Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 20:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe
-
Size
453KB
-
MD5
f95e69e5fc628ec55c522b2128e8bafc
-
SHA1
af783c9c79fe3f85fd6e6433dbe562104cc0995f
-
SHA256
5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672
-
SHA512
e69f440a4e123733a7b202c682a79867ae07fb772f9538999481c7147d0c1e84256f288dd88feecf60347a014d6ee9516c33079028bcbff73fcb2a7fa9e56816
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2908-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/608-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4356-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2800-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-1190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-1706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-1864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2908 xxfffff.exe 1932 ntnhbb.exe 3672 htbbtb.exe 4412 5rfffff.exe 2392 xfllrlr.exe 828 jjjdd.exe 548 7xxrllf.exe 3412 rrrlxxx.exe 4204 7hnhhh.exe 608 ttttnt.exe 4608 vdjjd.exe 4000 frxxxff.exe 4840 httnnt.exe 2076 xrrrxxx.exe 2272 bhnhbb.exe 1860 ffffxxr.exe 2336 hnbttn.exe 2800 vvjdd.exe 4996 bbnhnn.exe 2804 7bnnnt.exe 4120 pjjjv.exe 4356 fllfxxx.exe 2548 hhnttb.exe 4464 pvddj.exe 3768 1hnhbb.exe 684 rxffllf.exe 2260 3bhbtt.exe 4436 jvvvp.exe 452 hhnntt.exe 2736 ppppp.exe 864 tttnnn.exe 1028 fflfxfx.exe 1468 nbbttt.exe 1728 lrrlflf.exe 4928 bthbbb.exe 1716 pdjdj.exe 4824 lrrrllx.exe 3816 3hhhtb.exe 2820 pjppp.exe 1328 3lxxxxf.exe 3608 tnbbbb.exe 720 5ffllfx.exe 704 ttbtnb.exe 444 ddppj.exe 2212 xrrrrxr.exe 2176 fflrlrr.exe 2380 bbnnhh.exe 2376 jjppv.exe 2412 rlrrrrl.exe 3204 5tbttt.exe 2908 5dvpd.exe 1896 pdddv.exe 4296 frlfxrl.exe 1224 tbbbbt.exe 5044 5bbttt.exe 4412 5jvvp.exe 1400 5rlfxxr.exe 3576 ttnbth.exe 4960 nnthhb.exe 3648 9djvv.exe 320 rfxrffr.exe 3360 tbnhbb.exe 4204 ddjvv.exe 2852 ddvpj.exe -
resource yara_rule behavioral2/memory/2908-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/608-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4356-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2864-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-832-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvppj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4556 wrote to memory of 2908 4556 5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe 83 PID 4556 wrote to memory of 2908 4556 5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe 83 PID 4556 wrote to memory of 2908 4556 5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe 83 PID 2908 wrote to memory of 1932 2908 xxfffff.exe 84 PID 2908 wrote to memory of 1932 2908 xxfffff.exe 84 PID 2908 wrote to memory of 1932 2908 xxfffff.exe 84 PID 1932 wrote to memory of 3672 1932 ntnhbb.exe 85 PID 1932 wrote to memory of 3672 1932 ntnhbb.exe 85 PID 1932 wrote to memory of 3672 1932 ntnhbb.exe 85 PID 3672 wrote to memory of 4412 3672 htbbtb.exe 86 PID 3672 wrote to memory of 4412 3672 htbbtb.exe 86 PID 3672 wrote to memory of 4412 3672 htbbtb.exe 86 PID 4412 wrote to memory of 2392 4412 5rfffff.exe 87 PID 4412 wrote to memory of 2392 4412 5rfffff.exe 87 PID 4412 wrote to memory of 2392 4412 5rfffff.exe 87 PID 2392 wrote to memory of 828 2392 xfllrlr.exe 88 PID 2392 wrote to memory of 828 2392 xfllrlr.exe 88 PID 2392 wrote to memory of 828 2392 xfllrlr.exe 88 PID 828 wrote to memory of 548 828 jjjdd.exe 89 PID 828 wrote to memory of 548 828 jjjdd.exe 89 PID 828 wrote to memory of 548 828 jjjdd.exe 89 PID 548 wrote to memory of 3412 548 7xxrllf.exe 90 PID 548 wrote to memory of 3412 548 7xxrllf.exe 90 PID 548 wrote to memory of 3412 548 7xxrllf.exe 90 PID 3412 wrote to memory of 4204 3412 rrrlxxx.exe 91 PID 3412 wrote to memory of 4204 3412 rrrlxxx.exe 91 PID 3412 wrote to memory of 4204 3412 rrrlxxx.exe 91 PID 4204 wrote to memory of 608 4204 7hnhhh.exe 92 PID 4204 wrote to memory of 608 4204 7hnhhh.exe 92 PID 4204 wrote to memory of 608 4204 7hnhhh.exe 92 PID 608 wrote to memory of 4608 608 ttttnt.exe 93 PID 608 wrote to memory of 4608 608 ttttnt.exe 93 PID 608 wrote to memory of 4608 608 ttttnt.exe 93 PID 4608 wrote to memory of 4000 4608 vdjjd.exe 94 PID 4608 wrote to memory of 4000 
4608 vdjjd.exe 94 PID 4608 wrote to memory of 4000 4608 vdjjd.exe 94 PID 4000 wrote to memory of 4840 4000 frxxxff.exe 95 PID 4000 wrote to memory of 4840 4000 frxxxff.exe 95 PID 4000 wrote to memory of 4840 4000 frxxxff.exe 95 PID 4840 wrote to memory of 2076 4840 httnnt.exe 96 PID 4840 wrote to memory of 2076 4840 httnnt.exe 96 PID 4840 wrote to memory of 2076 4840 httnnt.exe 96 PID 2076 wrote to memory of 2272 2076 xrrrxxx.exe 97 PID 2076 wrote to memory of 2272 2076 xrrrxxx.exe 97 PID 2076 wrote to memory of 2272 2076 xrrrxxx.exe 97 PID 2272 wrote to memory of 1860 2272 bhnhbb.exe 98 PID 2272 wrote to memory of 1860 2272 bhnhbb.exe 98 PID 2272 wrote to memory of 1860 2272 bhnhbb.exe 98 PID 1860 wrote to memory of 2336 1860 ffffxxr.exe 99 PID 1860 wrote to memory of 2336 1860 ffffxxr.exe 99 PID 1860 wrote to memory of 2336 1860 ffffxxr.exe 99 PID 2336 wrote to memory of 2800 2336 hnbttn.exe 100 PID 2336 wrote to memory of 2800 2336 hnbttn.exe 100 PID 2336 wrote to memory of 2800 2336 hnbttn.exe 100 PID 2800 wrote to memory of 4996 2800 vvjdd.exe 101 PID 2800 wrote to memory of 4996 2800 vvjdd.exe 101 PID 2800 wrote to memory of 4996 2800 vvjdd.exe 101 PID 4996 wrote to memory of 2804 4996 bbnhnn.exe 102 PID 4996 wrote to memory of 2804 4996 bbnhnn.exe 102 PID 4996 wrote to memory of 2804 4996 bbnhnn.exe 102 PID 2804 wrote to memory of 4120 2804 7bnnnt.exe 103 PID 2804 wrote to memory of 4120 2804 7bnnnt.exe 103 PID 2804 wrote to memory of 4120 2804 7bnnnt.exe 103 PID 4120 wrote to memory of 4356 4120 pjjjv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe"C:\Users\Admin\AppData\Local\Temp\5e587d3a9efd1e0291dc24258e1016bd7453c197b9c1d03443d48138507c5672.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\xxfffff.exec:\xxfffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\ntnhbb.exec:\ntnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\htbbtb.exec:\htbbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\5rfffff.exec:\5rfffff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\xfllrlr.exec:\xfllrlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\jjjdd.exec:\jjjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\7xxrllf.exec:\7xxrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\rrrlxxx.exec:\rrrlxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\7hnhhh.exec:\7hnhhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\ttttnt.exec:\ttttnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:608 -
\??\c:\vdjjd.exec:\vdjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\frxxxff.exec:\frxxxff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\httnnt.exec:\httnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\xrrrxxx.exec:\xrrrxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\bhnhbb.exec:\bhnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
\??\c:\ffffxxr.exec:\ffffxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\hnbttn.exec:\hnbttn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\vvjdd.exec:\vvjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\bbnhnn.exec:\bbnhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\7bnnnt.exec:\7bnnnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\pjjjv.exec:\pjjjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\fllfxxx.exec:\fllfxxx.exe23⤵
- Executes dropped EXE
PID:4356 -
\??\c:\hhnttb.exec:\hhnttb.exe24⤵
- Executes dropped EXE
PID:2548 -
\??\c:\pvddj.exec:\pvddj.exe25⤵
- Executes dropped EXE
PID:4464 -
\??\c:\1hnhbb.exec:\1hnhbb.exe26⤵
- Executes dropped EXE
PID:3768 -
\??\c:\rxffllf.exec:\rxffllf.exe27⤵
- Executes dropped EXE
PID:684 -
\??\c:\3bhbtt.exec:\3bhbtt.exe28⤵
- Executes dropped EXE
PID:2260 -
\??\c:\jvvvp.exec:\jvvvp.exe29⤵
- Executes dropped EXE
PID:4436 -
\??\c:\hhnntt.exec:\hhnntt.exe30⤵
- Executes dropped EXE
PID:452 -
\??\c:\ppppp.exec:\ppppp.exe31⤵
- Executes dropped EXE
PID:2736 -
\??\c:\tttnnn.exec:\tttnnn.exe32⤵
- Executes dropped EXE
PID:864 -
\??\c:\fflfxfx.exec:\fflfxfx.exe33⤵
- Executes dropped EXE
PID:1028 -
\??\c:\nbbttt.exec:\nbbttt.exe34⤵
- Executes dropped EXE
PID:1468 -
\??\c:\lrrlflf.exec:\lrrlflf.exe35⤵
- Executes dropped EXE
PID:1728 -
\??\c:\bthbbb.exec:\bthbbb.exe36⤵
- Executes dropped EXE
PID:4928 -
\??\c:\pdjdj.exec:\pdjdj.exe37⤵
- Executes dropped EXE
PID:1716 -
\??\c:\lrrrllx.exec:\lrrrllx.exe38⤵
- Executes dropped EXE
PID:4824 -
\??\c:\3hhhtb.exec:\3hhhtb.exe39⤵
- Executes dropped EXE
PID:3816 -
\??\c:\pjppp.exec:\pjppp.exe40⤵
- Executes dropped EXE
PID:2820 -
\??\c:\3lxxxxf.exec:\3lxxxxf.exe41⤵
- Executes dropped EXE
PID:1328 -
\??\c:\tnbbbb.exec:\tnbbbb.exe42⤵
- Executes dropped EXE
PID:3608 -
\??\c:\5ffllfx.exec:\5ffllfx.exe43⤵
- Executes dropped EXE
PID:720 -
\??\c:\ttbtnb.exec:\ttbtnb.exe44⤵
- Executes dropped EXE
PID:704 -
\??\c:\ddppj.exec:\ddppj.exe45⤵
- Executes dropped EXE
PID:444 -
\??\c:\xrrrrxr.exec:\xrrrrxr.exe46⤵
- Executes dropped EXE
PID:2212 -
\??\c:\fflrlrr.exec:\fflrlrr.exe47⤵
- Executes dropped EXE
PID:2176 -
\??\c:\bbnnhh.exec:\bbnnhh.exe48⤵
- Executes dropped EXE
PID:2380 -
\??\c:\jjppv.exec:\jjppv.exe49⤵
- Executes dropped EXE
PID:2376 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe50⤵
- Executes dropped EXE
PID:2412 -
\??\c:\rrrrrxf.exec:\rrrrrxf.exe51⤵PID:2812
-
\??\c:\5tbttt.exec:\5tbttt.exe52⤵
- Executes dropped EXE
PID:3204 -
\??\c:\5dvpd.exec:\5dvpd.exe53⤵
- Executes dropped EXE
PID:2908 -
\??\c:\pdddv.exec:\pdddv.exe54⤵
- Executes dropped EXE
PID:1896 -
\??\c:\frlfxrl.exec:\frlfxrl.exe55⤵
- Executes dropped EXE
PID:4296 -
\??\c:\tbbbbt.exec:\tbbbbt.exe56⤵
- Executes dropped EXE
PID:1224 -
\??\c:\5bbttt.exec:\5bbttt.exe57⤵
- Executes dropped EXE
PID:5044 -
\??\c:\5jvvp.exec:\5jvvp.exe58⤵
- Executes dropped EXE
PID:4412 -
\??\c:\5rlfxxr.exec:\5rlfxxr.exe59⤵
- Executes dropped EXE
PID:1400 -
\??\c:\ttnbth.exec:\ttnbth.exe60⤵
- Executes dropped EXE
PID:3576 -
\??\c:\nnthhb.exec:\nnthhb.exe61⤵
- Executes dropped EXE
PID:4960 -
\??\c:\9djvv.exec:\9djvv.exe62⤵
- Executes dropped EXE
PID:3648 -
\??\c:\rfxrffr.exec:\rfxrffr.exe63⤵
- Executes dropped EXE
PID:320 -
\??\c:\tbnhbb.exec:\tbnhbb.exe64⤵
- Executes dropped EXE
PID:3360 -
\??\c:\ddjvv.exec:\ddjvv.exe65⤵
- Executes dropped EXE
PID:4204 -
\??\c:\ddvpj.exec:\ddvpj.exe66⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe67⤵PID:956
-
\??\c:\1bbtnh.exec:\1bbtnh.exe68⤵PID:3476
-
\??\c:\7pjdv.exec:\7pjdv.exe69⤵PID:4288
-
\??\c:\3lxrffr.exec:\3lxrffr.exe70⤵PID:936
-
\??\c:\thnhbb.exec:\thnhbb.exe71⤵PID:4952
-
\??\c:\5tnhtt.exec:\5tnhtt.exe72⤵PID:3888
-
\??\c:\jjdvj.exec:\jjdvj.exe73⤵PID:1792
-
\??\c:\fxxlxxl.exec:\fxxlxxl.exe74⤵PID:4076
-
\??\c:\hbthtn.exec:\hbthtn.exe75⤵PID:2600
-
\??\c:\htthbt.exec:\htthbt.exe76⤵PID:2800
-
\??\c:\pjdpd.exec:\pjdpd.exe77⤵PID:620
-
\??\c:\llxlxfl.exec:\llxlxfl.exe78⤵PID:2804
-
\??\c:\9bhhnh.exec:\9bhhnh.exe79⤵PID:3424
-
\??\c:\ddppj.exec:\ddppj.exe80⤵PID:5016
-
\??\c:\fllllrl.exec:\fllllrl.exe81⤵PID:4356
-
\??\c:\lfrxlxf.exec:\lfrxlxf.exe82⤵PID:3156
-
\??\c:\9hbthn.exec:\9hbthn.exe83⤵PID:2004
-
\??\c:\dddvp.exec:\dddvp.exe84⤵PID:2524
-
\??\c:\pvvdv.exec:\pvvdv.exe85⤵PID:4404
-
\??\c:\frxrxxx.exec:\frxrxxx.exe86⤵PID:2236
-
\??\c:\nnhtnb.exec:\nnhtnb.exe87⤵PID:2912
-
\??\c:\vvvpj.exec:\vvvpj.exe88⤵PID:1892
-
\??\c:\1flfxxx.exec:\1flfxxx.exe89⤵PID:4512
-
\??\c:\fxxlrlf.exec:\fxxlrlf.exe90⤵PID:4976
-
\??\c:\tnbbhb.exec:\tnbbhb.exe91⤵PID:1724
-
\??\c:\ppdvj.exec:\ppdvj.exe92⤵PID:3596
-
\??\c:\ppjdv.exec:\ppjdv.exe93⤵PID:3084
-
\??\c:\lffxlfx.exec:\lffxlfx.exe94⤵PID:1404
-
\??\c:\tttntt.exec:\tttntt.exe95⤵PID:2864
-
\??\c:\vpppj.exec:\vpppj.exe96⤵PID:4640
-
\??\c:\frllffx.exec:\frllffx.exe97⤵PID:3876
-
\??\c:\hbtnhb.exec:\hbtnhb.exe98⤵PID:1952
-
\??\c:\htbtnh.exec:\htbtnh.exe99⤵PID:4812
-
\??\c:\dvjjd.exec:\dvjjd.exe100⤵PID:2400
-
\??\c:\3flllrr.exec:\3flllrr.exe101⤵PID:1548
-
\??\c:\frrrxxx.exec:\frrrxxx.exe102⤵PID:2240
-
\??\c:\hnnnhh.exec:\hnnnhh.exe103⤵PID:3956
-
\??\c:\ppjjj.exec:\ppjjj.exe104⤵PID:4328
-
\??\c:\3rfflrx.exec:\3rfflrx.exe105⤵PID:3100
-
\??\c:\hhnnhn.exec:\hhnnhn.exe106⤵PID:3912
-
\??\c:\nhnnhh.exec:\nhnnhh.exe107⤵PID:112
-
\??\c:\djppj.exec:\djppj.exe108⤵PID:2588
-
\??\c:\3rrrrxf.exec:\3rrrrxf.exe109⤵PID:8
-
\??\c:\rfllllf.exec:\rfllllf.exe110⤵PID:1976
-
\??\c:\7hhhht.exec:\7hhhht.exe111⤵PID:2384
-
\??\c:\ddppp.exec:\ddppp.exe112⤵PID:1336
-
\??\c:\xfllffl.exec:\xfllffl.exe113⤵PID:4388
-
\??\c:\3hntbb.exec:\3hntbb.exe114⤵PID:2988
-
\??\c:\tbbbtb.exec:\tbbbtb.exe115⤵PID:1052
-
\??\c:\vdddv.exec:\vdddv.exe116⤵PID:1988
-
\??\c:\1llfxxx.exec:\1llfxxx.exe117⤵PID:3584
-
\??\c:\bhnnhh.exec:\bhnnhh.exe118⤵PID:4908
-
\??\c:\pdppd.exec:\pdppd.exe119⤵PID:4104
-
\??\c:\9jppj.exec:\9jppj.exe120⤵PID:212
-
\??\c:\1rlxrxf.exec:\1rlxrxf.exe121⤵PID:116
-
\??\c:\bhtttt.exec:\bhtttt.exe122⤵PID:1528
-