Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 20:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25.exe
-
Size
456KB
-
MD5
671231fc6158870f2a2d6cd41136fe6e
-
SHA1
3150012d1855c4e9ce9d3340f44688a5218b49df
-
SHA256
2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25
-
SHA512
c7fde17396ad8b73a79adf7d576b4e11490642b2060955db211547eaf08d785a43c1b6c96bc397bbd506340c1f8d4665c17a635763c577837ffb90d04c54b81d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3716-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2320-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1544-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-984-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-1147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-1232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3716 1bhbhh.exe 1312 dvdvp.exe 2888 xrrfxxr.exe 920 lxxlfxr.exe 2664 5bbtnn.exe 5052 jpvvp.exe 1352 5xfrrrl.exe 3028 lxlfllx.exe 2132 nbbnbn.exe 1584 jdpvp.exe 4744 5xrlfxr.exe 3140 pddpj.exe 2804 5nnttt.exe 3964 xlrlxrl.exe 1536 hntnhh.exe 4932 frxxxrf.exe 4064 bhnhhb.exe 2388 ppdvd.exe 3684 hnnhtn.exe 5092 htbtbb.exe 4532 vjpdv.exe 1052 lxlfxrl.exe 2936 ttbtnn.exe 1796 5vvpp.exe 1280 thtnhh.exe 2064 vvdvv.exe 3144 1vpjv.exe 1532 9xrlfxr.exe 3568 tnntnh.exe 2944 xrfxlfx.exe 2320 bnnhtn.exe 4092 pppjv.exe 2256 1lrflff.exe 1012 bbbbbn.exe 4552 pdjvp.exe 3020 lrlfxfl.exe 4204 ntbnhb.exe 2280 dvvjd.exe 4868 3rlfxxr.exe 4304 1tnnhn.exe 2176 lxlxrlf.exe 4024 lfxllll.exe 1168 nhhbnn.exe 3084 vdpjv.exe 4232 htnhnb.exe 4120 vpddd.exe 1496 lfffrrr.exe 4504 rlrlrfx.exe 3408 nbhbtn.exe 536 vpvpp.exe 1028 vppjd.exe 4948 xlffrxl.exe 4408 bnnnbn.exe 5088 jpjvp.exe 1048 rxlxrrl.exe 1952 3xxlfxr.exe 3368 nhhbtn.exe 2888 nbnbtn.exe 4820 ppvpj.exe 1860 frrlfxr.exe 1380 thnhbt.exe 928 dppdv.exe 3028 lxxrflf.exe 1596 flrlxxr.exe -
resource yara_rule behavioral2/memory/3716-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2256-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/384-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-708-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-974-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-1147-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllrfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2832 wrote to memory of 3716 2832 2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25.exe 82 PID 2832 wrote to memory of 3716 2832 2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25.exe 82 PID 2832 wrote to memory of 3716 2832 2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25.exe 82 PID 3716 wrote to memory of 1312 3716 1bhbhh.exe 83 PID 3716 wrote to memory of 1312 3716 1bhbhh.exe 83 PID 3716 wrote to memory of 1312 3716 1bhbhh.exe 83 PID 1312 wrote to memory of 2888 1312 dvdvp.exe 84 PID 1312 wrote to memory of 2888 1312 dvdvp.exe 84 PID 1312 wrote to memory of 2888 1312 dvdvp.exe 84 PID 2888 wrote to memory of 920 2888 xrrfxxr.exe 85 PID 2888 wrote to memory of 920 2888 xrrfxxr.exe 85 PID 2888 wrote to memory of 920 2888 xrrfxxr.exe 85 PID 920 wrote to memory of 2664 920 lxxlfxr.exe 86 PID 920 wrote to memory of 2664 920 lxxlfxr.exe 86 PID 920 wrote to memory of 2664 920 lxxlfxr.exe 86 PID 2664 wrote to memory of 5052 2664 5bbtnn.exe 87 PID 2664 wrote to memory of 5052 2664 5bbtnn.exe 87 PID 2664 wrote to memory of 5052 2664 5bbtnn.exe 87 PID 5052 wrote to memory of 1352 5052 jpvvp.exe 88 PID 5052 wrote to memory of 1352 5052 jpvvp.exe 88 PID 5052 wrote to memory of 1352 5052 jpvvp.exe 88 PID 1352 wrote to memory of 3028 1352 5xfrrrl.exe 89 PID 1352 wrote to memory of 3028 1352 5xfrrrl.exe 89 PID 1352 wrote to memory of 3028 1352 5xfrrrl.exe 89 PID 3028 wrote to memory of 2132 3028 lxlfllx.exe 90 PID 3028 wrote to memory of 2132 3028 lxlfllx.exe 90 PID 3028 wrote to memory of 2132 3028 lxlfllx.exe 90 PID 2132 wrote to memory of 1584 2132 nbbnbn.exe 91 PID 2132 wrote to memory of 1584 2132 nbbnbn.exe 91 PID 2132 wrote to memory of 1584 2132 nbbnbn.exe 91 PID 1584 wrote to memory of 4744 1584 jdpvp.exe 92 PID 1584 wrote to memory of 4744 1584 jdpvp.exe 92 PID 1584 wrote to memory of 4744 1584 jdpvp.exe 92 PID 4744 wrote to memory of 3140 4744 5xrlfxr.exe 93 PID 4744 wrote to memory 
of 3140 4744 5xrlfxr.exe 93 PID 4744 wrote to memory of 3140 4744 5xrlfxr.exe 93 PID 3140 wrote to memory of 2804 3140 pddpj.exe 94 PID 3140 wrote to memory of 2804 3140 pddpj.exe 94 PID 3140 wrote to memory of 2804 3140 pddpj.exe 94 PID 2804 wrote to memory of 3964 2804 5nnttt.exe 95 PID 2804 wrote to memory of 3964 2804 5nnttt.exe 95 PID 2804 wrote to memory of 3964 2804 5nnttt.exe 95 PID 3964 wrote to memory of 1536 3964 xlrlxrl.exe 96 PID 3964 wrote to memory of 1536 3964 xlrlxrl.exe 96 PID 3964 wrote to memory of 1536 3964 xlrlxrl.exe 96 PID 1536 wrote to memory of 4932 1536 hntnhh.exe 97 PID 1536 wrote to memory of 4932 1536 hntnhh.exe 97 PID 1536 wrote to memory of 4932 1536 hntnhh.exe 97 PID 4932 wrote to memory of 4064 4932 frxxxrf.exe 98 PID 4932 wrote to memory of 4064 4932 frxxxrf.exe 98 PID 4932 wrote to memory of 4064 4932 frxxxrf.exe 98 PID 4064 wrote to memory of 2388 4064 bhnhhb.exe 99 PID 4064 wrote to memory of 2388 4064 bhnhhb.exe 99 PID 4064 wrote to memory of 2388 4064 bhnhhb.exe 99 PID 2388 wrote to memory of 3684 2388 ppdvd.exe 100 PID 2388 wrote to memory of 3684 2388 ppdvd.exe 100 PID 2388 wrote to memory of 3684 2388 ppdvd.exe 100 PID 3684 wrote to memory of 5092 3684 hnnhtn.exe 101 PID 3684 wrote to memory of 5092 3684 hnnhtn.exe 101 PID 3684 wrote to memory of 5092 3684 hnnhtn.exe 101 PID 5092 wrote to memory of 4532 5092 htbtbb.exe 102 PID 5092 wrote to memory of 4532 5092 htbtbb.exe 102 PID 5092 wrote to memory of 4532 5092 htbtbb.exe 102 PID 4532 wrote to memory of 1052 4532 vjpdv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25.exe"C:\Users\Admin\AppData\Local\Temp\2004f7c71878aa601b35c543d3134e37839b536fb305162b2ebcf1c602c9dc25.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\1bhbhh.exec:\1bhbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\dvdvp.exec:\dvdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\xrrfxxr.exec:\xrrfxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\5bbtnn.exec:\5bbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\jpvvp.exec:\jpvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\5xfrrrl.exec:\5xfrrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\lxlfllx.exec:\lxlfllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\nbbnbn.exec:\nbbnbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\jdpvp.exec:\jdpvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\5xrlfxr.exec:\5xrlfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\pddpj.exec:\pddpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\5nnttt.exec:\5nnttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\hntnhh.exec:\hntnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\frxxxrf.exec:\frxxxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\bhnhhb.exec:\bhnhhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\ppdvd.exec:\ppdvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\hnnhtn.exec:\hnnhtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\htbtbb.exec:\htbtbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\vjpdv.exec:\vjpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe23⤵
- Executes dropped EXE
PID:1052 -
\??\c:\ttbtnn.exec:\ttbtnn.exe24⤵
- Executes dropped EXE
PID:2936 -
\??\c:\5vvpp.exec:\5vvpp.exe25⤵
- Executes dropped EXE
PID:1796 -
\??\c:\thtnhh.exec:\thtnhh.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1280 -
\??\c:\vvdvv.exec:\vvdvv.exe27⤵
- Executes dropped EXE
PID:2064 -
\??\c:\1vpjv.exec:\1vpjv.exe28⤵
- Executes dropped EXE
PID:3144 -
\??\c:\9xrlfxr.exec:\9xrlfxr.exe29⤵
- Executes dropped EXE
PID:1532 -
\??\c:\tnntnh.exec:\tnntnh.exe30⤵
- Executes dropped EXE
PID:3568 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe31⤵
- Executes dropped EXE
PID:2944 -
\??\c:\bnnhtn.exec:\bnnhtn.exe32⤵
- Executes dropped EXE
PID:2320 -
\??\c:\pppjv.exec:\pppjv.exe33⤵
- Executes dropped EXE
PID:4092 -
\??\c:\1lrflff.exec:\1lrflff.exe34⤵
- Executes dropped EXE
PID:2256 -
\??\c:\bbbbbn.exec:\bbbbbn.exe35⤵
- Executes dropped EXE
PID:1012 -
\??\c:\pdjvp.exec:\pdjvp.exe36⤵
- Executes dropped EXE
PID:4552 -
\??\c:\lrlfxfl.exec:\lrlfxfl.exe37⤵
- Executes dropped EXE
PID:3020 -
\??\c:\ntbnhb.exec:\ntbnhb.exe38⤵
- Executes dropped EXE
PID:4204 -
\??\c:\dvvjd.exec:\dvvjd.exe39⤵
- Executes dropped EXE
PID:2280 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe40⤵
- Executes dropped EXE
PID:4868 -
\??\c:\1tnnhn.exec:\1tnnhn.exe41⤵
- Executes dropped EXE
PID:4304 -
\??\c:\lxlxrlf.exec:\lxlxrlf.exe42⤵
- Executes dropped EXE
PID:2176 -
\??\c:\lfxllll.exec:\lfxllll.exe43⤵
- Executes dropped EXE
PID:4024 -
\??\c:\nhhbnn.exec:\nhhbnn.exe44⤵
- Executes dropped EXE
PID:1168 -
\??\c:\vdpjv.exec:\vdpjv.exe45⤵
- Executes dropped EXE
PID:3084 -
\??\c:\htnhnb.exec:\htnhnb.exe46⤵
- Executes dropped EXE
PID:4232 -
\??\c:\vpddd.exec:\vpddd.exe47⤵
- Executes dropped EXE
PID:4120 -
\??\c:\lfffrrr.exec:\lfffrrr.exe48⤵
- Executes dropped EXE
PID:1496 -
\??\c:\rlrlrfx.exec:\rlrlrfx.exe49⤵
- Executes dropped EXE
PID:4504 -
\??\c:\nbhbtn.exec:\nbhbtn.exe50⤵
- Executes dropped EXE
PID:3408 -
\??\c:\vpvpp.exec:\vpvpp.exe51⤵
- Executes dropped EXE
PID:536 -
\??\c:\vppjd.exec:\vppjd.exe52⤵
- Executes dropped EXE
PID:1028 -
\??\c:\xlffrxl.exec:\xlffrxl.exe53⤵
- Executes dropped EXE
PID:4948 -
\??\c:\bnnnbn.exec:\bnnnbn.exe54⤵
- Executes dropped EXE
PID:4408 -
\??\c:\jpjvp.exec:\jpjvp.exe55⤵
- Executes dropped EXE
PID:5088 -
\??\c:\rxlxrrl.exec:\rxlxrrl.exe56⤵
- Executes dropped EXE
PID:1048 -
\??\c:\3xxlfxr.exec:\3xxlfxr.exe57⤵
- Executes dropped EXE
PID:1952 -
\??\c:\nhhbtn.exec:\nhhbtn.exe58⤵
- Executes dropped EXE
PID:3368 -
\??\c:\nbnbtn.exec:\nbnbtn.exe59⤵
- Executes dropped EXE
PID:2888 -
\??\c:\ppvpj.exec:\ppvpj.exe60⤵
- Executes dropped EXE
PID:4820 -
\??\c:\frrlfxr.exec:\frrlfxr.exe61⤵
- Executes dropped EXE
PID:1860 -
\??\c:\thnhbt.exec:\thnhbt.exe62⤵
- Executes dropped EXE
PID:1380 -
\??\c:\dppdv.exec:\dppdv.exe63⤵
- Executes dropped EXE
PID:928 -
\??\c:\lxxrflf.exec:\lxxrflf.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028 -
\??\c:\flrlxxr.exec:\flrlxxr.exe65⤵
- Executes dropped EXE
PID:1596 -
\??\c:\tntnhh.exec:\tntnhh.exe66⤵PID:2744
-
\??\c:\pvdpj.exec:\pvdpj.exe67⤵PID:1000
-
\??\c:\7lrlffx.exec:\7lrlffx.exe68⤵PID:2132
-
\??\c:\hhtntt.exec:\hhtntt.exe69⤵PID:2168
-
\??\c:\hhhbnn.exec:\hhhbnn.exe70⤵PID:1240
-
\??\c:\vpjvj.exec:\vpjvj.exe71⤵PID:3956
-
\??\c:\rllxrlf.exec:\rllxrlf.exe72⤵PID:1500
-
\??\c:\5bhbbb.exec:\5bhbbb.exe73⤵PID:2292
-
\??\c:\nnbtbn.exec:\nnbtbn.exe74⤵PID:2032
-
\??\c:\dvpjd.exec:\dvpjd.exe75⤵PID:940
-
\??\c:\xlfrxrx.exec:\xlfrxrx.exe76⤵PID:2240
-
\??\c:\nbbthb.exec:\nbbthb.exe77⤵PID:2420
-
\??\c:\nhnhtn.exec:\nhnhtn.exe78⤵PID:4932
-
\??\c:\pddjv.exec:\pddjv.exe79⤵PID:1940
-
\??\c:\ffxrlff.exec:\ffxrlff.exe80⤵PID:4400
-
\??\c:\lrxxllx.exec:\lrxxllx.exe81⤵PID:2472
-
\??\c:\nhnhbh.exec:\nhnhbh.exe82⤵PID:3428
-
\??\c:\jvdpj.exec:\jvdpj.exe83⤵PID:2312
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe84⤵PID:2964
-
\??\c:\rflfxxr.exec:\rflfxxr.exe85⤵PID:1544
-
\??\c:\nbbtnn.exec:\nbbtnn.exe86⤵PID:1388
-
\??\c:\dpdvd.exec:\dpdvd.exe87⤵PID:2020
-
\??\c:\ffrfxxx.exec:\ffrfxxx.exe88⤵PID:1344
-
\??\c:\ntbtnh.exec:\ntbtnh.exe89⤵PID:816
-
\??\c:\vdppj.exec:\vdppj.exe90⤵PID:2496
-
\??\c:\xffrlfx.exec:\xffrlfx.exe91⤵PID:2064
-
\??\c:\bbbtnh.exec:\bbbtnh.exe92⤵PID:768
-
\??\c:\hbnhnn.exec:\hbnhnn.exe93⤵PID:5036
-
\??\c:\dvdjp.exec:\dvdjp.exe94⤵PID:1976
-
\??\c:\rxfrxrr.exec:\rxfrxrr.exe95⤵PID:1816
-
\??\c:\bhnhhb.exec:\bhnhhb.exe96⤵PID:4404
-
\??\c:\nhnnnh.exec:\nhnnnh.exe97⤵PID:2488
-
\??\c:\jdjvp.exec:\jdjvp.exe98⤵PID:1980
-
\??\c:\flxlfxr.exec:\flxlfxr.exe99⤵PID:2284
-
\??\c:\7hhbtt.exec:\7hhbtt.exe100⤵PID:384
-
\??\c:\tntnhh.exec:\tntnhh.exe101⤵PID:2596
-
\??\c:\ppjdv.exec:\ppjdv.exe102⤵PID:4572
-
\??\c:\xrxrffx.exec:\xrxrffx.exe103⤵PID:4492
-
\??\c:\bbhnhb.exec:\bbhnhb.exe104⤵PID:3272
-
\??\c:\bhnnhh.exec:\bhnnhh.exe105⤵PID:4676
-
\??\c:\dppdj.exec:\dppdj.exe106⤵PID:2172
-
\??\c:\llrlxxx.exec:\llrlxxx.exe107⤵PID:4840
-
\??\c:\tnnbtn.exec:\tnnbtn.exe108⤵PID:4044
-
\??\c:\jddvj.exec:\jddvj.exe109⤵PID:3120
-
\??\c:\jpvpd.exec:\jpvpd.exe110⤵PID:888
-
\??\c:\flllfff.exec:\flllfff.exe111⤵PID:3856
-
\??\c:\bhhbbh.exec:\bhhbbh.exe112⤵PID:4232
-
\??\c:\tbhbtn.exec:\tbhbtn.exe113⤵PID:4476
-
\??\c:\djpdv.exec:\djpdv.exe114⤵PID:5024
-
\??\c:\xlrrlfx.exec:\xlrrlfx.exe115⤵PID:5112
-
\??\c:\fxfllff.exec:\fxfllff.exe116⤵PID:1592
-
\??\c:\bnttbt.exec:\bnttbt.exe117⤵PID:1728
-
\??\c:\dvvpj.exec:\dvvpj.exe118⤵PID:5008
-
\??\c:\3jjjd.exec:\3jjjd.exe119⤵PID:4324
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe120⤵PID:2276
-
\??\c:\tbhhbh.exec:\tbhhbh.exe121⤵PID:4500
-
\??\c:\jpvpj.exec:\jpvpj.exe122⤵PID:1328