Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:08
Static task
static1
1 signature
Behavioral task (note: the signature IoCs below are keyed to behavioral2 on the Windows 10 image named in the header, not to this win7 task)
behavioral1
Sample
5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0bN.exe
Resource
win7-20240729-en
7 signatures
120 seconds
General
-
Target
5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0bN.exe
-
Size
456KB
-
MD5
c37b11f7fcf6aacc1dab7519a8dd92a0
-
SHA1
56b15d97c28bde53ba0e3cd2c6d71e1aed19d9fe
-
SHA256
5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0b
-
SHA512
e7049c708361f30ed003dc21dc9be862b425b0bb686d343aef8c25fcd55e174f5eb819068a4b1a9b4807dc4b180b9783f960d3b0ee47a1f6cc5360fd732d4094
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRm:q7Tc2NYHUrAwfMp3CDRm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3684-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1108-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4956-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-1161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-1424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-1701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs — every dropped binary is launched from the root of C:\ (`\??\c:\<name>.exe` in the process tree) under a short pseudo-random name; PIDs are reused within the run (e.g. 3964 is listed as both lllxlxr.exe and rxxlfrl.exe), so key IoCs on the file path/name rather than the PID. -
pid Process 1616 bnnbnh.exe 3060 3jpdv.exe 3964 lllxlxr.exe 5032 bnnbnh.exe 4808 ddvjd.exe 3724 vjpvj.exe 2712 rlfrrlx.exe 372 5tnbth.exe 3016 5fxlrlx.exe 4904 dppvp.exe 3956 3vjvd.exe 2036 ttnbnh.exe 3644 lxfrlfl.exe 1784 jdddp.exe 4060 pppdp.exe 3356 rfxlfxl.exe 4644 tnbhbb.exe 5020 lxxlxrx.exe 3584 xlrrrlr.exe 1108 llxrfxr.exe 2984 fxxlfxl.exe 3248 ntnbnb.exe 4080 jvpdp.exe 1868 rfrrxrf.exe 2072 vpjvj.exe 4604 9nttht.exe 60 pppvj.exe 2604 xlrfrfx.exe 4592 bhhtht.exe 1352 3rxlxrf.exe 1136 9bthth.exe 4488 rfllrxf.exe 1936 vjpdv.exe 2216 fflxfxr.exe 2248 bhhthb.exe 5116 7jdpd.exe 4816 vjvpd.exe 1804 rflxrlf.exe 2256 nnthhb.exe 1924 3ddpd.exe 4012 rrrrlfx.exe 4920 btnbth.exe 116 ddvjv.exe 3440 1dvjd.exe 3964 rxxlfrl.exe 2636 1bnbbn.exe 1240 3hbnhb.exe 3532 jdjvd.exe 2808 llxlxxf.exe 4164 ttthhb.exe 4984 jvpdp.exe 1600 7jjpj.exe 32 rxxxlrl.exe 2288 bbhthb.exe 3476 jvvpd.exe 4456 1xfxlfr.exe 1156 xlfxllf.exe 3744 3bnhth.exe 4040 5vjpj.exe 3312 fxrxrlf.exe 3208 frrffxf.exe 3272 dvvjv.exe 2944 rflxrrl.exe 4224 rrrxxrr.exe -
resource yara_rule behavioral2/memory/3684-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2072-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1612-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-744-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrflfx.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xlrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs — in every entry shown, the target PID is the child that the writing process itself spawns next in the process tree below (three writes per child); no writes into unrelated, pre-existing processes are listed. -
description pid Process procid_target PID 3684 wrote to memory of 1616 3684 5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0bN.exe 83 PID 3684 wrote to memory of 1616 3684 5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0bN.exe 83 PID 3684 wrote to memory of 1616 3684 5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0bN.exe 83 PID 1616 wrote to memory of 3060 1616 bnnbnh.exe 84 PID 1616 wrote to memory of 3060 1616 bnnbnh.exe 84 PID 1616 wrote to memory of 3060 1616 bnnbnh.exe 84 PID 3060 wrote to memory of 3964 3060 3jpdv.exe 85 PID 3060 wrote to memory of 3964 3060 3jpdv.exe 85 PID 3060 wrote to memory of 3964 3060 3jpdv.exe 85 PID 3964 wrote to memory of 5032 3964 lllxlxr.exe 86 PID 3964 wrote to memory of 5032 3964 lllxlxr.exe 86 PID 3964 wrote to memory of 5032 3964 lllxlxr.exe 86 PID 5032 wrote to memory of 4808 5032 bnnbnh.exe 87 PID 5032 wrote to memory of 4808 5032 bnnbnh.exe 87 PID 5032 wrote to memory of 4808 5032 bnnbnh.exe 87 PID 4808 wrote to memory of 3724 4808 ddvjd.exe 88 PID 4808 wrote to memory of 3724 4808 ddvjd.exe 88 PID 4808 wrote to memory of 3724 4808 ddvjd.exe 88 PID 3724 wrote to memory of 2712 3724 vjpvj.exe 89 PID 3724 wrote to memory of 2712 3724 vjpvj.exe 89 PID 3724 wrote to memory of 2712 3724 vjpvj.exe 89 PID 2712 wrote to memory of 372 2712 rlfrrlx.exe 90 PID 2712 wrote to memory of 372 2712 rlfrrlx.exe 90 PID 2712 wrote to memory of 372 2712 rlfrrlx.exe 90 PID 372 wrote to memory of 3016 372 5tnbth.exe 91 PID 372 wrote to memory of 3016 372 5tnbth.exe 91 PID 372 wrote to memory of 3016 372 5tnbth.exe 91 PID 3016 wrote to memory of 4904 3016 5fxlrlx.exe 92 PID 3016 wrote to memory of 4904 3016 5fxlrlx.exe 92 PID 3016 wrote to memory of 4904 3016 5fxlrlx.exe 92 PID 4904 wrote to memory of 3956 4904 dppvp.exe 93 PID 4904 wrote to memory of 3956 4904 dppvp.exe 93 PID 4904 wrote to memory of 3956 4904 dppvp.exe 93 PID 3956 wrote to memory of 2036 3956 3vjvd.exe 94 PID 3956 wrote to memory of 
2036 3956 3vjvd.exe 94 PID 3956 wrote to memory of 2036 3956 3vjvd.exe 94 PID 2036 wrote to memory of 3644 2036 ttnbnh.exe 95 PID 2036 wrote to memory of 3644 2036 ttnbnh.exe 95 PID 2036 wrote to memory of 3644 2036 ttnbnh.exe 95 PID 3644 wrote to memory of 1784 3644 lxfrlfl.exe 96 PID 3644 wrote to memory of 1784 3644 lxfrlfl.exe 96 PID 3644 wrote to memory of 1784 3644 lxfrlfl.exe 96 PID 1784 wrote to memory of 4060 1784 jdddp.exe 97 PID 1784 wrote to memory of 4060 1784 jdddp.exe 97 PID 1784 wrote to memory of 4060 1784 jdddp.exe 97 PID 4060 wrote to memory of 3356 4060 pppdp.exe 98 PID 4060 wrote to memory of 3356 4060 pppdp.exe 98 PID 4060 wrote to memory of 3356 4060 pppdp.exe 98 PID 3356 wrote to memory of 4644 3356 rfxlfxl.exe 99 PID 3356 wrote to memory of 4644 3356 rfxlfxl.exe 99 PID 3356 wrote to memory of 4644 3356 rfxlfxl.exe 99 PID 4644 wrote to memory of 5020 4644 tnbhbb.exe 100 PID 4644 wrote to memory of 5020 4644 tnbhbb.exe 100 PID 4644 wrote to memory of 5020 4644 tnbhbb.exe 100 PID 5020 wrote to memory of 3584 5020 lxxlxrx.exe 101 PID 5020 wrote to memory of 3584 5020 lxxlxrx.exe 101 PID 5020 wrote to memory of 3584 5020 lxxlxrx.exe 101 PID 3584 wrote to memory of 1108 3584 xlrrrlr.exe 102 PID 3584 wrote to memory of 1108 3584 xlrrrlr.exe 102 PID 3584 wrote to memory of 1108 3584 xlrrrlr.exe 102 PID 1108 wrote to memory of 2984 1108 llxrfxr.exe 103 PID 1108 wrote to memory of 2984 1108 llxrfxr.exe 103 PID 1108 wrote to memory of 2984 1108 llxrfxr.exe 103 PID 2984 wrote to memory of 3248 2984 fxxlfxl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0bN.exe"C:\Users\Admin\AppData\Local\Temp\5ae479976e0edc5b3bbd5a49cd052405162c44ee752b608829dedd5b5e0c0f0bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\bnnbnh.exec:\bnnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\3jpdv.exec:\3jpdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\lllxlxr.exec:\lllxlxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\bnnbnh.exec:\bnnbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\ddvjd.exec:\ddvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\vjpvj.exec:\vjpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\rlfrrlx.exec:\rlfrrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\5tnbth.exec:\5tnbth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\5fxlrlx.exec:\5fxlrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\dppvp.exec:\dppvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\3vjvd.exec:\3vjvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\ttnbnh.exec:\ttnbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\lxfrlfl.exec:\lxfrlfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\jdddp.exec:\jdddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\pppdp.exec:\pppdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\rfxlfxl.exec:\rfxlfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\tnbhbb.exec:\tnbhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\lxxlxrx.exec:\lxxlxrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\xlrrrlr.exec:\xlrrrlr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\llxrfxr.exec:\llxrfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\fxxlfxl.exec:\fxxlfxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\ntnbnb.exec:\ntnbnb.exe23⤵
- Executes dropped EXE
PID:3248 -
\??\c:\jvpdp.exec:\jvpdp.exe24⤵
- Executes dropped EXE
PID:4080 -
\??\c:\rfrrxrf.exec:\rfrrxrf.exe25⤵
- Executes dropped EXE
PID:1868 -
\??\c:\vpjvj.exec:\vpjvj.exe26⤵
- Executes dropped EXE
PID:2072 -
\??\c:\9nttht.exec:\9nttht.exe27⤵
- Executes dropped EXE
PID:4604 -
\??\c:\pppvj.exec:\pppvj.exe28⤵
- Executes dropped EXE
PID:60 -
\??\c:\xlrfrfx.exec:\xlrfrfx.exe29⤵
- Executes dropped EXE
PID:2604 -
\??\c:\bhhtht.exec:\bhhtht.exe30⤵
- Executes dropped EXE
PID:4592 -
\??\c:\3rxlxrf.exec:\3rxlxrf.exe31⤵
- Executes dropped EXE
PID:1352 -
\??\c:\9bthth.exec:\9bthth.exe32⤵
- Executes dropped EXE
PID:1136 -
\??\c:\rfllrxf.exec:\rfllrxf.exe33⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vjpdv.exec:\vjpdv.exe34⤵
- Executes dropped EXE
PID:1936 -
\??\c:\fflxfxr.exec:\fflxfxr.exe35⤵
- Executes dropped EXE
PID:2216 -
\??\c:\bhhthb.exec:\bhhthb.exe36⤵
- Executes dropped EXE
PID:2248 -
\??\c:\7jdpd.exec:\7jdpd.exe37⤵
- Executes dropped EXE
PID:5116 -
\??\c:\vjvpd.exec:\vjvpd.exe38⤵
- Executes dropped EXE
PID:4816 -
\??\c:\rflxrlf.exec:\rflxrlf.exe39⤵
- Executes dropped EXE
PID:1804 -
\??\c:\nnthhb.exec:\nnthhb.exe40⤵
- Executes dropped EXE
PID:2256 -
\??\c:\3ddpd.exec:\3ddpd.exe41⤵
- Executes dropped EXE
PID:1924 -
\??\c:\rrrrlfx.exec:\rrrrlfx.exe42⤵
- Executes dropped EXE
PID:4012 -
\??\c:\btnbth.exec:\btnbth.exe43⤵
- Executes dropped EXE
PID:4920 -
\??\c:\ddvjv.exec:\ddvjv.exe44⤵
- Executes dropped EXE
PID:116 -
\??\c:\1dvjd.exec:\1dvjd.exe45⤵
- Executes dropped EXE
PID:3440 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe46⤵
- Executes dropped EXE
PID:3964 -
\??\c:\1bnbbn.exec:\1bnbbn.exe47⤵
- Executes dropped EXE
PID:2636 -
\??\c:\3hbnhb.exec:\3hbnhb.exe48⤵
- Executes dropped EXE
PID:1240 -
\??\c:\jdjvd.exec:\jdjvd.exe49⤵
- Executes dropped EXE
PID:3532 -
\??\c:\llxlxxf.exec:\llxlxxf.exe50⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ttthhb.exec:\ttthhb.exe51⤵
- Executes dropped EXE
PID:4164 -
\??\c:\jvpdp.exec:\jvpdp.exe52⤵
- Executes dropped EXE
PID:4984 -
\??\c:\7jjpj.exec:\7jjpj.exe53⤵
- Executes dropped EXE
PID:1600 -
\??\c:\rxxxlrl.exec:\rxxxlrl.exe54⤵
- Executes dropped EXE
PID:32 -
\??\c:\bbhthb.exec:\bbhthb.exe55⤵
- Executes dropped EXE
PID:2288 -
\??\c:\jvvpd.exec:\jvvpd.exe56⤵
- Executes dropped EXE
PID:3476 -
\??\c:\1xfxlfr.exec:\1xfxlfr.exe57⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xlfxllf.exec:\xlfxllf.exe58⤵
- Executes dropped EXE
PID:1156 -
\??\c:\3bnhth.exec:\3bnhth.exe59⤵
- Executes dropped EXE
PID:3744 -
\??\c:\5vjpj.exec:\5vjpj.exe60⤵
- Executes dropped EXE
PID:4040 -
\??\c:\fxrxrlf.exec:\fxrxrlf.exe61⤵
- Executes dropped EXE
PID:3312 -
\??\c:\frrffxf.exec:\frrffxf.exe62⤵
- Executes dropped EXE
PID:3208 -
\??\c:\dvvjv.exec:\dvvjv.exe63⤵
- Executes dropped EXE
PID:3272 -
\??\c:\rflxrrl.exec:\rflxrrl.exe64⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rrrxxrr.exec:\rrrxxrr.exe65⤵
- Executes dropped EXE
PID:4224 -
\??\c:\5nbnbt.exec:\5nbnbt.exe66⤵PID:4872
-
\??\c:\pjpvv.exec:\pjpvv.exe67⤵PID:540
-
\??\c:\5rrfrfx.exec:\5rrfrfx.exe68⤵PID:400
-
\??\c:\5tnhbt.exec:\5tnhbt.exe69⤵PID:3368
-
\??\c:\pdpdp.exec:\pdpdp.exe70⤵PID:228
-
\??\c:\frllxrf.exec:\frllxrf.exe71⤵PID:4824
-
\??\c:\7nbnbb.exec:\7nbnbb.exe72⤵PID:4956
-
\??\c:\7btntn.exec:\7btntn.exe73⤵PID:4080
-
\??\c:\vppdp.exec:\vppdp.exe74⤵PID:5092
-
\??\c:\rffrfxl.exec:\rffrfxl.exe75⤵PID:1612
-
\??\c:\bhhbnh.exec:\bhhbnh.exe76⤵PID:872
-
\??\c:\jpppj.exec:\jpppj.exe77⤵PID:2956
-
\??\c:\jpppj.exec:\jpppj.exe78⤵PID:4304
-
\??\c:\frrllxx.exec:\frrllxx.exe79⤵PID:3916
-
\??\c:\hbthtn.exec:\hbthtn.exe80⤵PID:3320
-
\??\c:\vvppp.exec:\vvppp.exe81⤵PID:2604
-
\??\c:\frrlrrf.exec:\frrlrrf.exe82⤵PID:4852
-
\??\c:\nhbnbt.exec:\nhbnbt.exe83⤵PID:5044
-
\??\c:\jdvvd.exec:\jdvvd.exe84⤵PID:4476
-
\??\c:\dvvjv.exec:\dvvjv.exe85⤵PID:1136
-
\??\c:\lffrffr.exec:\lffrffr.exe86⤵PID:4480
-
\??\c:\3hbnht.exec:\3hbnht.exe87⤵PID:2096
-
\??\c:\ppddj.exec:\ppddj.exe88⤵PID:2000
-
\??\c:\9rfxlrf.exec:\9rfxlrf.exe89⤵PID:1792
-
\??\c:\9fxlxrf.exec:\9fxlxrf.exe90⤵PID:5116
-
\??\c:\hhnhtn.exec:\hhnhtn.exe91⤵PID:3604
-
\??\c:\3pjvd.exec:\3pjvd.exe92⤵PID:4420
-
\??\c:\lfxlrlf.exec:\lfxlrlf.exe93⤵PID:5104
-
\??\c:\lxxlffx.exec:\lxxlffx.exe94⤵PID:4252
-
\??\c:\tttnbt.exec:\tttnbt.exe95⤵PID:4012
-
\??\c:\vpvjd.exec:\vpvjd.exe96⤵PID:1616
-
\??\c:\lxrxlfr.exec:\lxrxlfr.exe97⤵PID:3600
-
\??\c:\9bbnnt.exec:\9bbnnt.exe98⤵PID:4036
-
\??\c:\7jpdj.exec:\7jpdj.exe99⤵PID:3692
-
\??\c:\fllxfxl.exec:\fllxfxl.exe100⤵PID:3188
-
\??\c:\rlfxrlx.exec:\rlfxrlx.exe101⤵PID:4808
-
\??\c:\thnntb.exec:\thnntb.exe102⤵
- System Location Discovery: System Language Discovery
PID:3288 -
\??\c:\dvdvp.exec:\dvdvp.exe103⤵PID:3724
-
\??\c:\5fxxlfx.exec:\5fxxlfx.exe104⤵PID:2088
-
\??\c:\htbtnn.exec:\htbtnn.exe105⤵PID:3696
-
\??\c:\jddvp.exec:\jddvp.exe106⤵PID:3180
-
\??\c:\jdvjv.exec:\jdvjv.exe107⤵PID:1188
-
\??\c:\9xlxlxr.exec:\9xlxlxr.exe108⤵PID:5112
-
\??\c:\3nnhbt.exec:\3nnhbt.exe109⤵PID:4696
-
\??\c:\3tthtn.exec:\3tthtn.exe110⤵PID:4288
-
\??\c:\pvvdp.exec:\pvvdp.exe111⤵PID:3956
-
\??\c:\1ffrfxl.exec:\1ffrfxl.exe112⤵PID:5008
-
\??\c:\tthhht.exec:\tthhht.exe113⤵PID:3888
-
\??\c:\htbtnn.exec:\htbtnn.exe114⤵PID:636
-
\??\c:\jjdpd.exec:\jjdpd.exe115⤵PID:3312
-
\??\c:\9rrllll.exec:\9rrllll.exe116⤵PID:4400
-
\??\c:\7jdpv.exec:\7jdpv.exe117⤵PID:4060
-
\??\c:\dpvpd.exec:\dpvpd.exe118⤵PID:4644
-
\??\c:\llxffrr.exec:\llxffrr.exe119⤵PID:3432
-
\??\c:\9nthtn.exec:\9nthtn.exe120⤵PID:4872
-
\??\c:\pppdv.exec:\pppdv.exe121⤵PID:2364
-
\??\c:\rlrrrrf.exec:\rlrrrrf.exe122⤵PID:3564
-