Analysis
-
max time kernel
120s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 09:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe
-
Size
456KB
-
MD5
96d736de445423e91092d64062b8c150
-
SHA1
026654d8464b98668913aa9f16807ef1d7a6ea75
-
SHA256
f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846feb
-
SHA512
2990c6e7dd161cb084fb2b0c2f05bc0e5c3872463f78c916d5b7674aa43c84248ac32adf9e2c7412e67e77566685389d1b3549a4970d3a6abdb9f7aea9b78821
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRy:q7Tc2NYHUrAwfMp3CDRy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1424-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1244-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4308-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-1224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-1412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3380 ppdvp.exe 1704 bthbbb.exe 2312 1djjd.exe 2288 lxrrxxx.exe 1968 7hnhhn.exe 4308 tbhbbt.exe 3840 vddvp.exe 1492 rrxrrrr.exe 2380 nnbbhb.exe 4592 bnbbtt.exe 4648 pjpvv.exe 4540 lxrxlfr.exe 1344 flfxrlf.exe 2916 nnnhhh.exe 2756 pjpjd.exe 3516 pdjdv.exe 712 lrflflf.exe 2064 nthbhb.exe 5044 jvjdd.exe 1216 vdpjd.exe 2732 lxrxrrl.exe 4544 5hnnhn.exe 1548 tntnhh.exe 2644 jddvp.exe 740 7rxrllf.exe 1048 lfrlllr.exe 2520 1nnhbh.exe 1440 7pvjd.exe 2480 jvvvp.exe 1656 lflfxxr.exe 4876 nnbtnh.exe 1244 jdjvp.exe 624 dvdvv.exe 1648 fxfxffl.exe 4028 nthhhn.exe 3056 bnnnht.exe 3244 dvdpp.exe 4508 lxrfrxx.exe 2304 nbhbtn.exe 3664 nhntnt.exe 2352 vvvvv.exe 1724 lfflxff.exe 4636 thbtbh.exe 4408 vvddd.exe 4356 rrrlxxx.exe 3100 nnttbb.exe 636 1hbtbb.exe 2776 jddvp.exe 4360 jdppd.exe 3752 rxlxrlf.exe 4036 httnhh.exe 3480 nhhbtn.exe 4660 vvvvv.exe 2112 1xrrllf.exe 2652 llxrllf.exe 2536 tttttt.exe 1632 ddddv.exe 640 dvppj.exe 1452 rfxxrlf.exe 3444 nthhbn.exe 2404 bnnhnh.exe 4312 vjppj.exe 4472 rrrxrxr.exe 3428 rflfxxr.exe -
resource yara_rule behavioral2/memory/1424-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-175-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2520-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1396-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-1224-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxrxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1424 wrote to memory of 3380 1424 f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe 82 PID 1424 wrote to memory of 3380 1424 f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe 82 PID 1424 wrote to memory of 3380 1424 f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe 82 PID 3380 wrote to memory of 1704 3380 ppdvp.exe 83 PID 3380 wrote to memory of 1704 3380 ppdvp.exe 83 PID 3380 wrote to memory of 1704 3380 ppdvp.exe 83 PID 1704 wrote to memory of 2312 1704 bthbbb.exe 84 PID 1704 wrote to memory of 2312 1704 bthbbb.exe 84 PID 1704 wrote to memory of 2312 1704 bthbbb.exe 84 PID 2312 wrote to memory of 2288 2312 1djjd.exe 85 PID 2312 wrote to memory of 2288 2312 1djjd.exe 85 PID 2312 wrote to memory of 2288 2312 1djjd.exe 85 PID 2288 wrote to memory of 1968 2288 lxrrxxx.exe 86 PID 2288 wrote to memory of 1968 2288 lxrrxxx.exe 86 PID 2288 wrote to memory of 1968 2288 lxrrxxx.exe 86 PID 1968 wrote to memory of 4308 1968 7hnhhn.exe 87 PID 1968 wrote to memory of 4308 1968 7hnhhn.exe 87 PID 1968 wrote to memory of 4308 1968 7hnhhn.exe 87 PID 4308 wrote to memory of 3840 4308 tbhbbt.exe 88 PID 4308 wrote to memory of 3840 4308 tbhbbt.exe 88 PID 4308 wrote to memory of 3840 4308 tbhbbt.exe 88 PID 3840 wrote to memory of 1492 3840 vddvp.exe 89 PID 3840 wrote to memory of 1492 3840 vddvp.exe 89 PID 3840 wrote to memory of 1492 3840 vddvp.exe 89 PID 1492 wrote to memory of 2380 1492 rrxrrrr.exe 90 PID 1492 wrote to memory of 2380 1492 rrxrrrr.exe 90 PID 1492 wrote to memory of 2380 1492 rrxrrrr.exe 90 PID 2380 wrote to memory of 4592 2380 nnbbhb.exe 91 PID 2380 wrote to memory of 4592 2380 nnbbhb.exe 91 PID 2380 wrote to memory of 4592 2380 nnbbhb.exe 91 PID 4592 wrote to memory of 4648 4592 bnbbtt.exe 92 PID 4592 wrote to memory of 4648 4592 bnbbtt.exe 92 PID 4592 wrote to memory of 4648 4592 bnbbtt.exe 92 PID 4648 wrote to memory of 4540 4648 pjpvv.exe 93 PID 4648 wrote to 
memory of 4540 4648 pjpvv.exe 93 PID 4648 wrote to memory of 4540 4648 pjpvv.exe 93 PID 4540 wrote to memory of 1344 4540 lxrxlfr.exe 94 PID 4540 wrote to memory of 1344 4540 lxrxlfr.exe 94 PID 4540 wrote to memory of 1344 4540 lxrxlfr.exe 94 PID 1344 wrote to memory of 2916 1344 flfxrlf.exe 95 PID 1344 wrote to memory of 2916 1344 flfxrlf.exe 95 PID 1344 wrote to memory of 2916 1344 flfxrlf.exe 95 PID 2916 wrote to memory of 2756 2916 nnnhhh.exe 96 PID 2916 wrote to memory of 2756 2916 nnnhhh.exe 96 PID 2916 wrote to memory of 2756 2916 nnnhhh.exe 96 PID 2756 wrote to memory of 3516 2756 pjpjd.exe 97 PID 2756 wrote to memory of 3516 2756 pjpjd.exe 97 PID 2756 wrote to memory of 3516 2756 pjpjd.exe 97 PID 3516 wrote to memory of 712 3516 pdjdv.exe 98 PID 3516 wrote to memory of 712 3516 pdjdv.exe 98 PID 3516 wrote to memory of 712 3516 pdjdv.exe 98 PID 712 wrote to memory of 2064 712 lrflflf.exe 99 PID 712 wrote to memory of 2064 712 lrflflf.exe 99 PID 712 wrote to memory of 2064 712 lrflflf.exe 99 PID 2064 wrote to memory of 5044 2064 nthbhb.exe 100 PID 2064 wrote to memory of 5044 2064 nthbhb.exe 100 PID 2064 wrote to memory of 5044 2064 nthbhb.exe 100 PID 5044 wrote to memory of 1216 5044 jvjdd.exe 101 PID 5044 wrote to memory of 1216 5044 jvjdd.exe 101 PID 5044 wrote to memory of 1216 5044 jvjdd.exe 101 PID 1216 wrote to memory of 2732 1216 vdpjd.exe 102 PID 1216 wrote to memory of 2732 1216 vdpjd.exe 102 PID 1216 wrote to memory of 2732 1216 vdpjd.exe 102 PID 2732 wrote to memory of 4544 2732 lxrxrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe"C:\Users\Admin\AppData\Local\Temp\f510cdb1ac1b9d15bc300944279c5e57ff0887a007e3bdb4482907edbe846febN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\ppdvp.exec:\ppdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\bthbbb.exec:\bthbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\1djjd.exec:\1djjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\lxrrxxx.exec:\lxrrxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\7hnhhn.exec:\7hnhhn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\tbhbbt.exec:\tbhbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\vddvp.exec:\vddvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\rrxrrrr.exec:\rrxrrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\nnbbhb.exec:\nnbbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\bnbbtt.exec:\bnbbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\pjpvv.exec:\pjpvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\lxrxlfr.exec:\lxrxlfr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\flfxrlf.exec:\flfxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\nnnhhh.exec:\nnnhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\pjpjd.exec:\pjpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\pdjdv.exec:\pdjdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\lrflflf.exec:\lrflflf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\nthbhb.exec:\nthbhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\jvjdd.exec:\jvjdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\vdpjd.exec:\vdpjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1216 -
\??\c:\lxrxrrl.exec:\lxrxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\5hnnhn.exec:\5hnnhn.exe23⤵
- Executes dropped EXE
PID:4544 -
\??\c:\tntnhh.exec:\tntnhh.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\jddvp.exec:\jddvp.exe25⤵
- Executes dropped EXE
PID:2644 -
\??\c:\7rxrllf.exec:\7rxrllf.exe26⤵
- Executes dropped EXE
PID:740 -
\??\c:\lfrlllr.exec:\lfrlllr.exe27⤵
- Executes dropped EXE
PID:1048 -
\??\c:\1nnhbh.exec:\1nnhbh.exe28⤵
- Executes dropped EXE
PID:2520 -
\??\c:\7pvjd.exec:\7pvjd.exe29⤵
- Executes dropped EXE
PID:1440 -
\??\c:\jvvvp.exec:\jvvvp.exe30⤵
- Executes dropped EXE
PID:2480 -
\??\c:\lflfxxr.exec:\lflfxxr.exe31⤵
- Executes dropped EXE
PID:1656 -
\??\c:\nnbtnh.exec:\nnbtnh.exe32⤵
- Executes dropped EXE
PID:4876 -
\??\c:\jdjvp.exec:\jdjvp.exe33⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dvdvv.exec:\dvdvv.exe34⤵
- Executes dropped EXE
PID:624 -
\??\c:\fxfxffl.exec:\fxfxffl.exe35⤵
- Executes dropped EXE
PID:1648 -
\??\c:\nthhhn.exec:\nthhhn.exe36⤵
- Executes dropped EXE
PID:4028 -
\??\c:\bnnnht.exec:\bnnnht.exe37⤵
- Executes dropped EXE
PID:3056 -
\??\c:\dvdpp.exec:\dvdpp.exe38⤵
- Executes dropped EXE
PID:3244 -
\??\c:\lxrfrxx.exec:\lxrfrxx.exe39⤵
- Executes dropped EXE
PID:4508 -
\??\c:\nbhbtn.exec:\nbhbtn.exe40⤵
- Executes dropped EXE
PID:2304 -
\??\c:\nhntnt.exec:\nhntnt.exe41⤵
- Executes dropped EXE
PID:3664 -
\??\c:\vvvvv.exec:\vvvvv.exe42⤵
- Executes dropped EXE
PID:2352 -
\??\c:\lfflxff.exec:\lfflxff.exe43⤵
- Executes dropped EXE
PID:1724 -
\??\c:\thbtbh.exec:\thbtbh.exe44⤵
- Executes dropped EXE
PID:4636 -
\??\c:\vvddd.exec:\vvddd.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\rrrlxxx.exec:\rrrlxxx.exe46⤵
- Executes dropped EXE
PID:4356 -
\??\c:\nnttbb.exec:\nnttbb.exe47⤵
- Executes dropped EXE
PID:3100 -
\??\c:\1hbtbb.exec:\1hbtbb.exe48⤵
- Executes dropped EXE
PID:636 -
\??\c:\jddvp.exec:\jddvp.exe49⤵
- Executes dropped EXE
PID:2776 -
\??\c:\jdppd.exec:\jdppd.exe50⤵
- Executes dropped EXE
PID:4360 -
\??\c:\rxlxrlf.exec:\rxlxrlf.exe51⤵
- Executes dropped EXE
PID:3752 -
\??\c:\httnhh.exec:\httnhh.exe52⤵
- Executes dropped EXE
PID:4036 -
\??\c:\nhhbtn.exec:\nhhbtn.exe53⤵
- Executes dropped EXE
PID:3480 -
\??\c:\vvvvv.exec:\vvvvv.exe54⤵
- Executes dropped EXE
PID:4660 -
\??\c:\1xrrllf.exec:\1xrrllf.exe55⤵
- Executes dropped EXE
PID:2112 -
\??\c:\llxrllf.exec:\llxrllf.exe56⤵
- Executes dropped EXE
PID:2652 -
\??\c:\tttttt.exec:\tttttt.exe57⤵
- Executes dropped EXE
PID:2536 -
\??\c:\ddddv.exec:\ddddv.exe58⤵
- Executes dropped EXE
PID:1632 -
\??\c:\dvppj.exec:\dvppj.exe59⤵
- Executes dropped EXE
PID:640 -
\??\c:\rfxxrlf.exec:\rfxxrlf.exe60⤵
- Executes dropped EXE
PID:1452 -
\??\c:\nthhbn.exec:\nthhbn.exe61⤵
- Executes dropped EXE
PID:3444 -
\??\c:\bnnhnh.exec:\bnnhnh.exe62⤵
- Executes dropped EXE
PID:2404 -
\??\c:\vjppj.exec:\vjppj.exe63⤵
- Executes dropped EXE
PID:4312 -
\??\c:\rrrxrxr.exec:\rrrxrxr.exe64⤵
- Executes dropped EXE
PID:4472 -
\??\c:\rflfxxr.exec:\rflfxxr.exe65⤵
- Executes dropped EXE
PID:3428 -
\??\c:\bbnhbb.exec:\bbnhbb.exe66⤵PID:2200
-
\??\c:\vpddj.exec:\vpddj.exe67⤵PID:1824
-
\??\c:\jvjvv.exec:\jvjvv.exe68⤵
- System Location Discovery: System Language Discovery
PID:4476 -
\??\c:\xrrffxx.exec:\xrrffxx.exe69⤵PID:708
-
\??\c:\lxlflfx.exec:\lxlflfx.exe70⤵PID:5068
-
\??\c:\nbttnh.exec:\nbttnh.exe71⤵PID:3112
-
\??\c:\jdpvv.exec:\jdpvv.exe72⤵PID:3436
-
\??\c:\lfrlffx.exec:\lfrlffx.exe73⤵PID:3484
-
\??\c:\rfllfff.exec:\rfllfff.exe74⤵PID:1940
-
\??\c:\7bhbtt.exec:\7bhbtt.exe75⤵PID:4732
-
\??\c:\bntnhb.exec:\bntnhb.exe76⤵PID:2380
-
\??\c:\jjjdj.exec:\jjjdj.exe77⤵PID:4796
-
\??\c:\ffllllr.exec:\ffllllr.exe78⤵PID:544
-
\??\c:\xrfrxxx.exec:\xrfrxxx.exe79⤵PID:2564
-
\??\c:\9xxlffx.exec:\9xxlffx.exe80⤵PID:4552
-
\??\c:\btbtbh.exec:\btbtbh.exe81⤵PID:220
-
\??\c:\3bbbtt.exec:\3bbbtt.exe82⤵PID:3940
-
\??\c:\jdjjp.exec:\jdjjp.exe83⤵PID:1396
-
\??\c:\rllflfl.exec:\rllflfl.exe84⤵PID:2988
-
\??\c:\nhhbtn.exec:\nhhbtn.exe85⤵PID:3588
-
\??\c:\pjppj.exec:\pjppj.exe86⤵PID:3708
-
\??\c:\flrrrff.exec:\flrrrff.exe87⤵PID:2636
-
\??\c:\1ttnhh.exec:\1ttnhh.exe88⤵PID:740
-
\??\c:\bhnbbt.exec:\bhnbbt.exe89⤵PID:5076
-
\??\c:\vpdjj.exec:\vpdjj.exe90⤵PID:4064
-
\??\c:\3rllllf.exec:\3rllllf.exe91⤵PID:1572
-
\??\c:\btbbtt.exec:\btbbtt.exe92⤵PID:836
-
\??\c:\jdddj.exec:\jdddj.exe93⤵PID:2832
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe94⤵PID:864
-
\??\c:\nhhtnt.exec:\nhhtnt.exe95⤵PID:2116
-
\??\c:\djddj.exec:\djddj.exe96⤵PID:4744
-
\??\c:\frrlfff.exec:\frrlfff.exe97⤵PID:2280
-
\??\c:\xlrlffx.exec:\xlrlffx.exe98⤵PID:1084
-
\??\c:\nhnntt.exec:\nhnntt.exe99⤵PID:3244
-
\??\c:\ppjdj.exec:\ppjdj.exe100⤵PID:3344
-
\??\c:\rrlfrff.exec:\rrlfrff.exe101⤵PID:3664
-
\??\c:\hbbnhh.exec:\hbbnhh.exe102⤵PID:4584
-
\??\c:\jpvpj.exec:\jpvpj.exe103⤵PID:2328
-
\??\c:\3xxrrxr.exec:\3xxrrxr.exe104⤵PID:4408
-
\??\c:\lxffffx.exec:\lxffffx.exe105⤵PID:2784
-
\??\c:\nhhhhh.exec:\nhhhhh.exe106⤵PID:2168
-
\??\c:\1xrllxx.exec:\1xrllxx.exe107⤵PID:380
-
\??\c:\xrxrlrx.exec:\xrxrlrx.exe108⤵PID:1592
-
\??\c:\btbtht.exec:\btbtht.exe109⤵PID:3956
-
\??\c:\pdjdd.exec:\pdjdd.exe110⤵PID:3480
-
\??\c:\1jdvp.exec:\1jdvp.exe111⤵PID:1056
-
\??\c:\3vdjj.exec:\3vdjj.exe112⤵PID:1960
-
\??\c:\ddjjd.exec:\ddjjd.exe113⤵PID:3372
-
\??\c:\nbhbnn.exec:\nbhbnn.exe114⤵PID:1540
-
\??\c:\tnnnnh.exec:\tnnnnh.exe115⤵PID:652
-
\??\c:\frrlffx.exec:\frrlffx.exe116⤵PID:3580
-
\??\c:\1ttntn.exec:\1ttntn.exe117⤵PID:4632
-
\??\c:\ffrxxxf.exec:\ffrxxxf.exe118⤵PID:1908
-
\??\c:\xxllffx.exec:\xxllffx.exe119⤵PID:4512
-
\??\c:\htnhbh.exec:\htnhbh.exe120⤵PID:2404
-
\??\c:\btbtnn.exec:\btbtnn.exe121⤵PID:4548
-
\??\c:\frfrlll.exec:\frfrlll.exe122⤵PID:4472
-