Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 20:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe
-
Size
456KB
-
MD5
193a7e03c19dd6dcb492974859af3433
-
SHA1
15cc35234ac35cd92d2014fb7a80b68f1d0900e1
-
SHA256
248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81
-
SHA512
70714a5c6904506bf30f41fbe993e174da770a5e956379af7f3ef53b7f27e0d16363b2087956b1d25b72d215c11397429ee81b2bb5deb25628a24a7de7709e37
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3892-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2448-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4504-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4700-1751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 316 3pjjd.exe 4616 frrfrrf.exe 1048 5hbnhb.exe 720 5hhbnh.exe 1788 rxrrfll.exe 4816 bttnhb.exe 2832 xfxlxrf.exe 1180 1tnbtt.exe 3664 dpjjd.exe 4868 xllffxr.exe 3092 djjdd.exe 4296 rlrfrlf.exe 2420 jddvj.exe 3640 xlrfxrr.exe 2096 nnnhtn.exe 4520 hhbnbt.exe 2144 jjvpd.exe 4988 hnnhbt.exe 4396 fxffxlx.exe 4588 5rrlfxl.exe 1604 lxxrllf.exe 1856 5tbnhb.exe 4708 1ppjd.exe 2448 hnnhhb.exe 4700 jdvjd.exe 2664 9hhtbt.exe 320 nnthtn.exe 3564 xllffrl.exe 728 tbbthb.exe 3260 ttnbnh.exe 1780 tntntn.exe 1752 dvpdp.exe 3476 pdpjv.exe 1560 jvpjv.exe 2572 ffllffr.exe 2424 hhbttn.exe 4004 vvvpd.exe 4000 9llxrlx.exe 832 5hnhhh.exe 5092 bnnbnh.exe 1576 jpddd.exe 2256 lfrlxrl.exe 5028 3nnhtt.exe 4864 ttthhh.exe 3524 5dvpd.exe 5016 fffrflx.exe 864 ttbnbt.exe 4364 pddjd.exe 4352 xfrfrrl.exe 4632 flffxxr.exe 836 bbhnhn.exe 4824 vvvjd.exe 3336 xrrlfxr.exe 3508 thnhtn.exe 2472 pjvpp.exe 3660 vddvj.exe 2640 9xrfrlf.exe 4816 htbnhh.exe 1412 3jdvv.exe 3520 xxxxrrl.exe 1588 rrxxrll.exe 2200 tnhthh.exe 4744 jvvpp.exe 1864 xrrfxxl.exe -
resource yara_rule behavioral2/memory/3892-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-148-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2664-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-327-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4396-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3260-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-637-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3892 wrote to memory of 316 3892 248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe 83 PID 3892 wrote to memory of 316 3892 248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe 83 PID 3892 wrote to memory of 316 3892 248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe 83 PID 316 wrote to memory of 4616 316 3pjjd.exe 84 PID 316 wrote to memory of 4616 316 3pjjd.exe 84 PID 316 wrote to memory of 4616 316 3pjjd.exe 84 PID 4616 wrote to memory of 1048 4616 frrfrrf.exe 85 PID 4616 wrote to memory of 1048 4616 frrfrrf.exe 85 PID 4616 wrote to memory of 1048 4616 frrfrrf.exe 85 PID 1048 wrote to memory of 720 1048 5hbnhb.exe 86 PID 1048 wrote to memory of 720 1048 5hbnhb.exe 86 PID 1048 wrote to memory of 720 1048 5hbnhb.exe 86 PID 720 wrote to memory of 1788 720 5hhbnh.exe 87 PID 720 wrote to memory of 1788 720 5hhbnh.exe 87 PID 720 wrote to memory of 1788 720 5hhbnh.exe 87 PID 1788 wrote to memory of 4816 1788 rxrrfll.exe 88 PID 1788 wrote to memory of 4816 1788 rxrrfll.exe 88 PID 1788 wrote to memory of 4816 1788 rxrrfll.exe 88 PID 4816 wrote to memory of 2832 4816 bttnhb.exe 89 PID 4816 wrote to memory of 2832 4816 bttnhb.exe 89 PID 4816 wrote to memory of 2832 4816 bttnhb.exe 89 PID 2832 wrote to memory of 1180 2832 xfxlxrf.exe 90 PID 2832 wrote to memory of 1180 2832 xfxlxrf.exe 90 PID 2832 wrote to memory of 1180 2832 xfxlxrf.exe 90 PID 1180 wrote to memory of 3664 1180 1tnbtt.exe 91 PID 1180 wrote to memory of 3664 1180 1tnbtt.exe 91 PID 1180 wrote to memory of 3664 1180 1tnbtt.exe 91 PID 3664 wrote to memory of 4868 3664 dpjjd.exe 92 PID 3664 wrote to memory of 4868 3664 dpjjd.exe 92 PID 3664 wrote to memory of 4868 3664 dpjjd.exe 92 PID 4868 wrote to memory of 3092 4868 xllffxr.exe 93 PID 4868 wrote to memory of 3092 4868 xllffxr.exe 93 PID 4868 wrote to memory of 3092 4868 xllffxr.exe 93 PID 3092 wrote to memory of 4296 3092 djjdd.exe 94 PID 3092 wrote to memory of 4296 
3092 djjdd.exe 94 PID 3092 wrote to memory of 4296 3092 djjdd.exe 94 PID 4296 wrote to memory of 2420 4296 rlrfrlf.exe 95 PID 4296 wrote to memory of 2420 4296 rlrfrlf.exe 95 PID 4296 wrote to memory of 2420 4296 rlrfrlf.exe 95 PID 2420 wrote to memory of 3640 2420 jddvj.exe 96 PID 2420 wrote to memory of 3640 2420 jddvj.exe 96 PID 2420 wrote to memory of 3640 2420 jddvj.exe 96 PID 3640 wrote to memory of 2096 3640 xlrfxrr.exe 97 PID 3640 wrote to memory of 2096 3640 xlrfxrr.exe 97 PID 3640 wrote to memory of 2096 3640 xlrfxrr.exe 97 PID 2096 wrote to memory of 4520 2096 nnnhtn.exe 98 PID 2096 wrote to memory of 4520 2096 nnnhtn.exe 98 PID 2096 wrote to memory of 4520 2096 nnnhtn.exe 98 PID 4520 wrote to memory of 2144 4520 hhbnbt.exe 99 PID 4520 wrote to memory of 2144 4520 hhbnbt.exe 99 PID 4520 wrote to memory of 2144 4520 hhbnbt.exe 99 PID 2144 wrote to memory of 4988 2144 jjvpd.exe 100 PID 2144 wrote to memory of 4988 2144 jjvpd.exe 100 PID 2144 wrote to memory of 4988 2144 jjvpd.exe 100 PID 4988 wrote to memory of 4396 4988 hnnhbt.exe 101 PID 4988 wrote to memory of 4396 4988 hnnhbt.exe 101 PID 4988 wrote to memory of 4396 4988 hnnhbt.exe 101 PID 4396 wrote to memory of 4588 4396 fxffxlx.exe 102 PID 4396 wrote to memory of 4588 4396 fxffxlx.exe 102 PID 4396 wrote to memory of 4588 4396 fxffxlx.exe 102 PID 4588 wrote to memory of 1604 4588 5rrlfxl.exe 103 PID 4588 wrote to memory of 1604 4588 5rrlfxl.exe 103 PID 4588 wrote to memory of 1604 4588 5rrlfxl.exe 103 PID 1604 wrote to memory of 1856 1604 lxxrllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe"C:\Users\Admin\AppData\Local\Temp\248cc35a1a5de82fcd2557fb468926145494fde83d2d7bee4dcf5cf28ccf6b81.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\3pjjd.exec:\3pjjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\frrfrrf.exec:\frrfrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\5hbnhb.exec:\5hbnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\5hhbnh.exec:\5hhbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:720 -
\??\c:\rxrrfll.exec:\rxrrfll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\bttnhb.exec:\bttnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\xfxlxrf.exec:\xfxlxrf.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\1tnbtt.exec:\1tnbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\dpjjd.exec:\dpjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\xllffxr.exec:\xllffxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\djjdd.exec:\djjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\rlrfrlf.exec:\rlrfrlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\jddvj.exec:\jddvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\xlrfxrr.exec:\xlrfxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\nnnhtn.exec:\nnnhtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\hhbnbt.exec:\hhbnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\jjvpd.exec:\jjvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\hnnhbt.exec:\hnnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\fxffxlx.exec:\fxffxlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4396 -
\??\c:\5rrlfxl.exec:\5rrlfxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\lxxrllf.exec:\lxxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\5tbnhb.exec:\5tbnhb.exe23⤵
- Executes dropped EXE
PID:1856 -
\??\c:\1ppjd.exec:\1ppjd.exe24⤵
- Executes dropped EXE
PID:4708 -
\??\c:\hnnhhb.exec:\hnnhhb.exe25⤵
- Executes dropped EXE
PID:2448 -
\??\c:\jdvjd.exec:\jdvjd.exe26⤵
- Executes dropped EXE
PID:4700 -
\??\c:\9hhtbt.exec:\9hhtbt.exe27⤵
- Executes dropped EXE
PID:2664 -
\??\c:\nnthtn.exec:\nnthtn.exe28⤵
- Executes dropped EXE
PID:320 -
\??\c:\xllffrl.exec:\xllffrl.exe29⤵
- Executes dropped EXE
PID:3564 -
\??\c:\tbbthb.exec:\tbbthb.exe30⤵
- Executes dropped EXE
PID:728 -
\??\c:\ttnbnh.exec:\ttnbnh.exe31⤵
- Executes dropped EXE
PID:3260 -
\??\c:\tntntn.exec:\tntntn.exe32⤵
- Executes dropped EXE
PID:1780 -
\??\c:\dvpdp.exec:\dvpdp.exe33⤵
- Executes dropped EXE
PID:1752 -
\??\c:\pdpjv.exec:\pdpjv.exe34⤵
- Executes dropped EXE
PID:3476 -
\??\c:\jvpjv.exec:\jvpjv.exe35⤵
- Executes dropped EXE
PID:1560 -
\??\c:\ffllffr.exec:\ffllffr.exe36⤵
- Executes dropped EXE
PID:2572 -
\??\c:\hhbttn.exec:\hhbttn.exe37⤵
- Executes dropped EXE
PID:2424 -
\??\c:\vvvpd.exec:\vvvpd.exe38⤵
- Executes dropped EXE
PID:4004 -
\??\c:\9llxrlx.exec:\9llxrlx.exe39⤵
- Executes dropped EXE
PID:4000 -
\??\c:\5hnhhh.exec:\5hnhhh.exe40⤵
- Executes dropped EXE
PID:832 -
\??\c:\bnnbnh.exec:\bnnbnh.exe41⤵
- Executes dropped EXE
PID:5092 -
\??\c:\jpddd.exec:\jpddd.exe42⤵
- Executes dropped EXE
PID:1576 -
\??\c:\lfrlxrl.exec:\lfrlxrl.exe43⤵
- Executes dropped EXE
PID:2256 -
\??\c:\3nnhtt.exec:\3nnhtt.exe44⤵
- Executes dropped EXE
PID:5028 -
\??\c:\ttthhh.exec:\ttthhh.exe45⤵
- Executes dropped EXE
PID:4864 -
\??\c:\5dvpd.exec:\5dvpd.exe46⤵
- Executes dropped EXE
PID:3524 -
\??\c:\fffrflx.exec:\fffrflx.exe47⤵
- Executes dropped EXE
PID:5016 -
\??\c:\ttbnbt.exec:\ttbnbt.exe48⤵
- Executes dropped EXE
PID:864 -
\??\c:\pddjd.exec:\pddjd.exe49⤵
- Executes dropped EXE
PID:4364 -
\??\c:\xfrfrrl.exec:\xfrfrrl.exe50⤵
- Executes dropped EXE
PID:4352 -
\??\c:\flffxxr.exec:\flffxxr.exe51⤵
- Executes dropped EXE
PID:4632 -
\??\c:\bbhnhn.exec:\bbhnhn.exe52⤵
- Executes dropped EXE
PID:836 -
\??\c:\vvvjd.exec:\vvvjd.exe53⤵
- Executes dropped EXE
PID:4824 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe54⤵
- Executes dropped EXE
PID:3336 -
\??\c:\thnhtn.exec:\thnhtn.exe55⤵
- Executes dropped EXE
PID:3508 -
\??\c:\pjvpp.exec:\pjvpp.exe56⤵
- Executes dropped EXE
PID:2472 -
\??\c:\vddvj.exec:\vddvj.exe57⤵
- Executes dropped EXE
PID:3660 -
\??\c:\9xrfrlf.exec:\9xrfrlf.exe58⤵
- Executes dropped EXE
PID:2640 -
\??\c:\htbnhh.exec:\htbnhh.exe59⤵
- Executes dropped EXE
PID:4816 -
\??\c:\3jdvv.exec:\3jdvv.exe60⤵
- Executes dropped EXE
PID:1412 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe61⤵
- Executes dropped EXE
PID:3520 -
\??\c:\rrxxrll.exec:\rrxxrll.exe62⤵
- Executes dropped EXE
PID:1588 -
\??\c:\tnhthh.exec:\tnhthh.exe63⤵
- Executes dropped EXE
PID:2200 -
\??\c:\jvvpp.exec:\jvvpp.exe64⤵
- Executes dropped EXE
PID:4744 -
\??\c:\xrrfxxl.exec:\xrrfxxl.exe65⤵
- Executes dropped EXE
PID:1864 -
\??\c:\3hhbbh.exec:\3hhbbh.exe66⤵PID:4060
-
\??\c:\pddvj.exec:\pddvj.exe67⤵PID:968
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe68⤵PID:4504
-
\??\c:\rfxlrlf.exec:\rfxlrlf.exe69⤵PID:3788
-
\??\c:\hbhhht.exec:\hbhhht.exe70⤵PID:3656
-
\??\c:\dpjdj.exec:\dpjdj.exe71⤵PID:2000
-
\??\c:\xfrlxxr.exec:\xfrlxxr.exe72⤵PID:4768
-
\??\c:\bbhhbt.exec:\bbhhbt.exe73⤵PID:2244
-
\??\c:\tttnbt.exec:\tttnbt.exe74⤵PID:3388
-
\??\c:\jppdv.exec:\jppdv.exe75⤵PID:3500
-
\??\c:\lllxllf.exec:\lllxllf.exe76⤵PID:1624
-
\??\c:\lxxxlfx.exec:\lxxxlfx.exe77⤵PID:3352
-
\??\c:\bnttnn.exec:\bnttnn.exe78⤵PID:4396
-
\??\c:\ppvjj.exec:\ppvjj.exe79⤵PID:2464
-
\??\c:\5xxlxrl.exec:\5xxlxrl.exe80⤵PID:1604
-
\??\c:\httnbt.exec:\httnbt.exe81⤵PID:3668
-
\??\c:\tntnnn.exec:\tntnnn.exe82⤵PID:1856
-
\??\c:\3jdpd.exec:\3jdpd.exe83⤵PID:2672
-
\??\c:\rllxxrl.exec:\rllxxrl.exe84⤵PID:2884
-
\??\c:\rlrfffr.exec:\rlrfffr.exe85⤵PID:2880
-
\??\c:\ntbtnh.exec:\ntbtnh.exe86⤵PID:2836
-
\??\c:\dvvdp.exec:\dvvdp.exe87⤵PID:3644
-
\??\c:\xffrffr.exec:\xffrffr.exe88⤵PID:2388
-
\??\c:\fffrxrf.exec:\fffrxrf.exe89⤵PID:1396
-
\??\c:\nbbtnh.exec:\nbbtnh.exe90⤵
- System Location Discovery: System Language Discovery
PID:4952 -
\??\c:\jvjvv.exec:\jvjvv.exe91⤵PID:3860
-
\??\c:\fxxflrr.exec:\fxxflrr.exe92⤵PID:4888
-
\??\c:\nhnhnh.exec:\nhnhnh.exe93⤵PID:3260
-
\??\c:\nbhbtn.exec:\nbhbtn.exe94⤵PID:940
-
\??\c:\vppjd.exec:\vppjd.exe95⤵PID:1876
-
\??\c:\frrlffx.exec:\frrlffx.exe96⤵PID:1572
-
\??\c:\nbbhtn.exec:\nbbhtn.exe97⤵PID:1352
-
\??\c:\1jdpj.exec:\1jdpj.exe98⤵PID:5004
-
\??\c:\flxfxxr.exec:\flxfxxr.exe99⤵PID:5104
-
\??\c:\hnthbt.exec:\hnthbt.exe100⤵PID:2456
-
\??\c:\bnnbnn.exec:\bnnbnn.exe101⤵PID:1976
-
\??\c:\jvvpd.exec:\jvvpd.exe102⤵PID:1220
-
\??\c:\xxfrfxr.exec:\xxfrfxr.exe103⤵PID:3124
-
\??\c:\btbnhb.exec:\btbnhb.exe104⤵PID:4128
-
\??\c:\nbbbtn.exec:\nbbbtn.exe105⤵PID:1444
-
\??\c:\jvpdp.exec:\jvpdp.exe106⤵PID:4584
-
\??\c:\frrfxxr.exec:\frrfxxr.exe107⤵PID:4924
-
\??\c:\nhnhtn.exec:\nhnhtn.exe108⤵PID:388
-
\??\c:\vdjvj.exec:\vdjvj.exe109⤵PID:2376
-
\??\c:\vpjdp.exec:\vpjdp.exe110⤵PID:5016
-
\??\c:\5flxxrx.exec:\5flxxrx.exe111⤵PID:4380
-
\??\c:\hbtnbb.exec:\hbtnbb.exe112⤵PID:3844
-
\??\c:\1dvjv.exec:\1dvjv.exe113⤵PID:3856
-
\??\c:\dpjvv.exec:\dpjvv.exe114⤵PID:4632
-
\??\c:\lxllllr.exec:\lxllllr.exe115⤵PID:1664
-
\??\c:\tbbnhb.exec:\tbbnhb.exe116⤵PID:3636
-
\??\c:\nnthtn.exec:\nnthtn.exe117⤵PID:5032
-
\??\c:\3pdvj.exec:\3pdvj.exe118⤵PID:3648
-
\??\c:\xrfrrxx.exec:\xrfrrxx.exe119⤵PID:2472
-
\??\c:\nnttnh.exec:\nnttnh.exe120⤵PID:4508
-
\??\c:\jvvpd.exec:\jvvpd.exe121⤵PID:1984
-
\??\c:\lffxxrl.exec:\lffxxrl.exe122⤵PID:1096