Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe
-
Size
454KB
-
MD5
936d3d5d4af618d96c44c5a27ece8760
-
SHA1
c1cf85c1208ec5485d3c8f499ba71189832c492a
-
SHA256
0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80e
-
SHA512
f3ad4872ccb5327f06b47cbd656eb8315f0502faf6938ced7b5ed2eeda833833fd2f5647abbeaec93c1272a87a938a7b516f5a4433f2b9a372b5658dd31136ae
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeZ:q7Tc2NYHUrAwfMp3CDZ
Malware Config
Signatures
-
Blackmoon family
-
Detects Blackmoon payload (62 IoCs)
resource yara_rule behavioral2/memory/4856-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4980-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3556-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-730-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-1259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-1895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3324 bhbthb.exe 4740 5pppj.exe 1012 7xrfxrf.exe 1664 1thbtt.exe 4936 3hbnhb.exe 2160 pppjj.exe 2216 3fflrrl.exe 2260 hnnhtb.exe 2964 vjpdv.exe 2864 nnnntb.exe 2032 dpvjj.exe 2788 htbtnh.exe 3200 lxlxrlx.exe 3068 9ttnbt.exe 3688 djpjd.exe 2512 hnnbnb.exe 3036 ntthnh.exe 4256 5dvpd.exe 1832 lfrfrlf.exe 4744 1pjvp.exe 1072 lfrrlrr.exe 1520 nnnnht.exe 4512 lffrfxl.exe 1916 tbbnbb.exe 4772 vdjdv.exe 2884 3xrfrlx.exe 4980 5rlxlfx.exe 4332 llfrlfr.exe 3144 9hbtnh.exe 1524 vddvj.exe 2360 lffxxrr.exe 4764 pdvjv.exe 2492 xlfxlfr.exe 464 1pjdv.exe 4696 jvdvp.exe 1080 7llfrlx.exe 2232 rrflffl.exe 3384 7tthbb.exe 3884 9vddd.exe 4392 5frlflf.exe 4708 bntnhh.exe 4324 bnhbnh.exe 1660 pdjdp.exe 548 lrrfrlf.exe 2632 bnbthb.exe 4888 dpjvj.exe 3652 vddvp.exe 2368 xlfrxrl.exe 4472 9ttbbb.exe 4312 dvjdp.exe 4104 xrxlfxx.exe 3016 lflxrfx.exe 1172 5hnbbn.exe 2216 1jpjp.exe 1436 lxrrffx.exe 2976 hbbtbt.exe 4612 bnthbt.exe 1904 7jddp.exe 4268 frlfrfx.exe 2996 hhbthb.exe 2788 pjpjj.exe 2932 jppdp.exe 3200 xllfrrl.exe 5084 bhhbth.exe -
resource yara_rule behavioral2/memory/4856-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-189-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/464-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-730-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-784-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-861-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffxffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4856 wrote to memory of 3324 4856 0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe 82 PID 4856 wrote to memory of 3324 4856 0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe 82 PID 4856 wrote to memory of 3324 4856 0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe 82 PID 3324 wrote to memory of 4740 3324 bhbthb.exe 83 PID 3324 wrote to memory of 4740 3324 bhbthb.exe 83 PID 3324 wrote to memory of 4740 3324 bhbthb.exe 83 PID 4740 wrote to memory of 1012 4740 5pppj.exe 84 PID 4740 wrote to memory of 1012 4740 5pppj.exe 84 PID 4740 wrote to memory of 1012 4740 5pppj.exe 84 PID 1012 wrote to memory of 1664 1012 7xrfxrf.exe 85 PID 1012 wrote to memory of 1664 1012 7xrfxrf.exe 85 PID 1012 wrote to memory of 1664 1012 7xrfxrf.exe 85 PID 1664 wrote to memory of 4936 1664 1thbtt.exe 86 PID 1664 wrote to memory of 4936 1664 1thbtt.exe 86 PID 1664 wrote to memory of 4936 1664 1thbtt.exe 86 PID 4936 wrote to memory of 2160 4936 3hbnhb.exe 87 PID 4936 wrote to memory of 2160 4936 3hbnhb.exe 87 PID 4936 wrote to memory of 2160 4936 3hbnhb.exe 87 PID 2160 wrote to memory of 2216 2160 pppjj.exe 88 PID 2160 wrote to memory of 2216 2160 pppjj.exe 88 PID 2160 wrote to memory of 2216 2160 pppjj.exe 88 PID 2216 wrote to memory of 2260 2216 3fflrrl.exe 89 PID 2216 wrote to memory of 2260 2216 3fflrrl.exe 89 PID 2216 wrote to memory of 2260 2216 3fflrrl.exe 89 PID 2260 wrote to memory of 2964 2260 hnnhtb.exe 90 PID 2260 wrote to memory of 2964 2260 hnnhtb.exe 90 PID 2260 wrote to memory of 2964 2260 hnnhtb.exe 90 PID 2964 wrote to memory of 2864 2964 vjpdv.exe 91 PID 2964 wrote to memory of 2864 2964 vjpdv.exe 91 PID 2964 wrote to memory of 2864 2964 vjpdv.exe 91 PID 2864 wrote to memory of 2032 2864 nnnntb.exe 92 PID 2864 wrote to memory of 2032 2864 nnnntb.exe 92 PID 2864 wrote to memory of 2032 2864 nnnntb.exe 92 PID 2032 wrote to memory of 2788 2032 dpvjj.exe 93 PID 2032 wrote to 
memory of 2788 2032 dpvjj.exe 93 PID 2032 wrote to memory of 2788 2032 dpvjj.exe 93 PID 2788 wrote to memory of 3200 2788 htbtnh.exe 94 PID 2788 wrote to memory of 3200 2788 htbtnh.exe 94 PID 2788 wrote to memory of 3200 2788 htbtnh.exe 94 PID 3200 wrote to memory of 3068 3200 lxlxrlx.exe 95 PID 3200 wrote to memory of 3068 3200 lxlxrlx.exe 95 PID 3200 wrote to memory of 3068 3200 lxlxrlx.exe 95 PID 3068 wrote to memory of 3688 3068 9ttnbt.exe 96 PID 3068 wrote to memory of 3688 3068 9ttnbt.exe 96 PID 3068 wrote to memory of 3688 3068 9ttnbt.exe 96 PID 3688 wrote to memory of 2512 3688 djpjd.exe 97 PID 3688 wrote to memory of 2512 3688 djpjd.exe 97 PID 3688 wrote to memory of 2512 3688 djpjd.exe 97 PID 2512 wrote to memory of 3036 2512 hnnbnb.exe 98 PID 2512 wrote to memory of 3036 2512 hnnbnb.exe 98 PID 2512 wrote to memory of 3036 2512 hnnbnb.exe 98 PID 3036 wrote to memory of 4256 3036 ntthnh.exe 99 PID 3036 wrote to memory of 4256 3036 ntthnh.exe 99 PID 3036 wrote to memory of 4256 3036 ntthnh.exe 99 PID 4256 wrote to memory of 1832 4256 5dvpd.exe 100 PID 4256 wrote to memory of 1832 4256 5dvpd.exe 100 PID 4256 wrote to memory of 1832 4256 5dvpd.exe 100 PID 1832 wrote to memory of 4744 1832 lfrfrlf.exe 101 PID 1832 wrote to memory of 4744 1832 lfrfrlf.exe 101 PID 1832 wrote to memory of 4744 1832 lfrfrlf.exe 101 PID 4744 wrote to memory of 1072 4744 1pjvp.exe 102 PID 4744 wrote to memory of 1072 4744 1pjvp.exe 102 PID 4744 wrote to memory of 1072 4744 1pjvp.exe 102 PID 1072 wrote to memory of 1520 1072 lfrrlrr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe"C:\Users\Admin\AppData\Local\Temp\0bef587b5cdc7f40dfe1d1bad162d78a10e2391ea6eda75d05ffb8a53f34c80eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\bhbthb.exec:\bhbthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\5pppj.exec:\5pppj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\7xrfxrf.exec:\7xrfxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\1thbtt.exec:\1thbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\3hbnhb.exec:\3hbnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\pppjj.exec:\pppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\3fflrrl.exec:\3fflrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\hnnhtb.exec:\hnnhtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\vjpdv.exec:\vjpdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\nnnntb.exec:\nnnntb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\dpvjj.exec:\dpvjj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\htbtnh.exec:\htbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\lxlxrlx.exec:\lxlxrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3200 -
\??\c:\9ttnbt.exec:\9ttnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\djpjd.exec:\djpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\hnnbnb.exec:\hnnbnb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\ntthnh.exec:\ntthnh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\5dvpd.exec:\5dvpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\lfrfrlf.exec:\lfrfrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832 -
\??\c:\1pjvp.exec:\1pjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\lfrrlrr.exec:\lfrrlrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\nnnnht.exec:\nnnnht.exe23⤵
- Executes dropped EXE
PID:1520 -
\??\c:\lffrfxl.exec:\lffrfxl.exe24⤵
- Executes dropped EXE
PID:4512 -
\??\c:\tbbnbb.exec:\tbbnbb.exe25⤵
- Executes dropped EXE
PID:1916 -
\??\c:\vdjdv.exec:\vdjdv.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4772 -
\??\c:\3xrfrlx.exec:\3xrfrlx.exe27⤵
- Executes dropped EXE
PID:2884 -
\??\c:\5rlxlfx.exec:\5rlxlfx.exe28⤵
- Executes dropped EXE
PID:4980 -
\??\c:\llfrlfr.exec:\llfrlfr.exe29⤵
- Executes dropped EXE
PID:4332 -
\??\c:\9hbtnh.exec:\9hbtnh.exe30⤵
- Executes dropped EXE
PID:3144 -
\??\c:\vddvj.exec:\vddvj.exe31⤵
- Executes dropped EXE
PID:1524 -
\??\c:\lffxxrr.exec:\lffxxrr.exe32⤵
- Executes dropped EXE
PID:2360 -
\??\c:\pdvjv.exec:\pdvjv.exe33⤵
- Executes dropped EXE
PID:4764 -
\??\c:\xlfxlfr.exec:\xlfxlfr.exe34⤵
- Executes dropped EXE
PID:2492 -
\??\c:\1pjdv.exec:\1pjdv.exe35⤵
- Executes dropped EXE
PID:464 -
\??\c:\jvdvp.exec:\jvdvp.exe36⤵
- Executes dropped EXE
PID:4696 -
\??\c:\7llfrlx.exec:\7llfrlx.exe37⤵
- Executes dropped EXE
PID:1080 -
\??\c:\rrflffl.exec:\rrflffl.exe38⤵
- Executes dropped EXE
PID:2232 -
\??\c:\7tthbb.exec:\7tthbb.exe39⤵
- Executes dropped EXE
PID:3384 -
\??\c:\9vddd.exec:\9vddd.exe40⤵
- Executes dropped EXE
PID:3884 -
\??\c:\5frlflf.exec:\5frlflf.exe41⤵
- Executes dropped EXE
PID:4392 -
\??\c:\bntnhh.exec:\bntnhh.exe42⤵
- Executes dropped EXE
PID:4708 -
\??\c:\bnhbnh.exec:\bnhbnh.exe43⤵
- Executes dropped EXE
PID:4324 -
\??\c:\pdjdp.exec:\pdjdp.exe44⤵
- Executes dropped EXE
PID:1660 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe45⤵
- Executes dropped EXE
PID:548 -
\??\c:\bnbthb.exec:\bnbthb.exe46⤵
- Executes dropped EXE
PID:2632 -
\??\c:\dpjvj.exec:\dpjvj.exe47⤵
- Executes dropped EXE
PID:4888 -
\??\c:\vddvp.exec:\vddvp.exe48⤵
- Executes dropped EXE
PID:3652 -
\??\c:\xlfrxrl.exec:\xlfrxrl.exe49⤵
- Executes dropped EXE
PID:2368 -
\??\c:\9ttbbb.exec:\9ttbbb.exe50⤵
- Executes dropped EXE
PID:4472 -
\??\c:\dvjdp.exec:\dvjdp.exe51⤵
- Executes dropped EXE
PID:4312 -
\??\c:\xrxlfxx.exec:\xrxlfxx.exe52⤵
- Executes dropped EXE
PID:4104 -
\??\c:\lflxrfx.exec:\lflxrfx.exe53⤵
- Executes dropped EXE
PID:3016 -
\??\c:\5hnbbn.exec:\5hnbbn.exe54⤵
- Executes dropped EXE
PID:1172 -
\??\c:\1jpjp.exec:\1jpjp.exe55⤵
- Executes dropped EXE
PID:2216 -
\??\c:\lxrrffx.exec:\lxrrffx.exe56⤵
- Executes dropped EXE
PID:1436 -
\??\c:\hbbtbt.exec:\hbbtbt.exe57⤵
- Executes dropped EXE
PID:2976 -
\??\c:\bnthbt.exec:\bnthbt.exe58⤵
- Executes dropped EXE
PID:4612 -
\??\c:\7jddp.exec:\7jddp.exe59⤵
- Executes dropped EXE
PID:1904 -
\??\c:\frlfrfx.exec:\frlfrfx.exe60⤵
- Executes dropped EXE
PID:4268 -
\??\c:\hhbthb.exec:\hhbthb.exe61⤵
- Executes dropped EXE
PID:2996 -
\??\c:\pjpjj.exec:\pjpjj.exe62⤵
- Executes dropped EXE
PID:2788 -
\??\c:\jppdp.exec:\jppdp.exe63⤵
- Executes dropped EXE
PID:2932 -
\??\c:\xllfrrl.exec:\xllfrrl.exe64⤵
- Executes dropped EXE
PID:3200 -
\??\c:\bhhbth.exec:\bhhbth.exe65⤵
- Executes dropped EXE
PID:5084 -
\??\c:\vjjdv.exec:\vjjdv.exe66⤵PID:3520
-
\??\c:\7ffxxrr.exec:\7ffxxrr.exe67⤵PID:912
-
\??\c:\tnhbtt.exec:\tnhbtt.exe68⤵PID:2512
-
\??\c:\ppvpj.exec:\ppvpj.exe69⤵PID:4044
-
\??\c:\dppdv.exec:\dppdv.exe70⤵PID:4072
-
\??\c:\frlxrlx.exec:\frlxrlx.exe71⤵PID:4148
-
\??\c:\hhnbbt.exec:\hhnbbt.exe72⤵PID:3556
-
\??\c:\vppvj.exec:\vppvj.exe73⤵PID:1288
-
\??\c:\7lrlxxf.exec:\7lrlxxf.exe74⤵PID:508
-
\??\c:\llrllff.exec:\llrllff.exe75⤵PID:1452
-
\??\c:\thhnhh.exec:\thhnhh.exe76⤵PID:1540
-
\??\c:\5rxxlxl.exec:\5rxxlxl.exe77⤵PID:2136
-
\??\c:\rxxrffr.exec:\rxxrffr.exe78⤵PID:732
-
\??\c:\hnnbnh.exec:\hnnbnh.exe79⤵
- System Location Discovery: System Language Discovery
PID:4524 -
\??\c:\hbnhtb.exec:\hbnhtb.exe80⤵PID:1112
-
\??\c:\jjjdj.exec:\jjjdj.exe81⤵PID:632
-
\??\c:\fxrflfx.exec:\fxrflfx.exe82⤵PID:4552
-
\??\c:\xrxlflf.exec:\xrxlflf.exe83⤵PID:4960
-
\??\c:\nhbtnt.exec:\nhbtnt.exe84⤵PID:3816
-
\??\c:\vvvjj.exec:\vvvjj.exe85⤵PID:5100
-
\??\c:\rxrlxrl.exec:\rxrlxrl.exe86⤵PID:2756
-
\??\c:\1bbhbb.exec:\1bbhbb.exe87⤵PID:4088
-
\??\c:\tnbbnn.exec:\tnbbnn.exe88⤵PID:660
-
\??\c:\3ppjd.exec:\3ppjd.exe89⤵PID:3144
-
\??\c:\rfrffff.exec:\rfrffff.exe90⤵PID:1444
-
\??\c:\xlxrfxl.exec:\xlxrfxl.exe91⤵PID:5108
-
\??\c:\3nhthb.exec:\3nhthb.exe92⤵PID:4572
-
\??\c:\djpjv.exec:\djpjv.exe93⤵PID:4764
-
\??\c:\lfxrllf.exec:\lfxrllf.exe94⤵PID:1776
-
\??\c:\rllfxrl.exec:\rllfxrl.exe95⤵PID:100
-
\??\c:\bnhbtn.exec:\bnhbtn.exe96⤵PID:1192
-
\??\c:\pjdvd.exec:\pjdvd.exe97⤵PID:4004
-
\??\c:\pdvpd.exec:\pdvpd.exe98⤵PID:4968
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe99⤵PID:1692
-
\??\c:\bttnbb.exec:\bttnbb.exe100⤵PID:3792
-
\??\c:\tbhthb.exec:\tbhthb.exe101⤵PID:1264
-
\??\c:\9jjdp.exec:\9jjdp.exe102⤵
- System Location Discovery: System Language Discovery
PID:4392 -
\??\c:\rxrfrll.exec:\rxrfrll.exe103⤵PID:4708
-
\??\c:\bnnnnh.exec:\bnnnnh.exe104⤵PID:1304
-
\??\c:\jddvj.exec:\jddvj.exe105⤵PID:2388
-
\??\c:\5xxrllf.exec:\5xxrllf.exe106⤵PID:4100
-
\??\c:\hthbnh.exec:\hthbnh.exe107⤵PID:1376
-
\??\c:\tnnbtn.exec:\tnnbtn.exe108⤵PID:4892
-
\??\c:\dpvpj.exec:\dpvpj.exe109⤵PID:2148
-
\??\c:\3rlflfr.exec:\3rlflfr.exe110⤵PID:3616
-
\??\c:\7tnhtn.exec:\7tnhtn.exe111⤵PID:3900
-
\??\c:\thnhnh.exec:\thnhnh.exe112⤵PID:3948
-
\??\c:\jddpd.exec:\jddpd.exe113⤵PID:2344
-
\??\c:\xrxrffx.exec:\xrxrffx.exe114⤵PID:316
-
\??\c:\hthhbb.exec:\hthhbb.exe115⤵PID:460
-
\??\c:\ntbbnh.exec:\ntbbnh.exe116⤵PID:2260
-
\??\c:\dddpj.exec:\dddpj.exe117⤵PID:1912
-
\??\c:\fxxrxrr.exec:\fxxrxrr.exe118⤵PID:1436
-
\??\c:\thbtnh.exec:\thbtnh.exe119⤵PID:2976
-
\??\c:\1ddvp.exec:\1ddvp.exe120⤵PID:1976
-
\??\c:\1vpjd.exec:\1vpjd.exe121⤵PID:1928
-
\??\c:\1xxlxrf.exec:\1xxlxrf.exe122⤵PID:2024
-