Analysis
-
max time kernel
120s -
max time network
102s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
02/09/2024, 09:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a5b68df54699a5e79c8055bcc740f4c0N.exe
Resource
win7-20240705-en
6 signatures
120 seconds
General
-
Target
a5b68df54699a5e79c8055bcc740f4c0N.exe
-
Size
486KB
-
MD5
a5b68df54699a5e79c8055bcc740f4c0
-
SHA1
9fdfd3f11e5806ba3c02a69ff9994a4a4416ffd5
-
SHA256
07f7b4eaf910a946d5feca5715ec46488b0fa47a29fee11aacce2585519cbb9e
-
SHA512
e4c8a30fc83140027bda28676349cc5d649ff372490acdb59e705463fc1d2a01a0823f7bb533823d0562aa6c6ca95ff96e99008344480617df3ecfc6bf900a1a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwu1b26X1wjhtSizjnv:q7Tc2NYHUrAwqzcR
Malware Config
Signatures
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2560-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5152-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5532-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5128-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5184-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6140-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5856-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5956-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5924-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5908-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5836-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5760-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3344-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5452-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5632-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5384-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1724-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5508-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5984-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5920-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5844-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5444-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5288-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5360-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5940-922-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5632-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-1189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5128 3bhhhh.exe 5152 rlxrxxf.exe 5532 nntthh.exe 2200 5bbtnn.exe 4572 xrrllxr.exe 2716 ntttnn.exe 2280 vdjdp.exe 1816 vpvpd.exe 4404 rrfxrrr.exe 5184 hbtnbt.exe 6140 3thbtt.exe 6056 nhhthb.exe 5856 vpvpd.exe 5924 xfxrlfx.exe 5956 vpvpj.exe 6116 tnbttt.exe 5908 pjjvp.exe 5836 bnnnhh.exe 5516 pdjvp.exe 1468 xrlxrlf.exe 3916 vdpdv.exe 4880 rlrlllf.exe 5760 7ppvp.exe 2020 9rxxlrf.exe 3180 7hnhhh.exe 2308 fxfxrrf.exe 2128 jdjdv.exe 464 pjpvp.exe 3484 rrrflff.exe 5104 nbhbnh.exe 5724 tntbtb.exe 5256 3vdpv.exe 3660 fxxrlff.exe 3344 xfxlfxr.exe 4016 dvvjv.exe 552 lrxlxfr.exe 1920 5hhtnh.exe 5452 9pddj.exe 3460 pdvdd.exe 4924 fffffff.exe 3040 hntthn.exe 2828 vvvdv.exe 2336 lfrlfxx.exe 1472 rfrrrrr.exe 5632 ttttnh.exe 2684 lrffrrl.exe 4628 bttnhh.exe 4292 5jdvj.exe 2900 xrxrrlr.exe 4804 nhnbhb.exe 908 pdjpv.exe 5384 lrrrfxr.exe 732 lffrxrx.exe 1020 dvvjd.exe 1100 lffrlfl.exe 1672 9nhbnh.exe 4768 vjjdv.exe 1724 xxlfxxr.exe 4236 hhhnnt.exe 2148 1jvpj.exe 2452 lllfxrl.exe 2396 htbttn.exe 3440 hbbbtt.exe 3480 ffrlrrf.exe -
resource yara_rule behavioral2/memory/2560-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5152-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5532-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5128-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6140-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5184-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6140-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5856-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5924-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5956-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5924-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5908-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5908-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5836-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5760-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5760-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5452-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5632-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5384-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-283-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1724-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5508-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6080-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5984-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5912-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5920-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5844-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5444-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5288-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-620-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfxxr.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxfx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2560 wrote to memory of 5128 2560 a5b68df54699a5e79c8055bcc740f4c0N.exe 85 PID 2560 wrote to memory of 5128 2560 a5b68df54699a5e79c8055bcc740f4c0N.exe 85 PID 2560 wrote to memory of 5128 2560 a5b68df54699a5e79c8055bcc740f4c0N.exe 85 PID 5128 wrote to memory of 5152 5128 3bhhhh.exe 86 PID 5128 wrote to memory of 5152 5128 3bhhhh.exe 86 PID 5128 wrote to memory of 5152 5128 3bhhhh.exe 86 PID 5152 wrote to memory of 5532 5152 rlxrxxf.exe 87 PID 5152 wrote to memory of 5532 5152 rlxrxxf.exe 87 PID 5152 wrote to memory of 5532 5152 rlxrxxf.exe 87 PID 5532 wrote to memory of 2200 5532 nntthh.exe 89 PID 5532 wrote to memory of 2200 5532 nntthh.exe 89 PID 5532 wrote to memory of 2200 5532 nntthh.exe 89 PID 2200 wrote to memory of 4572 2200 5bbtnn.exe 90 PID 2200 wrote to memory of 4572 2200 5bbtnn.exe 90 PID 2200 wrote to memory of 4572 2200 5bbtnn.exe 90 PID 4572 wrote to memory of 2716 4572 xrrllxr.exe 91 PID 4572 wrote to memory of 2716 4572 xrrllxr.exe 91 PID 4572 wrote to memory of 2716 4572 xrrllxr.exe 91 PID 2716 wrote to memory of 2280 2716 ntttnn.exe 92 PID 2716 wrote to memory of 2280 2716 ntttnn.exe 92 PID 2716 wrote to memory of 2280 2716 ntttnn.exe 92 PID 2280 wrote to memory of 1816 2280 vdjdp.exe 93 PID 2280 wrote to memory of 1816 2280 vdjdp.exe 93 PID 2280 wrote to memory of 1816 2280 vdjdp.exe 93 PID 1816 wrote to memory of 4404 1816 vpvpd.exe 94 PID 1816 wrote to memory of 4404 1816 vpvpd.exe 94 PID 1816 wrote to memory of 4404 1816 vpvpd.exe 94 PID 4404 wrote to memory of 5184 4404 rrfxrrr.exe 95 PID 4404 wrote to memory of 5184 4404 rrfxrrr.exe 95 PID 4404 wrote to memory of 5184 4404 rrfxrrr.exe 95 PID 5184 wrote to memory of 6140 5184 hbtnbt.exe 96 PID 5184 wrote to memory of 6140 5184 hbtnbt.exe 96 PID 5184 wrote to memory of 6140 5184 hbtnbt.exe 96 PID 6140 wrote to memory of 6056 6140 3thbtt.exe 97 PID 6140 wrote to memory of 6056 6140 3thbtt.exe 97 PID 6140 wrote to memory of 6056 6140 3thbtt.exe 97 PID 
6056 wrote to memory of 5856 6056 nhhthb.exe 98 PID 6056 wrote to memory of 5856 6056 nhhthb.exe 98 PID 6056 wrote to memory of 5856 6056 nhhthb.exe 98 PID 5856 wrote to memory of 5924 5856 vpvpd.exe 99 PID 5856 wrote to memory of 5924 5856 vpvpd.exe 99 PID 5856 wrote to memory of 5924 5856 vpvpd.exe 99 PID 5924 wrote to memory of 5956 5924 xfxrlfx.exe 100 PID 5924 wrote to memory of 5956 5924 xfxrlfx.exe 100 PID 5924 wrote to memory of 5956 5924 xfxrlfx.exe 100 PID 5956 wrote to memory of 6116 5956 vpvpj.exe 101 PID 5956 wrote to memory of 6116 5956 vpvpj.exe 101 PID 5956 wrote to memory of 6116 5956 vpvpj.exe 101 PID 6116 wrote to memory of 5908 6116 tnbttt.exe 102 PID 6116 wrote to memory of 5908 6116 tnbttt.exe 102 PID 6116 wrote to memory of 5908 6116 tnbttt.exe 102 PID 5908 wrote to memory of 5836 5908 pjjvp.exe 103 PID 5908 wrote to memory of 5836 5908 pjjvp.exe 103 PID 5908 wrote to memory of 5836 5908 pjjvp.exe 103 PID 5836 wrote to memory of 5516 5836 bnnnhh.exe 104 PID 5836 wrote to memory of 5516 5836 bnnnhh.exe 104 PID 5836 wrote to memory of 5516 5836 bnnnhh.exe 104 PID 5516 wrote to memory of 1468 5516 pdjvp.exe 105 PID 5516 wrote to memory of 1468 5516 pdjvp.exe 105 PID 5516 wrote to memory of 1468 5516 pdjvp.exe 105 PID 1468 wrote to memory of 3916 1468 xrlxrlf.exe 106 PID 1468 wrote to memory of 3916 1468 xrlxrlf.exe 106 PID 1468 wrote to memory of 3916 1468 xrlxrlf.exe 106 PID 3916 wrote to memory of 4880 3916 vdpdv.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5b68df54699a5e79c8055bcc740f4c0N.exe"C:\Users\Admin\AppData\Local\Temp\a5b68df54699a5e79c8055bcc740f4c0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\3bhhhh.exec:\3bhhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5128 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5152 -
\??\c:\nntthh.exec:\nntthh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5532 -
\??\c:\5bbtnn.exec:\5bbtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200 -
\??\c:\xrrllxr.exec:\xrrllxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\ntttnn.exec:\ntttnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\vdjdp.exec:\vdjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\vpvpd.exec:\vpvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\rrfxrrr.exec:\rrfxrrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\hbtnbt.exec:\hbtnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5184 -
\??\c:\3thbtt.exec:\3thbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6140 -
\??\c:\nhhthb.exec:\nhhthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6056 -
\??\c:\vpvpd.exec:\vpvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5856 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5924 -
\??\c:\vpvpj.exec:\vpvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5956 -
\??\c:\tnbttt.exec:\tnbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6116 -
\??\c:\pjjvp.exec:\pjjvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5908 -
\??\c:\bnnnhh.exec:\bnnnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5836 -
\??\c:\pdjvp.exec:\pdjvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5516 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\vdpdv.exec:\vdpdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\rlrlllf.exec:\rlrlllf.exe23⤵
- Executes dropped EXE
PID:4880 -
\??\c:\7ppvp.exec:\7ppvp.exe24⤵
- Executes dropped EXE
PID:5760 -
\??\c:\9rxxlrf.exec:\9rxxlrf.exe25⤵
- Executes dropped EXE
PID:2020 -
\??\c:\7hnhhh.exec:\7hnhhh.exe26⤵
- Executes dropped EXE
PID:3180 -
\??\c:\fxfxrrf.exec:\fxfxrrf.exe27⤵
- Executes dropped EXE
PID:2308 -
\??\c:\jdjdv.exec:\jdjdv.exe28⤵
- Executes dropped EXE
PID:2128 -
\??\c:\pjpvp.exec:\pjpvp.exe29⤵
- Executes dropped EXE
PID:464 -
\??\c:\rrrflff.exec:\rrrflff.exe30⤵
- Executes dropped EXE
PID:3484 -
\??\c:\nbhbnh.exec:\nbhbnh.exe31⤵
- Executes dropped EXE
PID:5104 -
\??\c:\tntbtb.exec:\tntbtb.exe32⤵
- Executes dropped EXE
PID:5724 -
\??\c:\3vdpv.exec:\3vdpv.exe33⤵
- Executes dropped EXE
PID:5256 -
\??\c:\fxxrlff.exec:\fxxrlff.exe34⤵
- Executes dropped EXE
PID:3660 -
\??\c:\xfxlfxr.exec:\xfxlfxr.exe35⤵
- Executes dropped EXE
PID:3344 -
\??\c:\dvvjv.exec:\dvvjv.exe36⤵
- Executes dropped EXE
PID:4016 -
\??\c:\lrxlxfr.exec:\lrxlxfr.exe37⤵
- Executes dropped EXE
PID:552 -
\??\c:\5hhtnh.exec:\5hhtnh.exe38⤵
- Executes dropped EXE
PID:1920 -
\??\c:\9pddj.exec:\9pddj.exe39⤵
- Executes dropped EXE
PID:5452 -
\??\c:\pdvdd.exec:\pdvdd.exe40⤵
- Executes dropped EXE
PID:3460 -
\??\c:\fffffff.exec:\fffffff.exe41⤵
- Executes dropped EXE
PID:4924 -
\??\c:\hntthn.exec:\hntthn.exe42⤵
- Executes dropped EXE
PID:3040 -
\??\c:\vvvdv.exec:\vvvdv.exe43⤵
- Executes dropped EXE
PID:2828 -
\??\c:\lfrlfxx.exec:\lfrlfxx.exe44⤵
- Executes dropped EXE
PID:2336 -
\??\c:\rfrrrrr.exec:\rfrrrrr.exe45⤵
- Executes dropped EXE
PID:1472 -
\??\c:\ttttnh.exec:\ttttnh.exe46⤵
- Executes dropped EXE
PID:5632 -
\??\c:\lrffrrl.exec:\lrffrrl.exe47⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bttnhh.exec:\bttnhh.exe48⤵
- Executes dropped EXE
PID:4628 -
\??\c:\5jdvj.exec:\5jdvj.exe49⤵
- Executes dropped EXE
PID:4292 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe50⤵
- Executes dropped EXE
PID:2900 -
\??\c:\nhnbhb.exec:\nhnbhb.exe51⤵
- Executes dropped EXE
PID:4804 -
\??\c:\pdjpv.exec:\pdjpv.exe52⤵
- Executes dropped EXE
PID:908 -
\??\c:\lrrrfxr.exec:\lrrrfxr.exe53⤵
- Executes dropped EXE
PID:5384 -
\??\c:\lffrxrx.exec:\lffrxrx.exe54⤵
- Executes dropped EXE
PID:732 -
\??\c:\dvvjd.exec:\dvvjd.exe55⤵
- Executes dropped EXE
PID:1020 -
\??\c:\lffrlfl.exec:\lffrlfl.exe56⤵
- Executes dropped EXE
PID:1100 -
\??\c:\9nhbnh.exec:\9nhbnh.exe57⤵
- Executes dropped EXE
PID:1672 -
\??\c:\vjjdv.exec:\vjjdv.exe58⤵
- Executes dropped EXE
PID:4768 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe59⤵
- Executes dropped EXE
PID:1724 -
\??\c:\hhhnnt.exec:\hhhnnt.exe60⤵
- Executes dropped EXE
PID:4236 -
\??\c:\1jvpj.exec:\1jvpj.exe61⤵
- Executes dropped EXE
PID:2148 -
\??\c:\lllfxrl.exec:\lllfxrl.exe62⤵
- Executes dropped EXE
PID:2452 -
\??\c:\htbttn.exec:\htbttn.exe63⤵
- Executes dropped EXE
PID:2396 -
\??\c:\hbbbtt.exec:\hbbbtt.exe64⤵
- Executes dropped EXE
PID:3440 -
\??\c:\ffrlrrf.exec:\ffrlrrf.exe65⤵
- Executes dropped EXE
PID:3480 -
\??\c:\nbhbnn.exec:\nbhbnn.exe66⤵PID:3960
-
\??\c:\9jdpp.exec:\9jdpp.exe67⤵PID:3568
-
\??\c:\hbhbnn.exec:\hbhbnn.exe68⤵PID:5016
-
\??\c:\3fffxff.exec:\3fffxff.exe69⤵PID:2636
-
\??\c:\ddppv.exec:\ddppv.exe70⤵PID:2604
-
\??\c:\dvddv.exec:\dvddv.exe71⤵PID:972
-
\??\c:\3xrrfll.exec:\3xrrfll.exe72⤵PID:1208
-
\??\c:\ttbtnn.exec:\ttbtnn.exe73⤵PID:4360
-
\??\c:\thnhbt.exec:\thnhbt.exe74⤵PID:4344
-
\??\c:\jdjpp.exec:\jdjpp.exe75⤵PID:2332
-
\??\c:\lxllllx.exec:\lxllllx.exe76⤵PID:5172
-
\??\c:\bnthbt.exec:\bnthbt.exe77⤵PID:5152
-
\??\c:\ddjdd.exec:\ddjdd.exe78⤵PID:5548
-
\??\c:\jjvvp.exec:\jjvvp.exe79⤵PID:5508
-
\??\c:\fxxrrrl.exec:\fxxrrrl.exe80⤵PID:2212
-
\??\c:\bttnnh.exec:\bttnnh.exe81⤵PID:5440
-
\??\c:\bbttbn.exec:\bbttbn.exe82⤵PID:5536
-
\??\c:\3vvpd.exec:\3vvpd.exe83⤵PID:2304
-
\??\c:\xfrffxr.exec:\xfrffxr.exe84⤵PID:2172
-
\??\c:\lxlffxr.exec:\lxlffxr.exe85⤵PID:3808
-
\??\c:\7hhbbh.exec:\7hhbbh.exe86⤵PID:4400
-
\??\c:\jdvpj.exec:\jdvpj.exe87⤵PID:5984
-
\??\c:\7vddv.exec:\7vddv.exe88⤵PID:6080
-
\??\c:\xlrlfrl.exec:\xlrlfrl.exe89⤵PID:5912
-
\??\c:\bntntt.exec:\bntntt.exe90⤵PID:5920
-
\??\c:\5ntnhh.exec:\5ntnhh.exe91⤵PID:5992
-
\??\c:\dvdvv.exec:\dvdvv.exe92⤵PID:5956
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe93⤵PID:1604
-
\??\c:\9ttnhh.exec:\9ttnhh.exe94⤵PID:5816
-
\??\c:\pvjjd.exec:\pvjjd.exe95⤵
- System Location Discovery: System Language Discovery
PID:5832 -
\??\c:\xlfxrrf.exec:\xlfxrrf.exe96⤵PID:5844
-
\??\c:\3tthbt.exec:\3tthbt.exe97⤵PID:3612
-
\??\c:\htnbtn.exec:\htnbtn.exe98⤵PID:456
-
\??\c:\vjvpd.exec:\vjvpd.exe99⤵PID:1468
-
\??\c:\7fxfxfx.exec:\7fxfxfx.exe100⤵PID:3916
-
\??\c:\1tbtnn.exec:\1tbtnn.exe101⤵PID:3572
-
\??\c:\vpdpj.exec:\vpdpj.exe102⤵PID:3464
-
\??\c:\ppjdd.exec:\ppjdd.exe103⤵PID:624
-
\??\c:\5flxllx.exec:\5flxllx.exe104⤵PID:2020
-
\??\c:\tnhhhh.exec:\tnhhhh.exe105⤵PID:3008
-
\??\c:\jjpvj.exec:\jjpvj.exe106⤵PID:5444
-
\??\c:\vvjvv.exec:\vvjvv.exe107⤵PID:4956
-
\??\c:\lxlfxfx.exec:\lxlfxfx.exe108⤵PID:3116
-
\??\c:\hbbbhb.exec:\hbbbhb.exe109⤵PID:4456
-
\??\c:\jdjjd.exec:\jdjjd.exe110⤵PID:3672
-
\??\c:\dvvpj.exec:\dvvpj.exe111⤵PID:3484
-
\??\c:\rrlfxrr.exec:\rrlfxrr.exe112⤵PID:5736
-
\??\c:\tnnhnn.exec:\tnnhnn.exe113⤵PID:5264
-
\??\c:\dvjdj.exec:\dvjdj.exe114⤵PID:3632
-
\??\c:\vvvpv.exec:\vvvpv.exe115⤵PID:5676
-
\??\c:\frxxrlx.exec:\frxxrlx.exe116⤵PID:4212
-
\??\c:\tntnbb.exec:\tntnbb.exe117⤵PID:5652
-
\??\c:\ddppd.exec:\ddppd.exe118⤵PID:4444
-
\??\c:\xrrrlff.exec:\xrrrlff.exe119⤵PID:5004
-
\??\c:\lfllrlr.exec:\lfllrlr.exe120⤵PID:552
-
\??\c:\btnhbb.exec:\btnhbb.exe121⤵PID:436
-
\??\c:\dvddj.exec:\dvddj.exe122⤵PID:5452
-