Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 20:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80.exe
-
Size
453KB
-
MD5
84d8fb2366e1ed636ee8ff1635fd006c
-
SHA1
97af4a1a9c2226be99454a7034b4a1f69f7d9592
-
SHA256
1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80
-
SHA512
959d5a140e40c2a07614d64b9749f27e764f7a2d0ff8c958d3fec5c86a82df669ae68d692fbe1823919897f99c23da3cb89ee7828897586a495cbff1a67df541
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4324-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2136-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4616-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-614-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-786-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-1044-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2508 hbttnh.exe 5108 pddvp.exe 3056 xlxrlfl.exe 3656 nnnnnn.exe 4424 bthbhb.exe 4740 pppjd.exe 4352 xflxrrl.exe 456 5fxrlrl.exe 312 thtnhb.exe 5084 pjjdv.exe 3900 pjjdd.exe 5012 1rxxflr.exe 1144 hthbbb.exe 1264 hnthbb.exe 2416 dvjdv.exe 1728 lfffxxr.exe 692 lrfffff.exe 4092 3nbthh.exe 3064 ntbttn.exe 3060 3vjdj.exe 4712 5xllfff.exe 868 lflflfl.exe 4388 9hnhnn.exe 1976 vvvpj.exe 3616 vjpjp.exe 2136 9xxrrrl.exe 2836 nhhbtn.exe 3776 5nntnn.exe 436 jdddd.exe 840 lllfxxr.exe 3448 rlxxrrx.exe 1480 7ntntn.exe 3320 1pvpj.exe 2276 vjvpj.exe 3436 xxxxrxx.exe 3332 nhtthn.exe 4748 3tttnn.exe 1032 pjpvp.exe 2160 xxrlffx.exe 2216 fxxlxrl.exe 4564 hhhbbb.exe 876 jjjjv.exe 1404 vjvvp.exe 3296 9flfxxr.exe 4104 3nhhhh.exe 4768 jppjj.exe 412 7pvvp.exe 2372 flxrrll.exe 5108 hhbhhn.exe 3500 bntnhh.exe 1632 pvjdd.exe 2104 xrxrlll.exe 3304 httnhh.exe 4740 tnbtnt.exe 4532 dvjpp.exe 456 lfrlrlr.exe 1008 3rrxrrl.exe 628 1thbbb.exe 5112 vdjdv.exe 1564 pdjjv.exe 1408 1lrlllr.exe 1216 hbhhhb.exe 2268 9btbth.exe 1100 vppdv.exe -
resource yara_rule behavioral2/memory/4324-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-136-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/868-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3180-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-614-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-749-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffxlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4324 wrote to memory of 2508 4324 1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80.exe 83 PID 4324 wrote to memory of 2508 4324 1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80.exe 83 PID 4324 wrote to memory of 2508 4324 1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80.exe 83 PID 2508 wrote to memory of 5108 2508 hbttnh.exe 132 PID 2508 wrote to memory of 5108 2508 hbttnh.exe 132 PID 2508 wrote to memory of 5108 2508 hbttnh.exe 132 PID 5108 wrote to memory of 3056 5108 pddvp.exe 85 PID 5108 wrote to memory of 3056 5108 pddvp.exe 85 PID 5108 wrote to memory of 3056 5108 pddvp.exe 85 PID 3056 wrote to memory of 3656 3056 xlxrlfl.exe 86 PID 3056 wrote to memory of 3656 3056 xlxrlfl.exe 86 PID 3056 wrote to memory of 3656 3056 xlxrlfl.exe 86 PID 3656 wrote to memory of 4424 3656 nnnnnn.exe 87 PID 3656 wrote to memory of 4424 3656 nnnnnn.exe 87 PID 3656 wrote to memory of 4424 3656 nnnnnn.exe 87 PID 4424 wrote to memory of 4740 4424 bthbhb.exe 88 PID 4424 wrote to memory of 4740 4424 bthbhb.exe 88 PID 4424 wrote to memory of 4740 4424 bthbhb.exe 88 PID 4740 wrote to memory of 4352 4740 pppjd.exe 89 PID 4740 wrote to memory of 4352 4740 pppjd.exe 89 PID 4740 wrote to memory of 4352 4740 pppjd.exe 89 PID 4352 wrote to memory of 456 4352 xflxrrl.exe 90 PID 4352 wrote to memory of 456 4352 xflxrrl.exe 90 PID 4352 wrote to memory of 456 4352 xflxrrl.exe 90 PID 456 wrote to memory of 312 456 5fxrlrl.exe 91 PID 456 wrote to memory of 312 456 5fxrlrl.exe 91 PID 456 wrote to memory of 312 456 5fxrlrl.exe 91 PID 312 wrote to memory of 5084 312 thtnhb.exe 92 PID 312 wrote to memory of 5084 312 thtnhb.exe 92 PID 312 wrote to memory of 5084 312 thtnhb.exe 92 PID 5084 wrote to memory of 3900 5084 pjjdv.exe 93 PID 5084 wrote to memory of 3900 5084 pjjdv.exe 93 PID 5084 wrote to memory of 3900 5084 pjjdv.exe 93 PID 3900 wrote to memory of 5012 3900 pjjdd.exe 94 PID 3900 wrote to memory of 5012 
3900 pjjdd.exe 94 PID 3900 wrote to memory of 5012 3900 pjjdd.exe 94 PID 5012 wrote to memory of 1144 5012 1rxxflr.exe 95 PID 5012 wrote to memory of 1144 5012 1rxxflr.exe 95 PID 5012 wrote to memory of 1144 5012 1rxxflr.exe 95 PID 1144 wrote to memory of 1264 1144 hthbbb.exe 96 PID 1144 wrote to memory of 1264 1144 hthbbb.exe 96 PID 1144 wrote to memory of 1264 1144 hthbbb.exe 96 PID 1264 wrote to memory of 2416 1264 hnthbb.exe 97 PID 1264 wrote to memory of 2416 1264 hnthbb.exe 97 PID 1264 wrote to memory of 2416 1264 hnthbb.exe 97 PID 2416 wrote to memory of 1728 2416 dvjdv.exe 98 PID 2416 wrote to memory of 1728 2416 dvjdv.exe 98 PID 2416 wrote to memory of 1728 2416 dvjdv.exe 98 PID 1728 wrote to memory of 692 1728 lfffxxr.exe 99 PID 1728 wrote to memory of 692 1728 lfffxxr.exe 99 PID 1728 wrote to memory of 692 1728 lfffxxr.exe 99 PID 692 wrote to memory of 4092 692 lrfffff.exe 100 PID 692 wrote to memory of 4092 692 lrfffff.exe 100 PID 692 wrote to memory of 4092 692 lrfffff.exe 100 PID 4092 wrote to memory of 3064 4092 3nbthh.exe 101 PID 4092 wrote to memory of 3064 4092 3nbthh.exe 101 PID 4092 wrote to memory of 3064 4092 3nbthh.exe 101 PID 3064 wrote to memory of 3060 3064 ntbttn.exe 102 PID 3064 wrote to memory of 3060 3064 ntbttn.exe 102 PID 3064 wrote to memory of 3060 3064 ntbttn.exe 102 PID 3060 wrote to memory of 4712 3060 3vjdj.exe 103 PID 3060 wrote to memory of 4712 3060 3vjdj.exe 103 PID 3060 wrote to memory of 4712 3060 3vjdj.exe 103 PID 4712 wrote to memory of 868 4712 5xllfff.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80.exe"C:\Users\Admin\AppData\Local\Temp\1df672b6546f798a5a5fc719b6c5433e8beea7a49ca7c032636f7a93aa7dcf80.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\hbttnh.exec:\hbttnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\pddvp.exec:\pddvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\xlxrlfl.exec:\xlxrlfl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\nnnnnn.exec:\nnnnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\bthbhb.exec:\bthbhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\pppjd.exec:\pppjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\xflxrrl.exec:\xflxrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\5fxrlrl.exec:\5fxrlrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\thtnhb.exec:\thtnhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\pjjdv.exec:\pjjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\pjjdd.exec:\pjjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\1rxxflr.exec:\1rxxflr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\hthbbb.exec:\hthbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\hnthbb.exec:\hnthbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\dvjdv.exec:\dvjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\lfffxxr.exec:\lfffxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\lrfffff.exec:\lrfffff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\3nbthh.exec:\3nbthh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\ntbttn.exec:\ntbttn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\3vjdj.exec:\3vjdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\5xllfff.exec:\5xllfff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\lflflfl.exec:\lflflfl.exe23⤵
- Executes dropped EXE
PID:868 -
\??\c:\9hnhnn.exec:\9hnhnn.exe24⤵
- Executes dropped EXE
PID:4388 -
\??\c:\vvvpj.exec:\vvvpj.exe25⤵
- Executes dropped EXE
PID:1976 -
\??\c:\vjpjp.exec:\vjpjp.exe26⤵
- Executes dropped EXE
PID:3616 -
\??\c:\9xxrrrl.exec:\9xxrrrl.exe27⤵
- Executes dropped EXE
PID:2136 -
\??\c:\nhhbtn.exec:\nhhbtn.exe28⤵
- Executes dropped EXE
PID:2836 -
\??\c:\5nntnn.exec:\5nntnn.exe29⤵
- Executes dropped EXE
PID:3776 -
\??\c:\jdddd.exec:\jdddd.exe30⤵
- Executes dropped EXE
PID:436 -
\??\c:\lllfxxr.exec:\lllfxxr.exe31⤵
- Executes dropped EXE
PID:840 -
\??\c:\rlxxrrx.exec:\rlxxrrx.exe32⤵
- Executes dropped EXE
PID:3448 -
\??\c:\7ntntn.exec:\7ntntn.exe33⤵
- Executes dropped EXE
PID:1480 -
\??\c:\1pvpj.exec:\1pvpj.exe34⤵
- Executes dropped EXE
PID:3320 -
\??\c:\vjvpj.exec:\vjvpj.exe35⤵
- Executes dropped EXE
PID:2276 -
\??\c:\xxxxrxx.exec:\xxxxrxx.exe36⤵
- Executes dropped EXE
PID:3436 -
\??\c:\nhtthn.exec:\nhtthn.exe37⤵
- Executes dropped EXE
PID:3332 -
\??\c:\3tttnn.exec:\3tttnn.exe38⤵
- Executes dropped EXE
PID:4748 -
\??\c:\pjpvp.exec:\pjpvp.exe39⤵
- Executes dropped EXE
PID:1032 -
\??\c:\xxrlffx.exec:\xxrlffx.exe40⤵
- Executes dropped EXE
PID:2160 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe41⤵
- Executes dropped EXE
PID:2216 -
\??\c:\hhhbbb.exec:\hhhbbb.exe42⤵
- Executes dropped EXE
PID:4564 -
\??\c:\jjjjv.exec:\jjjjv.exe43⤵
- Executes dropped EXE
PID:876 -
\??\c:\vjvvp.exec:\vjvvp.exe44⤵
- Executes dropped EXE
PID:1404 -
\??\c:\9flfxxr.exec:\9flfxxr.exe45⤵
- Executes dropped EXE
PID:3296 -
\??\c:\1bhbtt.exec:\1bhbtt.exe46⤵PID:4276
-
\??\c:\3nhhhh.exec:\3nhhhh.exe47⤵
- Executes dropped EXE
PID:4104 -
\??\c:\jppjj.exec:\jppjj.exe48⤵
- Executes dropped EXE
PID:4768 -
\??\c:\7pvvp.exec:\7pvvp.exe49⤵
- Executes dropped EXE
PID:412 -
\??\c:\flxrrll.exec:\flxrrll.exe50⤵
- Executes dropped EXE
PID:2372 -
\??\c:\hhbhhn.exec:\hhbhhn.exe51⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bntnhh.exec:\bntnhh.exe52⤵
- Executes dropped EXE
PID:3500 -
\??\c:\pvjdd.exec:\pvjdd.exe53⤵
- Executes dropped EXE
PID:1632 -
\??\c:\xrxrlll.exec:\xrxrlll.exe54⤵
- Executes dropped EXE
PID:2104 -
\??\c:\httnhh.exec:\httnhh.exe55⤵
- Executes dropped EXE
PID:3304 -
\??\c:\tnbtnt.exec:\tnbtnt.exe56⤵
- Executes dropped EXE
PID:4740 -
\??\c:\dvjpp.exec:\dvjpp.exe57⤵
- Executes dropped EXE
PID:4532 -
\??\c:\lfrlrlr.exec:\lfrlrlr.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:456 -
\??\c:\3rrxrrl.exec:\3rrxrrl.exe59⤵
- Executes dropped EXE
PID:1008 -
\??\c:\1thbbb.exec:\1thbbb.exe60⤵
- Executes dropped EXE
PID:628 -
\??\c:\vdjdv.exec:\vdjdv.exe61⤵
- Executes dropped EXE
PID:5112 -
\??\c:\pdjjv.exec:\pdjjv.exe62⤵
- Executes dropped EXE
PID:1564 -
\??\c:\1lrlllr.exec:\1lrlllr.exe63⤵
- Executes dropped EXE
PID:1408 -
\??\c:\hbhhhb.exec:\hbhhhb.exe64⤵
- Executes dropped EXE
PID:1216 -
\??\c:\9btbth.exec:\9btbth.exe65⤵
- Executes dropped EXE
PID:2268 -
\??\c:\vppdv.exec:\vppdv.exe66⤵
- Executes dropped EXE
PID:1100 -
\??\c:\pppjd.exec:\pppjd.exe67⤵PID:5104
-
\??\c:\rrfxxxx.exec:\rrfxxxx.exe68⤵PID:4304
-
\??\c:\5bhbbh.exec:\5bhbbh.exe69⤵PID:548
-
\??\c:\nbnnhb.exec:\nbnnhb.exe70⤵PID:2648
-
\??\c:\3ppjp.exec:\3ppjp.exe71⤵PID:232
-
\??\c:\rlxxrff.exec:\rlxxrff.exe72⤵PID:868
-
\??\c:\thnhhb.exec:\thnhhb.exe73⤵PID:4388
-
\??\c:\tnbttt.exec:\tnbttt.exe74⤵PID:1548
-
\??\c:\rfxxrrl.exec:\rfxxrrl.exe75⤵PID:1140
-
\??\c:\ttbbbb.exec:\ttbbbb.exe76⤵PID:184
-
\??\c:\7ppjj.exec:\7ppjj.exe77⤵PID:4932
-
\??\c:\tbthtb.exec:\tbthtb.exe78⤵PID:808
-
\??\c:\ddvvp.exec:\ddvvp.exe79⤵PID:780
-
\??\c:\dvdvv.exec:\dvdvv.exe80⤵PID:1544
-
\??\c:\lxfxxfx.exec:\lxfxxfx.exe81⤵PID:4616
-
\??\c:\bbtnnn.exec:\bbtnnn.exe82⤵PID:5068
-
\??\c:\djpdp.exec:\djpdp.exe83⤵PID:3436
-
\??\c:\frxxllx.exec:\frxxllx.exe84⤵PID:3048
-
\??\c:\7nhbnh.exec:\7nhbnh.exe85⤵PID:3648
-
\??\c:\bbbbtt.exec:\bbbbtt.exe86⤵PID:1032
-
\??\c:\3fflxxl.exec:\3fflxxl.exe87⤵PID:3484
-
\??\c:\rlxxrrx.exec:\rlxxrrx.exe88⤵PID:3180
-
\??\c:\nnnbtn.exec:\nnnbtn.exe89⤵PID:2120
-
\??\c:\dvdpp.exec:\dvdpp.exe90⤵PID:1404
-
\??\c:\xrrfxrx.exec:\xrrfxrx.exe91⤵PID:3296
-
\??\c:\hnthbt.exec:\hnthbt.exe92⤵PID:1048
-
\??\c:\jjdjd.exec:\jjdjd.exe93⤵PID:1492
-
\??\c:\btbtnh.exec:\btbtnh.exe94⤵
- System Location Discovery: System Language Discovery
PID:888 -
\??\c:\5djvd.exec:\5djvd.exe95⤵PID:4476
-
\??\c:\fflxxrf.exec:\fflxxrf.exe96⤵PID:4912
-
\??\c:\3nthbt.exec:\3nthbt.exe97⤵PID:1500
-
\??\c:\nbhbtt.exec:\nbhbtt.exe98⤵PID:4324
-
\??\c:\pjjdp.exec:\pjjdp.exe99⤵PID:2800
-
\??\c:\5rrfrrf.exec:\5rrfrrf.exe100⤵PID:3664
-
\??\c:\httthh.exec:\httthh.exe101⤵PID:3668
-
\??\c:\djppv.exec:\djppv.exe102⤵PID:3952
-
\??\c:\3xxrfxr.exec:\3xxrfxr.exe103⤵PID:4000
-
\??\c:\ttbnbb.exec:\ttbnbb.exe104⤵PID:1440
-
\??\c:\dvvpj.exec:\dvvpj.exe105⤵PID:5040
-
\??\c:\lfxlxrl.exec:\lfxlxrl.exe106⤵PID:5004
-
\??\c:\hbbhtb.exec:\hbbhtb.exe107⤵PID:2780
-
\??\c:\1ddvp.exec:\1ddvp.exe108⤵PID:836
-
\??\c:\xrrllff.exec:\xrrllff.exe109⤵PID:1408
-
\??\c:\hhnbtn.exec:\hhnbtn.exe110⤵PID:4780
-
\??\c:\vppdp.exec:\vppdp.exe111⤵PID:3292
-
\??\c:\ffflxrl.exec:\ffflxrl.exe112⤵PID:116
-
\??\c:\pdvpj.exec:\pdvpj.exe113⤵PID:1204
-
\??\c:\rrfrfxr.exec:\rrfrfxr.exe114⤵PID:1100
-
\??\c:\nhbthb.exec:\nhbthb.exe115⤵PID:4760
-
\??\c:\1jvjd.exec:\1jvjd.exe116⤵PID:4868
-
\??\c:\bhtnht.exec:\bhtnht.exe117⤵PID:1088
-
\??\c:\3hbthh.exec:\3hbthh.exe118⤵PID:2896
-
\??\c:\jjdjv.exec:\jjdjv.exe119⤵PID:940
-
\??\c:\xrrlxrl.exec:\xrrlxrl.exe120⤵PID:2908
-
\??\c:\hbbttn.exec:\hbbttn.exe121⤵PID:2144
-
\??\c:\pjjvj.exec:\pjjvj.exe122⤵PID:4720