Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 20:34
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe
-
Size
454KB
-
MD5
b9a742dd8f9d8a4456237a88ff801dff
-
SHA1
ab09169e2bfc796d27f58479a7009686840c52e0
-
SHA256
249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08
-
SHA512
f10b51a83a7820b993cea4a32fb6f6c4cbdad4f3334f7e5109091ec87bfea7f2ee016fda12905d1fe4d8861b611643ea283fdc39736311589e8f04fb07ad31e0
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4412-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4900-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4288-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-800-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-899-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-967-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-980-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-1171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1016 lllfrrf.exe 1144 bhbtnh.exe 3668 nnhbnh.exe 4820 pvppp.exe 4960 7pjdd.exe 4992 3hbbtb.exe 3024 pvpvd.exe 4280 5htnbb.exe 2892 djdjd.exe 3684 jjdvv.exe 2368 dvdvp.exe 1872 5fxxxff.exe 3508 nnnntb.exe 968 djjjv.exe 1260 rxfrllf.exe 2308 jvvvp.exe 3036 xxxrlll.exe 4956 vjddv.exe 2024 3nbtbb.exe 1448 xllffll.exe 920 frrlffl.exe 4452 bbttnh.exe 2312 nhnnnn.exe 1436 7fxxfxx.exe 4296 nnbbbn.exe 2256 1dppp.exe 4900 bhtnbh.exe 976 ppvvp.exe 348 hbtttb.exe 4356 7xffffl.exe 1560 bhhnnn.exe 4492 dpjpp.exe 1924 vjpjv.exe 2844 3lrlfff.exe 4172 3nhthn.exe 632 7dvvv.exe 1212 3jpvv.exe 5092 hhnhhb.exe 4208 9btttb.exe 3588 ddddp.exe 2944 9bbbth.exe 4312 ddjvp.exe 2280 9hbtnt.exe 4304 pvjpj.exe 1584 rxfxxxf.exe 4888 bhhhhh.exe 3040 jjppp.exe 2404 dvdvv.exe 3572 xffrxrf.exe 4348 ntnbbt.exe 2532 jddpp.exe 4412 5vddj.exe 1016 lrrlllf.exe 3164 1ttnhn.exe 4004 ddjjd.exe 880 vdddv.exe 2068 bbhttt.exe 4820 3nnhbb.exe 3880 ppdpd.exe 5004 5rrlflf.exe 4500 ttbbhh.exe 4012 vpvvv.exe 4860 xxxffll.exe 3340 1nhhbh.exe -
resource yara_rule behavioral2/memory/4412-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4900-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-479-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2072-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-800-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-837-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-899-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-942-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (read of the HKLM\SYSTEM\ControlSet001\Control\NLS\Language key). Entries attributed to "Process not Found" are reads whose originating process had already exited before the sandbox could resolve it, so the per-process attribution below is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4412 wrote to memory of 1016 4412 249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe 83 PID 4412 wrote to memory of 1016 4412 249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe 83 PID 4412 wrote to memory of 1016 4412 249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe 83 PID 1016 wrote to memory of 1144 1016 lllfrrf.exe 84 PID 1016 wrote to memory of 1144 1016 lllfrrf.exe 84 PID 1016 wrote to memory of 1144 1016 lllfrrf.exe 84 PID 1144 wrote to memory of 3668 1144 bhbtnh.exe 85 PID 1144 wrote to memory of 3668 1144 bhbtnh.exe 85 PID 1144 wrote to memory of 3668 1144 bhbtnh.exe 85 PID 3668 wrote to memory of 4820 3668 nnhbnh.exe 86 PID 3668 wrote to memory of 4820 3668 nnhbnh.exe 86 PID 3668 wrote to memory of 4820 3668 nnhbnh.exe 86 PID 4820 wrote to memory of 4960 4820 pvppp.exe 87 PID 4820 wrote to memory of 4960 4820 pvppp.exe 87 PID 4820 wrote to memory of 4960 4820 pvppp.exe 87 PID 4960 wrote to memory of 4992 4960 7pjdd.exe 88 PID 4960 wrote to memory of 4992 4960 7pjdd.exe 88 PID 4960 wrote to memory of 4992 4960 7pjdd.exe 88 PID 4992 wrote to memory of 3024 4992 3hbbtb.exe 89 PID 4992 wrote to memory of 3024 4992 3hbbtb.exe 89 PID 4992 wrote to memory of 3024 4992 3hbbtb.exe 89 PID 3024 wrote to memory of 4280 3024 pvpvd.exe 90 PID 3024 wrote to memory of 4280 3024 pvpvd.exe 90 PID 3024 wrote to memory of 4280 3024 pvpvd.exe 90 PID 4280 wrote to memory of 2892 4280 5htnbb.exe 91 PID 4280 wrote to memory of 2892 4280 5htnbb.exe 91 PID 4280 wrote to memory of 2892 4280 5htnbb.exe 91 PID 2892 wrote to memory of 3684 2892 djdjd.exe 92 PID 2892 wrote to memory of 3684 2892 djdjd.exe 92 PID 2892 wrote to memory of 3684 2892 djdjd.exe 92 PID 3684 wrote to memory of 2368 3684 jjdvv.exe 93 PID 3684 wrote to memory of 2368 3684 jjdvv.exe 93 PID 3684 wrote to memory of 2368 3684 jjdvv.exe 93 PID 2368 wrote to memory of 1872 2368 dvdvp.exe 94 PID 2368 wrote to memory of 1872 
2368 dvdvp.exe 94 PID 2368 wrote to memory of 1872 2368 dvdvp.exe 94 PID 1872 wrote to memory of 3508 1872 5fxxxff.exe 95 PID 1872 wrote to memory of 3508 1872 5fxxxff.exe 95 PID 1872 wrote to memory of 3508 1872 5fxxxff.exe 95 PID 3508 wrote to memory of 968 3508 nnnntb.exe 96 PID 3508 wrote to memory of 968 3508 nnnntb.exe 96 PID 3508 wrote to memory of 968 3508 nnnntb.exe 96 PID 968 wrote to memory of 1260 968 djjjv.exe 97 PID 968 wrote to memory of 1260 968 djjjv.exe 97 PID 968 wrote to memory of 1260 968 djjjv.exe 97 PID 1260 wrote to memory of 2308 1260 rxfrllf.exe 98 PID 1260 wrote to memory of 2308 1260 rxfrllf.exe 98 PID 1260 wrote to memory of 2308 1260 rxfrllf.exe 98 PID 2308 wrote to memory of 3036 2308 jvvvp.exe 99 PID 2308 wrote to memory of 3036 2308 jvvvp.exe 99 PID 2308 wrote to memory of 3036 2308 jvvvp.exe 99 PID 3036 wrote to memory of 4956 3036 xxxrlll.exe 100 PID 3036 wrote to memory of 4956 3036 xxxrlll.exe 100 PID 3036 wrote to memory of 4956 3036 xxxrlll.exe 100 PID 4956 wrote to memory of 2024 4956 vjddv.exe 101 PID 4956 wrote to memory of 2024 4956 vjddv.exe 101 PID 4956 wrote to memory of 2024 4956 vjddv.exe 101 PID 2024 wrote to memory of 1448 2024 3nbtbb.exe 102 PID 2024 wrote to memory of 1448 2024 3nbtbb.exe 102 PID 2024 wrote to memory of 1448 2024 3nbtbb.exe 102 PID 1448 wrote to memory of 920 1448 xllffll.exe 103 PID 1448 wrote to memory of 920 1448 xllffll.exe 103 PID 1448 wrote to memory of 920 1448 xllffll.exe 103 PID 920 wrote to memory of 4452 920 frrlffl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe"C:\Users\Admin\AppData\Local\Temp\249fef9b379b6ccd1c545b13916c18a957ca3900fe118920b68f863f57d88e08.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\lllfrrf.exec:\lllfrrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\bhbtnh.exec:\bhbtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\nnhbnh.exec:\nnhbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\pvppp.exec:\pvppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\7pjdd.exec:\7pjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\3hbbtb.exec:\3hbbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\pvpvd.exec:\pvpvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\5htnbb.exec:\5htnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\djdjd.exec:\djdjd.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\jjdvv.exec:\jjdvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\dvdvp.exec:\dvdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\5fxxxff.exec:\5fxxxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\nnnntb.exec:\nnnntb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\djjjv.exec:\djjjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\rxfrllf.exec:\rxfrllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\jvvvp.exec:\jvvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\xxxrlll.exec:\xxxrlll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\vjddv.exec:\vjddv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\3nbtbb.exec:\3nbtbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xllffll.exec:\xllffll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\frrlffl.exec:\frrlffl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\bbttnh.exec:\bbttnh.exe23⤵
- Executes dropped EXE
PID:4452 -
\??\c:\nhnnnn.exec:\nhnnnn.exe24⤵
- Executes dropped EXE
PID:2312 -
\??\c:\7fxxfxx.exec:\7fxxfxx.exe25⤵
- Executes dropped EXE
PID:1436 -
\??\c:\nnbbbn.exec:\nnbbbn.exe26⤵
- Executes dropped EXE
PID:4296 -
\??\c:\1dppp.exec:\1dppp.exe27⤵
- Executes dropped EXE
PID:2256 -
\??\c:\bhtnbh.exec:\bhtnbh.exe28⤵
- Executes dropped EXE
PID:4900 -
\??\c:\ppvvp.exec:\ppvvp.exe29⤵
- Executes dropped EXE
PID:976 -
\??\c:\hbtttb.exec:\hbtttb.exe30⤵
- Executes dropped EXE
PID:348 -
\??\c:\7xffffl.exec:\7xffffl.exe31⤵
- Executes dropped EXE
PID:4356 -
\??\c:\bhhnnn.exec:\bhhnnn.exe32⤵
- Executes dropped EXE
PID:1560 -
\??\c:\dpjpp.exec:\dpjpp.exe33⤵
- Executes dropped EXE
PID:4492 -
\??\c:\vjpjv.exec:\vjpjv.exe34⤵
- Executes dropped EXE
PID:1924 -
\??\c:\3lrlfff.exec:\3lrlfff.exe35⤵
- Executes dropped EXE
PID:2844 -
\??\c:\3nhthn.exec:\3nhthn.exe36⤵
- Executes dropped EXE
PID:4172 -
\??\c:\7dvvv.exec:\7dvvv.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\3jpvv.exec:\3jpvv.exe38⤵
- Executes dropped EXE
PID:1212 -
\??\c:\hhnhhb.exec:\hhnhhb.exe39⤵
- Executes dropped EXE
PID:5092 -
\??\c:\9btttb.exec:\9btttb.exe40⤵
- Executes dropped EXE
PID:4208 -
\??\c:\ddddp.exec:\ddddp.exe41⤵
- Executes dropped EXE
PID:3588 -
\??\c:\9bbbth.exec:\9bbbth.exe42⤵
- Executes dropped EXE
PID:2944 -
\??\c:\ddjvp.exec:\ddjvp.exe43⤵
- Executes dropped EXE
PID:4312 -
\??\c:\9hbtnt.exec:\9hbtnt.exe44⤵
- Executes dropped EXE
PID:2280 -
\??\c:\pvjpj.exec:\pvjpj.exe45⤵
- Executes dropped EXE
PID:4304 -
\??\c:\rxfxxxf.exec:\rxfxxxf.exe46⤵
- Executes dropped EXE
PID:1584 -
\??\c:\bhhhhh.exec:\bhhhhh.exe47⤵
- Executes dropped EXE
PID:4888 -
\??\c:\jjppp.exec:\jjppp.exe48⤵
- Executes dropped EXE
PID:3040 -
\??\c:\dvdvv.exec:\dvdvv.exe49⤵
- Executes dropped EXE
PID:2404 -
\??\c:\xffrxrf.exec:\xffrxrf.exe50⤵
- Executes dropped EXE
PID:3572 -
\??\c:\ntnbbt.exec:\ntnbbt.exe51⤵
- Executes dropped EXE
PID:4348 -
\??\c:\jddpp.exec:\jddpp.exe52⤵
- Executes dropped EXE
PID:2532 -
\??\c:\5vddj.exec:\5vddj.exe53⤵
- Executes dropped EXE
PID:4412 -
\??\c:\lrrlllf.exec:\lrrlllf.exe54⤵
- Executes dropped EXE
PID:1016 -
\??\c:\1ttnhn.exec:\1ttnhn.exe55⤵
- Executes dropped EXE
PID:3164 -
\??\c:\ddjjd.exec:\ddjjd.exe56⤵
- Executes dropped EXE
PID:4004 -
\??\c:\vdddv.exec:\vdddv.exe57⤵
- Executes dropped EXE
PID:880 -
\??\c:\bbhttt.exec:\bbhttt.exe58⤵
- Executes dropped EXE
PID:2068 -
\??\c:\3nnhbb.exec:\3nnhbb.exe59⤵
- Executes dropped EXE
PID:4820 -
\??\c:\ppdpd.exec:\ppdpd.exe60⤵
- Executes dropped EXE
PID:3880 -
\??\c:\5rrlflf.exec:\5rrlflf.exe61⤵
- Executes dropped EXE
PID:5004 -
\??\c:\ttbbhh.exec:\ttbbhh.exe62⤵
- Executes dropped EXE
PID:4500 -
\??\c:\vpvvv.exec:\vpvvv.exe63⤵
- Executes dropped EXE
PID:4012 -
\??\c:\xxxffll.exec:\xxxffll.exe64⤵
- Executes dropped EXE
PID:4860 -
\??\c:\1nhhbh.exec:\1nhhbh.exe65⤵
- Executes dropped EXE
PID:3340 -
\??\c:\nnnhtt.exec:\nnnhtt.exe66⤵PID:3424
-
\??\c:\vjdvp.exec:\vjdvp.exe67⤵PID:1928
-
\??\c:\ffflffl.exec:\ffflffl.exe68⤵PID:4856
-
\??\c:\nntttn.exec:\nntttn.exe69⤵PID:5040
-
\??\c:\pjvjd.exec:\pjvjd.exe70⤵PID:620
-
\??\c:\rxrxlrf.exec:\rxrxlrf.exe71⤵PID:3112
-
\??\c:\fxrrrrr.exec:\fxrrrrr.exe72⤵PID:4164
-
\??\c:\5bbbbb.exec:\5bbbbb.exe73⤵PID:2332
-
\??\c:\dppjd.exec:\dppjd.exe74⤵PID:1988
-
\??\c:\xfxxxxx.exec:\xfxxxxx.exe75⤵PID:1968
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe76⤵PID:4688
-
\??\c:\9htttt.exec:\9htttt.exe77⤵PID:5008
-
\??\c:\vvjjd.exec:\vvjjd.exe78⤵PID:1056
-
\??\c:\vdjjd.exec:\vdjjd.exe79⤵PID:4808
-
\??\c:\xllfxxr.exec:\xllfxxr.exe80⤵PID:232
-
\??\c:\5hhhbt.exec:\5hhhbt.exe81⤵PID:1448
-
\??\c:\ddjdd.exec:\ddjdd.exe82⤵PID:2352
-
\??\c:\xrlfffx.exec:\xrlfffx.exe83⤵PID:920
-
\??\c:\frlrlll.exec:\frlrlll.exe84⤵PID:3912
-
\??\c:\ttnhtt.exec:\ttnhtt.exe85⤵PID:2776
-
\??\c:\1vvpj.exec:\1vvpj.exe86⤵PID:4516
-
\??\c:\frrllll.exec:\frrllll.exe87⤵PID:936
-
\??\c:\btbtbt.exec:\btbtbt.exe88⤵PID:3944
-
\??\c:\jdjdv.exec:\jdjdv.exe89⤵PID:4756
-
\??\c:\9dvvv.exec:\9dvvv.exe90⤵PID:336
-
\??\c:\rfrlffx.exec:\rfrlffx.exe91⤵PID:3188
-
\??\c:\bbnttt.exec:\bbnttt.exe92⤵PID:752
-
\??\c:\bbnnhb.exec:\bbnnhb.exe93⤵PID:1032
-
\??\c:\pjjjd.exec:\pjjjd.exe94⤵PID:4036
-
\??\c:\rlrrffr.exec:\rlrrffr.exe95⤵PID:4356
-
\??\c:\3hbbtb.exec:\3hbbtb.exe96⤵PID:2044
-
\??\c:\jpdpj.exec:\jpdpj.exe97⤵PID:636
-
\??\c:\jjvpp.exec:\jjvpp.exe98⤵PID:4620
-
\??\c:\xxxxrll.exec:\xxxxrll.exe99⤵PID:4204
-
\??\c:\bhhhbt.exec:\bhhhbt.exe100⤵PID:4060
-
\??\c:\pddpj.exec:\pddpj.exe101⤵PID:4616
-
\??\c:\pvjjj.exec:\pvjjj.exe102⤵PID:3516
-
\??\c:\5lxrllx.exec:\5lxrllx.exe103⤵PID:3084
-
\??\c:\hnnntb.exec:\hnnntb.exe104⤵PID:8
-
\??\c:\djddv.exec:\djddv.exe105⤵PID:4588
-
\??\c:\5lfxllr.exec:\5lfxllr.exe106⤵PID:3744
-
\??\c:\lffxxxr.exec:\lffxxxr.exe107⤵PID:5024
-
\??\c:\ttbttt.exec:\ttbttt.exe108⤵PID:3988
-
\??\c:\jdjdd.exec:\jdjdd.exe109⤵PID:1824
-
\??\c:\frlfrrf.exec:\frlfrrf.exe110⤵PID:4304
-
\??\c:\5rxxrrl.exec:\5rxxrrl.exe111⤵PID:1920
-
\??\c:\ttnnht.exec:\ttnnht.exe112⤵PID:4552
-
\??\c:\vjjjj.exec:\vjjjj.exe113⤵PID:3040
-
\??\c:\xfxlflf.exec:\xfxlflf.exe114⤵PID:4340
-
\??\c:\3nnhbh.exec:\3nnhbh.exe115⤵PID:4288
-
\??\c:\pjvvd.exec:\pjvvd.exe116⤵PID:1576
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe117⤵PID:3244
-
\??\c:\bbtnhb.exec:\bbtnhb.exe118⤵PID:4328
-
\??\c:\vppvj.exec:\vppvj.exe119⤵PID:3844
-
\??\c:\vjdvd.exec:\vjdvd.exe120⤵PID:4884
-
\??\c:\lxllxrr.exec:\lxllxrr.exe121⤵PID:4004
-
\??\c:\bbhhbb.exec:\bbhhbb.exe122⤵PID:448
-