Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe
-
Size
454KB
-
MD5
7da8d92eb3239e2873cf55d9f78f7ddf
-
SHA1
b5c1e180310c363376c267f6a43782a692b5b605
-
SHA256
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7
-
SHA512
6e7a6290916e0cace2e773c3ae5209117ef4bacc7cf9eb12a33ef4ae895af297fbf97df131e4caa707ddc4c17eafe3e4bcbfe4f5806f1c2a6562a02172d5e19f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet7:q7Tc2NYHUrAwfMp3CDt7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3916-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1172-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2384-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-845-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-949-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-965-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-1015-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-1570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-1936-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 228 lxllffx.exe 884 5nnnhn.exe 3132 fffxffx.exe 4704 7llxxrl.exe 3652 ddddj.exe 4504 3bhbtb.exe 2168 jjpvv.exe 2572 nhbttn.exe 4012 jvvpj.exe 3368 bttbtb.exe 1712 dpvpj.exe 4996 3lxlfxx.exe 4924 5vjdd.exe 3588 jjjdp.exe 2588 5bbnhh.exe 1128 3pjdp.exe 4264 nhhhbb.exe 5032 3tthtn.exe 2204 lrlxrlx.exe 508 tbbtnn.exe 1872 thtnth.exe 1908 rflfxxx.exe 3348 bnbnht.exe 4776 pvvjv.exe 1360 5lfxllf.exe 1756 hbtbtn.exe 2052 9vvpj.exe 232 jvpdv.exe 1172 7rrffrf.exe 2612 frfrxfx.exe 4288 fxxlfxr.exe 3196 bhhbnh.exe 2620 tthbtt.exe 4216 vpvjv.exe 4456 fxfxrrl.exe 4304 xlllfff.exe 860 3tthbn.exe 4152 pjpvp.exe 2444 9rrfrlr.exe 5068 bnnhhn.exe 2716 5dpdp.exe 4472 rffrfxr.exe 1576 hbnhth.exe 1092 1vpvj.exe 228 lxrfrfx.exe 4844 nbhtnh.exe 760 hhhbnn.exe 3132 jddvv.exe 3824 vvvvp.exe 4468 xrrllfx.exe 3652 7bthbh.exe 2436 pdddj.exe 868 9vvpj.exe 5012 xrrxrll.exe 2572 nhhnbh.exe 1380 dvjdd.exe 3760 rrxrlll.exe 2256 tbhbtn.exe 2532 5vvvv.exe 3276 1rrfxxl.exe 2836 nhbnhh.exe 2304 7jjdj.exe 4924 jppjv.exe 3868 rflxrfx.exe -
resource yara_rule behavioral2/memory/3916-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-191-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4456-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-418-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3956-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-845-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-945-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-949-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-965-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-1002-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-1461-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 228 3916 9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe 82 PID 3916 wrote to memory of 228 3916 9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe 82 PID 3916 wrote to memory of 228 3916 9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe 82 PID 228 wrote to memory of 884 228 lxllffx.exe 83 PID 228 wrote to memory of 884 228 lxllffx.exe 83 PID 228 wrote to memory of 884 228 lxllffx.exe 83 PID 884 wrote to memory of 3132 884 5nnnhn.exe 84 PID 884 wrote to memory of 3132 884 5nnnhn.exe 84 PID 884 wrote to memory of 3132 884 5nnnhn.exe 84 PID 3132 wrote to memory of 4704 3132 fffxffx.exe 85 PID 3132 wrote to memory of 4704 3132 fffxffx.exe 85 PID 3132 wrote to memory of 4704 3132 fffxffx.exe 85 PID 4704 wrote to memory of 3652 4704 7llxxrl.exe 86 PID 4704 wrote to memory of 3652 4704 7llxxrl.exe 86 PID 4704 wrote to memory of 3652 4704 7llxxrl.exe 86 PID 3652 wrote to memory of 4504 3652 ddddj.exe 87 PID 3652 wrote to memory of 4504 3652 ddddj.exe 87 PID 3652 wrote to memory of 4504 3652 ddddj.exe 87 PID 4504 wrote to memory of 2168 4504 3bhbtb.exe 88 PID 4504 wrote to memory of 2168 4504 3bhbtb.exe 88 PID 4504 wrote to memory of 2168 4504 3bhbtb.exe 88 PID 2168 wrote to memory of 2572 2168 jjpvv.exe 89 PID 2168 wrote to memory of 2572 2168 jjpvv.exe 89 PID 2168 wrote to memory of 2572 2168 jjpvv.exe 89 PID 2572 wrote to memory of 4012 2572 nhbttn.exe 90 PID 2572 wrote to memory of 4012 2572 nhbttn.exe 90 PID 2572 wrote to memory of 4012 2572 nhbttn.exe 90 PID 4012 wrote to memory of 3368 4012 jvvpj.exe 91 PID 4012 wrote to memory of 3368 4012 jvvpj.exe 91 PID 4012 wrote to memory of 3368 4012 jvvpj.exe 91 PID 3368 wrote to memory of 1712 3368 bttbtb.exe 92 PID 3368 wrote to memory of 1712 3368 bttbtb.exe 92 PID 3368 wrote to memory of 1712 3368 bttbtb.exe 92 PID 1712 wrote to memory of 4996 1712 dpvpj.exe 93 PID 1712 wrote to memory of 4996 1712 
dpvpj.exe 93 PID 1712 wrote to memory of 4996 1712 dpvpj.exe 93 PID 4996 wrote to memory of 4924 4996 3lxlfxx.exe 94 PID 4996 wrote to memory of 4924 4996 3lxlfxx.exe 94 PID 4996 wrote to memory of 4924 4996 3lxlfxx.exe 94 PID 4924 wrote to memory of 3588 4924 5vjdd.exe 95 PID 4924 wrote to memory of 3588 4924 5vjdd.exe 95 PID 4924 wrote to memory of 3588 4924 5vjdd.exe 95 PID 3588 wrote to memory of 2588 3588 jjjdp.exe 96 PID 3588 wrote to memory of 2588 3588 jjjdp.exe 96 PID 3588 wrote to memory of 2588 3588 jjjdp.exe 96 PID 2588 wrote to memory of 1128 2588 5bbnhh.exe 97 PID 2588 wrote to memory of 1128 2588 5bbnhh.exe 97 PID 2588 wrote to memory of 1128 2588 5bbnhh.exe 97 PID 1128 wrote to memory of 4264 1128 3pjdp.exe 98 PID 1128 wrote to memory of 4264 1128 3pjdp.exe 98 PID 1128 wrote to memory of 4264 1128 3pjdp.exe 98 PID 4264 wrote to memory of 5032 4264 nhhhbb.exe 99 PID 4264 wrote to memory of 5032 4264 nhhhbb.exe 99 PID 4264 wrote to memory of 5032 4264 nhhhbb.exe 99 PID 5032 wrote to memory of 2204 5032 3tthtn.exe 100 PID 5032 wrote to memory of 2204 5032 3tthtn.exe 100 PID 5032 wrote to memory of 2204 5032 3tthtn.exe 100 PID 2204 wrote to memory of 508 2204 lrlxrlx.exe 101 PID 2204 wrote to memory of 508 2204 lrlxrlx.exe 101 PID 2204 wrote to memory of 508 2204 lrlxrlx.exe 101 PID 508 wrote to memory of 1872 508 tbbtnn.exe 102 PID 508 wrote to memory of 1872 508 tbbtnn.exe 102 PID 508 wrote to memory of 1872 508 tbbtnn.exe 102 PID 1872 wrote to memory of 1908 1872 thtnth.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe"C:\Users\Admin\AppData\Local\Temp\9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\lxllffx.exec:\lxllffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\5nnnhn.exec:\5nnnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\fffxffx.exec:\fffxffx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\7llxxrl.exec:\7llxxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\ddddj.exec:\ddddj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\3bhbtb.exec:\3bhbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\jjpvv.exec:\jjpvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\nhbttn.exec:\nhbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\jvvpj.exec:\jvvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\bttbtb.exec:\bttbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\dpvpj.exec:\dpvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\3lxlfxx.exec:\3lxlfxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4996 -
\??\c:\5vjdd.exec:\5vjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\jjjdp.exec:\jjjdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\5bbnhh.exec:\5bbnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\3pjdp.exec:\3pjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\nhhhbb.exec:\nhhhbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\3tthtn.exec:\3tthtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\lrlxrlx.exec:\lrlxrlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204 -
\??\c:\tbbtnn.exec:\tbbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:508 -
\??\c:\thtnth.exec:\thtnth.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\rflfxxx.exec:\rflfxxx.exe23⤵
- Executes dropped EXE
PID:1908 -
\??\c:\bnbnht.exec:\bnbnht.exe24⤵
- Executes dropped EXE
PID:3348 -
\??\c:\pvvjv.exec:\pvvjv.exe25⤵
- Executes dropped EXE
PID:4776 -
\??\c:\5lfxllf.exec:\5lfxllf.exe26⤵
- Executes dropped EXE
PID:1360 -
\??\c:\hbtbtn.exec:\hbtbtn.exe27⤵
- Executes dropped EXE
PID:1756 -
\??\c:\9vvpj.exec:\9vvpj.exe28⤵
- Executes dropped EXE
PID:2052 -
\??\c:\jvpdv.exec:\jvpdv.exe29⤵
- Executes dropped EXE
PID:232 -
\??\c:\7rrffrf.exec:\7rrffrf.exe30⤵
- Executes dropped EXE
PID:1172 -
\??\c:\frfrxfx.exec:\frfrxfx.exe31⤵
- Executes dropped EXE
PID:2612 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe32⤵
- Executes dropped EXE
PID:4288 -
\??\c:\bhhbnh.exec:\bhhbnh.exe33⤵
- Executes dropped EXE
PID:3196 -
\??\c:\tthbtt.exec:\tthbtt.exe34⤵
- Executes dropped EXE
PID:2620 -
\??\c:\vpvjv.exec:\vpvjv.exe35⤵
- Executes dropped EXE
PID:4216 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe36⤵
- Executes dropped EXE
PID:4456 -
\??\c:\xlllfff.exec:\xlllfff.exe37⤵
- Executes dropped EXE
PID:4304 -
\??\c:\3tthbn.exec:\3tthbn.exe38⤵
- Executes dropped EXE
PID:860 -
\??\c:\pjpvp.exec:\pjpvp.exe39⤵
- Executes dropped EXE
PID:4152 -
\??\c:\9rrfrlr.exec:\9rrfrlr.exe40⤵
- Executes dropped EXE
PID:2444 -
\??\c:\bnnhhn.exec:\bnnhhn.exe41⤵
- Executes dropped EXE
PID:5068 -
\??\c:\5dpdp.exec:\5dpdp.exe42⤵
- Executes dropped EXE
PID:2716 -
\??\c:\rffrfxr.exec:\rffrfxr.exe43⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hbnhth.exec:\hbnhth.exe44⤵
- Executes dropped EXE
PID:1576 -
\??\c:\nhbnbn.exec:\nhbnbn.exe45⤵PID:4088
-
\??\c:\1vpvj.exec:\1vpvj.exe46⤵
- Executes dropped EXE
PID:1092 -
\??\c:\lxrfrfx.exec:\lxrfrfx.exe47⤵
- Executes dropped EXE
PID:228 -
\??\c:\nbhtnh.exec:\nbhtnh.exe48⤵
- Executes dropped EXE
PID:4844 -
\??\c:\hhhbnn.exec:\hhhbnn.exe49⤵
- Executes dropped EXE
PID:760 -
\??\c:\jddvv.exec:\jddvv.exe50⤵
- Executes dropped EXE
PID:3132 -
\??\c:\vvvvp.exec:\vvvvp.exe51⤵
- Executes dropped EXE
PID:3824 -
\??\c:\xrrllfx.exec:\xrrllfx.exe52⤵
- Executes dropped EXE
PID:4468 -
\??\c:\7bthbh.exec:\7bthbh.exe53⤵
- Executes dropped EXE
PID:3652 -
\??\c:\pdddj.exec:\pdddj.exe54⤵
- Executes dropped EXE
PID:2436 -
\??\c:\9vvpj.exec:\9vvpj.exe55⤵
- Executes dropped EXE
PID:868 -
\??\c:\xrrxrll.exec:\xrrxrll.exe56⤵
- Executes dropped EXE
PID:5012 -
\??\c:\nhhnbh.exec:\nhhnbh.exe57⤵
- Executes dropped EXE
PID:2572 -
\??\c:\dvjdd.exec:\dvjdd.exe58⤵
- Executes dropped EXE
PID:1380 -
\??\c:\rrxrlll.exec:\rrxrlll.exe59⤵
- Executes dropped EXE
PID:3760 -
\??\c:\tbhbtn.exec:\tbhbtn.exe60⤵
- Executes dropped EXE
PID:2256 -
\??\c:\5vvvv.exec:\5vvvv.exe61⤵
- Executes dropped EXE
PID:2532 -
\??\c:\1rrfxxl.exec:\1rrfxxl.exe62⤵
- Executes dropped EXE
PID:3276 -
\??\c:\nhbnhh.exec:\nhbnhh.exe63⤵
- Executes dropped EXE
PID:2836 -
\??\c:\7jjdj.exec:\7jjdj.exe64⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jppjv.exec:\jppjv.exe65⤵
- Executes dropped EXE
PID:4924 -
\??\c:\rflxrfx.exec:\rflxrfx.exe66⤵
- Executes dropped EXE
PID:3868 -
\??\c:\1nhhbb.exec:\1nhhbb.exe67⤵PID:2680
-
\??\c:\vddpj.exec:\vddpj.exe68⤵PID:3640
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe69⤵PID:3876
-
\??\c:\3ttntn.exec:\3ttntn.exe70⤵PID:3860
-
\??\c:\9vjjp.exec:\9vjjp.exe71⤵PID:5032
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe72⤵PID:2636
-
\??\c:\ttnnhb.exec:\ttnnhb.exe73⤵PID:4080
-
\??\c:\bnnntt.exec:\bnnntt.exe74⤵PID:1056
-
\??\c:\pjjvp.exec:\pjjvp.exe75⤵PID:8
-
\??\c:\xfxrlfr.exec:\xfxrlfr.exe76⤵PID:4884
-
\??\c:\lffxlfr.exec:\lffxlfr.exe77⤵PID:2540
-
\??\c:\nhtttt.exec:\nhtttt.exe78⤵PID:4404
-
\??\c:\9pppj.exec:\9pppj.exe79⤵PID:2948
-
\??\c:\jvpdp.exec:\jvpdp.exe80⤵PID:1360
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe81⤵PID:1580
-
\??\c:\9hhbbt.exec:\9hhbbt.exe82⤵PID:2384
-
\??\c:\nbhthb.exec:\nbhthb.exe83⤵PID:1972
-
\??\c:\vjdpj.exec:\vjdpj.exe84⤵PID:1568
-
\??\c:\frlfrlf.exec:\frlfrlf.exe85⤵PID:1172
-
\??\c:\5bbnnh.exec:\5bbnnh.exe86⤵PID:4348
-
\??\c:\1nhbnn.exec:\1nhbnn.exe87⤵PID:4796
-
\??\c:\djjdv.exec:\djjdv.exe88⤵PID:3920
-
\??\c:\3ffrfxl.exec:\3ffrfxl.exe89⤵PID:464
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe90⤵PID:3196
-
\??\c:\hththb.exec:\hththb.exe91⤵PID:5076
-
\??\c:\jvpjv.exec:\jvpjv.exe92⤵PID:4376
-
\??\c:\lrrlfxl.exec:\lrrlfxl.exe93⤵PID:4344
-
\??\c:\bnnhbb.exec:\bnnhbb.exe94⤵PID:3836
-
\??\c:\dvjdv.exec:\dvjdv.exe95⤵PID:2312
-
\??\c:\5vjvj.exec:\5vjvj.exe96⤵PID:2080
-
\??\c:\fxrlfrr.exec:\fxrlfrr.exe97⤵PID:1552
-
\??\c:\9hhbtt.exec:\9hhbtt.exe98⤵PID:2940
-
\??\c:\bhhhhh.exec:\bhhhhh.exe99⤵PID:1348
-
\??\c:\jvdvv.exec:\jvdvv.exe100⤵PID:2872
-
\??\c:\frfrrll.exec:\frfrrll.exe101⤵PID:212
-
\??\c:\5hbthh.exec:\5hbthh.exe102⤵PID:2224
-
\??\c:\9pvjj.exec:\9pvjj.exe103⤵PID:2324
-
\??\c:\jvpjd.exec:\jvpjd.exe104⤵PID:4788
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe105⤵PID:3008
-
\??\c:\nnthtn.exec:\nnthtn.exe106⤵PID:3160
-
\??\c:\tnnbhb.exec:\tnnbhb.exe107⤵PID:1372
-
\??\c:\vpdvp.exec:\vpdvp.exe108⤵PID:3956
-
\??\c:\lrrrlff.exec:\lrrrlff.exe109⤵PID:2828
-
\??\c:\bhnbtt.exec:\bhnbtt.exe110⤵PID:3188
-
\??\c:\5tnhhh.exec:\5tnhhh.exe111⤵PID:3652
-
\??\c:\jvdpj.exec:\jvdpj.exe112⤵PID:2892
-
\??\c:\rflfrrl.exec:\rflfrrl.exe113⤵PID:4488
-
\??\c:\btthtn.exec:\btthtn.exe114⤵PID:2472
-
\??\c:\pjdvj.exec:\pjdvj.exe115⤵PID:4244
-
\??\c:\jdvpj.exec:\jdvpj.exe116⤵PID:2572
-
\??\c:\rxflrrf.exec:\rxflrrf.exe117⤵PID:4496
-
\??\c:\tbhbtt.exec:\tbhbtt.exe118⤵PID:2844
-
\??\c:\nnthth.exec:\nnthth.exe119⤵PID:4588
-
\??\c:\1vppj.exec:\1vppj.exe120⤵PID:2496
-
\??\c:\xrrrlff.exec:\xrrrlff.exe121⤵PID:1956
-
\??\c:\5fllxrl.exec:\5fllxrl.exe122⤵PID:512