Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 03:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86N.exe
-
Size
454KB
-
MD5
ed19f4cdf4f147928f4ab251c0459300
-
SHA1
c4afb55ba0998f41e53216ea279fb964e03fa3af
-
SHA256
51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86
-
SHA512
14d4fbba291ecbe6efb744a97c916048bd994f058afaf90e309353344a1b590bb9bf278734f8ae126ed0d51154bafccbdfc94b18b3f94a129342358ff1da5a40
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2144-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3516-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1980-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-873-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-962-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-1079-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-1105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2012-1136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1352 5nhbnh.exe 3100 5xfrxxx.exe 2196 9rrllll.exe 2232 tthbnh.exe 4980 jdvjv.exe 216 btbnhb.exe 4584 7pdpv.exe 2896 rrrrrrr.exe 644 ttnnbn.exe 2876 hntntn.exe 3484 vjvpd.exe 2636 tntnnb.exe 3592 jjjdp.exe 4408 bhbbnn.exe 1508 3pdjv.exe 4892 ffxrfxl.exe 3604 nntnhb.exe 4544 lllxlfx.exe 1772 tthtbt.exe 3292 ppppd.exe 3136 rlflxfr.exe 2588 pppdd.exe 2300 bhnhbt.exe 3516 5dvdv.exe 3124 tbbtnh.exe 4116 nnnbtb.exe 4716 pdvpj.exe 5052 hbthtn.exe 5012 xrrfxrl.exe 5060 dvdpd.exe 3560 nbbnhb.exe 4348 9vpdp.exe 400 bttntn.exe 1348 hhthtt.exe 1588 5xfxrlx.exe 3096 jdjvp.exe 2504 xrfrlfx.exe 728 xfxlfxr.exe 4936 htnbnh.exe 4932 3pddv.exe 3920 pdppd.exe 1432 xlxlxlx.exe 3276 1hbnnt.exe 4956 ppdvj.exe 3232 llfrrxl.exe 3152 htnbnh.exe 4828 3nnhhh.exe 1756 vjdvj.exe 2424 ffrxllx.exe 4524 bhnhnb.exe 4028 pddvp.exe 1004 rlxrfxl.exe 2952 rlrrllf.exe 3688 bhtnbt.exe 3624 jpdvj.exe 3080 rrlffff.exe 3532 bhhbtn.exe 4392 hhbttt.exe 4552 vvddp.exe 2236 9rxrllr.exe 1716 nbthbt.exe 2896 tntnbt.exe 2456 vdjdp.exe 644 llxlxrf.exe -
resource yara_rule behavioral2/memory/2144-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4716-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-420-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5112-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-652-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-819-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-873-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-886-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnntt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbntn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2144 wrote to memory of 1352 2144 51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86N.exe 83 PID 2144 wrote to memory of 1352 2144 51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86N.exe 83 PID 2144 wrote to memory of 1352 2144 51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86N.exe 83 PID 1352 wrote to memory of 3100 1352 5nhbnh.exe 84 PID 1352 wrote to memory of 3100 1352 5nhbnh.exe 84 PID 1352 wrote to memory of 3100 1352 5nhbnh.exe 84 PID 3100 wrote to memory of 2196 3100 5xfrxxx.exe 85 PID 3100 wrote to memory of 2196 3100 5xfrxxx.exe 85 PID 3100 wrote to memory of 2196 3100 5xfrxxx.exe 85 PID 2196 wrote to memory of 2232 2196 9rrllll.exe 86 PID 2196 wrote to memory of 2232 2196 9rrllll.exe 86 PID 2196 wrote to memory of 2232 2196 9rrllll.exe 86 PID 2232 wrote to memory of 4980 2232 tthbnh.exe 87 PID 2232 wrote to memory of 4980 2232 tthbnh.exe 87 PID 2232 wrote to memory of 4980 2232 tthbnh.exe 87 PID 4980 wrote to memory of 216 4980 jdvjv.exe 88 PID 4980 wrote to memory of 216 4980 jdvjv.exe 88 PID 4980 wrote to memory of 216 4980 jdvjv.exe 88 PID 216 wrote to memory of 4584 216 btbnhb.exe 89 PID 216 wrote to memory of 4584 216 btbnhb.exe 89 PID 216 wrote to memory of 4584 216 btbnhb.exe 89 PID 4584 wrote to memory of 2896 4584 7pdpv.exe 90 PID 4584 wrote to memory of 2896 4584 7pdpv.exe 90 PID 4584 wrote to memory of 2896 4584 7pdpv.exe 90 PID 2896 wrote to memory of 644 2896 rrrrrrr.exe 91 PID 2896 wrote to memory of 644 2896 rrrrrrr.exe 91 PID 2896 wrote to memory of 644 2896 rrrrrrr.exe 91 PID 644 wrote to memory of 2876 644 ttnnbn.exe 92 PID 644 wrote to memory of 2876 644 ttnnbn.exe 92 PID 644 wrote to memory of 2876 644 ttnnbn.exe 92 PID 2876 wrote to memory of 3484 2876 hntntn.exe 93 PID 2876 wrote to memory of 3484 2876 hntntn.exe 93 PID 2876 wrote to memory of 3484 2876 hntntn.exe 93 PID 3484 wrote to memory of 2636 3484 vjvpd.exe 94 PID 3484 wrote to memory of 2636 
3484 vjvpd.exe 94 PID 3484 wrote to memory of 2636 3484 vjvpd.exe 94 PID 2636 wrote to memory of 3592 2636 tntnnb.exe 95 PID 2636 wrote to memory of 3592 2636 tntnnb.exe 95 PID 2636 wrote to memory of 3592 2636 tntnnb.exe 95 PID 3592 wrote to memory of 4408 3592 jjjdp.exe 96 PID 3592 wrote to memory of 4408 3592 jjjdp.exe 96 PID 3592 wrote to memory of 4408 3592 jjjdp.exe 96 PID 4408 wrote to memory of 1508 4408 bhbbnn.exe 97 PID 4408 wrote to memory of 1508 4408 bhbbnn.exe 97 PID 4408 wrote to memory of 1508 4408 bhbbnn.exe 97 PID 1508 wrote to memory of 4892 1508 3pdjv.exe 98 PID 1508 wrote to memory of 4892 1508 3pdjv.exe 98 PID 1508 wrote to memory of 4892 1508 3pdjv.exe 98 PID 4892 wrote to memory of 3604 4892 ffxrfxl.exe 99 PID 4892 wrote to memory of 3604 4892 ffxrfxl.exe 99 PID 4892 wrote to memory of 3604 4892 ffxrfxl.exe 99 PID 3604 wrote to memory of 4544 3604 nntnhb.exe 100 PID 3604 wrote to memory of 4544 3604 nntnhb.exe 100 PID 3604 wrote to memory of 4544 3604 nntnhb.exe 100 PID 4544 wrote to memory of 1772 4544 lllxlfx.exe 101 PID 4544 wrote to memory of 1772 4544 lllxlfx.exe 101 PID 4544 wrote to memory of 1772 4544 lllxlfx.exe 101 PID 1772 wrote to memory of 3292 1772 tthtbt.exe 102 PID 1772 wrote to memory of 3292 1772 tthtbt.exe 102 PID 1772 wrote to memory of 3292 1772 tthtbt.exe 102 PID 3292 wrote to memory of 3136 3292 ppppd.exe 103 PID 3292 wrote to memory of 3136 3292 ppppd.exe 103 PID 3292 wrote to memory of 3136 3292 ppppd.exe 103 PID 3136 wrote to memory of 2588 3136 rlflxfr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86N.exe"C:\Users\Admin\AppData\Local\Temp\51b383a8224cc6fdaafbb6735db4308a74e3165264571afdb7e305a35dab6c86N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\5nhbnh.exec:\5nhbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\5xfrxxx.exec:\5xfrxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\9rrllll.exec:\9rrllll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\tthbnh.exec:\tthbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jdvjv.exec:\jdvjv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\btbnhb.exec:\btbnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\7pdpv.exec:\7pdpv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\ttnnbn.exec:\ttnnbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\hntntn.exec:\hntntn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\vjvpd.exec:\vjvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\tntnnb.exec:\tntnnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\jjjdp.exec:\jjjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\bhbbnn.exec:\bhbbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\3pdjv.exec:\3pdjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\ffxrfxl.exec:\ffxrfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\nntnhb.exec:\nntnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\lllxlfx.exec:\lllxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\tthtbt.exec:\tthtbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\ppppd.exec:\ppppd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\rlflxfr.exec:\rlflxfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\pppdd.exec:\pppdd.exe23⤵
- Executes dropped EXE
PID:2588 -
\??\c:\bhnhbt.exec:\bhnhbt.exe24⤵
- Executes dropped EXE
PID:2300 -
\??\c:\5dvdv.exec:\5dvdv.exe25⤵
- Executes dropped EXE
PID:3516 -
\??\c:\tbbtnh.exec:\tbbtnh.exe26⤵
- Executes dropped EXE
PID:3124 -
\??\c:\nnnbtb.exec:\nnnbtb.exe27⤵
- Executes dropped EXE
PID:4116 -
\??\c:\pdvpj.exec:\pdvpj.exe28⤵
- Executes dropped EXE
PID:4716 -
\??\c:\hbthtn.exec:\hbthtn.exe29⤵
- Executes dropped EXE
PID:5052 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe30⤵
- Executes dropped EXE
PID:5012 -
\??\c:\dvdpd.exec:\dvdpd.exe31⤵
- Executes dropped EXE
PID:5060 -
\??\c:\nbbnhb.exec:\nbbnhb.exe32⤵
- Executes dropped EXE
PID:3560 -
\??\c:\9vpdp.exec:\9vpdp.exe33⤵
- Executes dropped EXE
PID:4348 -
\??\c:\bttntn.exec:\bttntn.exe34⤵
- Executes dropped EXE
PID:400 -
\??\c:\hhthtt.exec:\hhthtt.exe35⤵
- Executes dropped EXE
PID:1348 -
\??\c:\5xfxrlx.exec:\5xfxrlx.exe36⤵
- Executes dropped EXE
PID:1588 -
\??\c:\jdjvp.exec:\jdjvp.exe37⤵
- Executes dropped EXE
PID:3096 -
\??\c:\xrfrlfx.exec:\xrfrlfx.exe38⤵
- Executes dropped EXE
PID:2504 -
\??\c:\xfxlfxr.exec:\xfxlfxr.exe39⤵
- Executes dropped EXE
PID:728 -
\??\c:\htnbnh.exec:\htnbnh.exe40⤵
- Executes dropped EXE
PID:4936 -
\??\c:\3pddv.exec:\3pddv.exe41⤵
- Executes dropped EXE
PID:4932 -
\??\c:\pdppd.exec:\pdppd.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3920 -
\??\c:\xlxlxlx.exec:\xlxlxlx.exe43⤵
- Executes dropped EXE
PID:1432 -
\??\c:\1hbnnt.exec:\1hbnnt.exe44⤵
- Executes dropped EXE
PID:3276 -
\??\c:\ppdvj.exec:\ppdvj.exe45⤵
- Executes dropped EXE
PID:4956 -
\??\c:\llfrrxl.exec:\llfrrxl.exe46⤵
- Executes dropped EXE
PID:3232 -
\??\c:\htnbnh.exec:\htnbnh.exe47⤵
- Executes dropped EXE
PID:3152 -
\??\c:\3nnhhh.exec:\3nnhhh.exe48⤵
- Executes dropped EXE
PID:4828 -
\??\c:\vjdvj.exec:\vjdvj.exe49⤵
- Executes dropped EXE
PID:1756 -
\??\c:\ffrxllx.exec:\ffrxllx.exe50⤵
- Executes dropped EXE
PID:2424 -
\??\c:\bhnhnb.exec:\bhnhnb.exe51⤵
- Executes dropped EXE
PID:4524 -
\??\c:\pddvp.exec:\pddvp.exe52⤵
- Executes dropped EXE
PID:4028 -
\??\c:\rlxrfxl.exec:\rlxrfxl.exe53⤵
- Executes dropped EXE
PID:1004 -
\??\c:\rlrrllf.exec:\rlrrllf.exe54⤵
- Executes dropped EXE
PID:2952 -
\??\c:\bhtnbt.exec:\bhtnbt.exe55⤵
- Executes dropped EXE
PID:3688 -
\??\c:\jpdvj.exec:\jpdvj.exe56⤵
- Executes dropped EXE
PID:3624 -
\??\c:\rrlffff.exec:\rrlffff.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3080 -
\??\c:\bhhbtn.exec:\bhhbtn.exe58⤵
- Executes dropped EXE
PID:3532 -
\??\c:\hhbttt.exec:\hhbttt.exe59⤵
- Executes dropped EXE
PID:4392 -
\??\c:\vvddp.exec:\vvddp.exe60⤵
- Executes dropped EXE
PID:4552 -
\??\c:\9rxrllr.exec:\9rxrllr.exe61⤵
- Executes dropped EXE
PID:2236 -
\??\c:\nbthbt.exec:\nbthbt.exe62⤵
- Executes dropped EXE
PID:1716 -
\??\c:\tntnbt.exec:\tntnbt.exe63⤵
- Executes dropped EXE
PID:2896 -
\??\c:\vdjdp.exec:\vdjdp.exe64⤵
- Executes dropped EXE
PID:2456 -
\??\c:\llxlxrf.exec:\llxlxrf.exe65⤵
- Executes dropped EXE
PID:644 -
\??\c:\7rflfxr.exec:\7rflfxr.exe66⤵PID:2876
-
\??\c:\thbtnh.exec:\thbtnh.exe67⤵PID:1016
-
\??\c:\dvpjv.exec:\dvpjv.exe68⤵PID:4068
-
\??\c:\7llxrrl.exec:\7llxrrl.exe69⤵PID:3296
-
\??\c:\fxrfxrl.exec:\fxrfxrl.exe70⤵PID:1760
-
\??\c:\bthtnt.exec:\bthtnt.exe71⤵PID:4972
-
\??\c:\ppjdp.exec:\ppjdp.exe72⤵PID:1064
-
\??\c:\7vpdv.exec:\7vpdv.exe73⤵PID:4824
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe74⤵PID:4852
-
\??\c:\htnbtn.exec:\htnbtn.exe75⤵PID:4528
-
\??\c:\bnhbnn.exec:\bnhbnn.exe76⤵PID:2512
-
\??\c:\vvpjd.exec:\vvpjd.exe77⤵PID:2304
-
\??\c:\rlfxlll.exec:\rlfxlll.exe78⤵PID:1980
-
\??\c:\tnhbtt.exec:\tnhbtt.exe79⤵PID:960
-
\??\c:\bhhbnh.exec:\bhhbnh.exe80⤵PID:4960
-
\??\c:\ppvpj.exec:\ppvpj.exe81⤵PID:2016
-
\??\c:\3ffxlfr.exec:\3ffxlfr.exe82⤵PID:1504
-
\??\c:\3llfrlf.exec:\3llfrlf.exe83⤵PID:3616
-
\??\c:\9tthtn.exec:\9tthtn.exe84⤵PID:4000
-
\??\c:\jvjdv.exec:\jvjdv.exe85⤵PID:2672
-
\??\c:\1xxrfxr.exec:\1xxrfxr.exe86⤵PID:1472
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe87⤵PID:1512
-
\??\c:\5tthbt.exec:\5tthbt.exe88⤵PID:4116
-
\??\c:\vppjv.exec:\vppjv.exe89⤵PID:4492
-
\??\c:\3jvjj.exec:\3jvjj.exe90⤵PID:4032
-
\??\c:\xxxrlff.exec:\xxxrlff.exe91⤵PID:5052
-
\??\c:\nnnnhb.exec:\nnnnhb.exe92⤵PID:856
-
\??\c:\tnbtnh.exec:\tnbtnh.exe93⤵PID:316
-
\??\c:\1vpjd.exec:\1vpjd.exe94⤵PID:1384
-
\??\c:\xxxllff.exec:\xxxllff.exe95⤵PID:1356
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe96⤵PID:4348
-
\??\c:\btthbb.exec:\btthbb.exe97⤵PID:1944
-
\??\c:\dvjpd.exec:\dvjpd.exe98⤵PID:2704
-
\??\c:\frrllfr.exec:\frrllfr.exe99⤵PID:2596
-
\??\c:\nhnttn.exec:\nhnttn.exe100⤵PID:3908
-
\??\c:\nnbnhb.exec:\nnbnhb.exe101⤵PID:2308
-
\??\c:\dppjv.exec:\dppjv.exe102⤵PID:3320
-
\??\c:\5lfrfxl.exec:\5lfrfxl.exe103⤵PID:388
-
\??\c:\nnnnhb.exec:\nnnnhb.exe104⤵PID:3668
-
\??\c:\bthbtn.exec:\bthbtn.exe105⤵PID:3920
-
\??\c:\7jjdp.exec:\7jjdp.exe106⤵PID:1816
-
\??\c:\xrrfxrf.exec:\xrrfxrf.exe107⤵PID:4900
-
\??\c:\btnbtn.exec:\btnbtn.exe108⤵PID:3528
-
\??\c:\hhhbnh.exec:\hhhbnh.exe109⤵PID:944
-
\??\c:\jvpdv.exec:\jvpdv.exe110⤵PID:5112
-
\??\c:\rxxrrlr.exec:\rxxrrlr.exe111⤵PID:1196
-
\??\c:\nhtnhb.exec:\nhtnhb.exe112⤵PID:2624
-
\??\c:\jdvpj.exec:\jdvpj.exe113⤵PID:1468
-
\??\c:\vvjdp.exec:\vvjdp.exe114⤵PID:700
-
\??\c:\9frlxrf.exec:\9frlxrf.exe115⤵PID:4908
-
\??\c:\nttnbh.exec:\nttnbh.exe116⤵PID:4216
-
\??\c:\ppdvp.exec:\ppdvp.exe117⤵PID:4680
-
\??\c:\pvvpd.exec:\pvvpd.exe118⤵PID:1120
-
\??\c:\rffxlfr.exec:\rffxlfr.exe119⤵PID:3852
-
\??\c:\btnhtt.exec:\btnhtt.exe120⤵PID:2900
-
\??\c:\nbbnhb.exec:\nbbnhb.exe121⤵PID:2232
-
\??\c:\pjdvp.exec:\pjdvp.exe122⤵PID:1892