Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-12-2024 02:54
Static task
static1 (1 signature)
Behavioral task
behavioral1
Sample: c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe
Resource: win7-20240903-en (windows7-x64), 7 signatures, 150 seconds
Note: the signature details and process tree reproduced further down come from the Windows 10 run (behavioral2 on win10v2004-20241007-en, the platform listed under Analysis) — every YARA hit and memory dump below is prefixed behavioral2/. The seven signatures of the Windows 7 task are not itemised on this page.
General
-
Target
c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe
-
Size
348KB
-
MD5
cfe37d94b619b82303018cdcf2568d42
-
SHA1
7cb5917f0bae5492d442140e769b832ad7c3030b
-
SHA256
c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6
-
SHA512
c066c3290c16a1d0ba43bf53a88b834a40a97bed7d7f8c4b5574af798699e4e294a31760fdfe96692f80517232b84df88c9d47d110f4df05d23c7331a9e52e59
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAa0:l7TcbWXZshJX2VGdb
Malware Config
No extracted configuration (C2, keys, campaign IDs) is listed in this report.
Signatures
-
Blackmoon family (the in-memory image of every process also matches the `upx` YARA rule listed below, so the sample appears to be UPX-packed; static analysis should start from the unpacked image, and the 0x00400000 memory dumps are the practical place to get it)
-
Detect Blackmoon payload — 62 IoCs. Every hit below is the same virtual range 0x00400000–0x00428000 (the default image base, 0x28000 bytes long) in a different PID, i.e. the rule matches the main image of each spawned copy; nothing in this report points to a separately injected region. A few PIDs (e.g. 1436, 1544, 2816) appear twice because the PID was reused later in the spawn chain.
resource yara_rule behavioral2/memory/1004-4-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4236-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2096-24-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4208-31-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2956-313-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1436-323-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/392-332-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5032-300-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1300-294-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3660-289-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5108-275-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4740-269-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3816-265-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1036-257-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1544-250-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/228-240-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4840-236-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4204-233-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3284-229-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2472-216-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/768-205-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/2508-196-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1480-191-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2380-187-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/672-181-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4148-177-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1728-169-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4848-163-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1108-154-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/880-141-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2264-134-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1628-129-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3340-118-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3344-112-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3932-96-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3036-90-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2900-84-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2144-74-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1020-67-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1436-62-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4968-56-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2444-49-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/2816-43-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1448-37-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2300-20-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5068-19-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4124-357-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1156-379-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4064-383-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2288-417-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3240-421-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1544-437-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4744-480-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1872-505-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1692-656-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2644-703-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4984-757-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3944-758-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3868-790-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2332-833-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2816-1123-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4420-1145-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing appears capped at 64 entries; the process tree below reaches depth 122, so the real count is higher). Every dropped executable is written to the root of the system drive (c:\&lt;name&gt;.exe) and each one launches exactly one successor, forming a linear chain of short-lived processes.
pid Process 4236 7vpjd.exe 5068 5fxrxxx.exe 2300 ntbhhh.exe 2096 bbhbtn.exe 4208 pvdpj.exe 1448 dvdvp.exe 2816 lxfrlfx.exe 2444 7hhtnn.exe 4968 5hnhbt.exe 1436 jddvv.exe 1020 pppvp.exe 2144 9frrlxr.exe 224 xllfxrr.exe 2900 nhhttn.exe 3036 btbttn.exe 3932 vdjdv.exe 1120 7dvpj.exe 3216 xrrlxrl.exe 3344 thnntt.exe 3340 tbhbbt.exe 4504 djpjd.exe 1628 vdjdd.exe 2264 7lrlfxx.exe 880 9xrxrxr.exe 3204 btthbb.exe 1108 hntnhb.exe 2568 jpvpj.exe 4848 jvvvj.exe 1728 5xrlfxr.exe 4148 nbhbth.exe 672 1ttnhh.exe 2380 pjpjp.exe 1480 jjjdv.exe 2508 lxfxxfx.exe 4672 xlrrffx.exe 1384 htttnt.exe 768 nhnhnh.exe 1012 pjddv.exe 4528 jvvpj.exe 2472 llrfxrl.exe 3096 nhnhtt.exe 4816 nhhbnn.exe 2716 dppvj.exe 3284 djpjd.exe 4204 xxrrflr.exe 4840 5xfxxrr.exe 228 9hnhbb.exe 5084 ttbtnh.exe 3224 dpjdv.exe 1544 vjjdv.exe 1904 fxfxrxr.exe 1036 xllfxlf.exe 3712 tntntn.exe 3816 pddvj.exe 4500 vvdvp.exe 4740 lxxrxlr.exe 5108 llrlfxr.exe 4260 3nhbtn.exe 2040 bbhbbb.exe 336 vvpjd.exe 3660 rxlfrxl.exe 1300 xrxxrxr.exe 2420 nbhhhh.exe 5032 bhhbtn.exe -
resource yara_rule behavioral2/memory/1004-4-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4236-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5068-12-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2096-24-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4208-31-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2956-313-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1436-323-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/392-332-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5032-300-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1300-294-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3660-289-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5108-275-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4740-269-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3816-265-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1036-257-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1544-250-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/228-240-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4840-236-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4204-233-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3284-229-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2472-216-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/768-205-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2508-196-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1480-191-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/2380-187-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/672-181-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4148-177-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1728-169-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4848-163-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1108-154-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/880-141-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2264-134-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1628-129-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3340-118-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3344-112-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3932-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3036-90-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2900-84-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2144-74-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1020-67-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1436-62-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4968-56-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2444-49-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2816-43-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1448-37-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2300-20-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5068-19-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4124-357-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/1156-379-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4064-383-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2288-417-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3240-421-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1544-437-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4744-480-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1872-505-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1692-656-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2644-703-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4984-757-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3944-758-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3868-790-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2332-833-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2816-1123-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4420-1145-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3640-1279-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the dropped executables open HKLM\SYSTEM\ControlSet001\Control\NLS\Language; opening this key is commonly used as a locale/geofence check before a payload proceeds, so the sample's behaviour on a non-en-US image may differ from what is recorded here. Entries attributed to "Process not Found" are ones where the sandbox could not resolve the accessing process by name (most likely because it had already exited by the time the event was attributed); the key access itself was still recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrffx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Each entry is a parent writing into the child it has just created (three writes per child, matching the spawn chain in the process tree); no writes into pre-existing or unrelated processes appear in this list. On the evidence here this looks like process-creation traffic rather than injection into a foreign process, but confirm against the unpacked code before ruling injection out.
description pid Process procid_target PID 1004 wrote to memory of 4236 1004 c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe 84 PID 1004 wrote to memory of 4236 1004 c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe 84 PID 1004 wrote to memory of 4236 1004 c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe 84 PID 4236 wrote to memory of 5068 4236 7vpjd.exe 85 PID 4236 wrote to memory of 5068 4236 7vpjd.exe 85 PID 4236 wrote to memory of 5068 4236 7vpjd.exe 85 PID 5068 wrote to memory of 2300 5068 5fxrxxx.exe 86 PID 5068 wrote to memory of 2300 5068 5fxrxxx.exe 86 PID 5068 wrote to memory of 2300 5068 5fxrxxx.exe 86 PID 2300 wrote to memory of 2096 2300 ntbhhh.exe 87 PID 2300 wrote to memory of 2096 2300 ntbhhh.exe 87 PID 2300 wrote to memory of 2096 2300 ntbhhh.exe 87 PID 2096 wrote to memory of 4208 2096 bbhbtn.exe 88 PID 2096 wrote to memory of 4208 2096 bbhbtn.exe 88 PID 2096 wrote to memory of 4208 2096 bbhbtn.exe 88 PID 4208 wrote to memory of 1448 4208 pvdpj.exe 89 PID 4208 wrote to memory of 1448 4208 pvdpj.exe 89 PID 4208 wrote to memory of 1448 4208 pvdpj.exe 89 PID 1448 wrote to memory of 2816 1448 dvdvp.exe 90 PID 1448 wrote to memory of 2816 1448 dvdvp.exe 90 PID 1448 wrote to memory of 2816 1448 dvdvp.exe 90 PID 2816 wrote to memory of 2444 2816 lxfrlfx.exe 91 PID 2816 wrote to memory of 2444 2816 lxfrlfx.exe 91 PID 2816 wrote to memory of 2444 2816 lxfrlfx.exe 91 PID 2444 wrote to memory of 4968 2444 7hhtnn.exe 92 PID 2444 wrote to memory of 4968 2444 7hhtnn.exe 92 PID 2444 wrote to memory of 4968 2444 7hhtnn.exe 92 PID 4968 wrote to memory of 1436 4968 5hnhbt.exe 93 PID 4968 wrote to memory of 1436 4968 5hnhbt.exe 93 PID 4968 wrote to memory of 1436 4968 5hnhbt.exe 93 PID 1436 wrote to memory of 1020 1436 jddvv.exe 94 PID 1436 wrote to memory of 1020 1436 jddvv.exe 94 PID 1436 wrote to memory of 1020 1436 jddvv.exe 94 PID 1020 wrote to memory of 2144 1020 pppvp.exe 95 PID 1020 wrote to memory 
of 2144 1020 pppvp.exe 95 PID 1020 wrote to memory of 2144 1020 pppvp.exe 95 PID 2144 wrote to memory of 224 2144 9frrlxr.exe 96 PID 2144 wrote to memory of 224 2144 9frrlxr.exe 96 PID 2144 wrote to memory of 224 2144 9frrlxr.exe 96 PID 224 wrote to memory of 2900 224 xllfxrr.exe 97 PID 224 wrote to memory of 2900 224 xllfxrr.exe 97 PID 224 wrote to memory of 2900 224 xllfxrr.exe 97 PID 2900 wrote to memory of 3036 2900 nhhttn.exe 98 PID 2900 wrote to memory of 3036 2900 nhhttn.exe 98 PID 2900 wrote to memory of 3036 2900 nhhttn.exe 98 PID 3036 wrote to memory of 3932 3036 btbttn.exe 99 PID 3036 wrote to memory of 3932 3036 btbttn.exe 99 PID 3036 wrote to memory of 3932 3036 btbttn.exe 99 PID 3932 wrote to memory of 1120 3932 vdjdv.exe 100 PID 3932 wrote to memory of 1120 3932 vdjdv.exe 100 PID 3932 wrote to memory of 1120 3932 vdjdv.exe 100 PID 1120 wrote to memory of 3216 1120 7dvpj.exe 161 PID 1120 wrote to memory of 3216 1120 7dvpj.exe 161 PID 1120 wrote to memory of 3216 1120 7dvpj.exe 161 PID 3216 wrote to memory of 3344 3216 xrrlxrl.exe 102 PID 3216 wrote to memory of 3344 3216 xrrlxrl.exe 102 PID 3216 wrote to memory of 3344 3216 xrrlxrl.exe 102 PID 3344 wrote to memory of 3340 3344 thnntt.exe 103 PID 3344 wrote to memory of 3340 3344 thnntt.exe 103 PID 3344 wrote to memory of 3340 3344 thnntt.exe 103 PID 3340 wrote to memory of 4504 3340 tbhbbt.exe 104 PID 3340 wrote to memory of 4504 3340 tbhbbt.exe 104 PID 3340 wrote to memory of 4504 3340 tbhbbt.exe 104 PID 4504 wrote to memory of 1628 4504 djpjd.exe 105
Processes
Each entry below is rendered as &lt;NT object path&gt;&lt;command line&gt;&lt;tree depth&gt;⤵ with the PID on the following line(s); e.g. "\??\c:\7vpjd.exe c:\7vpjd.exe 2" is c:\7vpjd.exe launched at depth 2. The original sample runs from %TEMP% under the sandbox's Admin account; every dropped copy is written to the root of the system drive (c:\&lt;name&gt;.exe) and starts the next one, producing a chain of 122+ single-child processes. On a default-ACL Windows install a standard user typically cannot create files directly in the root of C:\, so the drop location suggests the sample expects (or was run with) elevated rights. Names are 5–7 characters drawn from a small alphabet (b d f h j l n p r t v x and odd digits) — a cheap detection pivot is process creation of c:\[bdfhjlnprtvx0-9]{5,7}\.exe whose parent lives in the same directory or in %TEMP%.
-
C:\Users\Admin\AppData\Local\Temp\c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe  "C:\Users\Admin\AppData\Local\Temp\c5d86e61764613234eaa1b89a072cbf49c567e4cc81e0a400526386aeaa82ba6.exe"  depth 1
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\7vpjd.exe  c:\7vpjd.exe  depth 2
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\5fxrxxx.exe  c:\5fxrxxx.exe  depth 3
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
\??\c:\ntbhhh.exec:\ntbhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\bbhbtn.exec:\bbhbtn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\pvdpj.exec:\pvdpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\dvdvp.exec:\dvdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\lxfrlfx.exec:\lxfrlfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\7hhtnn.exec:\7hhtnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\5hnhbt.exec:\5hnhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\jddvv.exec:\jddvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\pppvp.exec:\pppvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\9frrlxr.exec:\9frrlxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\xllfxrr.exec:\xllfxrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\nhhttn.exec:\nhhttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\btbttn.exec:\btbttn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\vdjdv.exec:\vdjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\7dvpj.exec:\7dvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\thnntt.exec:\thnntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3344 -
\??\c:\tbhbbt.exec:\tbhbbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\djpjd.exec:\djpjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\vdjdd.exec:\vdjdd.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
\??\c:\7lrlfxx.exec:\7lrlfxx.exe24⤵
- Executes dropped EXE
PID:2264 -
\??\c:\9xrxrxr.exec:\9xrxrxr.exe25⤵
- Executes dropped EXE
PID:880 -
\??\c:\btthbb.exec:\btthbb.exe26⤵
- Executes dropped EXE
PID:3204 -
\??\c:\hntnhb.exec:\hntnhb.exe27⤵
- Executes dropped EXE
PID:1108 -
\??\c:\jpvpj.exec:\jpvpj.exe28⤵
- Executes dropped EXE
PID:2568 -
\??\c:\jvvvj.exec:\jvvvj.exe29⤵
- Executes dropped EXE
PID:4848 -
\??\c:\5xrlfxr.exec:\5xrlfxr.exe30⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nbhbth.exec:\nbhbth.exe31⤵
- Executes dropped EXE
PID:4148 -
\??\c:\1ttnhh.exec:\1ttnhh.exe32⤵
- Executes dropped EXE
PID:672 -
\??\c:\pjpjp.exec:\pjpjp.exe33⤵
- Executes dropped EXE
PID:2380 -
\??\c:\jjjdv.exec:\jjjdv.exe34⤵
- Executes dropped EXE
PID:1480 -
\??\c:\lxfxxfx.exec:\lxfxxfx.exe35⤵
- Executes dropped EXE
PID:2508 -
\??\c:\xlrrffx.exec:\xlrrffx.exe36⤵
- Executes dropped EXE
PID:4672 -
\??\c:\htttnt.exec:\htttnt.exe37⤵
- Executes dropped EXE
PID:1384 -
\??\c:\nhnhnh.exec:\nhnhnh.exe38⤵
- Executes dropped EXE
PID:768 -
\??\c:\pjddv.exec:\pjddv.exe39⤵
- Executes dropped EXE
PID:1012 -
\??\c:\jvvpj.exec:\jvvpj.exe40⤵
- Executes dropped EXE
PID:4528 -
\??\c:\llrfxrl.exec:\llrfxrl.exe41⤵
- Executes dropped EXE
PID:2472 -
\??\c:\nhnhtt.exec:\nhnhtt.exe42⤵
- Executes dropped EXE
PID:3096 -
\??\c:\nhhbnn.exec:\nhhbnn.exe43⤵
- Executes dropped EXE
PID:4816 -
\??\c:\dppvj.exec:\dppvj.exe44⤵
- Executes dropped EXE
PID:2716 -
\??\c:\djpjd.exec:\djpjd.exe45⤵
- Executes dropped EXE
PID:3284 -
\??\c:\xxrrflr.exec:\xxrrflr.exe46⤵
- Executes dropped EXE
PID:4204 -
\??\c:\5xfxxrr.exec:\5xfxxrr.exe47⤵
- Executes dropped EXE
PID:4840 -
\??\c:\9hnhbb.exec:\9hnhbb.exe48⤵
- Executes dropped EXE
PID:228 -
\??\c:\ttbtnh.exec:\ttbtnh.exe49⤵
- Executes dropped EXE
PID:5084 -
\??\c:\dpjdv.exec:\dpjdv.exe50⤵
- Executes dropped EXE
PID:3224 -
\??\c:\vjjdv.exec:\vjjdv.exe51⤵
- Executes dropped EXE
PID:1544 -
\??\c:\fxfxrxr.exec:\fxfxrxr.exe52⤵
- Executes dropped EXE
PID:1904 -
\??\c:\xllfxlf.exec:\xllfxlf.exe53⤵
- Executes dropped EXE
PID:1036 -
\??\c:\tntntn.exec:\tntntn.exe54⤵
- Executes dropped EXE
PID:3712 -
\??\c:\pddvj.exec:\pddvj.exe55⤵
- Executes dropped EXE
PID:3816 -
\??\c:\vvdvp.exec:\vvdvp.exe56⤵
- Executes dropped EXE
PID:4500 -
\??\c:\lxxrxlr.exec:\lxxrxlr.exe57⤵
- Executes dropped EXE
PID:4740 -
\??\c:\llrlfxr.exec:\llrlfxr.exe58⤵
- Executes dropped EXE
PID:5108 -
\??\c:\3nhbtn.exec:\3nhbtn.exe59⤵
- Executes dropped EXE
PID:4260 -
\??\c:\bbhbbb.exec:\bbhbbb.exe60⤵
- Executes dropped EXE
PID:2040 -
\??\c:\vvpjd.exec:\vvpjd.exe61⤵
- Executes dropped EXE
PID:336 -
\??\c:\rxlfrxl.exec:\rxlfrxl.exe62⤵
- Executes dropped EXE
PID:3660 -
\??\c:\xrxxrxr.exec:\xrxxrxr.exe63⤵
- Executes dropped EXE
PID:1300 -
\??\c:\nbhhhh.exec:\nbhhhh.exe64⤵
- Executes dropped EXE
PID:2420 -
\??\c:\bhhbtn.exec:\bhhbtn.exe65⤵
- Executes dropped EXE
PID:5032 -
\??\c:\vddvp.exe  c:\vddvp.exe  depth 66  PID:516
-
\??\c:\3jjdp.exe  c:\3jjdp.exe  depth 67  PID:2260
-
\??\c:\rflxrrf.exec:\rflxrrf.exe68⤵PID:5012
-
\??\c:\ntbbtn.exec:\ntbbtn.exe69⤵PID:2956
-
\??\c:\nntnnn.exec:\nntnnn.exe70⤵PID:2100
-
\??\c:\dpvpj.exec:\dpvpj.exe71⤵PID:780
-
\??\c:\dpvpp.exec:\dpvpp.exe72⤵PID:1436
-
\??\c:\rxfrllf.exec:\rxfrllf.exe73⤵PID:848
-
\??\c:\9rlfrrl.exec:\9rlfrrl.exe74⤵PID:2144
-
\??\c:\5bnbtb.exec:\5bnbtb.exe75⤵PID:392
-
\??\c:\vvvvd.exec:\vvvvd.exe76⤵PID:976
-
\??\c:\dvjpp.exec:\dvjpp.exe77⤵PID:4900
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe78⤵
- System Location Discovery: System Language Discovery
PID:1120 -
\??\c:\bbnhhh.exec:\bbnhhh.exe79⤵PID:3216
-
\??\c:\nntnhb.exec:\nntnhb.exe80⤵PID:184
-
\??\c:\jpdjp.exec:\jpdjp.exe81⤵PID:1836
-
\??\c:\frrlflf.exec:\frrlflf.exe82⤵PID:4124
-
\??\c:\3hnhnn.exec:\3hnhnn.exe83⤵PID:3652
-
\??\c:\dvpvp.exec:\dvpvp.exe84⤵PID:756
-
\??\c:\pdddv.exec:\pdddv.exe85⤵PID:1756
-
\??\c:\xrflflx.exec:\xrflflx.exe86⤵PID:348
-
\??\c:\1bhbtt.exec:\1bhbtt.exe87⤵PID:4908
-
\??\c:\nhhbbb.exec:\nhhbbb.exe88⤵PID:4460
-
\??\c:\1rllffx.exec:\1rllffx.exe89⤵PID:1156
-
\??\c:\tnnnhh.exec:\tnnnhh.exe90⤵PID:4064
-
\??\c:\bhnbth.exec:\bhnbth.exe91⤵PID:4996
-
\??\c:\dddvp.exec:\dddvp.exe92⤵PID:3972
-
\??\c:\xlflfxr.exec:\xlflfxr.exe93⤵PID:2508
-
\??\c:\rllxrrl.exec:\rllxrrl.exe94⤵PID:4672
-
\??\c:\thnhbb.exec:\thnhbb.exe95⤵PID:3948
-
\??\c:\3jvpp.exec:\3jvpp.exe96⤵PID:404
-
\??\c:\hntnbb.exec:\hntnbb.exe97⤵PID:4092
-
\??\c:\lxxxrrl.exec:\lxxxrrl.exe98⤵PID:3112
-
\??\c:\tnhbbt.exec:\tnhbbt.exe99⤵PID:3568
-
\??\c:\3ddpj.exec:\3ddpj.exe100⤵PID:3488
-
\??\c:\7vpjd.exec:\7vpjd.exe101⤵PID:2288
-
\??\c:\3xlfxxr.exec:\3xlfxxr.exe102⤵PID:3240
-
\??\c:\nhtntn.exec:\nhtntn.exe103⤵PID:4288
-
\??\c:\vpjdv.exec:\vpjdv.exe104⤵PID:208
-
\??\c:\jddpj.exec:\jddpj.exe105⤵PID:3872
-
\??\c:\rllfrrl.exec:\rllfrrl.exe106⤵PID:1664
-
\??\c:\thtthh.exec:\thtthh.exe107⤵PID:1544
-
\??\c:\dvvpp.exec:\dvvpp.exe108⤵PID:1140
-
\??\c:\rllxllf.exec:\rllxllf.exe109⤵PID:3332
-
\??\c:\3bhbtn.exec:\3bhbtn.exe110⤵PID:2432
-
\??\c:\dvjvj.exec:\dvjvj.exe111⤵PID:4396
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe112⤵PID:3188
-
\??\c:\htbbtt.exec:\htbbtt.exe113⤵PID:3816
-
\??\c:\flxrfxl.exec:\flxrfxl.exe114⤵PID:4916
-
\??\c:\xllxrfx.exec:\xllxrfx.exe115⤵PID:4284
-
\??\c:\tbbnbb.exec:\tbbnbb.exe116⤵PID:2056
-
\??\c:\pppdp.exec:\pppdp.exe117⤵PID:2600
-
\??\c:\nnnbtn.exec:\nnnbtn.exe118⤵PID:2328
-
\??\c:\pjvjv.exec:\pjvjv.exe119⤵PID:2856
-
\??\c:\vjdvd.exec:\vjdvd.exe120⤵PID:3592
-
\??\c:\rrfrfxr.exec:\rrfrfxr.exe121⤵PID:4744
-
\??\c:\5nhthb.exec:\5nhthb.exe122⤵PID:4664