Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f.exe
-
Size
453KB
-
MD5
4a50aec50881291c33b2e9731d648a20
-
SHA1
e0688793f7a506ebb688210a17e3aad747667a87
-
SHA256
b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f
-
SHA512
2379134392b5000224f477c5fe48f7d0d1fd43d81b9c9f851278aca6947f96737114c46c7b8f93b37409b1eef538931459439cde477d4be0b827b5e6c4cc562a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4164-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2132-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4780-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4012-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-719-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-1228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-1355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-1497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4480 tbbhhn.exe 5116 pjjdd.exe 3824 fxffxxr.exe 3648 flrfxfr.exe 1724 hthbtt.exe 3920 jjpjp.exe 3328 vdjdv.exe 4052 frfxxlf.exe 4972 hhbtnh.exe 1368 5vpjv.exe 3556 vjvjp.exe 3656 xflfxrr.exe 4200 btnbtn.exe 5020 7bhbbt.exe 4596 jvvpd.exe 3984 rxrlllr.exe 2664 htbnbt.exe 428 bnbtnh.exe 1444 3jvjp.exe 4832 lxlfxxx.exe 1728 fxxrlll.exe 4144 nbbtnh.exe 1280 pjdvj.exe 2268 jpvjd.exe 4960 xrrlfrr.exe 4508 tttnhh.exe 3536 nthtnn.exe 2360 vvdvp.exe 2128 lxrllff.exe 392 fxfxxrr.exe 2044 hbhnht.exe 4252 dppjj.exe 4780 frxrxrr.exe 4376 9rrrrrl.exe 4964 bthhbb.exe 1980 pjdvd.exe 940 lxxxrll.exe 2736 frlfrrl.exe 884 nbnhnh.exe 3856 vvdvp.exe 956 dpjjd.exe 4040 1xffllr.exe 1624 lrxrrrx.exe 2008 hntthn.exe 1640 vjpjv.exe 4412 frxrlff.exe 3320 flrlffx.exe 3788 hbbhbn.exe 3580 dpdvv.exe 1440 vdjdd.exe 4100 7lffxxx.exe 1652 hhhhbb.exe 1948 tnbnnh.exe 1672 pvdvp.exe 1332 frlfxrl.exe 1244 3llfxff.exe 1432 nbhbtt.exe 1460 pjdvv.exe 1596 pvdvj.exe 1896 rlllffx.exe 2448 5nhtnh.exe 4496 ntnbth.exe 720 pjpjd.exe 4164 rlllffx.exe -
resource yara_rule behavioral2/memory/4164-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2132-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3536-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-393-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3452-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-719-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-810-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-1228-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfffrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4164 wrote to memory of 4480 4164 b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f.exe 82 PID 4164 wrote to memory of 4480 4164 b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f.exe 82 PID 4164 wrote to memory of 4480 4164 b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f.exe 82 PID 4480 wrote to memory of 5116 4480 tbbhhn.exe 83 PID 4480 wrote to memory of 5116 4480 tbbhhn.exe 83 PID 4480 wrote to memory of 5116 4480 tbbhhn.exe 83 PID 5116 wrote to memory of 3824 5116 pjjdd.exe 84 PID 5116 wrote to memory of 3824 5116 pjjdd.exe 84 PID 5116 wrote to memory of 3824 5116 pjjdd.exe 84 PID 3824 wrote to memory of 3648 3824 fxffxxr.exe 85 PID 3824 wrote to memory of 3648 3824 fxffxxr.exe 85 PID 3824 wrote to memory of 3648 3824 fxffxxr.exe 85 PID 3648 wrote to memory of 1724 3648 flrfxfr.exe 86 PID 3648 wrote to memory of 1724 3648 flrfxfr.exe 86 PID 3648 wrote to memory of 1724 3648 flrfxfr.exe 86 PID 1724 wrote to memory of 3920 1724 hthbtt.exe 87 PID 1724 wrote to memory of 3920 1724 hthbtt.exe 87 PID 1724 wrote to memory of 3920 1724 hthbtt.exe 87 PID 3920 wrote to memory of 3328 3920 jjpjp.exe 88 PID 3920 wrote to memory of 3328 3920 jjpjp.exe 88 PID 3920 wrote to memory of 3328 3920 jjpjp.exe 88 PID 3328 wrote to memory of 4052 3328 vdjdv.exe 89 PID 3328 wrote to memory of 4052 3328 vdjdv.exe 89 PID 3328 wrote to memory of 4052 3328 vdjdv.exe 89 PID 4052 wrote to memory of 4972 4052 frfxxlf.exe 90 PID 4052 wrote to memory of 4972 4052 frfxxlf.exe 90 PID 4052 wrote to memory of 4972 4052 frfxxlf.exe 90 PID 4972 wrote to memory of 1368 4972 hhbtnh.exe 91 PID 4972 wrote to memory of 1368 4972 hhbtnh.exe 91 PID 4972 wrote to memory of 1368 4972 hhbtnh.exe 91 PID 1368 wrote to memory of 3556 1368 5vpjv.exe 92 PID 1368 wrote to memory of 3556 1368 5vpjv.exe 92 PID 1368 wrote to memory of 3556 1368 5vpjv.exe 92 PID 3556 wrote to memory of 3656 3556 vjvjp.exe 93 PID 3556 wrote to 
memory of 3656 3556 vjvjp.exe 93 PID 3556 wrote to memory of 3656 3556 vjvjp.exe 93 PID 3656 wrote to memory of 4200 3656 xflfxrr.exe 94 PID 3656 wrote to memory of 4200 3656 xflfxrr.exe 94 PID 3656 wrote to memory of 4200 3656 xflfxrr.exe 94 PID 4200 wrote to memory of 5020 4200 btnbtn.exe 158 PID 4200 wrote to memory of 5020 4200 btnbtn.exe 158 PID 4200 wrote to memory of 5020 4200 btnbtn.exe 158 PID 5020 wrote to memory of 4596 5020 7bhbbt.exe 96 PID 5020 wrote to memory of 4596 5020 7bhbbt.exe 96 PID 5020 wrote to memory of 4596 5020 7bhbbt.exe 96 PID 4596 wrote to memory of 3984 4596 jvvpd.exe 159 PID 4596 wrote to memory of 3984 4596 jvvpd.exe 159 PID 4596 wrote to memory of 3984 4596 jvvpd.exe 159 PID 3984 wrote to memory of 2664 3984 rxrlllr.exe 98 PID 3984 wrote to memory of 2664 3984 rxrlllr.exe 98 PID 3984 wrote to memory of 2664 3984 rxrlllr.exe 98 PID 2664 wrote to memory of 428 2664 htbnbt.exe 99 PID 2664 wrote to memory of 428 2664 htbnbt.exe 99 PID 2664 wrote to memory of 428 2664 htbnbt.exe 99 PID 428 wrote to memory of 1444 428 bnbtnh.exe 100 PID 428 wrote to memory of 1444 428 bnbtnh.exe 100 PID 428 wrote to memory of 1444 428 bnbtnh.exe 100 PID 1444 wrote to memory of 4832 1444 3jvjp.exe 101 PID 1444 wrote to memory of 4832 1444 3jvjp.exe 101 PID 1444 wrote to memory of 4832 1444 3jvjp.exe 101 PID 4832 wrote to memory of 1728 4832 lxlfxxx.exe 164 PID 4832 wrote to memory of 1728 4832 lxlfxxx.exe 164 PID 4832 wrote to memory of 1728 4832 lxlfxxx.exe 164 PID 1728 wrote to memory of 4144 1728 fxxrlll.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f.exe"C:\Users\Admin\AppData\Local\Temp\b5377ceca72ec3792eab6a8bb9f6d035cd46baa2ab4ad0dbeee106c32a2ecf9f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\tbbhhn.exec:\tbbhhn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\pjjdd.exec:\pjjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\fxffxxr.exec:\fxffxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\flrfxfr.exec:\flrfxfr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\hthbtt.exec:\hthbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1724 -
\??\c:\jjpjp.exec:\jjpjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\vdjdv.exec:\vdjdv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\frfxxlf.exec:\frfxxlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\hhbtnh.exec:\hhbtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\5vpjv.exec:\5vpjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\vjvjp.exec:\vjvjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\xflfxrr.exec:\xflfxrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\btnbtn.exec:\btnbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\7bhbbt.exec:\7bhbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\jvvpd.exec:\jvvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\rxrlllr.exec:\rxrlllr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\htbnbt.exec:\htbnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\bnbtnh.exec:\bnbtnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\3jvjp.exec:\3jvjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\lxlfxxx.exec:\lxlfxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\fxxrlll.exec:\fxxrlll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\nbbtnh.exec:\nbbtnh.exe23⤵
- Executes dropped EXE
PID:4144 -
\??\c:\pjdvj.exec:\pjdvj.exe24⤵
- Executes dropped EXE
PID:1280 -
\??\c:\jpvjd.exec:\jpvjd.exe25⤵
- Executes dropped EXE
PID:2268 -
\??\c:\xrrlfrr.exec:\xrrlfrr.exe26⤵
- Executes dropped EXE
PID:4960 -
\??\c:\tttnhh.exec:\tttnhh.exe27⤵
- Executes dropped EXE
PID:4508 -
\??\c:\nthtnn.exec:\nthtnn.exe28⤵
- Executes dropped EXE
PID:3536 -
\??\c:\vvdvp.exec:\vvdvp.exe29⤵
- Executes dropped EXE
PID:2360 -
\??\c:\lxrllff.exec:\lxrllff.exe30⤵
- Executes dropped EXE
PID:2128 -
\??\c:\fxfxxrr.exec:\fxfxxrr.exe31⤵
- Executes dropped EXE
PID:392 -
\??\c:\hbhnht.exec:\hbhnht.exe32⤵
- Executes dropped EXE
PID:2044 -
\??\c:\dppjj.exec:\dppjj.exe33⤵
- Executes dropped EXE
PID:4252 -
\??\c:\frxrxrr.exec:\frxrxrr.exe34⤵
- Executes dropped EXE
PID:4780 -
\??\c:\9rrrrrl.exec:\9rrrrrl.exe35⤵
- Executes dropped EXE
PID:4376 -
\??\c:\bthhbb.exec:\bthhbb.exe36⤵
- Executes dropped EXE
PID:4964 -
\??\c:\pjdvd.exec:\pjdvd.exe37⤵
- Executes dropped EXE
PID:1980 -
\??\c:\lxxxrll.exec:\lxxxrll.exe38⤵
- Executes dropped EXE
PID:940 -
\??\c:\frlfrrl.exec:\frlfrrl.exe39⤵
- Executes dropped EXE
PID:2736 -
\??\c:\nbnhnh.exec:\nbnhnh.exe40⤵
- Executes dropped EXE
PID:884 -
\??\c:\vvdvp.exec:\vvdvp.exe41⤵
- Executes dropped EXE
PID:3856 -
\??\c:\dpjjd.exec:\dpjjd.exe42⤵
- Executes dropped EXE
PID:956 -
\??\c:\1xffllr.exec:\1xffllr.exe43⤵
- Executes dropped EXE
PID:4040 -
\??\c:\lrxrrrx.exec:\lrxrrrx.exe44⤵
- Executes dropped EXE
PID:1624 -
\??\c:\hntthn.exec:\hntthn.exe45⤵
- Executes dropped EXE
PID:2008 -
\??\c:\vjpjv.exec:\vjpjv.exe46⤵
- Executes dropped EXE
PID:1640 -
\??\c:\frxrlff.exec:\frxrlff.exe47⤵
- Executes dropped EXE
PID:4412 -
\??\c:\flrlffx.exec:\flrlffx.exe48⤵
- Executes dropped EXE
PID:3320 -
\??\c:\hbbhbn.exec:\hbbhbn.exe49⤵
- Executes dropped EXE
PID:3788 -
\??\c:\dpdvv.exec:\dpdvv.exe50⤵
- Executes dropped EXE
PID:3580 -
\??\c:\vdjdd.exec:\vdjdd.exe51⤵
- Executes dropped EXE
PID:1440 -
\??\c:\7lffxxx.exec:\7lffxxx.exe52⤵
- Executes dropped EXE
PID:4100 -
\??\c:\hhhhbb.exec:\hhhhbb.exe53⤵
- Executes dropped EXE
PID:1652 -
\??\c:\tnbnnh.exec:\tnbnnh.exe54⤵
- Executes dropped EXE
PID:1948 -
\??\c:\pvdvp.exec:\pvdvp.exe55⤵
- Executes dropped EXE
PID:1672 -
\??\c:\frlfxrl.exec:\frlfxrl.exe56⤵
- Executes dropped EXE
PID:1332 -
\??\c:\3llfxff.exec:\3llfxff.exe57⤵
- Executes dropped EXE
PID:1244 -
\??\c:\nbhbtt.exec:\nbhbtt.exe58⤵
- Executes dropped EXE
PID:1432 -
\??\c:\pjdvv.exec:\pjdvv.exe59⤵
- Executes dropped EXE
PID:1460 -
\??\c:\pvdvj.exec:\pvdvj.exe60⤵
- Executes dropped EXE
PID:1596 -
\??\c:\rlllffx.exec:\rlllffx.exe61⤵
- Executes dropped EXE
PID:1896 -
\??\c:\5nhtnh.exec:\5nhtnh.exe62⤵
- Executes dropped EXE
PID:2448 -
\??\c:\ntnbth.exec:\ntnbth.exe63⤵
- Executes dropped EXE
PID:4496 -
\??\c:\pjpjd.exec:\pjpjd.exe64⤵
- Executes dropped EXE
PID:720 -
\??\c:\rlllffx.exec:\rlllffx.exe65⤵
- Executes dropped EXE
PID:4164 -
\??\c:\lxfxxlf.exec:\lxfxxlf.exe66⤵PID:3764
-
\??\c:\bbnbbn.exec:\bbnbbn.exe67⤵PID:872
-
\??\c:\jpvdj.exec:\jpvdj.exe68⤵
- System Location Discovery: System Language Discovery
PID:3296 -
\??\c:\vjpjj.exec:\vjpjj.exe69⤵PID:968
-
\??\c:\rxfxrlx.exec:\rxfxrlx.exe70⤵PID:3552
-
\??\c:\hbbttn.exec:\hbbttn.exe71⤵PID:4996
-
\??\c:\5tbtnn.exec:\5tbtnn.exe72⤵PID:2132
-
\??\c:\jdpjj.exec:\jdpjj.exe73⤵PID:3328
-
\??\c:\3fxrlrl.exec:\3fxrlrl.exe74⤵PID:3228
-
\??\c:\xrfrxrr.exec:\xrfrxrr.exe75⤵PID:916
-
\??\c:\ntntnb.exec:\ntntnb.exe76⤵PID:1368
-
\??\c:\vjjdv.exec:\vjjdv.exe77⤵PID:4012
-
\??\c:\3xfxfxf.exec:\3xfxfxf.exe78⤵PID:5020
-
\??\c:\thhbtn.exec:\thhbtn.exe79⤵PID:3984
-
\??\c:\jdjjp.exec:\jdjjp.exe80⤵PID:3992
-
\??\c:\rflfrrf.exec:\rflfrrf.exe81⤵PID:208
-
\??\c:\nhnhbb.exec:\nhnhbb.exe82⤵PID:1288
-
\??\c:\vdjjd.exec:\vdjjd.exe83⤵PID:4716
-
\??\c:\5xfflrx.exec:\5xfflrx.exe84⤵PID:1728
-
\??\c:\htttnh.exec:\htttnh.exe85⤵PID:4616
-
\??\c:\btbbtt.exec:\btbbtt.exe86⤵PID:2000
-
\??\c:\jvddv.exec:\jvddv.exe87⤵PID:1856
-
\??\c:\xrxrrll.exec:\xrxrrll.exe88⤵PID:4244
-
\??\c:\lffxxrr.exec:\lffxxrr.exe89⤵PID:1428
-
\??\c:\thtnhb.exec:\thtnhb.exe90⤵PID:1116
-
\??\c:\jdjvp.exec:\jdjvp.exe91⤵PID:1580
-
\??\c:\7xxlxrf.exec:\7xxlxrf.exe92⤵PID:2364
-
\??\c:\xflxrlf.exec:\xflxrlf.exe93⤵PID:4780
-
\??\c:\3nnhbt.exec:\3nnhbt.exe94⤵PID:5088
-
\??\c:\vvvpd.exec:\vvvpd.exe95⤵PID:1980
-
\??\c:\xrrlfxl.exec:\xrrlfxl.exe96⤵PID:1668
-
\??\c:\lxxlfrl.exec:\lxxlfrl.exe97⤵PID:2088
-
\??\c:\pdpjv.exec:\pdpjv.exe98⤵PID:1924
-
\??\c:\9dvjd.exec:\9dvjd.exe99⤵PID:3452
-
\??\c:\xxlfxfr.exec:\xxlfxfr.exe100⤵PID:1472
-
\??\c:\rxlfrlf.exec:\rxlfrlf.exe101⤵PID:2008
-
\??\c:\1rrrlxr.exec:\1rrrlxr.exe102⤵PID:1488
-
\??\c:\bnhnnb.exec:\bnhnnb.exe103⤵PID:3248
-
\??\c:\pddvv.exec:\pddvv.exe104⤵PID:1628
-
\??\c:\rrllffx.exec:\rrllffx.exe105⤵PID:3320
-
\??\c:\vjjjd.exec:\vjjjd.exe106⤵PID:2556
-
\??\c:\ffrfxxr.exec:\ffrfxxr.exe107⤵PID:1440
-
\??\c:\dvppp.exec:\dvppp.exe108⤵PID:2136
-
\??\c:\htbtnn.exec:\htbtnn.exe109⤵PID:1052
-
\??\c:\vjvpj.exec:\vjvpj.exe110⤵PID:4992
-
\??\c:\lrrxfrr.exec:\lrrxfrr.exe111⤵PID:1332
-
\??\c:\bnttnt.exec:\bnttnt.exe112⤵PID:1552
-
\??\c:\3lxrxxf.exec:\3lxrxxf.exe113⤵PID:1432
-
\??\c:\tbtnhh.exec:\tbtnhh.exe114⤵PID:4452
-
\??\c:\jdvpv.exec:\jdvpv.exe115⤵PID:4136
-
\??\c:\nnbtbb.exec:\nnbtbb.exe116⤵PID:2500
-
\??\c:\flrlffx.exec:\flrlffx.exe117⤵PID:2140
-
\??\c:\jpjdj.exec:\jpjdj.exe118⤵PID:1240
-
\??\c:\vjvpp.exec:\vjvpp.exe119⤵PID:2376
-
\??\c:\vjpjj.exec:\vjpjj.exe120⤵PID:4928
-
\??\c:\1flfxxr.exec:\1flfxxr.exe121⤵PID:4164
-
\??\c:\thnbtn.exec:\thnbtn.exe122⤵PID:5100