Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd.exe
-
Size
347KB
-
MD5
38e98d30b76a63660ce41fa09158f92e
-
SHA1
fc920207517535b1d2acda98f910bb31865bd970
-
SHA256
e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd
-
SHA512
90ffd9fcd1656e8c52788dcd8a0c5f01c92fb8692cf4d77321acb12ac6a991f9130cfbfb20e6c20c383111b0c15e2b337a4641134b06aa1db18936b0ab497fea
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAp:l7TcbWXZshJX2VGdp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3696-6-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2460-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1880-17-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1988-24-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3672-30-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1640-40-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1560-46-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2104-52-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2184-62-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2020-66-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4476-87-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3512-80-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4360-93-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3248-104-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/556-111-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4808-117-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4248-123-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4832-129-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3176-141-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2860-157-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4752-169-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/1532-168-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3548-180-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4776-189-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2168-193-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2864-197-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5108-201-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5080-205-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3172-218-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3920-222-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4020-232-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2140-251-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1188-258-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/860-271-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1884-278-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4404-291-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1924-295-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/812-320-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3692-336-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2260-340-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4376-347-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/972-369-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3768-373-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4648-383-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/648-396-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1208-400-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3960-404-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5044-414-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2000-445-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3056-452-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4916-459-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4016-472-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2948-486-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4416-493-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4224-512-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1808-579-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3960-589-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2768-614-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4280-759-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1392-853-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2576-939-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4140-943-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2480-1636-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2460 ppjdv.exe 1880 nhhbtt.exe 1988 lfxrxxf.exe 1820 7hhhbh.exe 3672 vjdvj.exe 1640 dddjv.exe 1560 thhbnh.exe 2104 lrrfrrf.exe 1448 vvdvd.exe 2184 rllfxfr.exe 2020 hhhnhh.exe 3056 dppvp.exe 3512 nhbtnh.exe 4476 dvjdv.exe 4360 pppjd.exe 1868 1xlffxf.exe 3248 pvjjv.exe 556 fflxlfx.exe 4808 hbbtnh.exe 4248 lflfxrr.exe 4832 bbhhnn.exe 1272 llffxrr.exe 3176 tbbnhh.exe 4156 vdjjv.exe 436 bnbbbt.exe 2260 hthbtn.exe 2860 djppj.exe 1532 lrfrlff.exe 4752 dvppj.exe 3548 ppppd.exe 2828 lfxrrrl.exe 4776 xrfxfxl.exe 2168 1dpdv.exe 2864 rxxrfxl.exe 5108 ppjdp.exe 5080 xflfrfl.exe 3556 9nthbb.exe 2648 djjjd.exe 1252 xrfxxxr.exe 3172 nnnhtt.exe 3920 3nhbtn.exe 2460 7dddj.exe 5016 rrrllfx.exe 4020 5rrxlfx.exe 1820 nttttb.exe 700 1pvjv.exe 3932 fxxfrfl.exe 4580 thbbtn.exe 984 5tbnhh.exe 2140 5jpjp.exe 4348 9vvjj.exe 1188 xlrfxrx.exe 1932 bnthtn.exe 652 jvpdv.exe 2000 vpjdv.exe 860 fllxlfl.exe 2372 ttnhbh.exe 1884 9nbttt.exe 3512 jpvdv.exe 4476 lflxfll.exe 3828 9lxfffl.exe 4404 9tbtth.exe 1924 ppjdj.exe 3532 lllxxrl.exe -
resource yara_rule behavioral2/memory/3696-6-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2460-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1880-17-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1988-24-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3672-30-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1640-40-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1560-46-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2104-52-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2184-62-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2020-66-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4360-88-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4476-87-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3512-80-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4360-93-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3248-104-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/556-111-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4808-112-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4808-117-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4248-123-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4832-129-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3176-141-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2860-157-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4752-169-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1532-168-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3548-180-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4776-189-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2168-193-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2864-197-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5108-201-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5080-205-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3172-218-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3920-222-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4020-232-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2140-251-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1188-258-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/860-271-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1884-278-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4404-291-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1924-295-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/812-320-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3692-336-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2260-340-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4376-347-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/972-369-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3768-373-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4648-383-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/648-396-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1208-400-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3960-404-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5044-414-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2000-445-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3056-452-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4916-459-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4016-472-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2948-482-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2948-486-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4416-493-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4224-512-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1808-579-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3960-589-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2768-614-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4280-759-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1392-853-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3548-905-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3696 wrote to memory of 2460 3696 e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd.exe 84 PID 3696 wrote to memory of 2460 3696 e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd.exe 84 PID 3696 wrote to memory of 2460 3696 e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd.exe 84 PID 2460 wrote to memory of 1880 2460 ppjdv.exe 85 PID 2460 wrote to memory of 1880 2460 ppjdv.exe 85 PID 2460 wrote to memory of 1880 2460 ppjdv.exe 85 PID 1880 wrote to memory of 1988 1880 nhhbtt.exe 86 PID 1880 wrote to memory of 1988 1880 nhhbtt.exe 86 PID 1880 wrote to memory of 1988 1880 nhhbtt.exe 86 PID 1988 wrote to memory of 1820 1988 lfxrxxf.exe 87 PID 1988 wrote to memory of 1820 1988 lfxrxxf.exe 87 PID 1988 wrote to memory of 1820 1988 lfxrxxf.exe 87 PID 1820 wrote to memory of 3672 1820 7hhhbh.exe 88 PID 1820 wrote to memory of 3672 1820 7hhhbh.exe 88 PID 1820 wrote to memory of 3672 1820 7hhhbh.exe 88 PID 3672 wrote to memory of 1640 3672 vjdvj.exe 89 PID 3672 wrote to memory of 1640 3672 vjdvj.exe 89 PID 3672 wrote to memory of 1640 3672 vjdvj.exe 89 PID 1640 wrote to memory of 1560 1640 dddjv.exe 90 PID 1640 wrote to memory of 1560 1640 dddjv.exe 90 PID 1640 wrote to memory of 1560 1640 dddjv.exe 90 PID 1560 wrote to memory of 2104 1560 thhbnh.exe 91 PID 1560 wrote to memory of 2104 1560 thhbnh.exe 91 PID 1560 wrote to memory of 2104 1560 thhbnh.exe 91 PID 2104 wrote to memory of 1448 2104 lrrfrrf.exe 92 PID 2104 wrote to memory of 1448 2104 lrrfrrf.exe 92 PID 2104 wrote to memory of 1448 2104 lrrfrrf.exe 92 PID 1448 wrote to memory of 2184 1448 vvdvd.exe 93 PID 1448 wrote to memory of 2184 1448 vvdvd.exe 93 PID 1448 wrote to memory of 2184 1448 vvdvd.exe 93 PID 2184 wrote to memory of 2020 2184 rllfxfr.exe 94 PID 2184 wrote to memory of 2020 2184 rllfxfr.exe 94 PID 2184 wrote to memory of 2020 2184 rllfxfr.exe 94 PID 2020 wrote to memory of 3056 2020 hhhnhh.exe 95 PID 2020 wrote to 
memory of 3056 2020 hhhnhh.exe 95 PID 2020 wrote to memory of 3056 2020 hhhnhh.exe 95 PID 3056 wrote to memory of 3512 3056 dppvp.exe 96 PID 3056 wrote to memory of 3512 3056 dppvp.exe 96 PID 3056 wrote to memory of 3512 3056 dppvp.exe 96 PID 3512 wrote to memory of 4476 3512 nhbtnh.exe 97 PID 3512 wrote to memory of 4476 3512 nhbtnh.exe 97 PID 3512 wrote to memory of 4476 3512 nhbtnh.exe 97 PID 4476 wrote to memory of 4360 4476 dvjdv.exe 98 PID 4476 wrote to memory of 4360 4476 dvjdv.exe 98 PID 4476 wrote to memory of 4360 4476 dvjdv.exe 98 PID 4360 wrote to memory of 1868 4360 pppjd.exe 99 PID 4360 wrote to memory of 1868 4360 pppjd.exe 99 PID 4360 wrote to memory of 1868 4360 pppjd.exe 99 PID 1868 wrote to memory of 3248 1868 1xlffxf.exe 100 PID 1868 wrote to memory of 3248 1868 1xlffxf.exe 100 PID 1868 wrote to memory of 3248 1868 1xlffxf.exe 100 PID 3248 wrote to memory of 556 3248 pvjjv.exe 101 PID 3248 wrote to memory of 556 3248 pvjjv.exe 101 PID 3248 wrote to memory of 556 3248 pvjjv.exe 101 PID 556 wrote to memory of 4808 556 fflxlfx.exe 102 PID 556 wrote to memory of 4808 556 fflxlfx.exe 102 PID 556 wrote to memory of 4808 556 fflxlfx.exe 102 PID 4808 wrote to memory of 4248 4808 hbbtnh.exe 103 PID 4808 wrote to memory of 4248 4808 hbbtnh.exe 103 PID 4808 wrote to memory of 4248 4808 hbbtnh.exe 103 PID 4248 wrote to memory of 4832 4248 lflfxrr.exe 104 PID 4248 wrote to memory of 4832 4248 lflfxrr.exe 104 PID 4248 wrote to memory of 4832 4248 lflfxrr.exe 104 PID 4832 wrote to memory of 1272 4832 bbhhnn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd.exe"C:\Users\Admin\AppData\Local\Temp\e5355bb2a93403d04b4505a06b58da40cbb1784cf82213295eecea82ff8359dd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\ppjdv.exec:\ppjdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\nhhbtt.exec:\nhhbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\7hhhbh.exec:\7hhhbh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\vjdvj.exec:\vjdvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\dddjv.exec:\dddjv.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\thhbnh.exec:\thhbnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\lrrfrrf.exec:\lrrfrrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\vvdvd.exec:\vvdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\rllfxfr.exec:\rllfxfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\hhhnhh.exec:\hhhnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\dppvp.exec:\dppvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\nhbtnh.exec:\nhbtnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\dvjdv.exec:\dvjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\pppjd.exec:\pppjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\1xlffxf.exec:\1xlffxf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\pvjjv.exec:\pvjjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\fflxlfx.exec:\fflxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\hbbtnh.exec:\hbbtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\lflfxrr.exec:\lflfxrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\bbhhnn.exec:\bbhhnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\llffxrr.exec:\llffxrr.exe23⤵
- Executes dropped EXE
PID:1272 -
\??\c:\tbbnhh.exec:\tbbnhh.exe24⤵
- Executes dropped EXE
PID:3176 -
\??\c:\vdjjv.exec:\vdjjv.exe25⤵
- Executes dropped EXE
PID:4156 -
\??\c:\bnbbbt.exec:\bnbbbt.exe26⤵
- Executes dropped EXE
PID:436 -
\??\c:\hthbtn.exec:\hthbtn.exe27⤵
- Executes dropped EXE
PID:2260 -
\??\c:\djppj.exec:\djppj.exe28⤵
- Executes dropped EXE
PID:2860 -
\??\c:\lrfrlff.exec:\lrfrlff.exe29⤵
- Executes dropped EXE
PID:1532 -
\??\c:\dvppj.exec:\dvppj.exe30⤵
- Executes dropped EXE
PID:4752 -
\??\c:\ppppd.exec:\ppppd.exe31⤵
- Executes dropped EXE
PID:3548 -
\??\c:\lfxrrrl.exec:\lfxrrrl.exe32⤵
- Executes dropped EXE
PID:2828 -
\??\c:\xrfxfxl.exec:\xrfxfxl.exe33⤵
- Executes dropped EXE
PID:4776 -
\??\c:\1dpdv.exec:\1dpdv.exe34⤵
- Executes dropped EXE
PID:2168 -
\??\c:\rxxrfxl.exec:\rxxrfxl.exe35⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ppjdp.exec:\ppjdp.exe36⤵
- Executes dropped EXE
PID:5108 -
\??\c:\xflfrfl.exec:\xflfrfl.exe37⤵
- Executes dropped EXE
PID:5080 -
\??\c:\9nthbb.exec:\9nthbb.exe38⤵
- Executes dropped EXE
PID:3556 -
\??\c:\djjjd.exec:\djjjd.exe39⤵
- Executes dropped EXE
PID:2648 -
\??\c:\xrfxxxr.exec:\xrfxxxr.exe40⤵
- Executes dropped EXE
PID:1252 -
\??\c:\nnnhtt.exec:\nnnhtt.exe41⤵
- Executes dropped EXE
PID:3172 -
\??\c:\3nhbtn.exec:\3nhbtn.exe42⤵
- Executes dropped EXE
PID:3920 -
\??\c:\7dddj.exec:\7dddj.exe43⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rrrllfx.exec:\rrrllfx.exe44⤵
- Executes dropped EXE
PID:5016 -
\??\c:\5rrxlfx.exec:\5rrxlfx.exe45⤵
- Executes dropped EXE
PID:4020 -
\??\c:\nttttb.exec:\nttttb.exe46⤵
- Executes dropped EXE
PID:1820 -
\??\c:\1pvjv.exec:\1pvjv.exe47⤵
- Executes dropped EXE
PID:700 -
\??\c:\fxxfrfl.exec:\fxxfrfl.exe48⤵
- Executes dropped EXE
PID:3932 -
\??\c:\thbbtn.exec:\thbbtn.exe49⤵
- Executes dropped EXE
PID:4580 -
\??\c:\5tbnhh.exec:\5tbnhh.exe50⤵
- Executes dropped EXE
PID:984 -
\??\c:\5jpjp.exec:\5jpjp.exe51⤵
- Executes dropped EXE
PID:2140 -
\??\c:\9vvjj.exec:\9vvjj.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4348 -
\??\c:\xlrfxrx.exec:\xlrfxrx.exe53⤵
- Executes dropped EXE
PID:1188 -
\??\c:\bnthtn.exec:\bnthtn.exe54⤵
- Executes dropped EXE
PID:1932 -
\??\c:\jvpdv.exec:\jvpdv.exe55⤵
- Executes dropped EXE
PID:652 -
\??\c:\vpjdv.exec:\vpjdv.exe56⤵
- Executes dropped EXE
PID:2000 -
\??\c:\fllxlfl.exec:\fllxlfl.exe57⤵
- Executes dropped EXE
PID:860 -
\??\c:\ttnhbh.exec:\ttnhbh.exe58⤵
- Executes dropped EXE
PID:2372 -
\??\c:\9nbttt.exec:\9nbttt.exe59⤵
- Executes dropped EXE
PID:1884 -
\??\c:\jpvdv.exec:\jpvdv.exe60⤵
- Executes dropped EXE
PID:3512 -
\??\c:\lflxfll.exec:\lflxfll.exe61⤵
- Executes dropped EXE
PID:4476 -
\??\c:\9lxfffl.exec:\9lxfffl.exe62⤵
- Executes dropped EXE
PID:3828 -
\??\c:\9tbtth.exec:\9tbtth.exe63⤵
- Executes dropped EXE
PID:4404 -
\??\c:\ppjdj.exec:\ppjdj.exe64⤵
- Executes dropped EXE
PID:1924 -
\??\c:\lllxxrl.exec:\lllxxrl.exe65⤵
- Executes dropped EXE
PID:3532 -
\??\c:\nbhbtt.exec:\nbhbtt.exe66⤵PID:4964
-
\??\c:\djjdv.exec:\djjdv.exe67⤵PID:4220
-
\??\c:\9vvpj.exec:\9vvpj.exe68⤵PID:4416
-
\??\c:\xxlfxrx.exec:\xxlfxrx.exe69⤵PID:3664
-
\??\c:\bttnhh.exec:\bttnhh.exe70⤵PID:688
-
\??\c:\dvdvv.exec:\dvdvv.exe71⤵PID:3124
-
\??\c:\3xfxfxf.exec:\3xfxfxf.exe72⤵PID:812
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe73⤵PID:1584
-
\??\c:\nhbtnh.exec:\nhbtnh.exe74⤵PID:3176
-
\??\c:\tnhhtn.exec:\tnhhtn.exe75⤵PID:4036
-
\??\c:\vjjjd.exec:\vjjjd.exe76⤵PID:1128
-
\??\c:\rrfxfrf.exec:\rrfxfrf.exe77⤵PID:3692
-
\??\c:\nhhbnn.exec:\nhhbnn.exe78⤵PID:2260
-
\??\c:\pvjdv.exec:\pvjdv.exe79⤵PID:4064
-
\??\c:\jjvpd.exec:\jjvpd.exe80⤵PID:4376
-
\??\c:\rrrlxrf.exec:\rrrlxrf.exe81⤵PID:1008
-
\??\c:\nbbnnh.exec:\nbbnnh.exe82⤵PID:2276
-
\??\c:\3dvdp.exec:\3dvdp.exe83⤵PID:4496
-
\??\c:\5vdpp.exec:\5vdpp.exe84⤵PID:4736
-
\??\c:\rlrffxr.exec:\rlrffxr.exe85⤵PID:4544
-
\??\c:\tthbtt.exec:\tthbtt.exe86⤵PID:4976
-
\??\c:\bnnntb.exec:\bnnntb.exe87⤵PID:972
-
\??\c:\vvvvv.exec:\vvvvv.exe88⤵PID:3768
-
\??\c:\lllfxxr.exec:\lllfxxr.exe89⤵PID:5108
-
\??\c:\nhhbbt.exec:\nhhbbt.exe90⤵PID:4876
-
\??\c:\3btnhb.exec:\3btnhb.exe91⤵PID:4648
-
\??\c:\dvppp.exec:\dvppp.exe92⤵PID:4352
-
\??\c:\3rrlxxr.exec:\3rrlxxr.exe93⤵PID:1352
-
\??\c:\tnhbtt.exec:\tnhbtt.exe94⤵PID:1212
-
\??\c:\tbhbtn.exec:\tbhbtn.exe95⤵
- System Location Discovery: System Language Discovery
PID:648 -
\??\c:\pvvpp.exec:\pvvpp.exe96⤵PID:1208
-
\??\c:\fxxrlxr.exec:\fxxrlxr.exe97⤵PID:3960
-
\??\c:\rffxrll.exec:\rffxrll.exe98⤵PID:3068
-
\??\c:\hhnhbh.exec:\hhnhbh.exe99⤵PID:1820
-
\??\c:\vjpjv.exec:\vjpjv.exe100⤵PID:5044
-
\??\c:\fflrrlx.exec:\fflrrlx.exe101⤵PID:4720
-
\??\c:\bhnntn.exec:\bhnntn.exe102⤵PID:3012
-
\??\c:\pjvvd.exec:\pjvvd.exe103⤵PID:3644
-
\??\c:\ppddv.exec:\ppddv.exe104⤵PID:4820
-
\??\c:\xflfllf.exec:\xflfllf.exe105⤵PID:4816
-
\??\c:\5nnhbb.exec:\5nnhbb.exe106⤵PID:2360
-
\??\c:\pdvjd.exec:\pdvjd.exe107⤵PID:2968
-
\??\c:\ffxxxrr.exec:\ffxxxrr.exe108⤵PID:3236
-
\??\c:\rxllffx.exec:\rxllffx.exe109⤵PID:652
-
\??\c:\hnhbhh.exec:\hnhbhh.exe110⤵PID:2000
-
\??\c:\pdjdp.exec:\pdjdp.exe111⤵PID:4388
-
\??\c:\3jjvp.exec:\3jjvp.exe112⤵PID:3056
-
\??\c:\lxrlfxl.exec:\lxrlfxl.exe113⤵PID:1564
-
\??\c:\btnnhh.exec:\btnnhh.exe114⤵PID:4916
-
\??\c:\vdjvj.exec:\vdjvj.exe115⤵PID:2072
-
\??\c:\jdjjp.exec:\jdjjp.exe116⤵PID:4868
-
\??\c:\lrrlffr.exec:\lrrlffr.exe117⤵PID:4540
-
\??\c:\hthttb.exec:\hthttb.exe118⤵PID:4016
-
\??\c:\5ttnhb.exec:\5ttnhb.exe119⤵PID:4784
-
\??\c:\dpppj.exec:\dpppj.exe120⤵PID:1284
-
\??\c:\xxlfxrr.exec:\xxlfxrr.exe121⤵PID:3224
-
\??\c:\tnnnnn.exec:\tnnnnn.exe122⤵PID:2948
-