Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29/12/2024, 03:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe
-
Size
453KB
-
MD5
1e2b62573b80ea2cd28e47c275b4b134
-
SHA1
bbeb5fb820a5483617467bd176e69b0f5f7b0834
-
SHA256
b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2
-
SHA512
b924fd7b30cdde181b37343dcf14ea251d15279b67c7cd3132668d0a2a0c58a70620040b88d801a0e9a03242d3383e94e6a6769dece56e02d60e5a7876ee4bb9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb0:q7Tc2NYHUrAwfMp3CDb0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/908-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2236-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2288-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-838-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-971-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-1157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-1198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/888-1229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1512 jpdvj.exe 2496 hnthhh.exe 3448 lxxxrll.exe 3180 vppjd.exe 644 nhnnhh.exe 4292 xlxrllf.exe 5052 lrxrrrl.exe 4408 llxxlrx.exe 3768 thnnbb.exe 4884 vvdvv.exe 4232 rfrxxxr.exe 3920 3ffxxxr.exe 4364 dpvpd.exe 4968 lllffxr.exe 5036 dpvjd.exe 3604 hhbbbt.exe 4640 vdjvp.exe 2488 fxffrrx.exe 408 7xfxrxr.exe 660 1nttbb.exe 648 jdddv.exe 1524 bttnhh.exe 2236 dpvpp.exe 1380 7rrllll.exe 2396 vpppj.exe 4368 djddp.exe 1748 rlxfxxr.exe 1300 dpvvv.exe 2480 jdvvp.exe 3996 frrrllx.exe 2908 fxrrlxx.exe 4756 nbbtbt.exe 872 hbbbtt.exe 4584 7ffxrxr.exe 632 hhhbbb.exe 1560 lrffxxx.exe 2228 htbbtn.exe 1788 pjjdd.exe 2728 xrrlfxr.exe 5012 bnbtnb.exe 2072 tttnhb.exe 2516 pvjdd.exe 3528 5fffxxr.exe 2976 tbhbbb.exe 2428 7vvpv.exe 1376 jpvpj.exe 1612 lflfxxr.exe 224 thhbbt.exe 3184 jdpvp.exe 4492 jjjjd.exe 2500 ffflflf.exe 3036 lrxflfr.exe 220 hntnnn.exe 536 vpddv.exe 4292 rxfxrrl.exe 3348 xxrlffl.exe 1776 ntbbbh.exe 3388 vdpjd.exe 3220 frrrlrl.exe 1172 xflfffx.exe 4232 hhhbbb.exe 1432 9ppdd.exe 4300 lflrrrl.exe 4472 rlxrffl.exe -
resource yara_rule behavioral2/memory/908-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-136-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2236-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-336-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4944-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-697-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-838-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 908 wrote to memory of 1512 908 b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe 83 PID 908 wrote to memory of 1512 908 b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe 83 PID 908 wrote to memory of 1512 908 b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe 83 PID 1512 wrote to memory of 2496 1512 jpdvj.exe 84 PID 1512 wrote to memory of 2496 1512 jpdvj.exe 84 PID 1512 wrote to memory of 2496 1512 jpdvj.exe 84 PID 2496 wrote to memory of 3448 2496 hnthhh.exe 85 PID 2496 wrote to memory of 3448 2496 hnthhh.exe 85 PID 2496 wrote to memory of 3448 2496 hnthhh.exe 85 PID 3448 wrote to memory of 3180 3448 lxxxrll.exe 86 PID 3448 wrote to memory of 3180 3448 lxxxrll.exe 86 PID 3448 wrote to memory of 3180 3448 lxxxrll.exe 86 PID 3180 wrote to memory of 644 3180 vppjd.exe 87 PID 3180 wrote to memory of 644 3180 vppjd.exe 87 PID 3180 wrote to memory of 644 3180 vppjd.exe 87 PID 644 wrote to memory of 4292 644 nhnnhh.exe 88 PID 644 wrote to memory of 4292 644 nhnnhh.exe 88 PID 644 wrote to memory of 4292 644 nhnnhh.exe 88 PID 4292 wrote to memory of 5052 4292 xlxrllf.exe 89 PID 4292 wrote to memory of 5052 4292 xlxrllf.exe 89 PID 4292 wrote to memory of 5052 4292 xlxrllf.exe 89 PID 5052 wrote to memory of 4408 5052 lrxrrrl.exe 90 PID 5052 wrote to memory of 4408 5052 lrxrrrl.exe 90 PID 5052 wrote to memory of 4408 5052 lrxrrrl.exe 90 PID 4408 wrote to memory of 3768 4408 llxxlrx.exe 91 PID 4408 wrote to memory of 3768 4408 llxxlrx.exe 91 PID 4408 wrote to memory of 3768 4408 llxxlrx.exe 91 PID 3768 wrote to memory of 4884 3768 thnnbb.exe 92 PID 3768 wrote to memory of 4884 3768 thnnbb.exe 92 PID 3768 wrote to memory of 4884 3768 thnnbb.exe 92 PID 4884 wrote to memory of 4232 4884 vvdvv.exe 93 PID 4884 wrote to memory of 4232 4884 vvdvv.exe 93 PID 4884 wrote to memory of 4232 4884 vvdvv.exe 93 PID 4232 wrote to memory of 3920 4232 rfrxxxr.exe 94 PID 4232 wrote to memory of 
3920 4232 rfrxxxr.exe 94 PID 4232 wrote to memory of 3920 4232 rfrxxxr.exe 94 PID 3920 wrote to memory of 4364 3920 3ffxxxr.exe 95 PID 3920 wrote to memory of 4364 3920 3ffxxxr.exe 95 PID 3920 wrote to memory of 4364 3920 3ffxxxr.exe 95 PID 4364 wrote to memory of 4968 4364 dpvpd.exe 96 PID 4364 wrote to memory of 4968 4364 dpvpd.exe 96 PID 4364 wrote to memory of 4968 4364 dpvpd.exe 96 PID 4968 wrote to memory of 5036 4968 lllffxr.exe 97 PID 4968 wrote to memory of 5036 4968 lllffxr.exe 97 PID 4968 wrote to memory of 5036 4968 lllffxr.exe 97 PID 5036 wrote to memory of 3604 5036 dpvjd.exe 98 PID 5036 wrote to memory of 3604 5036 dpvjd.exe 98 PID 5036 wrote to memory of 3604 5036 dpvjd.exe 98 PID 3604 wrote to memory of 4640 3604 hhbbbt.exe 99 PID 3604 wrote to memory of 4640 3604 hhbbbt.exe 99 PID 3604 wrote to memory of 4640 3604 hhbbbt.exe 99 PID 4640 wrote to memory of 2488 4640 vdjvp.exe 100 PID 4640 wrote to memory of 2488 4640 vdjvp.exe 100 PID 4640 wrote to memory of 2488 4640 vdjvp.exe 100 PID 2488 wrote to memory of 408 2488 fxffrrx.exe 101 PID 2488 wrote to memory of 408 2488 fxffrrx.exe 101 PID 2488 wrote to memory of 408 2488 fxffrrx.exe 101 PID 408 wrote to memory of 660 408 7xfxrxr.exe 102 PID 408 wrote to memory of 660 408 7xfxrxr.exe 102 PID 408 wrote to memory of 660 408 7xfxrxr.exe 102 PID 660 wrote to memory of 648 660 1nttbb.exe 103 PID 660 wrote to memory of 648 660 1nttbb.exe 103 PID 660 wrote to memory of 648 660 1nttbb.exe 103 PID 648 wrote to memory of 1524 648 jdddv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe"C:\Users\Admin\AppData\Local\Temp\b5b9a838155ee9f2880603a8df59ceed0cb589d8ea1d02e6343749e785699be2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:908 -
\??\c:\jpdvj.exec:\jpdvj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\hnthhh.exec:\hnthhh.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496 -
\??\c:\lxxxrll.exec:\lxxxrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3448 -
\??\c:\vppjd.exec:\vppjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
\??\c:\nhnnhh.exec:\nhnnhh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\xlxrllf.exec:\xlxrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\lrxrrrl.exec:\lrxrrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\llxxlrx.exec:\llxxlrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\thnnbb.exec:\thnnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3768 -
\??\c:\vvdvv.exec:\vvdvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\rfrxxxr.exec:\rfrxxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\3ffxxxr.exec:\3ffxxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\dpvpd.exec:\dpvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\lllffxr.exec:\lllffxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\dpvjd.exec:\dpvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\hhbbbt.exec:\hhbbbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\vdjvp.exec:\vdjvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\fxffrrx.exec:\fxffrrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\7xfxrxr.exec:\7xfxrxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\1nttbb.exec:\1nttbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\jdddv.exec:\jdddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\bttnhh.exec:\bttnhh.exe23⤵
- Executes dropped EXE
PID:1524 -
\??\c:\dpvpp.exec:\dpvpp.exe24⤵
- Executes dropped EXE
PID:2236 -
\??\c:\7rrllll.exec:\7rrllll.exe25⤵
- Executes dropped EXE
PID:1380 -
\??\c:\vpppj.exec:\vpppj.exe26⤵
- Executes dropped EXE
PID:2396 -
\??\c:\djddp.exec:\djddp.exe27⤵
- Executes dropped EXE
PID:4368 -
\??\c:\rlxfxxr.exec:\rlxfxxr.exe28⤵
- Executes dropped EXE
PID:1748 -
\??\c:\dpvvv.exec:\dpvvv.exe29⤵
- Executes dropped EXE
PID:1300 -
\??\c:\jdvvp.exec:\jdvvp.exe30⤵
- Executes dropped EXE
PID:2480 -
\??\c:\frrrllx.exec:\frrrllx.exe31⤵
- Executes dropped EXE
PID:3996 -
\??\c:\fxrrlxx.exec:\fxrrlxx.exe32⤵
- Executes dropped EXE
PID:2908 -
\??\c:\nbbtbt.exec:\nbbtbt.exe33⤵
- Executes dropped EXE
PID:4756 -
\??\c:\hbbbtt.exec:\hbbbtt.exe34⤵
- Executes dropped EXE
PID:872 -
\??\c:\7ffxrxr.exec:\7ffxrxr.exe35⤵
- Executes dropped EXE
PID:4584 -
\??\c:\hhhbbb.exec:\hhhbbb.exe36⤵
- Executes dropped EXE
PID:632 -
\??\c:\lrffxxx.exec:\lrffxxx.exe37⤵
- Executes dropped EXE
PID:1560 -
\??\c:\htbbtn.exec:\htbbtn.exe38⤵
- Executes dropped EXE
PID:2228 -
\??\c:\pjjdd.exec:\pjjdd.exe39⤵
- Executes dropped EXE
PID:1788 -
\??\c:\xrrlfxr.exec:\xrrlfxr.exe40⤵
- Executes dropped EXE
PID:2728 -
\??\c:\bnbtnb.exec:\bnbtnb.exe41⤵
- Executes dropped EXE
PID:5012 -
\??\c:\tttnhb.exec:\tttnhb.exe42⤵
- Executes dropped EXE
PID:2072 -
\??\c:\pvjdd.exec:\pvjdd.exe43⤵
- Executes dropped EXE
PID:2516 -
\??\c:\5fffxxr.exec:\5fffxxr.exe44⤵
- Executes dropped EXE
PID:3528 -
\??\c:\tbhbbb.exec:\tbhbbb.exe45⤵
- Executes dropped EXE
PID:2976 -
\??\c:\ttbttt.exec:\ttbttt.exe46⤵PID:4340
-
\??\c:\7vvpv.exec:\7vvpv.exe47⤵
- Executes dropped EXE
PID:2428 -
\??\c:\jpvpj.exec:\jpvpj.exe48⤵
- Executes dropped EXE
PID:1376 -
\??\c:\lflfxxr.exec:\lflfxxr.exe49⤵
- Executes dropped EXE
PID:1612 -
\??\c:\thhbbt.exec:\thhbbt.exe50⤵
- Executes dropped EXE
PID:224 -
\??\c:\jdpvp.exec:\jdpvp.exe51⤵
- Executes dropped EXE
PID:3184 -
\??\c:\jjjjd.exec:\jjjjd.exe52⤵
- Executes dropped EXE
PID:4492 -
\??\c:\ffflflf.exec:\ffflflf.exe53⤵
- Executes dropped EXE
PID:2500 -
\??\c:\lrxflfr.exec:\lrxflfr.exe54⤵
- Executes dropped EXE
PID:3036 -
\??\c:\hntnnn.exec:\hntnnn.exe55⤵
- Executes dropped EXE
PID:220 -
\??\c:\vpddv.exec:\vpddv.exe56⤵
- Executes dropped EXE
PID:536 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe57⤵
- Executes dropped EXE
PID:4292 -
\??\c:\xxrlffl.exec:\xxrlffl.exe58⤵
- Executes dropped EXE
PID:3348 -
\??\c:\ntbbbh.exec:\ntbbbh.exe59⤵
- Executes dropped EXE
PID:1776 -
\??\c:\vdpjd.exec:\vdpjd.exe60⤵
- Executes dropped EXE
PID:3388 -
\??\c:\frrrlrl.exec:\frrrlrl.exe61⤵
- Executes dropped EXE
PID:3220 -
\??\c:\xflfffx.exec:\xflfffx.exe62⤵
- Executes dropped EXE
PID:1172 -
\??\c:\hhhbbb.exec:\hhhbbb.exe63⤵
- Executes dropped EXE
PID:4232 -
\??\c:\9ppdd.exec:\9ppdd.exe64⤵
- Executes dropped EXE
PID:1432 -
\??\c:\lflrrrl.exec:\lflrrrl.exe65⤵
- Executes dropped EXE
PID:4300 -
\??\c:\rlxrffl.exec:\rlxrffl.exe66⤵
- Executes dropped EXE
PID:4472 -
\??\c:\bhbbtt.exec:\bhbbtt.exe67⤵PID:4364
-
\??\c:\vpvvp.exec:\vpvvp.exe68⤵PID:800
-
\??\c:\xxffrrx.exec:\xxffrrx.exe69⤵PID:2332
-
\??\c:\bbhthn.exec:\bbhthn.exe70⤵PID:3836
-
\??\c:\hbnnhh.exec:\hbnnhh.exe71⤵PID:5000
-
\??\c:\vvdpj.exec:\vvdpj.exe72⤵PID:4512
-
\??\c:\frfxxxx.exec:\frfxxxx.exe73⤵PID:1392
-
\??\c:\nhbttt.exec:\nhbttt.exe74⤵PID:1984
-
\??\c:\bbnhnh.exec:\bbnhnh.exe75⤵PID:2288
-
\??\c:\ppjjd.exec:\ppjjd.exe76⤵PID:4400
-
\??\c:\rfllxxx.exec:\rfllxxx.exe77⤵PID:2060
-
\??\c:\tnttnh.exec:\tnttnh.exe78⤵PID:4944
-
\??\c:\dpdvp.exec:\dpdvp.exe79⤵PID:3340
-
\??\c:\jvvpp.exec:\jvvpp.exe80⤵PID:5004
-
\??\c:\3rffxxx.exec:\3rffxxx.exe81⤵PID:2820
-
\??\c:\thnhbb.exec:\thnhbb.exe82⤵PID:4024
-
\??\c:\pjppj.exec:\pjppj.exe83⤵PID:4776
-
\??\c:\pjdvv.exec:\pjdvv.exe84⤵PID:1856
-
\??\c:\rlflfxr.exec:\rlflfxr.exe85⤵PID:4760
-
\??\c:\tnnnhh.exec:\tnnnhh.exe86⤵PID:2984
-
\??\c:\pjjjd.exec:\pjjjd.exe87⤵PID:4980
-
\??\c:\jddvv.exec:\jddvv.exe88⤵PID:1168
-
\??\c:\fxfxrll.exec:\fxfxrll.exe89⤵PID:4032
-
\??\c:\9bnntt.exec:\9bnntt.exe90⤵PID:4908
-
\??\c:\jdjjd.exec:\jdjjd.exe91⤵PID:3524
-
\??\c:\9rxxllf.exec:\9rxxllf.exe92⤵PID:4740
-
\??\c:\rxllffx.exec:\rxllffx.exe93⤵PID:1484
-
\??\c:\ttbhhh.exec:\ttbhhh.exe94⤵PID:2480
-
\??\c:\vvdvd.exec:\vvdvd.exe95⤵PID:2568
-
\??\c:\jvjdj.exec:\jvjdj.exe96⤵PID:2544
-
\??\c:\frxxrrl.exec:\frxxrrl.exe97⤵PID:968
-
\??\c:\hbbttt.exec:\hbbttt.exe98⤵PID:4756
-
\??\c:\pdvpp.exec:\pdvpp.exe99⤵PID:448
-
\??\c:\7jjdv.exec:\7jjdv.exe100⤵PID:5040
-
\??\c:\fxllfxl.exec:\fxllfxl.exe101⤵PID:2644
-
\??\c:\htbtnn.exec:\htbtnn.exe102⤵PID:2436
-
\??\c:\bhhbtt.exec:\bhhbtt.exe103⤵PID:2880
-
\??\c:\vjpjj.exec:\vjpjj.exe104⤵PID:4028
-
\??\c:\xlrxrlf.exec:\xlrxrlf.exe105⤵PID:4552
-
\??\c:\btttnb.exec:\btttnb.exe106⤵PID:3912
-
\??\c:\nbhbtt.exec:\nbhbtt.exe107⤵PID:2116
-
\??\c:\5djdj.exec:\5djdj.exe108⤵PID:3616
-
\??\c:\9ffxfff.exec:\9ffxfff.exe109⤵PID:3672
-
\??\c:\tnntnb.exec:\tnntnb.exe110⤵PID:1816
-
\??\c:\hnbtnn.exec:\hnbtnn.exe111⤵PID:2408
-
\??\c:\jvppv.exec:\jvppv.exe112⤵PID:2428
-
\??\c:\rrrlfff.exec:\rrrlfff.exe113⤵PID:2588
-
\??\c:\bbbhbh.exec:\bbbhbh.exe114⤵PID:4284
-
\??\c:\nhthbh.exec:\nhthbh.exe115⤵PID:1992
-
\??\c:\3jvdv.exec:\3jvdv.exe116⤵PID:4180
-
\??\c:\xxxrrfx.exec:\xxxrrfx.exe117⤵PID:3288
-
\??\c:\lrxrlrr.exec:\lrxrlrr.exe118⤵PID:1264
-
\??\c:\hhnnhh.exec:\hhnnhh.exe119⤵PID:1180
-
\??\c:\vvvvp.exec:\vvvvp.exe120⤵PID:2636
-
\??\c:\pjdjv.exec:\pjdjv.exe121⤵PID:2124
-
\??\c:\frxxxll.exec:\frxxxll.exe122⤵PID:4848