Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/12/2024, 03:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe
-
Size
453KB
-
MD5
753e78eb26b54a8d471d347345294786
-
SHA1
020f2bb342784d9937dc914f976f96cc763c3117
-
SHA256
d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559
-
SHA512
ba519fa5e6c919f1672e8f6032fdb9376647bc21fef68abade486b7ea93acf47e0600d86a41c44c400286c78222d2cd42872630f65428957a83ad95f254c2ea9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3636-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3304-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2872-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-1206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-1551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-1597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-1610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-1687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4588 jjjdd.exe 3872 lfxrxxr.exe 3880 dpdpd.exe 3988 frrlffx.exe 4380 httnhb.exe 4664 nttthh.exe 4404 1lrlllr.exe 3024 9ttnhn.exe 1552 lrrfrrx.exe 3108 ppdpp.exe 4568 pjpjd.exe 5004 pvjdv.exe 2768 7ttnbh.exe 2884 5jdpd.exe 428 7bthbb.exe 840 jjjdp.exe 1320 nttnbt.exe 3456 pdjjj.exe 1532 xlrflfr.exe 3076 jvpdv.exe 3228 bhtnhb.exe 3044 vddvj.exe 864 nhhthb.exe 4064 1hhthb.exe 4696 vjdvj.exe 3268 xllxlfx.exe 3304 jvjpp.exe 4140 5lxrxrx.exe 3064 jpdvj.exe 2312 lfxlxrf.exe 3428 nnthbb.exe 1248 xrrlxrl.exe 4012 jvppd.exe 2704 3rrfrlx.exe 1880 bbtnhb.exe 4672 hbbtbh.exe 4464 jpvpd.exe 4964 xlrflfr.exe 4228 nhnbtn.exe 3556 5dvjd.exe 4992 djjvd.exe 2428 rllxlfr.exe 1020 ntbbtn.exe 2444 hbbnbh.exe 3568 dppdv.exe 2072 9frfffr.exe 956 ntnhbt.exe 1212 pjpdj.exe 2948 xrlxxxl.exe 1856 tbthth.exe 4512 btthbt.exe 4624 dppjp.exe 2064 flffflf.exe 2516 9nbttn.exe 4044 3bnhhb.exe 920 vpjvj.exe 2536 frrfrlf.exe 5072 ttthth.exe 3280 vvddv.exe 3648 dvdvj.exe 1976 flrxfrf.exe 2080 btnbnh.exe 4976 9nhthb.exe 1472 jpvpv.exe -
resource yara_rule behavioral2/memory/3636-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2768-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3304-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-366-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3680-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-1206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-1391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-1551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-1597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-1610-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3636 wrote to memory of 4588 3636 d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe 83 PID 3636 wrote to memory of 4588 3636 d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe 83 PID 3636 wrote to memory of 4588 3636 d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe 83 PID 4588 wrote to memory of 3872 4588 jjjdd.exe 84 PID 4588 wrote to memory of 3872 4588 jjjdd.exe 84 PID 4588 wrote to memory of 3872 4588 jjjdd.exe 84 PID 3872 wrote to memory of 3880 3872 lfxrxxr.exe 85 PID 3872 wrote to memory of 3880 3872 lfxrxxr.exe 85 PID 3872 wrote to memory of 3880 3872 lfxrxxr.exe 85 PID 3880 wrote to memory of 3988 3880 dpdpd.exe 86 PID 3880 wrote to memory of 3988 3880 dpdpd.exe 86 PID 3880 wrote to memory of 3988 3880 dpdpd.exe 86 PID 3988 wrote to memory of 4380 3988 frrlffx.exe 87 PID 3988 wrote to memory of 4380 3988 frrlffx.exe 87 PID 3988 wrote to memory of 4380 3988 frrlffx.exe 87 PID 4380 wrote to memory of 4664 4380 httnhb.exe 88 PID 4380 wrote to memory of 4664 4380 httnhb.exe 88 PID 4380 wrote to memory of 4664 4380 httnhb.exe 88 PID 4664 wrote to memory of 4404 4664 nttthh.exe 89 PID 4664 wrote to memory of 4404 4664 nttthh.exe 89 PID 4664 wrote to memory of 4404 4664 nttthh.exe 89 PID 4404 wrote to memory of 3024 4404 1lrlllr.exe 90 PID 4404 wrote to memory of 3024 4404 1lrlllr.exe 90 PID 4404 wrote to memory of 3024 4404 1lrlllr.exe 90 PID 3024 wrote to memory of 1552 3024 9ttnhn.exe 91 PID 3024 wrote to memory of 1552 3024 9ttnhn.exe 91 PID 3024 wrote to memory of 1552 3024 9ttnhn.exe 91 PID 1552 wrote to memory of 3108 1552 lrrfrrx.exe 92 PID 1552 wrote to memory of 3108 1552 lrrfrrx.exe 92 PID 1552 wrote to memory of 3108 1552 lrrfrrx.exe 92 PID 3108 wrote to memory of 4568 3108 ppdpp.exe 93 PID 3108 wrote to memory of 4568 3108 ppdpp.exe 93 PID 3108 wrote to memory of 4568 3108 ppdpp.exe 93 PID 4568 wrote to memory of 5004 4568 pjpjd.exe 94 PID 4568 wrote to 
memory of 5004 4568 pjpjd.exe 94 PID 4568 wrote to memory of 5004 4568 pjpjd.exe 94 PID 5004 wrote to memory of 2768 5004 pvjdv.exe 95 PID 5004 wrote to memory of 2768 5004 pvjdv.exe 95 PID 5004 wrote to memory of 2768 5004 pvjdv.exe 95 PID 2768 wrote to memory of 2884 2768 7ttnbh.exe 96 PID 2768 wrote to memory of 2884 2768 7ttnbh.exe 96 PID 2768 wrote to memory of 2884 2768 7ttnbh.exe 96 PID 2884 wrote to memory of 428 2884 5jdpd.exe 97 PID 2884 wrote to memory of 428 2884 5jdpd.exe 97 PID 2884 wrote to memory of 428 2884 5jdpd.exe 97 PID 428 wrote to memory of 840 428 7bthbb.exe 98 PID 428 wrote to memory of 840 428 7bthbb.exe 98 PID 428 wrote to memory of 840 428 7bthbb.exe 98 PID 840 wrote to memory of 1320 840 jjjdp.exe 99 PID 840 wrote to memory of 1320 840 jjjdp.exe 99 PID 840 wrote to memory of 1320 840 jjjdp.exe 99 PID 1320 wrote to memory of 3456 1320 nttnbt.exe 100 PID 1320 wrote to memory of 3456 1320 nttnbt.exe 100 PID 1320 wrote to memory of 3456 1320 nttnbt.exe 100 PID 3456 wrote to memory of 1532 3456 pdjjj.exe 101 PID 3456 wrote to memory of 1532 3456 pdjjj.exe 101 PID 3456 wrote to memory of 1532 3456 pdjjj.exe 101 PID 1532 wrote to memory of 3076 1532 xlrflfr.exe 102 PID 1532 wrote to memory of 3076 1532 xlrflfr.exe 102 PID 1532 wrote to memory of 3076 1532 xlrflfr.exe 102 PID 3076 wrote to memory of 3228 3076 jvpdv.exe 103 PID 3076 wrote to memory of 3228 3076 jvpdv.exe 103 PID 3076 wrote to memory of 3228 3076 jvpdv.exe 103 PID 3228 wrote to memory of 3044 3228 bhtnhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe"C:\Users\Admin\AppData\Local\Temp\d805e4a1b0a00bc755b5221f54d1e1b0a3d352bcbb987b833cff1f618d787559.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\jjjdd.exec:\jjjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\lfxrxxr.exec:\lfxrxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\dpdpd.exec:\dpdpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\frrlffx.exec:\frrlffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\httnhb.exec:\httnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\nttthh.exec:\nttthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\1lrlllr.exec:\1lrlllr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\9ttnhn.exec:\9ttnhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\lrrfrrx.exec:\lrrfrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
\??\c:\ppdpp.exec:\ppdpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\pjpjd.exec:\pjpjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\pvjdv.exec:\pvjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\7ttnbh.exec:\7ttnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
\??\c:\5jdpd.exec:\5jdpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\7bthbb.exec:\7bthbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\jjjdp.exec:\jjjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\nttnbt.exec:\nttnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\pdjjj.exec:\pdjjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\xlrflfr.exec:\xlrflfr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\jvpdv.exec:\jvpdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\bhtnhb.exec:\bhtnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\vddvj.exec:\vddvj.exe23⤵
- Executes dropped EXE
PID:3044 -
\??\c:\nhhthb.exec:\nhhthb.exe24⤵
- Executes dropped EXE
PID:864 -
\??\c:\1hhthb.exec:\1hhthb.exe25⤵
- Executes dropped EXE
PID:4064 -
\??\c:\vjdvj.exec:\vjdvj.exe26⤵
- Executes dropped EXE
PID:4696 -
\??\c:\xllxlfx.exec:\xllxlfx.exe27⤵
- Executes dropped EXE
PID:3268 -
\??\c:\jvjpp.exec:\jvjpp.exe28⤵
- Executes dropped EXE
PID:3304 -
\??\c:\5lxrxrx.exec:\5lxrxrx.exe29⤵
- Executes dropped EXE
PID:4140 -
\??\c:\jpdvj.exec:\jpdvj.exe30⤵
- Executes dropped EXE
PID:3064 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe31⤵
- Executes dropped EXE
PID:2312 -
\??\c:\nnthbb.exec:\nnthbb.exe32⤵
- Executes dropped EXE
PID:3428 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe33⤵
- Executes dropped EXE
PID:1248 -
\??\c:\jvppd.exec:\jvppd.exe34⤵
- Executes dropped EXE
PID:4012 -
\??\c:\3rrfrlx.exec:\3rrfrlx.exe35⤵
- Executes dropped EXE
PID:2704 -
\??\c:\bbtnhb.exec:\bbtnhb.exe36⤵
- Executes dropped EXE
PID:1880 -
\??\c:\hbbtbh.exec:\hbbtbh.exe37⤵
- Executes dropped EXE
PID:4672 -
\??\c:\jpvpd.exec:\jpvpd.exe38⤵
- Executes dropped EXE
PID:4464 -
\??\c:\xlrflfr.exec:\xlrflfr.exe39⤵
- Executes dropped EXE
PID:4964 -
\??\c:\nhnbtn.exec:\nhnbtn.exe40⤵
- Executes dropped EXE
PID:4228 -
\??\c:\5dvjd.exec:\5dvjd.exe41⤵
- Executes dropped EXE
PID:3556 -
\??\c:\djjvd.exec:\djjvd.exe42⤵
- Executes dropped EXE
PID:4992 -
\??\c:\rllxlfr.exec:\rllxlfr.exe43⤵
- Executes dropped EXE
PID:2428 -
\??\c:\ntbbtn.exec:\ntbbtn.exe44⤵
- Executes dropped EXE
PID:1020 -
\??\c:\hbbnbh.exec:\hbbnbh.exe45⤵
- Executes dropped EXE
PID:2444 -
\??\c:\dppdv.exec:\dppdv.exe46⤵
- Executes dropped EXE
PID:3568 -
\??\c:\9frfffr.exec:\9frfffr.exe47⤵
- Executes dropped EXE
PID:2072 -
\??\c:\ntnhbt.exec:\ntnhbt.exe48⤵
- Executes dropped EXE
PID:956 -
\??\c:\pjpdj.exec:\pjpdj.exe49⤵
- Executes dropped EXE
PID:1212 -
\??\c:\xrlxxxl.exec:\xrlxxxl.exe50⤵
- Executes dropped EXE
PID:2948 -
\??\c:\tbthth.exec:\tbthth.exe51⤵
- Executes dropped EXE
PID:1856 -
\??\c:\btthbt.exec:\btthbt.exe52⤵
- Executes dropped EXE
PID:4512 -
\??\c:\dppjp.exec:\dppjp.exe53⤵
- Executes dropped EXE
PID:4624 -
\??\c:\flffflf.exec:\flffflf.exe54⤵
- Executes dropped EXE
PID:2064 -
\??\c:\9nbttn.exec:\9nbttn.exe55⤵
- Executes dropped EXE
PID:2516 -
\??\c:\3bnhhb.exec:\3bnhhb.exe56⤵
- Executes dropped EXE
PID:4044 -
\??\c:\vpjvj.exec:\vpjvj.exe57⤵
- Executes dropped EXE
PID:920 -
\??\c:\frrfrlf.exec:\frrfrlf.exe58⤵
- Executes dropped EXE
PID:2536 -
\??\c:\ttthth.exec:\ttthth.exe59⤵
- Executes dropped EXE
PID:5072 -
\??\c:\vvddv.exec:\vvddv.exe60⤵
- Executes dropped EXE
PID:3280 -
\??\c:\dvdvj.exec:\dvdvj.exe61⤵
- Executes dropped EXE
PID:3648 -
\??\c:\flrxfrf.exec:\flrxfrf.exe62⤵
- Executes dropped EXE
PID:1976 -
\??\c:\btnbnh.exec:\btnbnh.exe63⤵
- Executes dropped EXE
PID:2080 -
\??\c:\9nhthb.exec:\9nhthb.exe64⤵
- Executes dropped EXE
PID:4976 -
\??\c:\jpvpv.exec:\jpvpv.exe65⤵
- Executes dropped EXE
PID:1472 -
\??\c:\lfxlrlx.exec:\lfxlrlx.exe66⤵PID:3656
-
\??\c:\ntthbn.exec:\ntthbn.exe67⤵PID:1548
-
\??\c:\pdjdp.exec:\pdjdp.exe68⤵PID:4780
-
\??\c:\djpjv.exec:\djpjv.exe69⤵PID:1944
-
\??\c:\ffxrlfx.exec:\ffxrlfx.exe70⤵PID:4892
-
\??\c:\nhnhnh.exec:\nhnhnh.exe71⤵PID:4100
-
\??\c:\pdvpd.exec:\pdvpd.exe72⤵PID:1960
-
\??\c:\lfllxrx.exec:\lfllxrx.exe73⤵PID:2372
-
\??\c:\nhhbnh.exec:\nhhbnh.exe74⤵PID:3164
-
\??\c:\tnbtht.exec:\tnbtht.exe75⤵PID:1260
-
\??\c:\jdvpd.exec:\jdvpd.exe76⤵PID:3552
-
\??\c:\xxlfrlf.exec:\xxlfrlf.exe77⤵PID:3436
-
\??\c:\hnbnhh.exec:\hnbnhh.exe78⤵PID:1528
-
\??\c:\dvddj.exec:\dvddj.exe79⤵PID:5012
-
\??\c:\vppjd.exec:\vppjd.exe80⤵PID:2844
-
\??\c:\fffffxl.exec:\fffffxl.exe81⤵PID:2872
-
\??\c:\7hnhbb.exec:\7hnhbb.exe82⤵PID:4232
-
\??\c:\vvvpj.exec:\vvvpj.exe83⤵PID:1288
-
\??\c:\jdjjj.exec:\jdjjj.exe84⤵
- System Location Discovery: System Language Discovery
PID:1676 -
\??\c:\lffxlll.exec:\lffxlll.exe85⤵PID:2824
-
\??\c:\nbhbnh.exec:\nbhbnh.exe86⤵PID:1560
-
\??\c:\vdvjd.exec:\vdvjd.exe87⤵PID:3680
-
\??\c:\ffffxlr.exec:\ffffxlr.exe88⤵PID:1496
-
\??\c:\nhhhbb.exec:\nhhhbb.exe89⤵PID:3720
-
\??\c:\jddvj.exec:\jddvj.exe90⤵PID:2840
-
\??\c:\3fxxlxl.exec:\3fxxlxl.exe91⤵PID:4520
-
\??\c:\7thbnh.exec:\7thbnh.exe92⤵PID:5100
-
\??\c:\htbnhb.exec:\htbnhb.exe93⤵PID:2864
-
\??\c:\dpjjj.exec:\dpjjj.exe94⤵PID:1828
-
\??\c:\3lfxffx.exec:\3lfxffx.exe95⤵PID:736
-
\??\c:\bntnhh.exec:\bntnhh.exe96⤵PID:3428
-
\??\c:\vpvpp.exec:\vpvpp.exe97⤵PID:1292
-
\??\c:\lllfxxr.exec:\lllfxxr.exe98⤵PID:3964
-
\??\c:\lrxrffr.exec:\lrxrffr.exe99⤵PID:776
-
\??\c:\hbtnhh.exec:\hbtnhh.exe100⤵PID:4136
-
\??\c:\dvdvv.exec:\dvdvv.exe101⤵PID:1308
-
\??\c:\fxffrxx.exec:\fxffrxx.exe102⤵PID:992
-
\??\c:\rxfxrlf.exec:\rxfxrlf.exe103⤵PID:1500
-
\??\c:\nhhnbn.exec:\nhhnbn.exe104⤵PID:4964
-
\??\c:\jjpjv.exec:\jjpjv.exe105⤵PID:852
-
\??\c:\jppjd.exec:\jppjd.exe106⤵PID:388
-
\??\c:\xxllrrx.exec:\xxllrrx.exe107⤵PID:1784
-
\??\c:\tbttnn.exec:\tbttnn.exe108⤵PID:3528
-
\??\c:\vpjdv.exec:\vpjdv.exe109⤵PID:3976
-
\??\c:\jppdp.exec:\jppdp.exe110⤵PID:464
-
\??\c:\3xrfrfx.exec:\3xrfrfx.exe111⤵PID:3568
-
\??\c:\nhtttt.exec:\nhtttt.exe112⤵PID:1684
-
\??\c:\3pjvj.exec:\3pjvj.exe113⤵PID:4244
-
\??\c:\xrxrlll.exec:\xrxrlll.exe114⤵PID:2964
-
\??\c:\hbhhnn.exec:\hbhhnn.exe115⤵PID:4700
-
\??\c:\vjjvp.exec:\vjjvp.exe116⤵PID:4524
-
\??\c:\pvdvv.exec:\pvdvv.exe117⤵PID:4544
-
\??\c:\fxxrffx.exec:\fxxrffx.exe118⤵PID:4540
-
\??\c:\ttbtnt.exec:\ttbtnt.exe119⤵PID:5112
-
\??\c:\vvppd.exec:\vvppd.exe120⤵PID:3872
-
\??\c:\5vvjj.exec:\5vvjj.exe121⤵PID:2424
-
\??\c:\lxxxxfl.exec:\lxxxxfl.exe122⤵PID:2440
-