Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 05:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f.exe
-
Size
456KB
-
MD5
68776a08dcfb7e37f2e6256cb5e304b8
-
SHA1
d3d2aa1a557681df99d24f9dfe3adbd0b2b0ccd5
-
SHA256
e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f
-
SHA512
8c685062b9f138129bbef8e60bd9da5c69537a41a872fc527c08b82052eef6303a50ec68ab51c0a19a9063efc6b42e821f674b4e04428fa2ee3e80c58420ba88
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRIB:q7Tc2NYHUrAwfMp3CDRQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1356-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4624-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/452-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-704-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5048 3xxrllf.exe 3208 pjvpj.exe 2900 lxfxrrr.exe 2920 hbttnh.exe 2208 hbhbtn.exe 3220 jdjpd.exe 4848 nbbbtt.exe 3748 rxrllff.exe 1592 5ntntt.exe 1224 jdjdv.exe 2912 9flfxxr.exe 396 rfrlfrr.exe 4280 bttnhb.exe 5012 lfllffx.exe 2088 dpvpj.exe 2760 9rxxffl.exe 428 bbnnhn.exe 4472 nbbtnb.exe 3972 fffxlfx.exe 2988 lfllffx.exe 3392 7bnnhn.exe 2244 djdvp.exe 1868 flxxrrf.exe 1716 5tbbhb.exe 4324 dvvpj.exe 4624 bttnhh.exe 2440 ddpjp.exe 3952 dppjv.exe 836 llxxxrf.exe 3628 1hhhbt.exe 1352 hbthbt.exe 2708 pdvjd.exe 1408 nbtnhh.exe 2788 tnbnbh.exe 1364 thbtnt.exe 1604 vdpdj.exe 4928 nhtnhn.exe 2396 jvdpj.exe 1420 fxrlffx.exe 1060 rxxfrxf.exe 2524 jpjpp.exe 2152 nnnnhb.exe 5036 djvpj.exe 216 xlrlfxr.exe 3976 rlxrxll.exe 1656 nhhbtn.exe 1388 7flxfxf.exe 3856 xrllfxx.exe 3968 hhthbt.exe 4424 7vdjd.exe 3052 9frlfxr.exe 3540 lrfrllf.exe 644 3ntttt.exe 804 vvddj.exe 3348 pvdvj.exe 2920 lffxrxr.exe 4060 bbhhbt.exe 1340 9ttnhh.exe 3944 5jpjv.exe 3220 5lrlrrl.exe 4552 tttnhh.exe 2416 djjdv.exe 4924 3pvpp.exe 452 9xfrffx.exe -
resource yara_rule behavioral2/memory/1356-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4324-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3100-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-648-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1356 wrote to memory of 5048 1356 e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f.exe 82 PID 1356 wrote to memory of 5048 1356 e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f.exe 82 PID 1356 wrote to memory of 5048 1356 e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f.exe 82 PID 5048 wrote to memory of 3208 5048 3xxrllf.exe 83 PID 5048 wrote to memory of 3208 5048 3xxrllf.exe 83 PID 5048 wrote to memory of 3208 5048 3xxrllf.exe 83 PID 3208 wrote to memory of 2900 3208 pjvpj.exe 84 PID 3208 wrote to memory of 2900 3208 pjvpj.exe 84 PID 3208 wrote to memory of 2900 3208 pjvpj.exe 84 PID 2900 wrote to memory of 2920 2900 lxfxrrr.exe 85 PID 2900 wrote to memory of 2920 2900 lxfxrrr.exe 85 PID 2900 wrote to memory of 2920 2900 lxfxrrr.exe 85 PID 2920 wrote to memory of 2208 2920 hbttnh.exe 86 PID 2920 wrote to memory of 2208 2920 hbttnh.exe 86 PID 2920 wrote to memory of 2208 2920 hbttnh.exe 86 PID 2208 wrote to memory of 3220 2208 hbhbtn.exe 87 PID 2208 wrote to memory of 3220 2208 hbhbtn.exe 87 PID 2208 wrote to memory of 3220 2208 hbhbtn.exe 87 PID 3220 wrote to memory of 4848 3220 jdjpd.exe 88 PID 3220 wrote to memory of 4848 3220 jdjpd.exe 88 PID 3220 wrote to memory of 4848 3220 jdjpd.exe 88 PID 4848 wrote to memory of 3748 4848 nbbbtt.exe 89 PID 4848 wrote to memory of 3748 4848 nbbbtt.exe 89 PID 4848 wrote to memory of 3748 4848 nbbbtt.exe 89 PID 3748 wrote to memory of 1592 3748 rxrllff.exe 90 PID 3748 wrote to memory of 1592 3748 rxrllff.exe 90 PID 3748 wrote to memory of 1592 3748 rxrllff.exe 90 PID 1592 wrote to memory of 1224 1592 5ntntt.exe 91 PID 1592 wrote to memory of 1224 1592 5ntntt.exe 91 PID 1592 wrote to memory of 1224 1592 5ntntt.exe 91 PID 1224 wrote to memory of 2912 1224 jdjdv.exe 92 PID 1224 wrote to memory of 2912 1224 jdjdv.exe 92 PID 1224 wrote to memory of 2912 1224 jdjdv.exe 92 PID 2912 wrote to memory of 396 2912 9flfxxr.exe 93 PID 2912 wrote to 
memory of 396 2912 9flfxxr.exe 93 PID 2912 wrote to memory of 396 2912 9flfxxr.exe 93 PID 396 wrote to memory of 4280 396 rfrlfrr.exe 94 PID 396 wrote to memory of 4280 396 rfrlfrr.exe 94 PID 396 wrote to memory of 4280 396 rfrlfrr.exe 94 PID 4280 wrote to memory of 5012 4280 bttnhb.exe 95 PID 4280 wrote to memory of 5012 4280 bttnhb.exe 95 PID 4280 wrote to memory of 5012 4280 bttnhb.exe 95 PID 5012 wrote to memory of 2088 5012 lfllffx.exe 96 PID 5012 wrote to memory of 2088 5012 lfllffx.exe 96 PID 5012 wrote to memory of 2088 5012 lfllffx.exe 96 PID 2088 wrote to memory of 2760 2088 dpvpj.exe 97 PID 2088 wrote to memory of 2760 2088 dpvpj.exe 97 PID 2088 wrote to memory of 2760 2088 dpvpj.exe 97 PID 2760 wrote to memory of 428 2760 9rxxffl.exe 98 PID 2760 wrote to memory of 428 2760 9rxxffl.exe 98 PID 2760 wrote to memory of 428 2760 9rxxffl.exe 98 PID 428 wrote to memory of 4472 428 bbnnhn.exe 99 PID 428 wrote to memory of 4472 428 bbnnhn.exe 99 PID 428 wrote to memory of 4472 428 bbnnhn.exe 99 PID 4472 wrote to memory of 3972 4472 nbbtnb.exe 100 PID 4472 wrote to memory of 3972 4472 nbbtnb.exe 100 PID 4472 wrote to memory of 3972 4472 nbbtnb.exe 100 PID 3972 wrote to memory of 2988 3972 fffxlfx.exe 101 PID 3972 wrote to memory of 2988 3972 fffxlfx.exe 101 PID 3972 wrote to memory of 2988 3972 fffxlfx.exe 101 PID 2988 wrote to memory of 3392 2988 lfllffx.exe 102 PID 2988 wrote to memory of 3392 2988 lfllffx.exe 102 PID 2988 wrote to memory of 3392 2988 lfllffx.exe 102 PID 3392 wrote to memory of 2244 3392 7bnnhn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f.exe"C:\Users\Admin\AppData\Local\Temp\e48af0eecb39517a47f30362055240dbb1ba0d055f08f9833de8571e4fd1e62f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\3xxrllf.exec:\3xxrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\pjvpj.exec:\pjvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\hbttnh.exec:\hbttnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\hbhbtn.exec:\hbhbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\jdjpd.exec:\jdjpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\nbbbtt.exec:\nbbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\rxrllff.exec:\rxrllff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748 -
\??\c:\5ntntt.exec:\5ntntt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\jdjdv.exec:\jdjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\9flfxxr.exec:\9flfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\rfrlfrr.exec:\rfrlfrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\bttnhb.exec:\bttnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\lfllffx.exec:\lfllffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\dpvpj.exec:\dpvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\9rxxffl.exec:\9rxxffl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\bbnnhn.exec:\bbnnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\nbbtnb.exec:\nbbtnb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\fffxlfx.exec:\fffxlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\lfllffx.exec:\lfllffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\7bnnhn.exec:\7bnnhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\djdvp.exec:\djdvp.exe23⤵
- Executes dropped EXE
PID:2244 -
\??\c:\flxxrrf.exec:\flxxrrf.exe24⤵
- Executes dropped EXE
PID:1868 -
\??\c:\5tbbhb.exec:\5tbbhb.exe25⤵
- Executes dropped EXE
PID:1716 -
\??\c:\dvvpj.exec:\dvvpj.exe26⤵
- Executes dropped EXE
PID:4324 -
\??\c:\bttnhh.exec:\bttnhh.exe27⤵
- Executes dropped EXE
PID:4624 -
\??\c:\ddpjp.exec:\ddpjp.exe28⤵
- Executes dropped EXE
PID:2440 -
\??\c:\dppjv.exec:\dppjv.exe29⤵
- Executes dropped EXE
PID:3952 -
\??\c:\llxxxrf.exec:\llxxxrf.exe30⤵
- Executes dropped EXE
PID:836 -
\??\c:\1hhhbt.exec:\1hhhbt.exe31⤵
- Executes dropped EXE
PID:3628 -
\??\c:\hbthbt.exec:\hbthbt.exe32⤵
- Executes dropped EXE
PID:1352 -
\??\c:\pdvjd.exec:\pdvjd.exe33⤵
- Executes dropped EXE
PID:2708 -
\??\c:\nbtnhh.exec:\nbtnhh.exe34⤵
- Executes dropped EXE
PID:1408 -
\??\c:\tnbnbh.exec:\tnbnbh.exe35⤵
- Executes dropped EXE
PID:2788 -
\??\c:\thbtnt.exec:\thbtnt.exe36⤵
- Executes dropped EXE
PID:1364 -
\??\c:\vdpdj.exec:\vdpdj.exe37⤵
- Executes dropped EXE
PID:1604 -
\??\c:\nhtnhn.exec:\nhtnhn.exe38⤵
- Executes dropped EXE
PID:4928 -
\??\c:\jvdpj.exec:\jvdpj.exe39⤵
- Executes dropped EXE
PID:2396 -
\??\c:\fxrlffx.exec:\fxrlffx.exe40⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rxxfrxf.exec:\rxxfrxf.exe41⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jpjpp.exec:\jpjpp.exe42⤵
- Executes dropped EXE
PID:2524 -
\??\c:\nnnnhb.exec:\nnnnhb.exe43⤵
- Executes dropped EXE
PID:2152 -
\??\c:\djvpj.exec:\djvpj.exe44⤵
- Executes dropped EXE
PID:5036 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe45⤵
- Executes dropped EXE
PID:216 -
\??\c:\rlxrxll.exec:\rlxrxll.exe46⤵
- Executes dropped EXE
PID:3976 -
\??\c:\nhhbtn.exec:\nhhbtn.exe47⤵
- Executes dropped EXE
PID:1656 -
\??\c:\7flxfxf.exec:\7flxfxf.exe48⤵
- Executes dropped EXE
PID:1388 -
\??\c:\xrllfxx.exec:\xrllfxx.exe49⤵
- Executes dropped EXE
PID:3856 -
\??\c:\hhthbt.exec:\hhthbt.exe50⤵
- Executes dropped EXE
PID:3968 -
\??\c:\7vdjd.exec:\7vdjd.exe51⤵
- Executes dropped EXE
PID:4424 -
\??\c:\9frlfxr.exec:\9frlfxr.exe52⤵
- Executes dropped EXE
PID:3052 -
\??\c:\lrfrllf.exec:\lrfrllf.exe53⤵
- Executes dropped EXE
PID:3540 -
\??\c:\3ntttt.exec:\3ntttt.exe54⤵
- Executes dropped EXE
PID:644 -
\??\c:\vvddj.exec:\vvddj.exe55⤵
- Executes dropped EXE
PID:804 -
\??\c:\pvdvj.exec:\pvdvj.exe56⤵
- Executes dropped EXE
PID:3348 -
\??\c:\lffxrxr.exec:\lffxrxr.exe57⤵
- Executes dropped EXE
PID:2920 -
\??\c:\bbhhbt.exec:\bbhhbt.exe58⤵
- Executes dropped EXE
PID:4060 -
\??\c:\9ttnhh.exec:\9ttnhh.exe59⤵
- Executes dropped EXE
PID:1340 -
\??\c:\5jpjv.exec:\5jpjv.exe60⤵
- Executes dropped EXE
PID:3944 -
\??\c:\5lrlrrl.exec:\5lrlrrl.exe61⤵
- Executes dropped EXE
PID:3220 -
\??\c:\tttnhh.exec:\tttnhh.exe62⤵
- Executes dropped EXE
PID:4552 -
\??\c:\djjdv.exec:\djjdv.exe63⤵
- Executes dropped EXE
PID:2416 -
\??\c:\3pvpp.exec:\3pvpp.exe64⤵
- Executes dropped EXE
PID:4924 -
\??\c:\9xfrffx.exec:\9xfrffx.exe65⤵
- Executes dropped EXE
PID:452 -
\??\c:\5nhtnn.exec:\5nhtnn.exe66⤵PID:4816
-
\??\c:\dpvpj.exec:\dpvpj.exe67⤵PID:1804
-
\??\c:\5pjjd.exec:\5pjjd.exe68⤵PID:1668
-
\??\c:\xrrlllf.exec:\xrrlllf.exe69⤵PID:3096
-
\??\c:\tbbthh.exec:\tbbthh.exe70⤵PID:4296
-
\??\c:\htnnbt.exec:\htnnbt.exe71⤵PID:2796
-
\??\c:\1pjjd.exec:\1pjjd.exe72⤵PID:244
-
\??\c:\5frrllx.exec:\5frrllx.exe73⤵PID:2716
-
\??\c:\tnhbbt.exec:\tnhbbt.exe74⤵PID:2944
-
\??\c:\dpdvp.exec:\dpdvp.exe75⤵PID:3100
-
\??\c:\vdjdp.exec:\vdjdp.exe76⤵PID:748
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe77⤵PID:2660
-
\??\c:\5fffrrl.exec:\5fffrrl.exe78⤵PID:3840
-
\??\c:\hnhnhb.exec:\hnhnhb.exe79⤵PID:4100
-
\??\c:\9vvpp.exec:\9vvpp.exe80⤵PID:4396
-
\??\c:\lllffxl.exec:\lllffxl.exe81⤵PID:3420
-
\??\c:\nhtnhh.exec:\nhtnhh.exe82⤵PID:5100
-
\??\c:\7hnbnh.exec:\7hnbnh.exe83⤵PID:3960
-
\??\c:\xxlfxrr.exec:\xxlfxrr.exe84⤵PID:2452
-
\??\c:\rxlxrrl.exec:\rxlxrrl.exe85⤵PID:2244
-
\??\c:\ttbnnh.exec:\ttbnnh.exe86⤵PID:1144
-
\??\c:\jpppj.exec:\jpppj.exe87⤵PID:5084
-
\??\c:\lxfrllf.exec:\lxfrllf.exe88⤵PID:2424
-
\??\c:\xlllfff.exec:\xlllfff.exe89⤵PID:5108
-
\??\c:\nnnhbb.exec:\nnnhbb.exe90⤵PID:4624
-
\??\c:\9dvpp.exec:\9dvpp.exe91⤵
- System Location Discovery: System Language Discovery
PID:960 -
\??\c:\xrxrfrf.exec:\xrxrfrf.exe92⤵PID:4944
-
\??\c:\xlrllff.exec:\xlrllff.exe93⤵PID:2436
-
\??\c:\tntnbt.exec:\tntnbt.exe94⤵PID:1952
-
\??\c:\9jpjv.exec:\9jpjv.exe95⤵PID:3628
-
\??\c:\vpdvj.exec:\vpdvj.exe96⤵PID:2004
-
\??\c:\xflfrrl.exec:\xflfrrl.exe97⤵PID:2992
-
\??\c:\5bhbhh.exec:\5bhbhh.exe98⤵PID:4392
-
\??\c:\3jdpj.exec:\3jdpj.exe99⤵
- System Location Discovery: System Language Discovery
PID:4320 -
\??\c:\7pvpv.exec:\7pvpv.exe100⤵PID:4780
-
\??\c:\1xrrllf.exec:\1xrrllf.exe101⤵PID:4616
-
\??\c:\9btnnh.exec:\9btnnh.exe102⤵PID:1604
-
\??\c:\pjjpd.exec:\pjjpd.exe103⤵PID:4524
-
\??\c:\jddvd.exec:\jddvd.exe104⤵PID:3604
-
\??\c:\rrrlffr.exec:\rrrlffr.exe105⤵PID:4756
-
\??\c:\5hhhbb.exec:\5hhhbb.exe106⤵PID:3776
-
\??\c:\5vpjd.exec:\5vpjd.exe107⤵PID:2872
-
\??\c:\pdjdv.exec:\pdjdv.exe108⤵PID:1912
-
\??\c:\3flfxxr.exec:\3flfxxr.exe109⤵PID:2152
-
\??\c:\3nhbtt.exec:\3nhbtt.exe110⤵PID:3524
-
\??\c:\jdpjp.exec:\jdpjp.exe111⤵PID:2556
-
\??\c:\5ffrlfx.exec:\5ffrlfx.exe112⤵PID:2028
-
\??\c:\hntnbt.exec:\hntnbt.exe113⤵PID:4564
-
\??\c:\hbntbt.exec:\hbntbt.exe114⤵PID:1436
-
\??\c:\pjjdv.exec:\pjjdv.exe115⤵
- System Location Discovery: System Language Discovery
PID:404 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe116⤵PID:4408
-
\??\c:\7nhbnn.exec:\7nhbnn.exe117⤵PID:5032
-
\??\c:\nnbtbb.exec:\nnbtbb.exe118⤵PID:2904
-
\??\c:\jddvd.exec:\jddvd.exe119⤵PID:3452
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe120⤵PID:2648
-
\??\c:\5hhbbt.exec:\5hhbbt.exe121⤵PID:4492
-
\??\c:\7jjdv.exec:\7jjdv.exe122⤵PID:2932