Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 08:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf.exe
-
Size
454KB
-
MD5
447825776fd9a59b8af261b95d15cb99
-
SHA1
c9ddbfee7d8df52f5e44021ffe1f0191d1182eca
-
SHA256
bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf
-
SHA512
611621a4cc9572edf97d707992b75db77a09203f34cd50528a6f8aec1abfe71f705daec2b24958f2973924e99a464d722e73197ae4440ceaa880d34405e2f619
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1m:q7Tc2NYHUrAwfMp3CD1m
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4912-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/872-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4508-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4988-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2556 5nnbnn.exe 4460 ppddj.exe 3620 3jdvj.exe 4028 9lxlxrf.exe 2760 5tnhtn.exe 4536 vjdpp.exe 2284 dpppj.exe 2420 rffxrlr.exe 2580 nhbthn.exe 1188 5nnhtn.exe 1900 9pdpd.exe 2884 fflfrrr.exe 4132 xflxrlf.exe 1936 9bnhhb.exe 1708 jvddj.exe 4588 jvdpd.exe 3008 3fxrfxr.exe 5044 bhhthb.exe 3676 nthbtn.exe 3952 jvpjv.exe 4984 rxfxlfx.exe 4488 1tthnn.exe 2056 hbtnhb.exe 1576 dvdpv.exe 4920 rllfxrr.exe 1208 7hnnbt.exe 3500 9tbntn.exe 1072 pvvjj.exe 872 pdjvp.exe 1844 xrfrxxx.exe 3196 1hhthb.exe 4080 tbhthb.exe 3940 ddjvp.exe 5112 3xxrfxr.exe 3492 1fxlxrf.exe 1528 htthbt.exe 3700 dvjjv.exe 4508 pdjjv.exe 3788 lrxlfxr.exe 2736 hthhbt.exe 3588 thnhbb.exe 1200 dpdvd.exe 3852 pvdpv.exe 3100 7fxlfxr.exe 4968 1nthht.exe 1776 nnnhhn.exe 4300 5ddpd.exe 2296 xllfffr.exe 5116 xrrlxrl.exe 2556 hbtnbt.exe 4460 pddvp.exe 5028 vdjvp.exe 3816 7xrlrrl.exe 2200 fxxlfxr.exe 3200 7ttnbb.exe 1932 pjppj.exe 3496 5vpdp.exe 2580 lfxxfxl.exe 1188 tbhtnt.exe 1164 dvpjd.exe 3784 rlfxrxr.exe 2428 llxrxrl.exe 1984 btnnbt.exe 3068 9dpdv.exe -
resource yara_rule behavioral2/memory/4912-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-163-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4920-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-392-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2396-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-611-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-801-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfffr.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xlxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4912 wrote to memory of 2556 4912 bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf.exe 83 PID 4912 wrote to memory of 2556 4912 bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf.exe 83 PID 4912 wrote to memory of 2556 4912 bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf.exe 83 PID 2556 wrote to memory of 4460 2556 5nnbnn.exe 133 PID 2556 wrote to memory of 4460 2556 5nnbnn.exe 133 PID 2556 wrote to memory of 4460 2556 5nnbnn.exe 133 PID 4460 wrote to memory of 3620 4460 ppddj.exe 85 PID 4460 wrote to memory of 3620 4460 ppddj.exe 85 PID 4460 wrote to memory of 3620 4460 ppddj.exe 85 PID 3620 wrote to memory of 4028 3620 3jdvj.exe 86 PID 3620 wrote to memory of 4028 3620 3jdvj.exe 86 PID 3620 wrote to memory of 4028 3620 3jdvj.exe 86 PID 4028 wrote to memory of 2760 4028 9lxlxrf.exe 87 PID 4028 wrote to memory of 2760 4028 9lxlxrf.exe 87 PID 4028 wrote to memory of 2760 4028 9lxlxrf.exe 87 PID 2760 wrote to memory of 4536 2760 5tnhtn.exe 88 PID 2760 wrote to memory of 4536 2760 5tnhtn.exe 88 PID 2760 wrote to memory of 4536 2760 5tnhtn.exe 88 PID 4536 wrote to memory of 2284 4536 vjdpp.exe 89 PID 4536 wrote to memory of 2284 4536 vjdpp.exe 89 PID 4536 wrote to memory of 2284 4536 vjdpp.exe 89 PID 2284 wrote to memory of 2420 2284 dpppj.exe 90 PID 2284 wrote to memory of 2420 2284 dpppj.exe 90 PID 2284 wrote to memory of 2420 2284 dpppj.exe 90 PID 2420 wrote to memory of 2580 2420 rffxrlr.exe 91 PID 2420 wrote to memory of 2580 2420 rffxrlr.exe 91 PID 2420 wrote to memory of 2580 2420 rffxrlr.exe 91 PID 2580 wrote to memory of 1188 2580 nhbthn.exe 92 PID 2580 wrote to memory of 1188 2580 nhbthn.exe 92 PID 2580 wrote to memory of 1188 2580 nhbthn.exe 92 PID 1188 wrote to memory of 1900 1188 5nnhtn.exe 93 PID 1188 wrote to memory of 1900 1188 5nnhtn.exe 93 PID 1188 wrote to memory of 1900 1188 5nnhtn.exe 93 PID 1900 wrote to memory of 2884 1900 9pdpd.exe 94 PID 1900 wrote to 
memory of 2884 1900 9pdpd.exe 94 PID 1900 wrote to memory of 2884 1900 9pdpd.exe 94 PID 2884 wrote to memory of 4132 2884 fflfrrr.exe 95 PID 2884 wrote to memory of 4132 2884 fflfrrr.exe 95 PID 2884 wrote to memory of 4132 2884 fflfrrr.exe 95 PID 4132 wrote to memory of 1936 4132 xflxrlf.exe 96 PID 4132 wrote to memory of 1936 4132 xflxrlf.exe 96 PID 4132 wrote to memory of 1936 4132 xflxrlf.exe 96 PID 1936 wrote to memory of 1708 1936 9bnhhb.exe 97 PID 1936 wrote to memory of 1708 1936 9bnhhb.exe 97 PID 1936 wrote to memory of 1708 1936 9bnhhb.exe 97 PID 1708 wrote to memory of 4588 1708 jvddj.exe 98 PID 1708 wrote to memory of 4588 1708 jvddj.exe 98 PID 1708 wrote to memory of 4588 1708 jvddj.exe 98 PID 4588 wrote to memory of 3008 4588 jvdpd.exe 99 PID 4588 wrote to memory of 3008 4588 jvdpd.exe 99 PID 4588 wrote to memory of 3008 4588 jvdpd.exe 99 PID 3008 wrote to memory of 5044 3008 3fxrfxr.exe 100 PID 3008 wrote to memory of 5044 3008 3fxrfxr.exe 100 PID 3008 wrote to memory of 5044 3008 3fxrfxr.exe 100 PID 5044 wrote to memory of 3676 5044 bhhthb.exe 101 PID 5044 wrote to memory of 3676 5044 bhhthb.exe 101 PID 5044 wrote to memory of 3676 5044 bhhthb.exe 101 PID 3676 wrote to memory of 3952 3676 nthbtn.exe 102 PID 3676 wrote to memory of 3952 3676 nthbtn.exe 102 PID 3676 wrote to memory of 3952 3676 nthbtn.exe 102 PID 3952 wrote to memory of 4984 3952 jvpjv.exe 152 PID 3952 wrote to memory of 4984 3952 jvpjv.exe 152 PID 3952 wrote to memory of 4984 3952 jvpjv.exe 152 PID 4984 wrote to memory of 4488 4984 rxfxlfx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf.exe"C:\Users\Admin\AppData\Local\Temp\bead6586be3766e954768b2351cc9fd72a58b7695ea64028b84ebe4e720d0daf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\5nnbnn.exec:\5nnbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\ppddj.exec:\ppddj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\3jdvj.exec:\3jdvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\9lxlxrf.exec:\9lxlxrf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\5tnhtn.exec:\5tnhtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\vjdpp.exec:\vjdpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\dpppj.exec:\dpppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\rffxrlr.exec:\rffxrlr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\nhbthn.exec:\nhbthn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2580 -
\??\c:\5nnhtn.exec:\5nnhtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\9pdpd.exec:\9pdpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1900 -
\??\c:\fflfrrr.exec:\fflfrrr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\xflxrlf.exec:\xflxrlf.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\9bnhhb.exec:\9bnhhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\jvddj.exec:\jvddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1708 -
\??\c:\jvdpd.exec:\jvdpd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\3fxrfxr.exec:\3fxrfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\bhhthb.exec:\bhhthb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\nthbtn.exec:\nthbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\jvpjv.exec:\jvpjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\1tthnn.exec:\1tthnn.exe23⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hbtnhb.exec:\hbtnhb.exe24⤵
- Executes dropped EXE
PID:2056 -
\??\c:\dvdpv.exec:\dvdpv.exe25⤵
- Executes dropped EXE
PID:1576 -
\??\c:\rllfxrr.exec:\rllfxrr.exe26⤵
- Executes dropped EXE
PID:4920 -
\??\c:\7hnnbt.exec:\7hnnbt.exe27⤵
- Executes dropped EXE
PID:1208 -
\??\c:\9tbntn.exec:\9tbntn.exe28⤵
- Executes dropped EXE
PID:3500 -
\??\c:\pvvjj.exec:\pvvjj.exe29⤵
- Executes dropped EXE
PID:1072 -
\??\c:\pdjvp.exec:\pdjvp.exe30⤵
- Executes dropped EXE
PID:872 -
\??\c:\xrfrxxx.exec:\xrfrxxx.exe31⤵
- Executes dropped EXE
PID:1844 -
\??\c:\1hhthb.exec:\1hhthb.exe32⤵
- Executes dropped EXE
PID:3196 -
\??\c:\tbhthb.exec:\tbhthb.exe33⤵
- Executes dropped EXE
PID:4080 -
\??\c:\ddjvp.exec:\ddjvp.exe34⤵
- Executes dropped EXE
PID:3940 -
\??\c:\3xxrfxr.exec:\3xxrfxr.exe35⤵
- Executes dropped EXE
PID:5112 -
\??\c:\1fxlxrf.exec:\1fxlxrf.exe36⤵
- Executes dropped EXE
PID:3492 -
\??\c:\htthbt.exec:\htthbt.exe37⤵
- Executes dropped EXE
PID:1528 -
\??\c:\dvjjv.exec:\dvjjv.exe38⤵
- Executes dropped EXE
PID:3700 -
\??\c:\pdjjv.exec:\pdjjv.exe39⤵
- Executes dropped EXE
PID:4508 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe40⤵
- Executes dropped EXE
PID:3788 -
\??\c:\hthhbt.exec:\hthhbt.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\thnhbb.exec:\thnhbb.exe42⤵
- Executes dropped EXE
PID:3588 -
\??\c:\dpdvd.exec:\dpdvd.exe43⤵
- Executes dropped EXE
PID:1200 -
\??\c:\pvdpv.exec:\pvdpv.exe44⤵
- Executes dropped EXE
PID:3852 -
\??\c:\7fxlfxr.exec:\7fxlfxr.exe45⤵
- Executes dropped EXE
PID:3100 -
\??\c:\1nthht.exec:\1nthht.exe46⤵
- Executes dropped EXE
PID:4968 -
\??\c:\nnnhhn.exec:\nnnhhn.exe47⤵
- Executes dropped EXE
PID:1776 -
\??\c:\5ddpd.exec:\5ddpd.exe48⤵
- Executes dropped EXE
PID:4300 -
\??\c:\xllfffr.exec:\xllfffr.exe49⤵
- Executes dropped EXE
PID:2296 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe50⤵
- Executes dropped EXE
PID:5116 -
\??\c:\hbtnbt.exec:\hbtnbt.exe51⤵
- Executes dropped EXE
PID:2556 -
\??\c:\pddvp.exec:\pddvp.exe52⤵
- Executes dropped EXE
PID:4460 -
\??\c:\vdjvp.exec:\vdjvp.exe53⤵
- Executes dropped EXE
PID:5028 -
\??\c:\7xrlrrl.exec:\7xrlrrl.exe54⤵
- Executes dropped EXE
PID:3816 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe55⤵
- Executes dropped EXE
PID:2200 -
\??\c:\7ttnbb.exec:\7ttnbb.exe56⤵
- Executes dropped EXE
PID:3200 -
\??\c:\pjppj.exec:\pjppj.exe57⤵
- Executes dropped EXE
PID:1932 -
\??\c:\5vpdp.exec:\5vpdp.exe58⤵
- Executes dropped EXE
PID:3496 -
\??\c:\lfxxfxl.exec:\lfxxfxl.exe59⤵
- Executes dropped EXE
PID:2580 -
\??\c:\tbhtnt.exec:\tbhtnt.exe60⤵
- Executes dropped EXE
PID:1188 -
\??\c:\dvpjd.exec:\dvpjd.exe61⤵
- Executes dropped EXE
PID:1164 -
\??\c:\rlfxrxr.exec:\rlfxrxr.exe62⤵
- Executes dropped EXE
PID:3784 -
\??\c:\llxrxrl.exec:\llxrxrl.exe63⤵
- Executes dropped EXE
PID:2428 -
\??\c:\btnnbt.exec:\btnnbt.exe64⤵
- Executes dropped EXE
PID:1984 -
\??\c:\9dpdv.exec:\9dpdv.exe65⤵
- Executes dropped EXE
PID:3068 -
\??\c:\flrxxlr.exec:\flrxxlr.exe66⤵PID:724
-
\??\c:\3ffxfxf.exec:\3ffxfxf.exe67⤵PID:1784
-
\??\c:\tnnbtn.exec:\tnnbtn.exe68⤵
- System Location Discovery: System Language Discovery
PID:5036 -
\??\c:\dddvd.exec:\dddvd.exe69⤵PID:5076
-
\??\c:\1vdjd.exec:\1vdjd.exe70⤵PID:3676
-
\??\c:\7xrlxrf.exec:\7xrlxrf.exe71⤵
- System Location Discovery: System Language Discovery
PID:4984 -
\??\c:\3hnhbt.exec:\3hnhbt.exe72⤵PID:2776
-
\??\c:\nbhhhh.exec:\nbhhhh.exe73⤵PID:2004
-
\??\c:\jjpjd.exec:\jjpjd.exe74⤵PID:3768
-
\??\c:\lrrlfxl.exec:\lrrlfxl.exe75⤵PID:5096
-
\??\c:\lflfrrf.exec:\lflfrrf.exe76⤵PID:1704
-
\??\c:\7tnbtn.exec:\7tnbtn.exe77⤵PID:1208
-
\??\c:\pdvpj.exec:\pdvpj.exe78⤵PID:1060
-
\??\c:\hnnbtn.exec:\hnnbtn.exe79⤵PID:3144
-
\??\c:\pjjdp.exec:\pjjdp.exe80⤵PID:396
-
\??\c:\ppvvd.exec:\ppvvd.exe81⤵PID:3940
-
\??\c:\5xfxrrr.exec:\5xfxrrr.exe82⤵PID:2924
-
\??\c:\httnbt.exec:\httnbt.exe83⤵PID:3156
-
\??\c:\djjdd.exec:\djjdd.exe84⤵PID:3700
-
\??\c:\3xrrfxl.exec:\3xrrfxl.exe85⤵PID:4508
-
\??\c:\tbhbnn.exec:\tbhbnn.exe86⤵PID:3416
-
\??\c:\jvvvp.exec:\jvvvp.exe87⤵PID:4944
-
\??\c:\3ffxlrr.exec:\3ffxlrr.exe88⤵PID:3848
-
\??\c:\nhnhbh.exec:\nhnhbh.exe89⤵PID:3852
-
\??\c:\5bbthb.exec:\5bbthb.exe90⤵PID:4240
-
\??\c:\7jpdp.exec:\7jpdp.exe91⤵PID:1776
-
\??\c:\frlxlfr.exec:\frlxlfr.exe92⤵PID:4300
-
\??\c:\1xfxlfx.exec:\1xfxlfx.exe93⤵PID:2792
-
\??\c:\htnhtn.exec:\htnhtn.exe94⤵PID:220
-
\??\c:\djjjd.exec:\djjjd.exe95⤵PID:1544
-
\??\c:\7bthtt.exec:\7bthtt.exe96⤵PID:3964
-
\??\c:\ttthbt.exec:\ttthbt.exe97⤵PID:3064
-
\??\c:\jdvpj.exec:\jdvpj.exe98⤵PID:2396
-
\??\c:\llfrrfl.exec:\llfrrfl.exe99⤵PID:4308
-
\??\c:\htbnhh.exec:\htbnhh.exe100⤵PID:3212
-
\??\c:\vvjjv.exec:\vvjjv.exe101⤵PID:2172
-
\??\c:\frrlrrl.exec:\frrlrrl.exe102⤵PID:3496
-
\??\c:\bhnhbt.exec:\bhnhbt.exe103⤵PID:5072
-
\??\c:\1pdvp.exec:\1pdvp.exe104⤵PID:4276
-
\??\c:\rfrllxx.exec:\rfrllxx.exe105⤵PID:1992
-
\??\c:\bnnhbt.exec:\bnnhbt.exe106⤵PID:2768
-
\??\c:\dppdv.exec:\dppdv.exe107⤵PID:804
-
\??\c:\3fxrllf.exec:\3fxrllf.exe108⤵PID:4420
-
\??\c:\1tthtn.exec:\1tthtn.exe109⤵PID:428
-
\??\c:\vddpj.exec:\vddpj.exe110⤵PID:2264
-
\??\c:\rfrfrlf.exec:\rfrfrlf.exe111⤵PID:1900
-
\??\c:\hnthbt.exec:\hnthbt.exe112⤵PID:2884
-
\??\c:\1vdvp.exec:\1vdvp.exe113⤵PID:4860
-
\??\c:\3llxlfx.exec:\3llxlfx.exe114⤵PID:2332
-
\??\c:\nbtnhb.exec:\nbtnhb.exe115⤵PID:3676
-
\??\c:\xrxfxxl.exec:\xrxfxxl.exe116⤵PID:4168
-
\??\c:\bnnttn.exec:\bnnttn.exe117⤵PID:3256
-
\??\c:\vjdpp.exec:\vjdpp.exe118⤵PID:404
-
\??\c:\jjppd.exec:\jjppd.exe119⤵PID:2484
-
\??\c:\fxrfrfx.exec:\fxrfrfx.exe120⤵PID:2004
-
\??\c:\vvpjp.exec:\vvpjp.exe121⤵PID:2348
-
\??\c:\llllfxx.exec:\llllfxx.exe122⤵PID:784