Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-11-2024 04:00
Behavioral task
behavioral1
Sample
414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exe
Resource
win7-20241023-en
Note: every signature hit and process entry below is tagged behavioral2 (apparently the win10v2004-20241007-en run listed under Analysis); no results from this win7-20241023-en task appear on this page, so behaviour on Windows 7 cannot be inferred from it.
General
-
Target
414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exe
-
Size
88KB
-
MD5
b335a746c82b1ce3728cab35dc3b1e64
-
SHA1
a8091ef3d90b56035109605127d618063f88afdf
-
SHA256
414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d
-
SHA512
357c1783a91ebc7cafe5188dafa5888f4bbc9c7c406c30484aee71e046acfd3ab2a7e651c2276b33c14cd6bcb8f8f731be6b1a6321287af6e930ffb1b153855b
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8yaVskCzYBbKd+XsWgADf1tE7hW1AI:9hOmTsF93UYfwC6GIoutyaVszyKd+XYE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (every family_blackmoon hit is on an in-memory dump of the 0x00400000-0x00427000 region; the dropped files on disk match only the UPX rule below, so the family signature fires on the unpacked image, not on the packed file — static scanning of the dropped EXEs alone would not classify them)
Processes:
resource yara_rule behavioral2/memory/2388-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3496-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1472-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4896-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4216-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3464-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2280-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1388-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4740-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-160-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1308-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4052-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5048-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2252-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/232-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1472-301-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-305-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3044-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5060-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2720-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4220-347-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2672-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-391-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/788-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/520-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4320-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4988-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/216-469-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-500-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-556-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/384-627-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-649-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-830-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-876-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1308-922-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/5028-1130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each stage drops the next one to the root of C:\ under a short pseudo-random name built from a small consonant set plus an optional leading digit — e.g. nhnhnh.exe, vpjjj.exe, 3xrrllx.exe — and launches it, yielding a linear parent→child chain more than 120 processes deep; every stage maps the same 0x00400000-0x00427000 region, consistent with the same packed binary being re-dropped under a new name each time. Hunting hint: executables created in and launched from C:\ root with names of this shape.)
Processes:
nhnhnh.exevpjjj.exe3xrrllx.exebnnbht.exejpjdd.exellxlfxl.exethnhhh.exevddpd.exexflxlfx.exebnnhbt.exentnhtn.exedpvjv.exellflxxx.exethnbnh.exe9dpjp.exe7ppjd.exexrfxxxl.exebtbttt.exe7pjvv.exejddvv.exepjjdv.exelxxrfxl.exethtnbb.exetnhbth.exepjdvv.exe9jdpd.exerlxrxxl.exehbntnt.exe9bbthn.exejpjdp.exefrfrfxr.exelfffrlf.exehhtnbt.exevdpdj.exeflfrllf.exetnbbbn.exebnbhtt.exedjdvj.exe1bhnhh.exenbtbnh.exepvjdv.exexxrfrlr.exenhthbt.exejjjdj.exepdjvv.exefrlflfx.exexfxrrlx.exetbbtnh.exejdvjd.exepjdpd.exerxxrrxx.exebntbbh.exeththnh.exejpdvj.exexrflxlf.exefrxlxxf.exetnnbnb.exe3thhnh.exeddvpd.exexflflrx.exeffxlffr.exehttnhb.exenbhbhh.exejjvjd.exepid Process 3672 nhnhnh.exe 3648 vpjjj.exe 4548 3xrrllx.exe 1872 bnnbht.exe 3636 jpjdd.exe 4324 llxlfxl.exe 3172 thnhhh.exe 1672 vddpd.exe 1964 xflxlfx.exe 3496 bnnhbt.exe 4704 ntnhtn.exe 4940 dpvjv.exe 1472 llflxxx.exe 4896 thnbnh.exe 4216 9dpjp.exe 4080 7ppjd.exe 3464 xrfxxxl.exe 2280 btbttt.exe 4884 7pjvv.exe 2040 jddvv.exe 2144 pjjdv.exe 1388 lxxrfxl.exe 4664 thtnbb.exe 3440 tnhbth.exe 4740 pjdvv.exe 4152 9jdpd.exe 2688 rlxrxxl.exe 1356 hbntnt.exe 4832 9bbthn.exe 1212 jpjdp.exe 1308 frfrfxr.exe 2672 lfffrlf.exe 2472 hhtnbt.exe 3516 vdpdj.exe 4024 flfrllf.exe 4052 tnbbbn.exe 5048 bnbhtt.exe 2816 djdvj.exe 3420 1bhnhh.exe 1548 nbtbnh.exe 1728 pvjdv.exe 5024 xxrfrlr.exe 4320 nhthbt.exe 2252 jjjdj.exe 2612 pdjvv.exe 4040 frlflfx.exe 5056 xfxrrlx.exe 4200 tbbtnh.exe 224 jdvjd.exe 4572 pjdpd.exe 4756 rxxrrxx.exe 844 bntbbh.exe 1592 ththnh.exe 3172 jpdvj.exe 1520 xrflxlf.exe 1012 frxlxxf.exe 3952 tnnbnb.exe 1564 3thhnh.exe 1448 ddvpd.exe 2192 xflflrx.exe 232 ffxlffr.exe 2140 httnhb.exe 4236 nbhbhh.exe 1472 jjvjd.exe -
Processes:
resource yara_rule behavioral2/memory/2388-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c94-3.dat upx behavioral2/memory/2388-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3672-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-9.dat upx behavioral2/files/0x0007000000023c9c-13.dat upx behavioral2/memory/3648-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4548-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-22.dat upx behavioral2/memory/1872-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-28.dat upx behavioral2/memory/1872-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-34.dat upx behavioral2/memory/3636-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-43.dat upx behavioral2/memory/4324-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3172-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-46.dat upx behavioral2/files/0x0007000000023ca2-52.dat upx behavioral2/memory/1672-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-58.dat upx behavioral2/files/0x0007000000023ca4-66.dat upx behavioral2/memory/3496-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-69.dat upx behavioral2/memory/4704-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca6-76.dat upx behavioral2/memory/1472-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-81.dat upx behavioral2/memory/4896-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-89.dat upx 
behavioral2/memory/4216-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-93.dat upx behavioral2/memory/4216-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-101.dat upx behavioral2/files/0x0007000000023cab-104.dat upx behavioral2/memory/3464-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-110.dat upx behavioral2/files/0x0007000000023cad-117.dat upx behavioral2/memory/4884-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2280-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2040-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-124.dat upx behavioral2/memory/2144-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4884-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-130.dat upx behavioral2/memory/1388-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4664-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-142.dat upx behavioral2/files/0x0007000000023cb0-135.dat upx behavioral2/files/0x0007000000023cb2-147.dat upx behavioral2/memory/4740-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-152.dat upx behavioral2/files/0x0007000000023cb5-158.dat upx behavioral2/memory/4152-160-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-164.dat upx behavioral2/files/0x0007000000023cb7-170.dat upx behavioral2/memory/4832-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c98-176.dat upx behavioral2/files/0x0007000000023cb8-181.dat upx behavioral2/memory/1308-187-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb9-185.dat upx 
behavioral2/memory/2472-193-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2672-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3516-200-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host — here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language — in order to infer its geographical location (MITRE ATT&CK T1614.001). Such locale checks are commonly used as a kill-switch to avoid running in particular regions; whether this sample changes behaviour based on the result is not shown in this report and should be confirmed from the API trace.
Processes:
1lfxrff.exetthttb.exeppjdj.exerlrrlrl.exevdpdj.exe3vvvp.exe7vjvj.exejdpvj.exe3nthnt.exerflxfxf.exe7pjvd.exetttnbt.exetbbttt.exe7xxrlxx.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lfxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nthnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxrlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Suspicious use of WriteProcessMemory 64 IoCs (every recorded write is from a parent to the child it has just spawned, in groups of three per child, matching the pid pairs in the process tree below; no write into a pre-existing or unrelated process is logged, which is more consistent with process creation than with injection into a foreign process — confirm against the full API trace before treating this as injection)
Processes:
414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exenhnhnh.exevpjjj.exe3xrrllx.exebnnbht.exejpjdd.exellxlfxl.exethnhhh.exevddpd.exexflxlfx.exebnnhbt.exentnhtn.exedpvjv.exellflxxx.exethnbnh.exe9dpjp.exe7ppjd.exexrfxxxl.exebtbttt.exe7pjvv.exejddvv.exepjjdv.exedescription pid Process procid_target PID 2388 wrote to memory of 3672 2388 414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exe 82 PID 2388 wrote to memory of 3672 2388 414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exe 82 PID 2388 wrote to memory of 3672 2388 414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exe 82 PID 3672 wrote to memory of 3648 3672 nhnhnh.exe 83 PID 3672 wrote to memory of 3648 3672 nhnhnh.exe 83 PID 3672 wrote to memory of 3648 3672 nhnhnh.exe 83 PID 3648 wrote to memory of 4548 3648 vpjjj.exe 84 PID 3648 wrote to memory of 4548 3648 vpjjj.exe 84 PID 3648 wrote to memory of 4548 3648 vpjjj.exe 84 PID 4548 wrote to memory of 1872 4548 3xrrllx.exe 85 PID 4548 wrote to memory of 1872 4548 3xrrllx.exe 85 PID 4548 wrote to memory of 1872 4548 3xrrllx.exe 85 PID 1872 wrote to memory of 3636 1872 bnnbht.exe 86 PID 1872 wrote to memory of 3636 1872 bnnbht.exe 86 PID 1872 wrote to memory of 3636 1872 bnnbht.exe 86 PID 3636 wrote to memory of 4324 3636 jpjdd.exe 87 PID 3636 wrote to memory of 4324 3636 jpjdd.exe 87 PID 3636 wrote to memory of 4324 3636 jpjdd.exe 87 PID 4324 wrote to memory of 3172 4324 llxlfxl.exe 88 PID 4324 wrote to memory of 3172 4324 llxlfxl.exe 88 PID 4324 wrote to memory of 3172 4324 llxlfxl.exe 88 PID 3172 wrote to memory of 1672 3172 thnhhh.exe 89 PID 3172 wrote to memory of 1672 3172 thnhhh.exe 89 PID 3172 wrote to memory of 1672 3172 thnhhh.exe 89 PID 1672 wrote to memory of 1964 1672 vddpd.exe 90 PID 1672 wrote to memory of 1964 1672 vddpd.exe 90 PID 1672 wrote to memory of 1964 1672 vddpd.exe 90 PID 1964 wrote to memory of 3496 1964 xflxlfx.exe 91 PID 1964 wrote to memory of 3496 1964 xflxlfx.exe 91 PID 
1964 wrote to memory of 3496 1964 xflxlfx.exe 91 PID 3496 wrote to memory of 4704 3496 bnnhbt.exe 92 PID 3496 wrote to memory of 4704 3496 bnnhbt.exe 92 PID 3496 wrote to memory of 4704 3496 bnnhbt.exe 92 PID 4704 wrote to memory of 4940 4704 ntnhtn.exe 93 PID 4704 wrote to memory of 4940 4704 ntnhtn.exe 93 PID 4704 wrote to memory of 4940 4704 ntnhtn.exe 93 PID 4940 wrote to memory of 1472 4940 dpvjv.exe 94 PID 4940 wrote to memory of 1472 4940 dpvjv.exe 94 PID 4940 wrote to memory of 1472 4940 dpvjv.exe 94 PID 1472 wrote to memory of 4896 1472 llflxxx.exe 95 PID 1472 wrote to memory of 4896 1472 llflxxx.exe 95 PID 1472 wrote to memory of 4896 1472 llflxxx.exe 95 PID 4896 wrote to memory of 4216 4896 thnbnh.exe 96 PID 4896 wrote to memory of 4216 4896 thnbnh.exe 96 PID 4896 wrote to memory of 4216 4896 thnbnh.exe 96 PID 4216 wrote to memory of 4080 4216 9dpjp.exe 97 PID 4216 wrote to memory of 4080 4216 9dpjp.exe 97 PID 4216 wrote to memory of 4080 4216 9dpjp.exe 97 PID 4080 wrote to memory of 3464 4080 7ppjd.exe 98 PID 4080 wrote to memory of 3464 4080 7ppjd.exe 98 PID 4080 wrote to memory of 3464 4080 7ppjd.exe 98 PID 3464 wrote to memory of 2280 3464 xrfxxxl.exe 99 PID 3464 wrote to memory of 2280 3464 xrfxxxl.exe 99 PID 3464 wrote to memory of 2280 3464 xrfxxxl.exe 99 PID 2280 wrote to memory of 4884 2280 btbttt.exe 100 PID 2280 wrote to memory of 4884 2280 btbttt.exe 100 PID 2280 wrote to memory of 4884 2280 btbttt.exe 100 PID 4884 wrote to memory of 2040 4884 7pjvv.exe 101 PID 4884 wrote to memory of 2040 4884 7pjvv.exe 101 PID 4884 wrote to memory of 2040 4884 7pjvv.exe 101 PID 2040 wrote to memory of 2144 2040 jddvv.exe 102 PID 2040 wrote to memory of 2144 2040 jddvv.exe 102 PID 2040 wrote to memory of 2144 2040 jddvv.exe 102 PID 2144 wrote to memory of 1388 2144 pjjdv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exe"C:\Users\Admin\AppData\Local\Temp\414544bf9d6d4f8f475e6209f028fee379caa1752659ce5996d521a50119a51d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\nhnhnh.exec:\nhnhnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\vpjjj.exec:\vpjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\3xrrllx.exec:\3xrrllx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\bnnbht.exec:\bnnbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\jpjdd.exec:\jpjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\llxlfxl.exec:\llxlfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\thnhhh.exec:\thnhhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\vddpd.exec:\vddpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\xflxlfx.exec:\xflxlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\bnnhbt.exec:\bnnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\ntnhtn.exec:\ntnhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\dpvjv.exec:\dpvjv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\llflxxx.exec:\llflxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\thnbnh.exec:\thnbnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\9dpjp.exec:\9dpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\7ppjd.exec:\7ppjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\xrfxxxl.exec:\xrfxxxl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\btbttt.exec:\btbttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\7pjvv.exec:\7pjvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\jddvv.exec:\jddvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\pjjdv.exec:\pjjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\lxxrfxl.exec:\lxxrfxl.exe23⤵
- Executes dropped EXE
PID:1388 -
\??\c:\thtnbb.exec:\thtnbb.exe24⤵
- Executes dropped EXE
PID:4664 -
\??\c:\tnhbth.exec:\tnhbth.exe25⤵
- Executes dropped EXE
PID:3440 -
\??\c:\pjdvv.exec:\pjdvv.exe26⤵
- Executes dropped EXE
PID:4740 -
\??\c:\9jdpd.exec:\9jdpd.exe27⤵
- Executes dropped EXE
PID:4152 -
\??\c:\rlxrxxl.exec:\rlxrxxl.exe28⤵
- Executes dropped EXE
PID:2688 -
\??\c:\hbntnt.exec:\hbntnt.exe29⤵
- Executes dropped EXE
PID:1356 -
\??\c:\9bbthn.exec:\9bbthn.exe30⤵
- Executes dropped EXE
PID:4832 -
\??\c:\jpjdp.exec:\jpjdp.exe31⤵
- Executes dropped EXE
PID:1212 -
\??\c:\frfrfxr.exec:\frfrfxr.exe32⤵
- Executes dropped EXE
PID:1308 -
\??\c:\lfffrlf.exec:\lfffrlf.exe33⤵
- Executes dropped EXE
PID:2672 -
\??\c:\hhtnbt.exec:\hhtnbt.exe34⤵
- Executes dropped EXE
PID:2472 -
\??\c:\vdpdj.exec:\vdpdj.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3516 -
\??\c:\flfrllf.exec:\flfrllf.exe36⤵
- Executes dropped EXE
PID:4024 -
\??\c:\tnbbbn.exec:\tnbbbn.exe37⤵
- Executes dropped EXE
PID:4052 -
\??\c:\bnbhtt.exec:\bnbhtt.exe38⤵
- Executes dropped EXE
PID:5048 -
\??\c:\djdvj.exec:\djdvj.exe39⤵
- Executes dropped EXE
PID:2816 -
\??\c:\1bhnhh.exec:\1bhnhh.exe40⤵
- Executes dropped EXE
PID:3420 -
\??\c:\nbtbnh.exec:\nbtbnh.exe41⤵
- Executes dropped EXE
PID:1548 -
\??\c:\pvjdv.exec:\pvjdv.exe42⤵
- Executes dropped EXE
PID:1728 -
\??\c:\xxrfrlr.exec:\xxrfrlr.exe43⤵
- Executes dropped EXE
PID:5024 -
\??\c:\nhthbt.exec:\nhthbt.exe44⤵
- Executes dropped EXE
PID:4320 -
\??\c:\jjjdj.exec:\jjjdj.exe45⤵
- Executes dropped EXE
PID:2252 -
\??\c:\pdjvv.exec:\pdjvv.exe46⤵
- Executes dropped EXE
PID:2612 -
\??\c:\frlflfx.exec:\frlflfx.exe47⤵
- Executes dropped EXE
PID:4040 -
\??\c:\xfxrrlx.exec:\xfxrrlx.exe48⤵
- Executes dropped EXE
PID:5056 -
\??\c:\tbbtnh.exec:\tbbtnh.exe49⤵
- Executes dropped EXE
PID:4200 -
\??\c:\jdvjd.exec:\jdvjd.exe50⤵
- Executes dropped EXE
PID:224 -
\??\c:\pjdpd.exec:\pjdpd.exe51⤵
- Executes dropped EXE
PID:4572 -
\??\c:\rxxrrxx.exec:\rxxrrxx.exe52⤵
- Executes dropped EXE
PID:4756 -
\??\c:\bntbbh.exec:\bntbbh.exe53⤵
- Executes dropped EXE
PID:844 -
\??\c:\ththnh.exec:\ththnh.exe54⤵
- Executes dropped EXE
PID:1592 -
\??\c:\jpdvj.exec:\jpdvj.exe55⤵
- Executes dropped EXE
PID:3172 -
\??\c:\xrflxlf.exec:\xrflxlf.exe56⤵
- Executes dropped EXE
PID:1520 -
\??\c:\frxlxxf.exec:\frxlxxf.exe57⤵
- Executes dropped EXE
PID:1012 -
\??\c:\tnnbnb.exec:\tnnbnb.exe58⤵
- Executes dropped EXE
PID:3952 -
\??\c:\3thhnh.exec:\3thhnh.exe59⤵
- Executes dropped EXE
PID:1564 -
\??\c:\ddvpd.exec:\ddvpd.exe60⤵
- Executes dropped EXE
PID:1448 -
\??\c:\xflflrx.exec:\xflflrx.exe61⤵
- Executes dropped EXE
PID:2192 -
\??\c:\ffxlffr.exec:\ffxlffr.exe62⤵
- Executes dropped EXE
PID:232 -
\??\c:\httnhb.exec:\httnhb.exe63⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nbhbhh.exec:\nbhbhh.exe64⤵
- Executes dropped EXE
PID:4236 -
\??\c:\jjvjd.exec:\jjvjd.exe65⤵
- Executes dropped EXE
PID:1472 -
\??\c:\llfxlfx.exec:\llfxlfx.exe66⤵PID:3548
-
\??\c:\flfxrlf.exec:\flfxrlf.exe67⤵PID:1516
-
\??\c:\7hhhbt.exec:\7hhhbt.exe68⤵PID:3532
-
\??\c:\pdjjd.exec:\pdjjd.exe69⤵PID:3288
-
\??\c:\vvddd.exec:\vvddd.exe70⤵PID:3044
-
\??\c:\3lllxxr.exec:\3lllxxr.exe71⤵PID:5060
-
\??\c:\nbnnnn.exec:\nbnnnn.exe72⤵PID:2720
-
\??\c:\jjvjp.exec:\jjvjp.exe73⤵PID:3016
-
\??\c:\5frlxrr.exec:\5frlxrr.exe74⤵PID:3852
-
\??\c:\fxxrxrx.exec:\fxxrxrx.exe75⤵PID:760
-
\??\c:\bnhhtt.exec:\bnhhtt.exe76⤵PID:1500
-
\??\c:\vdppj.exec:\vdppj.exe77⤵PID:4948
-
\??\c:\fxffrrl.exec:\fxffrrl.exe78⤵PID:4220
-
\??\c:\7xllffx.exec:\7xllffx.exe79⤵PID:4428
-
\??\c:\1nnnbb.exec:\1nnnbb.exe80⤵PID:1052
-
\??\c:\vddvv.exec:\vddvv.exe81⤵PID:3988
-
\??\c:\pjjdv.exec:\pjjdv.exe82⤵PID:3216
-
\??\c:\lflfxrl.exec:\lflfxrl.exe83⤵PID:4644
-
\??\c:\lfrlxlr.exec:\lfrlxlr.exe84⤵PID:2044
-
\??\c:\ntnhhb.exec:\ntnhhb.exe85⤵PID:3240
-
\??\c:\dvvpv.exec:\dvvpv.exe86⤵PID:2484
-
\??\c:\xxlxrlx.exec:\xxlxrlx.exe87⤵PID:2508
-
\??\c:\fxffxlr.exec:\fxffxlr.exe88⤵PID:3684
-
\??\c:\tbnbbb.exec:\tbnbbb.exe89⤵PID:2212
-
\??\c:\jjjdd.exec:\jjjdd.exe90⤵PID:2672
-
\??\c:\pvvvp.exec:\pvvvp.exe91⤵PID:4864
-
\??\c:\xlxlfxl.exec:\xlxlfxl.exe92⤵PID:4632
-
\??\c:\hnnttb.exec:\hnnttb.exe93⤵PID:756
-
\??\c:\hntttt.exec:\hntttt.exe94⤵PID:2020
-
\??\c:\1djjj.exec:\1djjj.exe95⤵PID:4972
-
\??\c:\xfxrfxr.exec:\xfxrfxr.exe96⤵PID:552
-
\??\c:\lrxxxfr.exec:\lrxxxfr.exe97⤵PID:788
-
\??\c:\hhhhbb.exec:\hhhhbb.exe98⤵PID:4340
-
\??\c:\vjpjv.exec:\vjpjv.exe99⤵PID:4016
-
\??\c:\jdvpj.exec:\jdvpj.exe100⤵PID:4508
-
\??\c:\xrlfxxx.exec:\xrlfxxx.exe101⤵PID:520
-
\??\c:\9btnnn.exec:\9btnnn.exe102⤵PID:3528
-
\??\c:\bbnntt.exec:\bbnntt.exe103⤵PID:2100
-
\??\c:\jppvp.exec:\jppvp.exe104⤵PID:2492
-
\??\c:\xxrlxrl.exec:\xxrlxrl.exe105⤵PID:1728
-
\??\c:\9xxllfr.exec:\9xxllfr.exe106⤵PID:5024
-
\??\c:\thbhhn.exec:\thbhhn.exe107⤵PID:4320
-
\??\c:\7jdvj.exec:\7jdvj.exe108⤵PID:4988
-
\??\c:\vpjvv.exec:\vpjvv.exe109⤵PID:3668
-
\??\c:\9xrfrfx.exec:\9xrfrfx.exe110⤵PID:1160
-
\??\c:\tnbnbt.exec:\tnbnbt.exe111⤵PID:556
-
\??\c:\bbtnhb.exec:\bbtnhb.exe112⤵PID:3108
-
\??\c:\3jddp.exec:\3jddp.exe113⤵PID:3184
-
\??\c:\dvjdp.exec:\dvjdp.exe114⤵PID:3940
-
\??\c:\rxlfrlx.exec:\rxlfrlx.exe115⤵PID:216
-
\??\c:\thnnth.exec:\thnnth.exe116⤵PID:644
-
\??\c:\1tnhtn.exec:\1tnhtn.exe117⤵PID:1592
-
\??\c:\vvpjd.exec:\vvpjd.exe118⤵PID:8
-
\??\c:\5xrfrll.exec:\5xrfrll.exe119⤵PID:1088
-
\??\c:\lfllrlr.exec:\lfllrlr.exe120⤵PID:1068
-
\??\c:\nbnhnh.exec:\nbnhnh.exe121⤵PID:544
-
\??\c:\vpdjd.exec:\vpdjd.exe122⤵PID:2496