Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 01:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe
-
Size
454KB
-
MD5
a283e376125e3a47c88b2e7c1d5f6c4e
-
SHA1
ead8f9437a61757c2da005fcc3570ea1c36e30e2
-
SHA256
abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c
-
SHA512
14b4f957f96c71423ab2c757e12a9cc5342d9c9eeaa6e13458efb2284c868a463e0b0a09b133f4e28c32cf97268be81e5e7734d39df652e62387dcb6e7ba468d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1R:q7Tc2NYHUrAwfMp3CD1R
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3352-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/728-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2448-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/992-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-1291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-1923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1264 bnhbht.exe 4040 jdjvp.exe 1376 hbnhtt.exe 4736 5vvpd.exe 868 dddvd.exe 3528 bbhbbn.exe 1808 vjjdp.exe 2344 7rlflfx.exe 2260 fllffxr.exe 2200 ffllxxr.exe 2976 bbnnhb.exe 2840 xlxxxlf.exe 3040 7fxlfxr.exe 1496 1flfrrl.exe 2068 vddpd.exe 4896 httnhh.exe 3440 bhhtbb.exe 3588 djpjd.exe 3268 jdjvj.exe 404 xlfxrlf.exe 1452 9nnhnh.exe 4752 lxxxrfx.exe 3436 3nhbnh.exe 2744 rfrxxfl.exe 3572 tntnhb.exe 212 dvdvp.exe 3172 9ttnbb.exe 3516 nthtnh.exe 5100 xlrlfxx.exe 728 ddppj.exe 4088 5xrlfxx.exe 4964 jjpjj.exe 1444 rflffff.exe 4660 nnnnhn.exe 4484 jjdvp.exe 4264 lrxrrxx.exe 1812 bhntnn.exe 3640 djpdv.exe 2872 xfrrffx.exe 1080 hhhhbt.exe 2560 hbhtnh.exe 1420 vpdvv.exe 4420 xrfrllf.exe 2544 1thbnn.exe 3992 jjpjv.exe 4100 xlrrxrr.exe 2632 rllxlrx.exe 548 ttbbhh.exe 872 jddvp.exe 4940 7rxfllx.exe 868 frfrrfr.exe 4892 bbtnhh.exe 4972 9ddvj.exe 1412 frrxfxx.exe 888 thnhbb.exe 1344 9btntt.exe 4944 jjpdv.exe 1092 rllfxxr.exe 3668 bhhbbb.exe 2964 ntnbnt.exe 2200 jvdvj.exe 2976 fxxlxrr.exe 2840 1bnhbb.exe 3868 jdppv.exe -
resource yara_rule behavioral2/memory/3352-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4964-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-363-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1920-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/992-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-914-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrxrx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3352 wrote to memory of 1264 3352 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 82 PID 3352 wrote to memory of 1264 3352 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 82 PID 3352 wrote to memory of 1264 3352 abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe 82 PID 1264 wrote to memory of 4040 1264 bnhbht.exe 83 PID 1264 wrote to memory of 4040 1264 bnhbht.exe 83 PID 1264 wrote to memory of 4040 1264 bnhbht.exe 83 PID 4040 wrote to memory of 1376 4040 jdjvp.exe 84 PID 4040 wrote to memory of 1376 4040 jdjvp.exe 84 PID 4040 wrote to memory of 1376 4040 jdjvp.exe 84 PID 1376 wrote to memory of 4736 1376 hbnhtt.exe 85 PID 1376 wrote to memory of 4736 1376 hbnhtt.exe 85 PID 1376 wrote to memory of 4736 1376 hbnhtt.exe 85 PID 4736 wrote to memory of 868 4736 5vvpd.exe 86 PID 4736 wrote to memory of 868 4736 5vvpd.exe 86 PID 4736 wrote to memory of 868 4736 5vvpd.exe 86 PID 868 wrote to memory of 3528 868 dddvd.exe 87 PID 868 wrote to memory of 3528 868 dddvd.exe 87 PID 868 wrote to memory of 3528 868 dddvd.exe 87 PID 3528 wrote to memory of 1808 3528 bbhbbn.exe 88 PID 3528 wrote to memory of 1808 3528 bbhbbn.exe 88 PID 3528 wrote to memory of 1808 3528 bbhbbn.exe 88 PID 1808 wrote to memory of 2344 1808 vjjdp.exe 89 PID 1808 wrote to memory of 2344 1808 vjjdp.exe 89 PID 1808 wrote to memory of 2344 1808 vjjdp.exe 89 PID 2344 wrote to memory of 2260 2344 7rlflfx.exe 90 PID 2344 wrote to memory of 2260 2344 7rlflfx.exe 90 PID 2344 wrote to memory of 2260 2344 7rlflfx.exe 90 PID 2260 wrote to memory of 2200 2260 fllffxr.exe 91 PID 2260 wrote to memory of 2200 2260 fllffxr.exe 91 PID 2260 wrote to memory of 2200 2260 fllffxr.exe 91 PID 2200 wrote to memory of 2976 2200 ffllxxr.exe 92 PID 2200 wrote to memory of 2976 2200 ffllxxr.exe 92 PID 2200 wrote to memory of 2976 2200 ffllxxr.exe 92 PID 2976 wrote to memory of 2840 2976 bbnnhb.exe 93 PID 2976 wrote to memory of 
2840 2976 bbnnhb.exe 93 PID 2976 wrote to memory of 2840 2976 bbnnhb.exe 93 PID 2840 wrote to memory of 3040 2840 xlxxxlf.exe 94 PID 2840 wrote to memory of 3040 2840 xlxxxlf.exe 94 PID 2840 wrote to memory of 3040 2840 xlxxxlf.exe 94 PID 3040 wrote to memory of 1496 3040 7fxlfxr.exe 95 PID 3040 wrote to memory of 1496 3040 7fxlfxr.exe 95 PID 3040 wrote to memory of 1496 3040 7fxlfxr.exe 95 PID 1496 wrote to memory of 2068 1496 1flfrrl.exe 96 PID 1496 wrote to memory of 2068 1496 1flfrrl.exe 96 PID 1496 wrote to memory of 2068 1496 1flfrrl.exe 96 PID 2068 wrote to memory of 4896 2068 vddpd.exe 97 PID 2068 wrote to memory of 4896 2068 vddpd.exe 97 PID 2068 wrote to memory of 4896 2068 vddpd.exe 97 PID 4896 wrote to memory of 3440 4896 httnhh.exe 98 PID 4896 wrote to memory of 3440 4896 httnhh.exe 98 PID 4896 wrote to memory of 3440 4896 httnhh.exe 98 PID 3440 wrote to memory of 3588 3440 bhhtbb.exe 99 PID 3440 wrote to memory of 3588 3440 bhhtbb.exe 99 PID 3440 wrote to memory of 3588 3440 bhhtbb.exe 99 PID 3588 wrote to memory of 3268 3588 djpjd.exe 100 PID 3588 wrote to memory of 3268 3588 djpjd.exe 100 PID 3588 wrote to memory of 3268 3588 djpjd.exe 100 PID 3268 wrote to memory of 404 3268 jdjvj.exe 101 PID 3268 wrote to memory of 404 3268 jdjvj.exe 101 PID 3268 wrote to memory of 404 3268 jdjvj.exe 101 PID 404 wrote to memory of 1452 404 xlfxrlf.exe 102 PID 404 wrote to memory of 1452 404 xlfxrlf.exe 102 PID 404 wrote to memory of 1452 404 xlfxrlf.exe 102 PID 1452 wrote to memory of 4752 1452 9nnhnh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe"C:\Users\Admin\AppData\Local\Temp\abff855862c1ee7ad2007a2b7c7468726f6e3004fc4425255deb221fa7e9ae7c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\bnhbht.exec:\bnhbht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\jdjvp.exec:\jdjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\hbnhtt.exec:\hbnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\5vvpd.exec:\5vvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\dddvd.exec:\dddvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\bbhbbn.exec:\bbhbbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\vjjdp.exec:\vjjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\7rlflfx.exec:\7rlflfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\fllffxr.exec:\fllffxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\ffllxxr.exec:\ffllxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\bbnnhb.exec:\bbnnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\xlxxxlf.exec:\xlxxxlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\7fxlfxr.exec:\7fxlfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\1flfrrl.exec:\1flfrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\vddpd.exec:\vddpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\httnhh.exec:\httnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\bhhtbb.exec:\bhhtbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3440 -
\??\c:\djpjd.exec:\djpjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\jdjvj.exec:\jdjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\xlfxrlf.exec:\xlfxrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\9nnhnh.exec:\9nnhnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\lxxxrfx.exec:\lxxxrfx.exe23⤵
- Executes dropped EXE
PID:4752 -
\??\c:\3nhbnh.exec:\3nhbnh.exe24⤵
- Executes dropped EXE
PID:3436 -
\??\c:\rfrxxfl.exec:\rfrxxfl.exe25⤵
- Executes dropped EXE
PID:2744 -
\??\c:\tntnhb.exec:\tntnhb.exe26⤵
- Executes dropped EXE
PID:3572 -
\??\c:\dvdvp.exec:\dvdvp.exe27⤵
- Executes dropped EXE
PID:212 -
\??\c:\9ttnbb.exec:\9ttnbb.exe28⤵
- Executes dropped EXE
PID:3172 -
\??\c:\nthtnh.exec:\nthtnh.exe29⤵
- Executes dropped EXE
PID:3516 -
\??\c:\xlrlfxx.exec:\xlrlfxx.exe30⤵
- Executes dropped EXE
PID:5100 -
\??\c:\ddppj.exec:\ddppj.exe31⤵
- Executes dropped EXE
PID:728 -
\??\c:\5xrlfxx.exec:\5xrlfxx.exe32⤵
- Executes dropped EXE
PID:4088 -
\??\c:\jjpjj.exec:\jjpjj.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4964 -
\??\c:\rflffff.exec:\rflffff.exe34⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nnnnhn.exec:\nnnnhn.exe35⤵
- Executes dropped EXE
PID:4660 -
\??\c:\jjdvp.exec:\jjdvp.exe36⤵
- Executes dropped EXE
PID:4484 -
\??\c:\lrxrrxx.exec:\lrxrrxx.exe37⤵
- Executes dropped EXE
PID:4264 -
\??\c:\bhntnn.exec:\bhntnn.exe38⤵
- Executes dropped EXE
PID:1812 -
\??\c:\djpdv.exec:\djpdv.exe39⤵
- Executes dropped EXE
PID:3640 -
\??\c:\xfrrffx.exec:\xfrrffx.exe40⤵
- Executes dropped EXE
PID:2872 -
\??\c:\hhhhbt.exec:\hhhhbt.exe41⤵
- Executes dropped EXE
PID:1080 -
\??\c:\hbhtnh.exec:\hbhtnh.exe42⤵
- Executes dropped EXE
PID:2560 -
\??\c:\vpdvv.exec:\vpdvv.exe43⤵
- Executes dropped EXE
PID:1420 -
\??\c:\xrfrllf.exec:\xrfrllf.exe44⤵
- Executes dropped EXE
PID:4420 -
\??\c:\1thbnn.exec:\1thbnn.exe45⤵
- Executes dropped EXE
PID:2544 -
\??\c:\jjpjv.exec:\jjpjv.exe46⤵
- Executes dropped EXE
PID:3992 -
\??\c:\xlrrxrr.exec:\xlrrxrr.exe47⤵
- Executes dropped EXE
PID:4100 -
\??\c:\rllxlrx.exec:\rllxlrx.exe48⤵
- Executes dropped EXE
PID:2632 -
\??\c:\ttbbhh.exec:\ttbbhh.exe49⤵
- Executes dropped EXE
PID:548 -
\??\c:\jddvp.exec:\jddvp.exe50⤵
- Executes dropped EXE
PID:872 -
\??\c:\7rxfllx.exec:\7rxfllx.exe51⤵
- Executes dropped EXE
PID:4940 -
\??\c:\frfrrfr.exec:\frfrrfr.exe52⤵
- Executes dropped EXE
PID:868 -
\??\c:\bbtnhh.exec:\bbtnhh.exe53⤵
- Executes dropped EXE
PID:4892 -
\??\c:\9ddvj.exec:\9ddvj.exe54⤵
- Executes dropped EXE
PID:4972 -
\??\c:\frrxfxx.exec:\frrxfxx.exe55⤵
- Executes dropped EXE
PID:1412 -
\??\c:\thnhbb.exec:\thnhbb.exe56⤵
- Executes dropped EXE
PID:888 -
\??\c:\9btntt.exec:\9btntt.exe57⤵
- Executes dropped EXE
PID:1344 -
\??\c:\jjpdv.exec:\jjpdv.exe58⤵
- Executes dropped EXE
PID:4944 -
\??\c:\rllfxxr.exec:\rllfxxr.exe59⤵
- Executes dropped EXE
PID:1092 -
\??\c:\bhhbbb.exec:\bhhbbb.exe60⤵
- Executes dropped EXE
PID:3668 -
\??\c:\ntnbnt.exec:\ntnbnt.exe61⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jvdvj.exec:\jvdvj.exe62⤵
- Executes dropped EXE
PID:2200 -
\??\c:\fxxlxrr.exec:\fxxlxrr.exe63⤵
- Executes dropped EXE
PID:2976 -
\??\c:\1bnhbb.exec:\1bnhbb.exe64⤵
- Executes dropped EXE
PID:2840 -
\??\c:\jdppv.exec:\jdppv.exe65⤵
- Executes dropped EXE
PID:3868 -
\??\c:\fxrlfxf.exec:\fxrlfxf.exe66⤵PID:3040
-
\??\c:\nnhtnb.exec:\nnhtnb.exe67⤵PID:3044
-
\??\c:\dvjdv.exec:\dvjdv.exe68⤵PID:1192
-
\??\c:\rrllxxr.exec:\rrllxxr.exe69⤵PID:3660
-
\??\c:\rfrlfxx.exec:\rfrlfxx.exe70⤵PID:2068
-
\??\c:\bhhhtt.exec:\bhhhtt.exe71⤵PID:3688
-
\??\c:\vjjdv.exec:\vjjdv.exe72⤵PID:1468
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe73⤵PID:664
-
\??\c:\xxxllff.exec:\xxxllff.exe74⤵PID:3588
-
\??\c:\thnhbb.exec:\thnhbb.exe75⤵PID:2448
-
\??\c:\3dvpp.exec:\3dvpp.exe76⤵PID:4748
-
\??\c:\ttnbtn.exec:\ttnbtn.exe77⤵PID:1288
-
\??\c:\hhbtnn.exec:\hhbtnn.exe78⤵PID:3632
-
\??\c:\jdpjp.exec:\jdpjp.exe79⤵PID:2704
-
\??\c:\rxxrfxr.exec:\rxxrfxr.exe80⤵PID:4840
-
\??\c:\hhbnhb.exec:\hhbnhb.exe81⤵PID:2860
-
\??\c:\tbhbnn.exec:\tbhbnn.exe82⤵PID:4872
-
\??\c:\7vjvj.exec:\7vjvj.exe83⤵PID:2144
-
\??\c:\lfllffl.exec:\lfllffl.exe84⤵PID:388
-
\??\c:\ttthbb.exec:\ttthbb.exe85⤵PID:876
-
\??\c:\jjdvp.exec:\jjdvp.exe86⤵PID:4792
-
\??\c:\ppvpp.exec:\ppvpp.exe87⤵PID:3572
-
\??\c:\lfffxrl.exec:\lfffxrl.exe88⤵PID:2724
-
\??\c:\hhhhbh.exec:\hhhhbh.exe89⤵PID:2884
-
\??\c:\jddvp.exec:\jddvp.exe90⤵PID:2508
-
\??\c:\jjpjj.exec:\jjpjj.exe91⤵PID:3516
-
\??\c:\1lxrllf.exec:\1lxrllf.exe92⤵PID:5100
-
\??\c:\nnbthb.exec:\nnbthb.exe93⤵PID:1920
-
\??\c:\jpppj.exec:\jpppj.exe94⤵PID:728
-
\??\c:\7xxrlrr.exec:\7xxrlrr.exe95⤵PID:4088
-
\??\c:\5bhtbt.exec:\5bhtbt.exe96⤵PID:432
-
\??\c:\dpvjd.exec:\dpvjd.exe97⤵PID:4572
-
\??\c:\jpvjd.exec:\jpvjd.exe98⤵PID:4344
-
\??\c:\7rxxrrr.exec:\7rxxrrr.exe99⤵PID:2492
-
\??\c:\thttbb.exec:\thttbb.exe100⤵
- System Location Discovery: System Language Discovery
PID:100 -
\??\c:\jvjpp.exec:\jvjpp.exe101⤵PID:1100
-
\??\c:\rrrrrrr.exec:\rrrrrrr.exe102⤵PID:3860
-
\??\c:\rrllrlr.exec:\rrllrlr.exe103⤵PID:860
-
\??\c:\bbbbtt.exec:\bbbbtt.exe104⤵PID:4432
-
\??\c:\jvppj.exec:\jvppj.exe105⤵PID:2124
-
\??\c:\flxlxfr.exec:\flxlxfr.exe106⤵PID:4136
-
\??\c:\tnnhhb.exec:\tnnhhb.exe107⤵PID:4708
-
\??\c:\ddvvp.exec:\ddvvp.exe108⤵PID:4420
-
\??\c:\pvdvv.exec:\pvdvv.exe109⤵PID:3380
-
\??\c:\xrxrrlf.exec:\xrxrrlf.exe110⤵PID:4876
-
\??\c:\bhhbbb.exec:\bhhbbb.exe111⤵PID:1660
-
\??\c:\jjjjj.exec:\jjjjj.exe112⤵PID:1304
-
\??\c:\rxllflr.exec:\rxllflr.exe113⤵PID:4736
-
\??\c:\nbbbtt.exec:\nbbbtt.exe114⤵PID:2368
-
\??\c:\tnhbtt.exec:\tnhbtt.exe115⤵PID:1940
-
\??\c:\ddjdv.exec:\ddjdv.exe116⤵PID:992
-
\??\c:\1frflll.exec:\1frflll.exe117⤵PID:1172
-
\??\c:\5xxxrrl.exec:\5xxxrrl.exe118⤵PID:3948
-
\??\c:\9tntht.exec:\9tntht.exe119⤵PID:4020
-
\??\c:\pvddv.exec:\pvddv.exe120⤵PID:724
-
\??\c:\5lllflf.exec:\5lllflf.exe121⤵PID:1336
-
\??\c:\ttbbhh.exec:\ttbbhh.exe122⤵PID:3196