Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 14:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99.exe
-
Size
456KB
-
MD5
21d91a165fd73477d96156e970f81c99
-
SHA1
56b1c7b662e31a5172176fd1dd437c1724e80da2
-
SHA256
5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99
-
SHA512
e6206520f8daa58b67a1f2d3128befd74af1f3a5aab006bd065822f61a1c6964c22b299c706c9a175790588097a832fe6719ea9194d30c41f26280761802b0ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbely:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2872-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/532-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3864-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-865-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-1307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 808 bnnbnh.exe 3052 ppddv.exe 2320 rffrlfx.exe 1960 hbthth.exe 2788 djjdp.exe 372 xrlxrfx.exe 2816 fxlfrxx.exe 3508 pdpjv.exe 2304 vppdp.exe 1940 jjpjj.exe 3688 nbtnbb.exe 4144 xxrrllf.exe 1132 bhbthb.exe 4192 dddpd.exe 4976 rxxlxrl.exe 4472 3tttnh.exe 4768 pdpjj.exe 4128 tbhbtn.exe 3504 lrrlxrf.exe 3732 tbhbtn.exe 1556 1vdvp.exe 2756 hnthbt.exe 512 1vdpv.exe 3608 3tbntn.exe 532 vpjdv.exe 1276 pvjdv.exe 2944 9lfrfxl.exe 552 rxrlfxr.exe 4248 thbnbt.exe 3332 vpjdv.exe 2372 xrrlffx.exe 1852 xlrrrlx.exe 3816 frrrrfl.exe 2076 rxllxrf.exe 4828 lrxrlff.exe 5080 jvjdp.exe 2984 lxxlfxr.exe 4844 hbhbbt.exe 1572 bhnbhb.exe 4380 jvjdd.exe 4808 flrlxrf.exe 3784 5bhbbb.exe 4440 pjjjp.exe 2032 vjjvp.exe 2400 frxxllf.exe 3052 bbbtnn.exe 1612 pvdpj.exe 2200 xffxllx.exe 1976 thhbbt.exe 2968 bbhthb.exe 2420 7jdvp.exe 2788 rrxlxrl.exe 4068 thhhbt.exe 4816 hhhbbt.exe 3452 pvvpp.exe 3516 jdpdj.exe 1112 frrxrlx.exe 2052 hhhhbn.exe 2868 jpjdj.exe 996 vvvdp.exe 2224 xxfxxrl.exe 1132 htbtnn.exe 1036 9vpjv.exe 2092 flrlxxr.exe -
resource yara_rule behavioral2/memory/2872-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1276-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-322-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4820-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-686-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxxxx.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2872 wrote to memory of 808 2872 5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99.exe 82 PID 2872 wrote to memory of 808 2872 5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99.exe 82 PID 2872 wrote to memory of 808 2872 5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99.exe 82 PID 808 wrote to memory of 3052 808 bnnbnh.exe 83 PID 808 wrote to memory of 3052 808 bnnbnh.exe 83 PID 808 wrote to memory of 3052 808 bnnbnh.exe 83 PID 3052 wrote to memory of 2320 3052 ppddv.exe 84 PID 3052 wrote to memory of 2320 3052 ppddv.exe 84 PID 3052 wrote to memory of 2320 3052 ppddv.exe 84 PID 2320 wrote to memory of 1960 2320 rffrlfx.exe 85 PID 2320 wrote to memory of 1960 2320 rffrlfx.exe 85 PID 2320 wrote to memory of 1960 2320 rffrlfx.exe 85 PID 1960 wrote to memory of 2788 1960 hbthth.exe 86 PID 1960 wrote to memory of 2788 1960 hbthth.exe 86 PID 1960 wrote to memory of 2788 1960 hbthth.exe 86 PID 2788 wrote to memory of 372 2788 djjdp.exe 87 PID 2788 wrote to memory of 372 2788 djjdp.exe 87 PID 2788 wrote to memory of 372 2788 djjdp.exe 87 PID 372 wrote to memory of 2816 372 xrlxrfx.exe 88 PID 372 wrote to memory of 2816 372 xrlxrfx.exe 88 PID 372 wrote to memory of 2816 372 xrlxrfx.exe 88 PID 2816 wrote to memory of 3508 2816 fxlfrxx.exe 89 PID 2816 wrote to memory of 3508 2816 fxlfrxx.exe 89 PID 2816 wrote to memory of 3508 2816 fxlfrxx.exe 89 PID 3508 wrote to memory of 2304 3508 pdpjv.exe 90 PID 3508 wrote to memory of 2304 3508 pdpjv.exe 90 PID 3508 wrote to memory of 2304 3508 pdpjv.exe 90 PID 2304 wrote to memory of 1940 2304 vppdp.exe 91 PID 2304 wrote to memory of 1940 2304 vppdp.exe 91 PID 2304 wrote to memory of 1940 2304 vppdp.exe 91 PID 1940 wrote to memory of 3688 1940 jjpjj.exe 92 PID 1940 wrote to memory of 3688 1940 jjpjj.exe 92 PID 1940 wrote to memory of 3688 1940 jjpjj.exe 92 PID 3688 wrote to memory of 4144 3688 nbtnbb.exe 93 PID 3688 wrote to memory of 4144 3688 
nbtnbb.exe 93 PID 3688 wrote to memory of 4144 3688 nbtnbb.exe 93 PID 4144 wrote to memory of 1132 4144 xxrrllf.exe 94 PID 4144 wrote to memory of 1132 4144 xxrrllf.exe 94 PID 4144 wrote to memory of 1132 4144 xxrrllf.exe 94 PID 1132 wrote to memory of 4192 1132 bhbthb.exe 95 PID 1132 wrote to memory of 4192 1132 bhbthb.exe 95 PID 1132 wrote to memory of 4192 1132 bhbthb.exe 95 PID 4192 wrote to memory of 4976 4192 dddpd.exe 96 PID 4192 wrote to memory of 4976 4192 dddpd.exe 96 PID 4192 wrote to memory of 4976 4192 dddpd.exe 96 PID 4976 wrote to memory of 4472 4976 rxxlxrl.exe 97 PID 4976 wrote to memory of 4472 4976 rxxlxrl.exe 97 PID 4976 wrote to memory of 4472 4976 rxxlxrl.exe 97 PID 4472 wrote to memory of 4768 4472 3tttnh.exe 98 PID 4472 wrote to memory of 4768 4472 3tttnh.exe 98 PID 4472 wrote to memory of 4768 4472 3tttnh.exe 98 PID 4768 wrote to memory of 4128 4768 pdpjj.exe 99 PID 4768 wrote to memory of 4128 4768 pdpjj.exe 99 PID 4768 wrote to memory of 4128 4768 pdpjj.exe 99 PID 4128 wrote to memory of 3504 4128 tbhbtn.exe 100 PID 4128 wrote to memory of 3504 4128 tbhbtn.exe 100 PID 4128 wrote to memory of 3504 4128 tbhbtn.exe 100 PID 3504 wrote to memory of 3732 3504 lrrlxrf.exe 101 PID 3504 wrote to memory of 3732 3504 lrrlxrf.exe 101 PID 3504 wrote to memory of 3732 3504 lrrlxrf.exe 101 PID 3732 wrote to memory of 1556 3732 tbhbtn.exe 102 PID 3732 wrote to memory of 1556 3732 tbhbtn.exe 102 PID 3732 wrote to memory of 1556 3732 tbhbtn.exe 102 PID 1556 wrote to memory of 2756 1556 1vdvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99.exe"C:\Users\Admin\AppData\Local\Temp\5451285e1b1c8200dd0e172ef2a4c3f752b949ff724c60865067ff7c84b54d99.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\bnnbnh.exec:\bnnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\ppddv.exec:\ppddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\rffrlfx.exec:\rffrlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\hbthth.exec:\hbthth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\djjdp.exec:\djjdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\xrlxrfx.exec:\xrlxrfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\fxlfrxx.exec:\fxlfrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\pdpjv.exec:\pdpjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\vppdp.exec:\vppdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\jjpjj.exec:\jjpjj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\nbtnbb.exec:\nbtnbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
\??\c:\xxrrllf.exec:\xxrrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\bhbthb.exec:\bhbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\dddpd.exec:\dddpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\rxxlxrl.exec:\rxxlxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\3tttnh.exec:\3tttnh.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\pdpjj.exec:\pdpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\tbhbtn.exec:\tbhbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\lrrlxrf.exec:\lrrlxrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\tbhbtn.exec:\tbhbtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\1vdvp.exec:\1vdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\hnthbt.exec:\hnthbt.exe23⤵
- Executes dropped EXE
PID:2756 -
\??\c:\1vdpv.exec:\1vdpv.exe24⤵
- Executes dropped EXE
PID:512 -
\??\c:\3tbntn.exec:\3tbntn.exe25⤵
- Executes dropped EXE
PID:3608 -
\??\c:\vpjdv.exec:\vpjdv.exe26⤵
- Executes dropped EXE
PID:532 -
\??\c:\pvjdv.exec:\pvjdv.exe27⤵
- Executes dropped EXE
PID:1276 -
\??\c:\9lfrfxl.exec:\9lfrfxl.exe28⤵
- Executes dropped EXE
PID:2944 -
\??\c:\rxrlfxr.exec:\rxrlfxr.exe29⤵
- Executes dropped EXE
PID:552 -
\??\c:\thbnbt.exec:\thbnbt.exe30⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vpjdv.exec:\vpjdv.exe31⤵
- Executes dropped EXE
PID:3332 -
\??\c:\xrrlffx.exec:\xrrlffx.exe32⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xlrrrlx.exec:\xlrrrlx.exe33⤵
- Executes dropped EXE
PID:1852 -
\??\c:\frrrrfl.exec:\frrrrfl.exe34⤵
- Executes dropped EXE
PID:3816 -
\??\c:\rxllxrf.exec:\rxllxrf.exe35⤵
- Executes dropped EXE
PID:2076 -
\??\c:\lrxrlff.exec:\lrxrlff.exe36⤵
- Executes dropped EXE
PID:4828 -
\??\c:\jvjdp.exec:\jvjdp.exe37⤵
- Executes dropped EXE
PID:5080 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe38⤵
- Executes dropped EXE
PID:2984 -
\??\c:\hbhbbt.exec:\hbhbbt.exe39⤵
- Executes dropped EXE
PID:4844 -
\??\c:\bhnbhb.exec:\bhnbhb.exe40⤵
- Executes dropped EXE
PID:1572 -
\??\c:\jvjdd.exec:\jvjdd.exe41⤵
- Executes dropped EXE
PID:4380 -
\??\c:\flrlxrf.exec:\flrlxrf.exe42⤵
- Executes dropped EXE
PID:4808 -
\??\c:\5bhbbb.exec:\5bhbbb.exe43⤵
- Executes dropped EXE
PID:3784 -
\??\c:\pjjjp.exec:\pjjjp.exe44⤵
- Executes dropped EXE
PID:4440 -
\??\c:\vjjvp.exec:\vjjvp.exe45⤵
- Executes dropped EXE
PID:2032 -
\??\c:\frxxllf.exec:\frxxllf.exe46⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bbbtnn.exec:\bbbtnn.exe47⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pvdpj.exec:\pvdpj.exe48⤵
- Executes dropped EXE
PID:1612 -
\??\c:\xffxllx.exec:\xffxllx.exe49⤵
- Executes dropped EXE
PID:2200 -
\??\c:\thhbbt.exec:\thhbbt.exe50⤵
- Executes dropped EXE
PID:1976 -
\??\c:\bbhthb.exec:\bbhthb.exe51⤵
- Executes dropped EXE
PID:2968 -
\??\c:\7jdvp.exec:\7jdvp.exe52⤵
- Executes dropped EXE
PID:2420 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe53⤵
- Executes dropped EXE
PID:2788 -
\??\c:\thhhbt.exec:\thhhbt.exe54⤵
- Executes dropped EXE
PID:4068 -
\??\c:\hhhbbt.exec:\hhhbbt.exe55⤵
- Executes dropped EXE
PID:4816 -
\??\c:\pvvpp.exec:\pvvpp.exe56⤵
- Executes dropped EXE
PID:3452 -
\??\c:\jdpdj.exec:\jdpdj.exe57⤵
- Executes dropped EXE
PID:3516 -
\??\c:\frrxrlx.exec:\frrxrlx.exe58⤵
- Executes dropped EXE
PID:1112 -
\??\c:\hhhhbn.exec:\hhhhbn.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jpjdj.exec:\jpjdj.exe60⤵
- Executes dropped EXE
PID:2868 -
\??\c:\vvvdp.exec:\vvvdp.exe61⤵
- Executes dropped EXE
PID:996 -
\??\c:\xxfxxrl.exec:\xxfxxrl.exe62⤵
- Executes dropped EXE
PID:2224 -
\??\c:\htbtnn.exec:\htbtnn.exe63⤵
- Executes dropped EXE
PID:1132 -
\??\c:\9vpjv.exec:\9vpjv.exe64⤵
- Executes dropped EXE
PID:1036 -
\??\c:\flrlxxr.exec:\flrlxxr.exe65⤵
- Executes dropped EXE
PID:2092 -
\??\c:\xlrlxxl.exec:\xlrlxxl.exe66⤵PID:3864
-
\??\c:\ttbtnh.exec:\ttbtnh.exe67⤵PID:3656
-
\??\c:\pdjdd.exec:\pdjdd.exe68⤵PID:4604
-
\??\c:\5llxxxx.exec:\5llxxxx.exe69⤵
- System Location Discovery: System Language Discovery
PID:1972 -
\??\c:\thnhtn.exec:\thnhtn.exe70⤵PID:404
-
\??\c:\pddvj.exec:\pddvj.exe71⤵PID:2820
-
\??\c:\fxxlfxr.exec:\fxxlfxr.exe72⤵PID:1596
-
\??\c:\htnbnb.exec:\htnbnb.exe73⤵PID:1832
-
\??\c:\3jpjp.exec:\3jpjp.exe74⤵PID:2472
-
\??\c:\rlfxfxr.exec:\rlfxfxr.exe75⤵PID:1076
-
\??\c:\bnthhb.exec:\bnthhb.exe76⤵PID:3820
-
\??\c:\ddddv.exec:\ddddv.exe77⤵PID:3092
-
\??\c:\dddpp.exec:\dddpp.exe78⤵PID:4820
-
\??\c:\xxfxxrl.exec:\xxfxxrl.exe79⤵PID:4900
-
\??\c:\thhbtn.exec:\thhbtn.exe80⤵PID:532
-
\??\c:\3vdvv.exec:\3vdvv.exe81⤵PID:2456
-
\??\c:\fffxlfx.exec:\fffxlfx.exe82⤵PID:3884
-
\??\c:\7btthh.exec:\7btthh.exe83⤵PID:612
-
\??\c:\vjjdp.exec:\vjjdp.exe84⤵PID:552
-
\??\c:\rrxlxxx.exec:\rrxlxxx.exe85⤵PID:2988
-
\??\c:\flrfrlx.exec:\flrfrlx.exe86⤵PID:556
-
\??\c:\ntbnhb.exec:\ntbnhb.exe87⤵PID:4468
-
\??\c:\tnnnbh.exec:\tnnnbh.exe88⤵PID:4560
-
\??\c:\vppdv.exec:\vppdv.exe89⤵PID:4904
-
\??\c:\rxflxrf.exec:\rxflxrf.exe90⤵PID:3964
-
\??\c:\lrlfrfx.exec:\lrlfrfx.exe91⤵PID:1476
-
\??\c:\thbbnh.exec:\thbbnh.exe92⤵PID:2716
-
\??\c:\jdvjv.exec:\jdvjv.exe93⤵PID:3348
-
\??\c:\lxrfrfr.exec:\lxrfrfr.exe94⤵PID:1192
-
\??\c:\rxxlfxr.exec:\rxxlfxr.exe95⤵PID:3868
-
\??\c:\nbbhhb.exec:\nbbhhb.exe96⤵PID:3120
-
\??\c:\pjdvp.exec:\pjdvp.exe97⤵PID:4704
-
\??\c:\fxrlxxl.exec:\fxrlxxl.exe98⤵PID:4276
-
\??\c:\7rrfrlx.exec:\7rrfrlx.exe99⤵PID:3784
-
\??\c:\nbbtnh.exec:\nbbtnh.exe100⤵PID:4412
-
\??\c:\htttnt.exec:\htttnt.exe101⤵PID:1152
-
\??\c:\3jdpd.exec:\3jdpd.exe102⤵PID:4856
-
\??\c:\fxrllll.exec:\fxrllll.exe103⤵PID:4552
-
\??\c:\xlrllff.exec:\xlrllff.exe104⤵PID:4528
-
\??\c:\dpvpp.exec:\dpvpp.exe105⤵PID:2116
-
\??\c:\flrlfxr.exec:\flrlfxr.exe106⤵PID:3080
-
\??\c:\7flrxlr.exec:\7flrxlr.exe107⤵PID:704
-
\??\c:\nbhbbt.exec:\nbhbbt.exe108⤵PID:4376
-
\??\c:\jdjvp.exec:\jdjvp.exe109⤵PID:3056
-
\??\c:\1rxrffx.exec:\1rxrffx.exe110⤵PID:3832
-
\??\c:\htbttn.exec:\htbttn.exe111⤵PID:2416
-
\??\c:\hbtnbt.exec:\hbtnbt.exe112⤵PID:3520
-
\??\c:\pddvd.exec:\pddvd.exe113⤵PID:3452
-
\??\c:\lrxlffx.exec:\lrxlffx.exe114⤵PID:212
-
\??\c:\bbhhnh.exec:\bbhhnh.exe115⤵PID:1672
-
\??\c:\7ddvp.exec:\7ddvp.exe116⤵PID:1940
-
\??\c:\7vpdv.exec:\7vpdv.exe117⤵PID:4252
-
\??\c:\rfxrrrr.exec:\rfxrrrr.exe118⤵PID:2596
-
\??\c:\hthbhh.exec:\hthbhh.exe119⤵PID:972
-
\??\c:\jpvpd.exec:\jpvpd.exe120⤵PID:1568
-
\??\c:\rfrlllr.exec:\rfrlllr.exe121⤵PID:4192
-
\??\c:\hbhbtt.exec:\hbhbtt.exe122⤵PID:4740