Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 21:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe
-
Size
453KB
-
MD5
30af677f840dab1de3a5aa63e3f959e1
-
SHA1
70ee9544183d8c91d638921b675318c39f17d9e7
-
SHA256
5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707
-
SHA512
d0b66a7c0cad8e46f6d2d0f8d9e1db532ad6a3e58a87a8421952c422f62054773ab383b7984ef8147d1a397e98d271240ea87b339986436f34c15108a5fd47a6
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeg:q7Tc2NYHUrAwfMp3CDg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2548-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1196-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2496-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-1554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4020 xfrxrfr.exe 4456 5jdpd.exe 4692 llrlxxf.exe 1788 hnbntb.exe 232 lflllxx.exe 1548 ttbbbb.exe 1896 tttttn.exe 4708 5vjjp.exe 3524 xlfflll.exe 744 nbbttn.exe 3152 3jdvp.exe 1012 ttnntt.exe 2000 nbtnhh.exe 4868 pjpjj.exe 752 vjpdd.exe 2404 djdvj.exe 1804 1xfxxff.exe 2260 9tbtnt.exe 4316 djdpv.exe 4416 lxfxxxr.exe 2232 ppppd.exe 4432 jdpvj.exe 1196 7hbtbb.exe 2220 nnhbbt.exe 4828 fxxffrf.exe 4472 9bnhht.exe 2740 lfxrllf.exe 912 9vjdj.exe 1288 3xfffll.exe 4936 thbbtb.exe 2872 nthhbn.exe 5100 vjppp.exe 4924 tbhbtt.exe 4388 hntttt.exe 4200 jvdjj.exe 3848 rlllffx.exe 4256 btnhbb.exe 2272 lxffxxx.exe 1636 1dvjd.exe 2976 xffxrlf.exe 3940 pvvvd.exe 2064 llxrrlr.exe 3104 hbbbbb.exe 2844 9jvpj.exe 4972 1pvpp.exe 5032 rlrlfff.exe 3520 ntbbhh.exe 4268 jvdvv.exe 428 pjjdv.exe 4528 frxrrll.exe 3952 nhnbhh.exe 3328 pdpjv.exe 4752 9rfxxff.exe 804 lfrxrrr.exe 5020 bhbbtb.exe 4152 ddjdv.exe 232 ppjjj.exe 2092 fflfxxx.exe 1616 hhhttt.exe 2284 vjppp.exe 4696 pdjvd.exe 4704 frxrfff.exe 3200 bhtnnn.exe 2280 vppjd.exe -
resource yara_rule behavioral2/memory/2548-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4472-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-365-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2872-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-807-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2548 wrote to memory of 4020 2548 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 83 PID 2548 wrote to memory of 4020 2548 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 83 PID 2548 wrote to memory of 4020 2548 5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe 83 PID 4020 wrote to memory of 4456 4020 xfrxrfr.exe 84 PID 4020 wrote to memory of 4456 4020 xfrxrfr.exe 84 PID 4020 wrote to memory of 4456 4020 xfrxrfr.exe 84 PID 4456 wrote to memory of 4692 4456 5jdpd.exe 85 PID 4456 wrote to memory of 4692 4456 5jdpd.exe 85 PID 4456 wrote to memory of 4692 4456 5jdpd.exe 85 PID 4692 wrote to memory of 1788 4692 llrlxxf.exe 86 PID 4692 wrote to memory of 1788 4692 llrlxxf.exe 86 PID 4692 wrote to memory of 1788 4692 llrlxxf.exe 86 PID 1788 wrote to memory of 232 1788 hnbntb.exe 87 PID 1788 wrote to memory of 232 1788 hnbntb.exe 87 PID 1788 wrote to memory of 232 1788 hnbntb.exe 87 PID 232 wrote to memory of 1548 232 lflllxx.exe 88 PID 232 wrote to memory of 1548 232 lflllxx.exe 88 PID 232 wrote to memory of 1548 232 lflllxx.exe 88 PID 1548 wrote to memory of 1896 1548 ttbbbb.exe 89 PID 1548 wrote to memory of 1896 1548 ttbbbb.exe 89 PID 1548 wrote to memory of 1896 1548 ttbbbb.exe 89 PID 1896 wrote to memory of 4708 1896 tttttn.exe 90 PID 1896 wrote to memory of 4708 1896 tttttn.exe 90 PID 1896 wrote to memory of 4708 1896 tttttn.exe 90 PID 4708 wrote to memory of 3524 4708 5vjjp.exe 91 PID 4708 wrote to memory of 3524 4708 5vjjp.exe 91 PID 4708 wrote to memory of 3524 4708 5vjjp.exe 91 PID 3524 wrote to memory of 744 3524 xlfflll.exe 92 PID 3524 wrote to memory of 744 3524 xlfflll.exe 92 PID 3524 wrote to memory of 744 3524 xlfflll.exe 92 PID 744 wrote to memory of 3152 744 nbbttn.exe 93 PID 744 wrote to memory of 3152 744 nbbttn.exe 93 PID 744 wrote to memory of 3152 744 nbbttn.exe 93 PID 3152 wrote to memory of 1012 3152 3jdvp.exe 94 PID 3152 wrote to memory of 1012 
3152 3jdvp.exe 94 PID 3152 wrote to memory of 1012 3152 3jdvp.exe 94 PID 1012 wrote to memory of 2000 1012 ttnntt.exe 95 PID 1012 wrote to memory of 2000 1012 ttnntt.exe 95 PID 1012 wrote to memory of 2000 1012 ttnntt.exe 95 PID 2000 wrote to memory of 4868 2000 nbtnhh.exe 96 PID 2000 wrote to memory of 4868 2000 nbtnhh.exe 96 PID 2000 wrote to memory of 4868 2000 nbtnhh.exe 96 PID 4868 wrote to memory of 752 4868 pjpjj.exe 97 PID 4868 wrote to memory of 752 4868 pjpjj.exe 97 PID 4868 wrote to memory of 752 4868 pjpjj.exe 97 PID 752 wrote to memory of 2404 752 vjpdd.exe 98 PID 752 wrote to memory of 2404 752 vjpdd.exe 98 PID 752 wrote to memory of 2404 752 vjpdd.exe 98 PID 2404 wrote to memory of 1804 2404 djdvj.exe 99 PID 2404 wrote to memory of 1804 2404 djdvj.exe 99 PID 2404 wrote to memory of 1804 2404 djdvj.exe 99 PID 1804 wrote to memory of 2260 1804 1xfxxff.exe 100 PID 1804 wrote to memory of 2260 1804 1xfxxff.exe 100 PID 1804 wrote to memory of 2260 1804 1xfxxff.exe 100 PID 2260 wrote to memory of 4316 2260 9tbtnt.exe 101 PID 2260 wrote to memory of 4316 2260 9tbtnt.exe 101 PID 2260 wrote to memory of 4316 2260 9tbtnt.exe 101 PID 4316 wrote to memory of 4416 4316 djdpv.exe 102 PID 4316 wrote to memory of 4416 4316 djdpv.exe 102 PID 4316 wrote to memory of 4416 4316 djdpv.exe 102 PID 4416 wrote to memory of 2232 4416 lxfxxxr.exe 103 PID 4416 wrote to memory of 2232 4416 lxfxxxr.exe 103 PID 4416 wrote to memory of 2232 4416 lxfxxxr.exe 103 PID 2232 wrote to memory of 4432 2232 ppppd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe"C:\Users\Admin\AppData\Local\Temp\5815618ec8ffa011de184f396f389326ae2153c176e6e38624ebae4785f0a707.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\xfrxrfr.exec:\xfrxrfr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\5jdpd.exec:\5jdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\llrlxxf.exec:\llrlxxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\hnbntb.exec:\hnbntb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\lflllxx.exec:\lflllxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\ttbbbb.exec:\ttbbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\tttttn.exec:\tttttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\5vjjp.exec:\5vjjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\xlfflll.exec:\xlfflll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\nbbttn.exec:\nbbttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\3jdvp.exec:\3jdvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\ttnntt.exec:\ttnntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\nbtnhh.exec:\nbtnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\pjpjj.exec:\pjpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\vjpdd.exec:\vjpdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\djdvj.exec:\djdvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\1xfxxff.exec:\1xfxxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\9tbtnt.exec:\9tbtnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\djdpv.exec:\djdpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\ppppd.exec:\ppppd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\jdpvj.exec:\jdpvj.exe23⤵
- Executes dropped EXE
PID:4432 -
\??\c:\7hbtbb.exec:\7hbtbb.exe24⤵
- Executes dropped EXE
PID:1196 -
\??\c:\nnhbbt.exec:\nnhbbt.exe25⤵
- Executes dropped EXE
PID:2220 -
\??\c:\fxxffrf.exec:\fxxffrf.exe26⤵
- Executes dropped EXE
PID:4828 -
\??\c:\9bnhht.exec:\9bnhht.exe27⤵
- Executes dropped EXE
PID:4472 -
\??\c:\lfxrllf.exec:\lfxrllf.exe28⤵
- Executes dropped EXE
PID:2740 -
\??\c:\9vjdj.exec:\9vjdj.exe29⤵
- Executes dropped EXE
PID:912 -
\??\c:\3xfffll.exec:\3xfffll.exe30⤵
- Executes dropped EXE
PID:1288 -
\??\c:\thbbtb.exec:\thbbtb.exe31⤵
- Executes dropped EXE
PID:4936 -
\??\c:\nthhbn.exec:\nthhbn.exe32⤵
- Executes dropped EXE
PID:2872 -
\??\c:\vjppp.exec:\vjppp.exe33⤵
- Executes dropped EXE
PID:5100 -
\??\c:\tbhbtt.exec:\tbhbtt.exe34⤵
- Executes dropped EXE
PID:4924 -
\??\c:\hntttt.exec:\hntttt.exe35⤵
- Executes dropped EXE
PID:4388 -
\??\c:\jvdjj.exec:\jvdjj.exe36⤵
- Executes dropped EXE
PID:4200 -
\??\c:\rlllffx.exec:\rlllffx.exe37⤵
- Executes dropped EXE
PID:3848 -
\??\c:\btnhbb.exec:\btnhbb.exe38⤵
- Executes dropped EXE
PID:4256 -
\??\c:\lxffxxx.exec:\lxffxxx.exe39⤵
- Executes dropped EXE
PID:2272 -
\??\c:\1dvjd.exec:\1dvjd.exe40⤵
- Executes dropped EXE
PID:1636 -
\??\c:\xffxrlf.exec:\xffxrlf.exe41⤵
- Executes dropped EXE
PID:2976 -
\??\c:\pvvvd.exec:\pvvvd.exe42⤵
- Executes dropped EXE
PID:3940 -
\??\c:\llxrrlr.exec:\llxrrlr.exe43⤵
- Executes dropped EXE
PID:2064 -
\??\c:\hbbbbb.exec:\hbbbbb.exe44⤵
- Executes dropped EXE
PID:3104 -
\??\c:\9jvpj.exec:\9jvpj.exe45⤵
- Executes dropped EXE
PID:2844 -
\??\c:\1pvpp.exec:\1pvpp.exe46⤵
- Executes dropped EXE
PID:4972 -
\??\c:\rlrlfff.exec:\rlrlfff.exe47⤵
- Executes dropped EXE
PID:5032 -
\??\c:\ntbbhh.exec:\ntbbhh.exe48⤵
- Executes dropped EXE
PID:3520 -
\??\c:\jvdvv.exec:\jvdvv.exe49⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pjjdv.exec:\pjjdv.exe50⤵
- Executes dropped EXE
PID:428 -
\??\c:\frxrrll.exec:\frxrrll.exe51⤵
- Executes dropped EXE
PID:4528 -
\??\c:\nhnbhh.exec:\nhnbhh.exe52⤵
- Executes dropped EXE
PID:3952 -
\??\c:\pdpjv.exec:\pdpjv.exe53⤵
- Executes dropped EXE
PID:3328 -
\??\c:\9rfxxff.exec:\9rfxxff.exe54⤵
- Executes dropped EXE
PID:4752 -
\??\c:\lfrxrrr.exec:\lfrxrrr.exe55⤵
- Executes dropped EXE
PID:804 -
\??\c:\bhbbtb.exec:\bhbbtb.exe56⤵
- Executes dropped EXE
PID:5020 -
\??\c:\ddjdv.exec:\ddjdv.exe57⤵
- Executes dropped EXE
PID:4152 -
\??\c:\ppjjj.exec:\ppjjj.exe58⤵
- Executes dropped EXE
PID:232 -
\??\c:\fflfxxx.exec:\fflfxxx.exe59⤵
- Executes dropped EXE
PID:2092 -
\??\c:\hhhttt.exec:\hhhttt.exe60⤵
- Executes dropped EXE
PID:1616 -
\??\c:\vjppp.exec:\vjppp.exe61⤵
- Executes dropped EXE
PID:2284 -
\??\c:\pdjvd.exec:\pdjvd.exe62⤵
- Executes dropped EXE
PID:4696 -
\??\c:\frxrfff.exec:\frxrfff.exe63⤵
- Executes dropped EXE
PID:4704 -
\??\c:\bhtnnn.exec:\bhtnnn.exe64⤵
- Executes dropped EXE
PID:3200 -
\??\c:\vppjd.exec:\vppjd.exe65⤵
- Executes dropped EXE
PID:2280 -
\??\c:\fxflrrr.exec:\fxflrrr.exe66⤵PID:4040
-
\??\c:\bntnnn.exec:\bntnnn.exe67⤵PID:1568
-
\??\c:\hhhbtt.exec:\hhhbtt.exe68⤵PID:3044
-
\??\c:\jjvpj.exec:\jjvpj.exe69⤵PID:2000
-
\??\c:\frrrlrl.exec:\frrrlrl.exe70⤵PID:5008
-
\??\c:\rfllrrr.exec:\rfllrrr.exe71⤵PID:4868
-
\??\c:\btnntb.exec:\btnntb.exe72⤵PID:2496
-
\??\c:\1djdv.exec:\1djdv.exe73⤵PID:2412
-
\??\c:\frfxxxx.exec:\frfxxxx.exe74⤵PID:1204
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe75⤵PID:3400
-
\??\c:\ntbtth.exec:\ntbtth.exe76⤵PID:1208
-
\??\c:\pjpjd.exec:\pjpjd.exe77⤵PID:4732
-
\??\c:\9jvdp.exec:\9jvdp.exe78⤵PID:1440
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe79⤵PID:4524
-
\??\c:\hbhbtn.exec:\hbhbtn.exe80⤵PID:4788
-
\??\c:\nnhnbh.exec:\nnhnbh.exe81⤵PID:3580
-
\??\c:\ddvpj.exec:\ddvpj.exe82⤵PID:1008
-
\??\c:\rrfxflr.exec:\rrfxflr.exe83⤵PID:2084
-
\??\c:\bnttnn.exec:\bnttnn.exe84⤵PID:4596
-
\??\c:\1hbthh.exec:\1hbthh.exe85⤵PID:4940
-
\??\c:\jdpjv.exec:\jdpjv.exe86⤵PID:4700
-
\??\c:\llxxrxr.exec:\llxxrxr.exe87⤵PID:2596
-
\??\c:\1xffffx.exec:\1xffffx.exe88⤵PID:2012
-
\??\c:\bthntt.exec:\bthntt.exe89⤵PID:912
-
\??\c:\1jvjd.exec:\1jvjd.exe90⤵PID:4140
-
\??\c:\lrflxfx.exec:\lrflxfx.exe91⤵PID:2724
-
\??\c:\nhtbtt.exec:\nhtbtt.exe92⤵PID:1272
-
\??\c:\tnbbtt.exec:\tnbbtt.exe93⤵PID:1864
-
\??\c:\ddddv.exec:\ddddv.exe94⤵PID:2872
-
\??\c:\xffrrrr.exec:\xffrrrr.exe95⤵PID:5100
-
\??\c:\xrlfxll.exec:\xrlfxll.exe96⤵PID:2188
-
\??\c:\nhtnbt.exec:\nhtnbt.exe97⤵PID:4312
-
\??\c:\jjvpj.exec:\jjvpj.exe98⤵PID:4200
-
\??\c:\3ddvp.exec:\3ddvp.exe99⤵PID:4888
-
\??\c:\fxllffx.exec:\fxllffx.exe100⤵PID:3892
-
\??\c:\1hhbbh.exec:\1hhbbh.exe101⤵PID:2964
-
\??\c:\dvdvv.exec:\dvdvv.exe102⤵PID:5064
-
\??\c:\9xxrlrl.exec:\9xxrlrl.exe103⤵PID:4060
-
\??\c:\tnnhhh.exec:\tnnhhh.exe104⤵PID:3124
-
\??\c:\bhtnhn.exec:\bhtnhn.exe105⤵PID:1188
-
\??\c:\1vjdv.exec:\1vjdv.exe106⤵PID:2192
-
\??\c:\flrlffx.exec:\flrlffx.exe107⤵PID:2356
-
\??\c:\5bnnhn.exec:\5bnnhn.exe108⤵PID:3796
-
\??\c:\5pjvv.exec:\5pjvv.exe109⤵PID:2196
-
\??\c:\jjpjp.exec:\jjpjp.exe110⤵PID:4740
-
\??\c:\xflflll.exec:\xflflll.exe111⤵PID:4264
-
\??\c:\hhhhnn.exec:\hhhhnn.exe112⤵PID:4268
-
\??\c:\jvddv.exec:\jvddv.exe113⤵PID:4384
-
\??\c:\7fxxlrl.exec:\7fxxlrl.exe114⤵PID:2212
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe115⤵PID:1040
-
\??\c:\btbttt.exec:\btbttt.exe116⤵PID:4692
-
\??\c:\djpvp.exec:\djpvp.exe117⤵PID:924
-
\??\c:\ffrrffr.exec:\ffrrffr.exe118⤵PID:464
-
\??\c:\xxxrlrl.exec:\xxxrlrl.exe119⤵PID:4996
-
\??\c:\btnnhn.exec:\btnnhn.exe120⤵PID:1548
-
\??\c:\9jppd.exec:\9jppd.exe121⤵PID:3772
-
\??\c:\9jjjd.exec:\9jjjd.exe122⤵PID:4328