Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 00:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48.exe
Resource
win7-20240903-en (note: every signature hit and the process tree on this page are tagged behavioral2 and appear to come from the win10v2004-20241007-en run described in the header; the results of this win7 run are not shown here)
7 signatures
120 seconds
General
-
Target
c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48.exe
-
Size
454KB
-
MD5
777e2fb3d9406a28d986e5438055a9c6
-
SHA1
d8abf12cbb2d35e6565fa47fc39db2faf25bf18f
-
SHA256
c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48
-
SHA512
665f29c6292d287067f73eb813d97f4081b118e4cd69ab1e0ff7d10c707b37698b7bd49d6e5f873a3aac029017262f9bb5c6a1f6564800442a40fc661f693b89
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs (all matches are on in-memory dumps of the same image range 0x0000000000400000-0x000000000042A000 in each spawned stage, i.e. every dropped executable carries the same unpacked payload; the on-disk files are the thing to hash and block, the memory rule is what confirms the family)
resource yara_rule behavioral2/memory/1280-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3896-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5108-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-851-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-1419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs are reused within the run, e.g. 224 appears for both nbhnnt.exe and 9ttnhb.exe and 4056 for both pppjd.exe and 7pdvp.exe, so correlate on parent/child relationship, path and hash rather than on PID alone; the file names are random-looking strings of h/b/t/n/j/d/p/v/x/l/r/f characters, which is itself a usable naming pattern)
pid Process 1492 hbthbn.exe 1620 3jjjj.exe 2344 rfrflff.exe 3864 9xrfxrf.exe 4632 nbtbhh.exe 4924 pdjdd.exe 4864 xlxlllx.exe 224 nbhnnt.exe 4056 pppjd.exe 4636 lrrfxrf.exe 1808 ntbtnn.exe 4984 jvvpj.exe 4576 nnhbnh.exe 4756 llfrrll.exe 2856 xfxfxxl.exe 1688 djddj.exe 3984 dpvjj.exe 2440 flrlxxr.exe 3232 7dpjd.exe 3892 rxfrffl.exe 4376 tnhbnh.exe 3000 jddpj.exe 2260 dpddp.exe 2212 5tbnnh.exe 4652 dvpdv.exe 1204 9llfxxx.exe 3048 bhnnbb.exe 1308 hbthbn.exe 1980 pjjvp.exe 4200 bbhttt.exe 1892 jddpd.exe 2852 fflfrlf.exe 4440 rllfrlf.exe 2772 dpppd.exe 2180 xrrlxxl.exe 3896 thhtnn.exe 4000 7tthbb.exe 1368 pjdpd.exe 2240 rxxrfrx.exe 2096 9rrfxrf.exe 2284 nnnhtn.exe 948 btnbnt.exe 2432 jvjvp.exe 636 5rlfxrl.exe 2684 xfrxffl.exe 2616 nhtnnb.exe 3024 btnhtn.exe 4148 ddvjv.exe 3960 xxxrffx.exe 772 xxfrlfx.exe 4596 btthnh.exe 2052 tnhtnb.exe 544 7dvdv.exe 3532 3xrfrlx.exe 3932 nbthht.exe 1564 jpjpv.exe 5052 bthbnt.exe 3592 bbbbnb.exe 2008 jjjdj.exe 4560 rlfrfxl.exe 1304 pvvjv.exe 872 frrfxrf.exe 224 9ttnhb.exe 4056 7pdvp.exe -
resource yara_rule behavioral2/memory/1280-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-188-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2852-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5108-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-599-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host (MITRE ATT&CK T1614.001). The evidence here is each stage opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language; this key is also read by plenty of benign software, so on its own it is a weak, supporting indicator and should be paired with the family match above. Rows attributed to "Process not Found" are reads whose originating process the sandbox could not resolve (most likely it had already exited), not evidence of an additional actor.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent→child pair below shows exactly three writes immediately around process creation, which is consistent with ordinary process start-up rather than cross-process code injection; treat this signature as supporting context for the spawn chain, not as proof of injection)
description pid Process procid_target PID 1280 wrote to memory of 1492 1280 c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48.exe 83 PID 1280 wrote to memory of 1492 1280 c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48.exe 83 PID 1280 wrote to memory of 1492 1280 c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48.exe 83 PID 1492 wrote to memory of 1620 1492 hbthbn.exe 84 PID 1492 wrote to memory of 1620 1492 hbthbn.exe 84 PID 1492 wrote to memory of 1620 1492 hbthbn.exe 84 PID 1620 wrote to memory of 2344 1620 3jjjj.exe 85 PID 1620 wrote to memory of 2344 1620 3jjjj.exe 85 PID 1620 wrote to memory of 2344 1620 3jjjj.exe 85 PID 2344 wrote to memory of 3864 2344 rfrflff.exe 86 PID 2344 wrote to memory of 3864 2344 rfrflff.exe 86 PID 2344 wrote to memory of 3864 2344 rfrflff.exe 86 PID 3864 wrote to memory of 4632 3864 9xrfxrf.exe 87 PID 3864 wrote to memory of 4632 3864 9xrfxrf.exe 87 PID 3864 wrote to memory of 4632 3864 9xrfxrf.exe 87 PID 4632 wrote to memory of 4924 4632 nbtbhh.exe 88 PID 4632 wrote to memory of 4924 4632 nbtbhh.exe 88 PID 4632 wrote to memory of 4924 4632 nbtbhh.exe 88 PID 4924 wrote to memory of 4864 4924 pdjdd.exe 89 PID 4924 wrote to memory of 4864 4924 pdjdd.exe 89 PID 4924 wrote to memory of 4864 4924 pdjdd.exe 89 PID 4864 wrote to memory of 224 4864 xlxlllx.exe 90 PID 4864 wrote to memory of 224 4864 xlxlllx.exe 90 PID 4864 wrote to memory of 224 4864 xlxlllx.exe 90 PID 224 wrote to memory of 4056 224 nbhnnt.exe 91 PID 224 wrote to memory of 4056 224 nbhnnt.exe 91 PID 224 wrote to memory of 4056 224 nbhnnt.exe 91 PID 4056 wrote to memory of 4636 4056 pppjd.exe 92 PID 4056 wrote to memory of 4636 4056 pppjd.exe 92 PID 4056 wrote to memory of 4636 4056 pppjd.exe 92 PID 4636 wrote to memory of 1808 4636 lrrfxrf.exe 93 PID 4636 wrote to memory of 1808 4636 lrrfxrf.exe 93 PID 4636 wrote to memory of 1808 4636 lrrfxrf.exe 93 PID 1808 wrote to memory of 4984 1808 ntbtnn.exe 94 PID 1808 wrote to memory 
of 4984 1808 ntbtnn.exe 94 PID 1808 wrote to memory of 4984 1808 ntbtnn.exe 94 PID 4984 wrote to memory of 4576 4984 jvvpj.exe 95 PID 4984 wrote to memory of 4576 4984 jvvpj.exe 95 PID 4984 wrote to memory of 4576 4984 jvvpj.exe 95 PID 4576 wrote to memory of 4756 4576 nnhbnh.exe 96 PID 4576 wrote to memory of 4756 4576 nnhbnh.exe 96 PID 4576 wrote to memory of 4756 4576 nnhbnh.exe 96 PID 4756 wrote to memory of 2856 4756 llfrrll.exe 97 PID 4756 wrote to memory of 2856 4756 llfrrll.exe 97 PID 4756 wrote to memory of 2856 4756 llfrrll.exe 97 PID 2856 wrote to memory of 1688 2856 xfxfxxl.exe 98 PID 2856 wrote to memory of 1688 2856 xfxfxxl.exe 98 PID 2856 wrote to memory of 1688 2856 xfxfxxl.exe 98 PID 1688 wrote to memory of 3984 1688 djddj.exe 99 PID 1688 wrote to memory of 3984 1688 djddj.exe 99 PID 1688 wrote to memory of 3984 1688 djddj.exe 99 PID 3984 wrote to memory of 2440 3984 dpvjj.exe 100 PID 3984 wrote to memory of 2440 3984 dpvjj.exe 100 PID 3984 wrote to memory of 2440 3984 dpvjj.exe 100 PID 2440 wrote to memory of 3232 2440 flrlxxr.exe 101 PID 2440 wrote to memory of 3232 2440 flrlxxr.exe 101 PID 2440 wrote to memory of 3232 2440 flrlxxr.exe 101 PID 3232 wrote to memory of 3892 3232 7dpjd.exe 102 PID 3232 wrote to memory of 3892 3232 7dpjd.exe 102 PID 3232 wrote to memory of 3892 3232 7dpjd.exe 102 PID 3892 wrote to memory of 4376 3892 rxfrffl.exe 103 PID 3892 wrote to memory of 4376 3892 rxfrffl.exe 103 PID 3892 wrote to memory of 4376 3892 rxfrffl.exe 103 PID 4376 wrote to memory of 3000 4376 tnhbnh.exe 104
Processes (each stage drops the next one to the volume root, e.g. c:\hbthbn.exe, and executes it, producing a linear parent→child chain more than 120 processes deep within the 120 s window; executables written to and launched from C:\ root, plus this chain depth, are both good detection points independent of the file names)
-
C:\Users\Admin\AppData\Local\Temp\c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48.exe"C:\Users\Admin\AppData\Local\Temp\c5b8f7028f12b6e34bb206528e08643cbf502556c33f5c5be34b15f31b96dd48.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\hbthbn.exec:\hbthbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\3jjjj.exec:\3jjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\rfrflff.exec:\rfrflff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\9xrfxrf.exec:\9xrfxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\nbtbhh.exec:\nbtbhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\pdjdd.exec:\pdjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\xlxlllx.exec:\xlxlllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\nbhnnt.exec:\nbhnnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\pppjd.exec:\pppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\lrrfxrf.exec:\lrrfxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\ntbtnn.exec:\ntbtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1808 -
\??\c:\jvvpj.exec:\jvvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\nnhbnh.exec:\nnhbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\llfrrll.exec:\llfrrll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\xfxfxxl.exec:\xfxfxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\djddj.exec:\djddj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\dpvjj.exec:\dpvjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\flrlxxr.exec:\flrlxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\7dpjd.exec:\7dpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\rxfrffl.exec:\rxfrffl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\tnhbnh.exec:\tnhbnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\jddpj.exec:\jddpj.exe23⤵
- Executes dropped EXE
PID:3000 -
\??\c:\dpddp.exec:\dpddp.exe24⤵
- Executes dropped EXE
PID:2260 -
\??\c:\5tbnnh.exec:\5tbnnh.exe25⤵
- Executes dropped EXE
PID:2212 -
\??\c:\dvpdv.exec:\dvpdv.exe26⤵
- Executes dropped EXE
PID:4652 -
\??\c:\9llfxxx.exec:\9llfxxx.exe27⤵
- Executes dropped EXE
PID:1204 -
\??\c:\bhnnbb.exec:\bhnnbb.exe28⤵
- Executes dropped EXE
PID:3048 -
\??\c:\hbthbn.exec:\hbthbn.exe29⤵
- Executes dropped EXE
PID:1308 -
\??\c:\pjjvp.exec:\pjjvp.exe30⤵
- Executes dropped EXE
PID:1980 -
\??\c:\bbhttt.exec:\bbhttt.exe31⤵
- Executes dropped EXE
PID:4200 -
\??\c:\jddpd.exec:\jddpd.exe32⤵
- Executes dropped EXE
PID:1892 -
\??\c:\fflfrlf.exec:\fflfrlf.exe33⤵
- Executes dropped EXE
PID:2852 -
\??\c:\rllfrlf.exec:\rllfrlf.exe34⤵
- Executes dropped EXE
PID:4440 -
\??\c:\dpppd.exec:\dpppd.exe35⤵
- Executes dropped EXE
PID:2772 -
\??\c:\xrrlxxl.exec:\xrrlxxl.exe36⤵
- Executes dropped EXE
PID:2180 -
\??\c:\thhtnn.exec:\thhtnn.exe37⤵
- Executes dropped EXE
PID:3896 -
\??\c:\7tthbb.exec:\7tthbb.exe38⤵
- Executes dropped EXE
PID:4000 -
\??\c:\pjdpd.exec:\pjdpd.exe39⤵
- Executes dropped EXE
PID:1368 -
\??\c:\rxxrfrx.exec:\rxxrfrx.exe40⤵
- Executes dropped EXE
PID:2240 -
\??\c:\9rrfxrf.exec:\9rrfxrf.exe41⤵
- Executes dropped EXE
PID:2096 -
\??\c:\nnnhtn.exec:\nnnhtn.exe42⤵
- Executes dropped EXE
PID:2284 -
\??\c:\btnbnt.exec:\btnbnt.exe43⤵
- Executes dropped EXE
PID:948 -
\??\c:\jvjvp.exec:\jvjvp.exe44⤵
- Executes dropped EXE
PID:2432 -
\??\c:\5rlfxrl.exec:\5rlfxrl.exe45⤵
- Executes dropped EXE
PID:636 -
\??\c:\xfrxffl.exec:\xfrxffl.exe46⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nhtnnb.exec:\nhtnnb.exe47⤵
- Executes dropped EXE
PID:2616 -
\??\c:\btnhtn.exec:\btnhtn.exe48⤵
- Executes dropped EXE
PID:3024 -
\??\c:\ddvjv.exec:\ddvjv.exe49⤵
- Executes dropped EXE
PID:4148 -
\??\c:\xxxrffx.exec:\xxxrffx.exe50⤵
- Executes dropped EXE
PID:3960 -
\??\c:\xxfrlfx.exec:\xxfrlfx.exe51⤵
- Executes dropped EXE
PID:772 -
\??\c:\btthnh.exec:\btthnh.exe52⤵
- Executes dropped EXE
PID:4596 -
\??\c:\tnhtnb.exec:\tnhtnb.exe53⤵
- Executes dropped EXE
PID:2052 -
\??\c:\7dvdv.exec:\7dvdv.exe54⤵
- Executes dropped EXE
PID:544 -
\??\c:\3xrfrlx.exec:\3xrfrlx.exe55⤵
- Executes dropped EXE
PID:3532 -
\??\c:\nbthht.exec:\nbthht.exe56⤵
- Executes dropped EXE
PID:3932 -
\??\c:\jpjpv.exec:\jpjpv.exe57⤵
- Executes dropped EXE
PID:1564 -
\??\c:\bthbnt.exec:\bthbnt.exe58⤵
- Executes dropped EXE
PID:5052 -
\??\c:\bbbbnb.exec:\bbbbnb.exe59⤵
- Executes dropped EXE
PID:3592 -
\??\c:\jjjdj.exec:\jjjdj.exe60⤵
- Executes dropped EXE
PID:2008 -
\??\c:\rlfrfxl.exec:\rlfrfxl.exe61⤵
- Executes dropped EXE
PID:4560 -
\??\c:\pvvjv.exec:\pvvjv.exe62⤵
- Executes dropped EXE
PID:1304 -
\??\c:\frrfxrf.exec:\frrfxrf.exe63⤵
- Executes dropped EXE
PID:872 -
\??\c:\9ttnhb.exec:\9ttnhb.exe64⤵
- Executes dropped EXE
PID:224 -
\??\c:\7pdvp.exec:\7pdvp.exe65⤵
- Executes dropped EXE
PID:4056 -
\??\c:\7llxlfr.exec:\7llxlfr.exe66⤵
- System Location Discovery: System Language Discovery
PID:2944 -
\??\c:\btntbn.exec:\btntbn.exe67⤵PID:4636
-
\??\c:\dvvpj.exec:\dvvpj.exe68⤵PID:3804
-
\??\c:\btbnnn.exec:\btbnnn.exe69⤵PID:4332
-
\??\c:\vdpjv.exec:\vdpjv.exe70⤵PID:1372
-
\??\c:\lrrlxfl.exec:\lrrlxfl.exe71⤵PID:2172
-
\??\c:\nbnhnh.exec:\nbnhnh.exe72⤵PID:1380
-
\??\c:\ddjdj.exec:\ddjdj.exe73⤵PID:3988
-
\??\c:\9ffrfrl.exec:\9ffrfrl.exe74⤵PID:4792
-
\??\c:\nbthtn.exec:\nbthtn.exe75⤵PID:1688
-
\??\c:\djppp.exec:\djppp.exe76⤵PID:4780
-
\??\c:\flrxlfx.exec:\flrxlfx.exe77⤵PID:3168
-
\??\c:\lllxxxl.exec:\lllxxxl.exe78⤵PID:4728
-
\??\c:\nbbthb.exec:\nbbthb.exe79⤵PID:1048
-
\??\c:\dppvj.exec:\dppvj.exe80⤵PID:2024
-
\??\c:\flxlxrx.exec:\flxlxrx.exe81⤵PID:4428
-
\??\c:\hbbbhh.exec:\hbbbhh.exe82⤵PID:4196
-
\??\c:\jddjd.exec:\jddjd.exe83⤵PID:5108
-
\??\c:\thnhbt.exec:\thnhbt.exe84⤵PID:4548
-
\??\c:\jdjdv.exec:\jdjdv.exe85⤵PID:3036
-
\??\c:\fffrfxl.exec:\fffrfxl.exe86⤵PID:1676
-
\??\c:\thhhbt.exec:\thhhbt.exe87⤵PID:4592
-
\??\c:\ntbnhb.exec:\ntbnhb.exe88⤵PID:2556
-
\??\c:\jdjvj.exec:\jdjvj.exe89⤵PID:2636
-
\??\c:\frfxxxr.exec:\frfxxxr.exe90⤵PID:2064
-
\??\c:\nthhhb.exec:\nthhhb.exe91⤵PID:1528
-
\??\c:\pdddv.exec:\pdddv.exe92⤵PID:3360
-
\??\c:\vppvj.exec:\vppvj.exe93⤵PID:1764
-
\??\c:\rllllfx.exec:\rllllfx.exe94⤵PID:2980
-
\??\c:\htbhtt.exec:\htbhtt.exe95⤵PID:2328
-
\??\c:\dvpdp.exec:\dvpdp.exe96⤵PID:3052
-
\??\c:\dvvpd.exec:\dvvpd.exe97⤵PID:1376
-
\??\c:\lrxrfrf.exec:\lrxrfrf.exe98⤵PID:3604
-
\??\c:\hbhbhb.exec:\hbhbhb.exe99⤵PID:4344
-
\??\c:\dppdp.exec:\dppdp.exe100⤵PID:3896
-
\??\c:\7fxrffx.exec:\7fxrffx.exe101⤵PID:5020
-
\??\c:\lxrfrxl.exec:\lxrfrxl.exe102⤵PID:820
-
\??\c:\9bbnbt.exec:\9bbnbt.exe103⤵PID:3124
-
\??\c:\ddjjd.exec:\ddjjd.exe104⤵PID:2940
-
\??\c:\lfrrllx.exec:\lfrrllx.exe105⤵PID:468
-
\??\c:\hhhnnh.exec:\hhhnnh.exe106⤵PID:1612
-
\??\c:\thhthb.exec:\thhthb.exe107⤵PID:3452
-
\??\c:\vjjdj.exec:\vjjdj.exe108⤵PID:4100
-
\??\c:\xflffxr.exec:\xflffxr.exe109⤵PID:2684
-
\??\c:\3rxxlxl.exec:\3rxxlxl.exe110⤵PID:516
-
\??\c:\9tthhb.exec:\9tthhb.exe111⤵PID:4272
-
\??\c:\dvjjv.exec:\dvjjv.exe112⤵PID:4236
-
\??\c:\1vvvj.exec:\1vvvj.exe113⤵PID:4708
-
\??\c:\ffxfxxl.exec:\ffxfxxl.exe114⤵PID:2756
-
\??\c:\7btnhb.exec:\7btnhb.exe115⤵PID:2956
-
\??\c:\3tbthb.exec:\3tbthb.exe116⤵PID:3004
-
\??\c:\pdvjp.exec:\pdvjp.exe117⤵PID:1280
-
\??\c:\xllxlfx.exec:\xllxlfx.exe118⤵PID:3732
-
\??\c:\rxxxlfx.exec:\rxxxlfx.exe119⤵PID:3092
-
\??\c:\bhnbth.exec:\bhnbth.exe120⤵PID:1696
-
\??\c:\jjdjp.exec:\jjdjp.exe121⤵PID:1960
-
\??\c:\nhhbnn.exec:\nhhbnn.exe122⤵
- System Location Discovery: System Language Discovery
PID:1124