.exec:\pjpdv.exe54⤵
- Executes dropped EXE
PID:4760 -
\??\c:\fxxrrlf.exec:\fxxrrlf.exe55⤵
- Executes dropped EXE
PID:1508 -
\??\c:\htthtn.exec:\htthtn.exe56⤵
- Executes dropped EXE
PID:4608 -
\??\c:\pjjvj.exec:\pjjvj.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2608 -
\??\c:\llxrxrx.exec:\llxrxrx.exe58⤵
- Executes dropped EXE
PID:4316 -
\??\c:\rxfffff.exec:\rxfffff.exe59⤵
- Executes dropped EXE
PID:4744 -
\??\c:\jpvvp.exec:\jpvvp.exe60⤵
- Executes dropped EXE
PID:4832 -
\??\c:\1pjvd.exec:\1pjvd.exe61⤵
- Executes dropped EXE
PID:4436 -
\??\c:\frrlffl.exec:\frrlffl.exe62⤵
- Executes dropped EXE
PID:780 -
\??\c:\btbttn.exec:\btbttn.exe63⤵
- Executes dropped EXE
PID:980 -
\??\c:\bttthh.exec:\bttthh.exe64⤵
- Executes dropped EXE
PID:2524 -
\??\c:\jdvjj.exec:\jdvjj.exe65⤵
- Executes dropped EXE
PID:2196 -
\??\c:\3xxlxrl.exec:\3xxlxrl.exe66⤵PID:4332
-
\??\c:\7tnbnn.exec:\7tnbnn.exe67⤵PID:4544
-
\??\c:\vdjvj.exec:\vdjvj.exe68⤵PID:2004
-
\??\c:\lxfxllf.exec:\lxfxllf.exe69⤵PID:3940
-
\??\c:\rrrfrlf.exec:\rrrfrlf.exe70⤵PID:4296
-
\??\c:\tbbbtt.exec:\tbbbtt.exe71⤵PID:3612
-
\??\c:\5jvpd.exec:\5jvpd.exe72⤵PID:4564
-
\??\c:\jvvjv.exec:\jvvjv.exe73⤵PID:1592
-
\??\c:\lrrflfx.exec:\lrrflfx.exe74⤵PID:2556
-
\??\c:\htbtht.exec:\htbtht.exe75⤵PID:4944
-
\??\c:\djdvj.exec:\djdvj.exe76⤵PID:1472
-
\??\c:\7pdpd.exec:\7pdpd.exe77⤵PID:2232
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe78⤵PID:3152
-
\??\c:\thnhth.exec:\thnhth.exe79⤵PID:2000
-
\??\c:\btbtnh.exec:\btbtnh.exe80⤵PID:5116
-
\??\c:\jppjd.exec:\jppjd.exe81⤵PID:3988
-
\??\c:\fxllrrx.exec:\fxllrrx.exe82⤵PID:1576
-
\??\c:\btbtnn.exec:\btbtnn.exe83⤵PID:3288
-
\??\c:\vjjvp.exec:\vjjvp.exe84⤵PID:1044
-
\??\c:\xxlfflx.exec:\xxlfflx.exe85⤵PID:4816
-
\??\c:\xrlxxxf.exec:\xrlxxxf.exe86⤵PID:696
-
\??\c:\pjpdv.exec:\pjpdv.exe87⤵PID:5044
-
\??\c:\1vdpd.exec:\1vdpd.exe88⤵PID:2388
-
\??\c:\fllxfxr.exec:\fllxfxr.exe89⤵PID:2780
-
\??\c:\bnthtn.exec:\bnthtn.exe90⤵PID:1604
-
\??\c:\jddvj.exec:\jddvj.exe91⤵PID:3140
-
\??\c:\3lxrxrl.exec:\3lxrxrl.exe92⤵PID:3796
-
\??\c:\7hthbh.exec:\7hthbh.exe93⤵PID:2816
-
\??\c:\9jvjv.exec:\9jvjv.exe94⤵PID:1500
-
\??\c:\5lfxlfx.exec:\5lfxlfx.exe95⤵PID:4728
-
\??\c:\7lxxlfr.exec:\7lxxlfr.exe96⤵PID:2312
-
\??\c:\tbtntn.exec:\tbtntn.exe97⤵PID:4988
-
\??\c:\djjvd.exec:\djjvd.exe98⤵PID:4696
-
\??\c:\xlllxxl.exec:\xlllxxl.exe99⤵PID:1180
-
\??\c:\xfxfrlx.exec:\xfxfrlx.exe100⤵PID:1712
-
\??\c:\7ntntn.exec:\7ntntn.exe101⤵PID:4400
-
\??\c:\jvvdp.exec:\jvvdp.exe102⤵PID:4444
-
\??\c:\lfrfrlx.exec:\lfrfrlx.exe103⤵PID:4836
-
\??\c:\9nbtnh.exec:\9nbtnh.exe104⤵PID:5008
-
\??\c:\hhnhbt.exec:\hhnhbt.exe105⤵PID:2920
-
\??\c:\vjjvj.exec:\vjjvj.exe106⤵PID:1116
-
\??\c:\lllxlff.exec:\lllxlff.exe107⤵PID:2104
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe108⤵PID:5020
-
\??\c:\1nnbnn.exec:\1nnbnn.exe109⤵PID:1580
-
\??\c:\pvpjd.exec:\pvpjd.exe110⤵PID:1048
-
\??\c:\xlfrxrf.exec:\xlfrxrf.exe111⤵PID:2396
-
\??\c:\1rrlxrf.exec:\1rrlxrf.exe112⤵PID:5016
-
\??\c:\httnhb.exec:\httnhb.exe113⤵PID:3724
-
\??\c:\pdpdv.exec:\pdpdv.exe114⤵PID:880
-
\??\c:\ffxlflf.exec:\ffxlflf.exe115⤵PID:4608
-
\??\c:\nhbthb.exec:\nhbthb.exe116⤵PID:2980
-
\??\c:\nbthtn.exec:\nbthtn.exe117⤵PID:4316
-
\??\c:\jvpjv.exec:\jvpjv.exe118⤵PID:4052
-
\??\c:\xxlxlff.exec:\xxlxlff.exe119⤵PID:4356
-
\??\c:\9btnhn.exec:\9btnhn.exe120⤵PID:3948
-
\??\c:\nnnbth.exec:\nnnbth.exe121⤵PID:3492
-
\??\c:\vpdpd.exec:\vpdpd.exe122⤵PID:1124