Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
18-12-2024 02:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8.exe
-
Size
454KB
-
MD5
4fe4a5ea04793e11b04f113e672f0e2f
-
SHA1
ba830c6806044a7eaec4d9d353c88dffc3018b5e
-
SHA256
983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8
-
SHA512
8a805bc007a59753ffb0f7b71e8a805acc2b96aed0f1d26d228c7d2b18f4d5c8f318c5b40e6f5192e87a8b339235e1ddb60c41120190cfd2618aeb5714b5165b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3440-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3988-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3064-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-1132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-1151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4696-1723-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5100 xxrrrxx.exe 2056 nbnhbb.exe 876 5vjdd.exe 392 rlrlffx.exe 1960 bttnhh.exe 3424 hbnnhb.exe 1584 jpvpp.exe 1860 xlfrxlx.exe 2716 pdjvj.exe 1664 xllxxxx.exe 3384 bnnbnb.exe 3428 jvjdp.exe 4188 lxrlfxf.exe 184 3tnnhn.exe 2824 3pjjv.exe 4448 xlfxlfr.exe 5000 hnbbnh.exe 2164 pvvjv.exe 4596 fxrlxrf.exe 4988 7bhtnn.exe 440 bhthtn.exe 1476 pppdp.exe 892 rfflxrr.exe 3648 bnhbth.exe 3064 nntntt.exe 3116 rlxllxr.exe 3848 ttttnn.exe 1168 9jjvj.exe 748 1xrfrlr.exe 1500 htthtt.exe 2788 ppjvj.exe 3504 xrxlffl.exe 1312 7bbhtt.exe 5072 dddpd.exe 792 frrfrlf.exe 3308 hbthnb.exe 1756 vdjvp.exe 692 vvvjv.exe 4556 7tbnhb.exe 3052 hnnhnb.exe 1540 pjjdp.exe 4112 pvvpd.exe 3380 fxfrffr.exe 2280 ttntnh.exe 1504 7jdvp.exe 1836 jvdpv.exe 3264 1fxlfrf.exe 3644 5hhthb.exe 2268 ttthtn.exe 1772 pddpd.exe 2900 ppvvp.exe 4356 xlllfff.exe 4824 fflrrrl.exe 2692 thnnbh.exe 4588 ppjpj.exe 3964 jvdvp.exe 4496 fffxfxr.exe 392 lfxlxrl.exe 1960 thhbbt.exe 2312 pdvjd.exe 2272 jvvjd.exe 4500 9flflfl.exe 3688 rfxrrlr.exe 4108 nhhtht.exe -
resource yara_rule behavioral2/memory/3440-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-353-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2424-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1764-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-104-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2164-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-845-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfrrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3440 wrote to memory of 5100 3440 983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8.exe 82 PID 3440 wrote to memory of 5100 3440 983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8.exe 82 PID 3440 wrote to memory of 5100 3440 983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8.exe 82 PID 5100 wrote to memory of 2056 5100 xxrrrxx.exe 83 PID 5100 wrote to memory of 2056 5100 xxrrrxx.exe 83 PID 5100 wrote to memory of 2056 5100 xxrrrxx.exe 83 PID 2056 wrote to memory of 876 2056 nbnhbb.exe 84 PID 2056 wrote to memory of 876 2056 nbnhbb.exe 84 PID 2056 wrote to memory of 876 2056 nbnhbb.exe 84 PID 876 wrote to memory of 392 876 5vjdd.exe 139 PID 876 wrote to memory of 392 876 5vjdd.exe 139 PID 876 wrote to memory of 392 876 5vjdd.exe 139 PID 392 wrote to memory of 1960 392 rlrlffx.exe 140 PID 392 wrote to memory of 1960 392 rlrlffx.exe 140 PID 392 wrote to memory of 1960 392 rlrlffx.exe 140 PID 1960 wrote to memory of 3424 1960 bttnhh.exe 87 PID 1960 wrote to memory of 3424 1960 bttnhh.exe 87 PID 1960 wrote to memory of 3424 1960 bttnhh.exe 87 PID 3424 wrote to memory of 1584 3424 hbnnhb.exe 88 PID 3424 wrote to memory of 1584 3424 hbnnhb.exe 88 PID 3424 wrote to memory of 1584 3424 hbnnhb.exe 88 PID 1584 wrote to memory of 1860 1584 jpvpp.exe 89 PID 1584 wrote to memory of 1860 1584 jpvpp.exe 89 PID 1584 wrote to memory of 1860 1584 jpvpp.exe 89 PID 1860 wrote to memory of 2716 1860 xlfrxlx.exe 90 PID 1860 wrote to memory of 2716 1860 xlfrxlx.exe 90 PID 1860 wrote to memory of 2716 1860 xlfrxlx.exe 90 PID 2716 wrote to memory of 1664 2716 pdjvj.exe 91 PID 2716 wrote to memory of 1664 2716 pdjvj.exe 91 PID 2716 wrote to memory of 1664 2716 pdjvj.exe 91 PID 1664 wrote to memory of 3384 1664 xllxxxx.exe 92 PID 1664 wrote to memory of 3384 1664 xllxxxx.exe 92 PID 1664 wrote to memory of 3384 1664 xllxxxx.exe 92 PID 3384 wrote to memory of 3428 3384 bnnbnb.exe 93 PID 3384 wrote to memory of 
3428 3384 bnnbnb.exe 93 PID 3384 wrote to memory of 3428 3384 bnnbnb.exe 93 PID 3428 wrote to memory of 4188 3428 jvjdp.exe 94 PID 3428 wrote to memory of 4188 3428 jvjdp.exe 94 PID 3428 wrote to memory of 4188 3428 jvjdp.exe 94 PID 4188 wrote to memory of 184 4188 lxrlfxf.exe 95 PID 4188 wrote to memory of 184 4188 lxrlfxf.exe 95 PID 4188 wrote to memory of 184 4188 lxrlfxf.exe 95 PID 184 wrote to memory of 2824 184 3tnnhn.exe 96 PID 184 wrote to memory of 2824 184 3tnnhn.exe 96 PID 184 wrote to memory of 2824 184 3tnnhn.exe 96 PID 2824 wrote to memory of 4448 2824 3pjjv.exe 97 PID 2824 wrote to memory of 4448 2824 3pjjv.exe 97 PID 2824 wrote to memory of 4448 2824 3pjjv.exe 97 PID 4448 wrote to memory of 5000 4448 xlfxlfr.exe 98 PID 4448 wrote to memory of 5000 4448 xlfxlfr.exe 98 PID 4448 wrote to memory of 5000 4448 xlfxlfr.exe 98 PID 5000 wrote to memory of 2164 5000 hnbbnh.exe 157 PID 5000 wrote to memory of 2164 5000 hnbbnh.exe 157 PID 5000 wrote to memory of 2164 5000 hnbbnh.exe 157 PID 2164 wrote to memory of 4596 2164 pvvjv.exe 100 PID 2164 wrote to memory of 4596 2164 pvvjv.exe 100 PID 2164 wrote to memory of 4596 2164 pvvjv.exe 100 PID 4596 wrote to memory of 4988 4596 fxrlxrf.exe 101 PID 4596 wrote to memory of 4988 4596 fxrlxrf.exe 101 PID 4596 wrote to memory of 4988 4596 fxrlxrf.exe 101 PID 4988 wrote to memory of 440 4988 7bhtnn.exe 102 PID 4988 wrote to memory of 440 4988 7bhtnn.exe 102 PID 4988 wrote to memory of 440 4988 7bhtnn.exe 102 PID 440 wrote to memory of 1476 440 bhthtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8.exe"C:\Users\Admin\AppData\Local\Temp\983ae61f1e514ab6d62e0c198fb1d6a934c16f09d57efddd38daca758484f6f8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\xxrrrxx.exec:\xxrrrxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\nbnhbb.exec:\nbnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\5vjdd.exec:\5vjdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\rlrlffx.exec:\rlrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\bttnhh.exec:\bttnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\hbnnhb.exec:\hbnnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\jpvpp.exec:\jpvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\xlfrxlx.exec:\xlfrxlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\pdjvj.exec:\pdjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\xllxxxx.exec:\xllxxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\bnnbnb.exec:\bnnbnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3384 -
\??\c:\jvjdp.exec:\jvjdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\lxrlfxf.exec:\lxrlfxf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\3tnnhn.exec:\3tnnhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\3pjjv.exec:\3pjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\hnbbnh.exec:\hnbbnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\pvvjv.exec:\pvvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\fxrlxrf.exec:\fxrlxrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\7bhtnn.exec:\7bhtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4988 -
\??\c:\bhthtn.exec:\bhthtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\pppdp.exec:\pppdp.exe23⤵
- Executes dropped EXE
PID:1476 -
\??\c:\rfflxrr.exec:\rfflxrr.exe24⤵
- Executes dropped EXE
PID:892 -
\??\c:\bnhbth.exec:\bnhbth.exe25⤵
- Executes dropped EXE
PID:3648 -
\??\c:\nntntt.exec:\nntntt.exe26⤵
- Executes dropped EXE
PID:3064 -
\??\c:\rlxllxr.exec:\rlxllxr.exe27⤵
- Executes dropped EXE
PID:3116 -
\??\c:\ttttnn.exec:\ttttnn.exe28⤵
- Executes dropped EXE
PID:3848 -
\??\c:\9jjvj.exec:\9jjvj.exe29⤵
- Executes dropped EXE
PID:1168 -
\??\c:\1xrfrlr.exec:\1xrfrlr.exe30⤵
- Executes dropped EXE
PID:748 -
\??\c:\htthtt.exec:\htthtt.exe31⤵
- Executes dropped EXE
PID:1500 -
\??\c:\ppjvj.exec:\ppjvj.exe32⤵
- Executes dropped EXE
PID:2788 -
\??\c:\xrxlffl.exec:\xrxlffl.exe33⤵
- Executes dropped EXE
PID:3504 -
\??\c:\7bbhtt.exec:\7bbhtt.exe34⤵
- Executes dropped EXE
PID:1312 -
\??\c:\dddpd.exec:\dddpd.exe35⤵
- Executes dropped EXE
PID:5072 -
\??\c:\frrfrlf.exec:\frrfrlf.exe36⤵
- Executes dropped EXE
PID:792 -
\??\c:\hbthnb.exec:\hbthnb.exe37⤵
- Executes dropped EXE
PID:3308 -
\??\c:\vdjvp.exec:\vdjvp.exe38⤵
- Executes dropped EXE
PID:1756 -
\??\c:\vvvjv.exec:\vvvjv.exe39⤵
- Executes dropped EXE
PID:692 -
\??\c:\7tbnhb.exec:\7tbnhb.exe40⤵
- Executes dropped EXE
PID:4556 -
\??\c:\hnnhnb.exec:\hnnhnb.exe41⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pjjdp.exec:\pjjdp.exe42⤵
- Executes dropped EXE
PID:1540 -
\??\c:\pvvpd.exec:\pvvpd.exe43⤵
- Executes dropped EXE
PID:4112 -
\??\c:\fxfrffr.exec:\fxfrffr.exe44⤵
- Executes dropped EXE
PID:3380 -
\??\c:\ttntnh.exec:\ttntnh.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
\??\c:\7jdvp.exec:\7jdvp.exe46⤵
- Executes dropped EXE
PID:1504 -
\??\c:\jvdpv.exec:\jvdpv.exe47⤵
- Executes dropped EXE
PID:1836 -
\??\c:\1fxlfrf.exec:\1fxlfrf.exe48⤵
- Executes dropped EXE
PID:3264 -
\??\c:\5hhthb.exec:\5hhthb.exe49⤵
- Executes dropped EXE
PID:3644 -
\??\c:\ttthtn.exec:\ttthtn.exe50⤵
- Executes dropped EXE
PID:2268 -
\??\c:\pddpd.exec:\pddpd.exe51⤵
- Executes dropped EXE
PID:1772 -
\??\c:\ppvvp.exec:\ppvvp.exe52⤵
- Executes dropped EXE
PID:2900 -
\??\c:\xlllfff.exec:\xlllfff.exe53⤵
- Executes dropped EXE
PID:4356 -
\??\c:\fflrrrl.exec:\fflrrrl.exe54⤵
- Executes dropped EXE
PID:4824 -
\??\c:\thnnbh.exec:\thnnbh.exe55⤵
- Executes dropped EXE
PID:2692 -
\??\c:\ppjpj.exec:\ppjpj.exe56⤵
- Executes dropped EXE
PID:4588 -
\??\c:\jvdvp.exec:\jvdvp.exe57⤵
- Executes dropped EXE
PID:3964 -
\??\c:\fffxfxr.exec:\fffxfxr.exe58⤵
- Executes dropped EXE
PID:4496 -
\??\c:\lfxlxrl.exec:\lfxlxrl.exe59⤵
- Executes dropped EXE
PID:392 -
\??\c:\thhbbt.exec:\thhbbt.exe60⤵
- Executes dropped EXE
PID:1960 -
\??\c:\pdvjd.exec:\pdvjd.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312 -
\??\c:\jvvjd.exec:\jvvjd.exe62⤵
- Executes dropped EXE
PID:2272 -
\??\c:\9flflfl.exec:\9flflfl.exe63⤵
- Executes dropped EXE
PID:4500 -
\??\c:\rfxrrlr.exec:\rfxrrlr.exe64⤵
- Executes dropped EXE
PID:3688 -
\??\c:\nhhtht.exec:\nhhtht.exe65⤵
- Executes dropped EXE
PID:4108 -
\??\c:\pjjdd.exec:\pjjdd.exe66⤵PID:3412
-
\??\c:\jpppd.exec:\jpppd.exe67⤵PID:3988
-
\??\c:\3hhbnh.exec:\3hhbnh.exe68⤵PID:1492
-
\??\c:\ttbnht.exec:\ttbnht.exe69⤵PID:2008
-
\??\c:\jjvvd.exec:\jjvvd.exe70⤵PID:4400
-
\??\c:\xlxrlfr.exec:\xlxrlfr.exe71⤵PID:712
-
\??\c:\fxxlxfr.exec:\fxxlxfr.exe72⤵PID:2104
-
\??\c:\bnttnh.exec:\bnttnh.exe73⤵PID:5040
-
\??\c:\1bhthh.exec:\1bhthh.exe74⤵
- System Location Discovery: System Language Discovery
PID:5004 -
\??\c:\1jvjv.exec:\1jvjv.exe75⤵PID:860
-
\??\c:\vpjvj.exec:\vpjvj.exe76⤵PID:2584
-
\??\c:\3rrflfx.exec:\3rrflfx.exe77⤵PID:2164
-
\??\c:\9ffrflx.exec:\9ffrflx.exe78⤵PID:4740
-
\??\c:\bntnbn.exec:\bntnbn.exe79⤵PID:2760
-
\??\c:\pdvjp.exec:\pdvjp.exe80⤵PID:1852
-
\??\c:\vvddj.exec:\vvddj.exe81⤵PID:4992
-
\??\c:\7llxrrf.exec:\7llxrrf.exe82⤵PID:2836
-
\??\c:\7xlfrrl.exec:\7xlfrrl.exe83⤵PID:2136
-
\??\c:\3tthtn.exec:\3tthtn.exe84⤵PID:372
-
\??\c:\htnbtn.exec:\htnbtn.exe85⤵PID:4884
-
\??\c:\vvdpj.exec:\vvdpj.exe86⤵PID:3972
-
\??\c:\vjpjv.exec:\vjpjv.exe87⤵PID:4344
-
\??\c:\ffxlxrf.exec:\ffxlxrf.exe88⤵PID:2424
-
\??\c:\xxfrfxf.exec:\xxfrfxf.exe89⤵PID:3848
-
\??\c:\httnnh.exec:\httnnh.exe90⤵PID:1512
-
\??\c:\vppdd.exec:\vppdd.exe91⤵PID:748
-
\??\c:\jjdvp.exec:\jjdvp.exe92⤵PID:3856
-
\??\c:\7frfrlx.exec:\7frfrlx.exe93⤵PID:1764
-
\??\c:\frrfrlf.exec:\frrfrlf.exe94⤵PID:3036
-
\??\c:\hbbbnt.exec:\hbbbnt.exe95⤵PID:4504
-
\??\c:\btbnhn.exec:\btbnhn.exe96⤵PID:1920
-
\??\c:\dvpjv.exec:\dvpjv.exe97⤵PID:1256
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe98⤵PID:1928
-
\??\c:\3xlxlfr.exec:\3xlxlfr.exe99⤵PID:3916
-
\??\c:\nbbtbt.exec:\nbbtbt.exe100⤵PID:4476
-
\??\c:\tbthtn.exec:\tbthtn.exe101⤵PID:3936
-
\??\c:\vppjv.exec:\vppjv.exe102⤵PID:2872
-
\??\c:\9pdpd.exec:\9pdpd.exe103⤵PID:1632
-
\??\c:\5lxrxrx.exec:\5lxrxrx.exe104⤵PID:4404
-
\??\c:\5tbtnt.exec:\5tbtnt.exe105⤵PID:4848
-
\??\c:\bbthnh.exec:\bbthnh.exe106⤵PID:3052
-
\??\c:\7vjdp.exec:\7vjdp.exe107⤵PID:1540
-
\??\c:\dvdvd.exec:\dvdvd.exe108⤵PID:4112
-
\??\c:\3xxxrll.exec:\3xxxrll.exe109⤵PID:4832
-
\??\c:\9htnnn.exec:\9htnnn.exe110⤵PID:3708
-
\??\c:\tbbnbt.exec:\tbbnbt.exe111⤵PID:2192
-
\??\c:\ddpvd.exec:\ddpvd.exe112⤵PID:3712
-
\??\c:\xlrflxf.exec:\xlrflxf.exe113⤵PID:1076
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe114⤵PID:2308
-
\??\c:\bbttnn.exec:\bbttnn.exe115⤵PID:4744
-
\??\c:\3tnhnh.exec:\3tnhnh.exe116⤵PID:4432
-
\??\c:\7dvpp.exec:\7dvpp.exe117⤵PID:4368
-
\??\c:\9djjp.exec:\9djjp.exe118⤵PID:4372
-
\??\c:\jjpdv.exec:\jjpdv.exe119⤵PID:4340
-
\??\c:\ffxfrlx.exec:\ffxfrlx.exe120⤵PID:2112
-
\??\c:\llrfllx.exec:\llrfllx.exe121⤵PID:5100
-
\??\c:\3btnhh.exec:\3btnhh.exe122⤵PID:2680