Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
120 seconds
General
-
Target
145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe
-
Size
456KB
-
MD5
714183fd35f02e3c36dd33b2ae0c167b
-
SHA1
a200a5211806ea86bf01d59864846228fb5f9608
-
SHA256
145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556
-
SHA512
d7a958dfb93c5a988c329769f67b49a814e67abc764f8bf710c907f4de5501bc1e854e1fccc7f3c8442594e0ceeb26ed55ea10aa86a6467281385525ea6cf252
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRh:q7Tc2NYHUrAwfMp3CDRh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3672-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4648-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/336-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-1125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 968 3llxrlf.exe 2796 tbbbnn.exe 1164 3xlrllr.exe 1440 nntnhh.exe 552 rlxrxxf.exe 3680 nhtttb.exe 2388 rfxrxxf.exe 4872 7xllrxl.exe 3352 nbnnhn.exe 3428 xlrrlll.exe 3460 rrrxfrr.exe 1496 nbhbbb.exe 4364 lfxrffr.exe 5024 nhhhhn.exe 4068 hbhbbt.exe 736 hnnhbt.exe 3824 ppvdd.exe 4420 vpvdd.exe 1676 jjpvv.exe 1492 3lrfxrr.exe 4280 hbhhbb.exe 4760 bbbtnn.exe 4648 tnhhtt.exe 3556 lflfxxx.exe 4300 tnhbhn.exe 512 jjjjd.exe 760 ddppj.exe 1848 7ffxxxr.exe 2488 pdvvv.exe 3076 nttnhh.exe 2976 llxrllr.exe 1336 xfllxfr.exe 3752 pvjjd.exe 1976 rlffllx.exe 1472 thbbbb.exe 1112 bbbthn.exe 3664 jdjvd.exe 5012 fxfxrxr.exe 2224 ttbtnn.exe 1952 pjjjv.exe 3340 vdvdd.exe 1216 fxlxfff.exe 3564 1tbttt.exe 112 tntttb.exe 2668 vpdvp.exe 2128 llxxffr.exe 1320 thnttt.exe 4972 ppppd.exe 3704 fxfxrxx.exe 3084 bhnhbb.exe 4532 bhnntb.exe 212 vpdvd.exe 4328 xxfrlrr.exe 3672 1bbtnn.exe 4492 vjvvj.exe 1684 7lrllff.exe 3464 bbbhhh.exe 3892 hbtnhh.exe 448 jddvj.exe 4384 frxlfxr.exe 4948 bbnhht.exe 4000 hbbttn.exe 860 1dvpd.exe 4252 xfffrrl.exe -
resource yara_rule behavioral2/memory/3672-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/512-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-400-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3284-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-606-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-841-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-1040-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tttnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfll.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3672 wrote to memory of 968 3672 145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe 82 PID 3672 wrote to memory of 968 3672 145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe 82 PID 3672 wrote to memory of 968 3672 145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe 82 PID 968 wrote to memory of 2796 968 3llxrlf.exe 83 PID 968 wrote to memory of 2796 968 3llxrlf.exe 83 PID 968 wrote to memory of 2796 968 3llxrlf.exe 83 PID 2796 wrote to memory of 1164 2796 tbbbnn.exe 84 PID 2796 wrote to memory of 1164 2796 tbbbnn.exe 84 PID 2796 wrote to memory of 1164 2796 tbbbnn.exe 84 PID 1164 wrote to memory of 1440 1164 3xlrllr.exe 85 PID 1164 wrote to memory of 1440 1164 3xlrllr.exe 85 PID 1164 wrote to memory of 1440 1164 3xlrllr.exe 85 PID 1440 wrote to memory of 552 1440 nntnhh.exe 86 PID 1440 wrote to memory of 552 1440 nntnhh.exe 86 PID 1440 wrote to memory of 552 1440 nntnhh.exe 86 PID 552 wrote to memory of 3680 552 rlxrxxf.exe 87 PID 552 wrote to memory of 3680 552 rlxrxxf.exe 87 PID 552 wrote to memory of 3680 552 rlxrxxf.exe 87 PID 3680 wrote to memory of 2388 3680 nhtttb.exe 88 PID 3680 wrote to memory of 2388 3680 nhtttb.exe 88 PID 3680 wrote to memory of 2388 3680 nhtttb.exe 88 PID 2388 wrote to memory of 4872 2388 rfxrxxf.exe 89 PID 2388 wrote to memory of 4872 2388 rfxrxxf.exe 89 PID 2388 wrote to memory of 4872 2388 rfxrxxf.exe 89 PID 4872 wrote to memory of 3352 4872 7xllrxl.exe 90 PID 4872 wrote to memory of 3352 4872 7xllrxl.exe 90 PID 4872 wrote to memory of 3352 4872 7xllrxl.exe 90 PID 3352 wrote to memory of 3428 3352 nbnnhn.exe 91 PID 3352 wrote to memory of 3428 3352 nbnnhn.exe 91 PID 3352 wrote to memory of 3428 3352 nbnnhn.exe 91 PID 3428 wrote to memory of 3460 3428 xlrrlll.exe 92 PID 3428 wrote to memory of 3460 3428 xlrrlll.exe 92 PID 3428 wrote to memory of 3460 3428 xlrrlll.exe 92 PID 3460 wrote to memory of 1496 3460 rrrxfrr.exe 93 PID 3460 wrote to 
memory of 1496 3460 rrrxfrr.exe 93 PID 3460 wrote to memory of 1496 3460 rrrxfrr.exe 93 PID 1496 wrote to memory of 4364 1496 nbhbbb.exe 94 PID 1496 wrote to memory of 4364 1496 nbhbbb.exe 94 PID 1496 wrote to memory of 4364 1496 nbhbbb.exe 94 PID 4364 wrote to memory of 5024 4364 lfxrffr.exe 95 PID 4364 wrote to memory of 5024 4364 lfxrffr.exe 95 PID 4364 wrote to memory of 5024 4364 lfxrffr.exe 95 PID 5024 wrote to memory of 4068 5024 nhhhhn.exe 96 PID 5024 wrote to memory of 4068 5024 nhhhhn.exe 96 PID 5024 wrote to memory of 4068 5024 nhhhhn.exe 96 PID 4068 wrote to memory of 736 4068 hbhbbt.exe 97 PID 4068 wrote to memory of 736 4068 hbhbbt.exe 97 PID 4068 wrote to memory of 736 4068 hbhbbt.exe 97 PID 736 wrote to memory of 3824 736 hnnhbt.exe 98 PID 736 wrote to memory of 3824 736 hnnhbt.exe 98 PID 736 wrote to memory of 3824 736 hnnhbt.exe 98 PID 3824 wrote to memory of 4420 3824 ppvdd.exe 99 PID 3824 wrote to memory of 4420 3824 ppvdd.exe 99 PID 3824 wrote to memory of 4420 3824 ppvdd.exe 99 PID 4420 wrote to memory of 1676 4420 vpvdd.exe 100 PID 4420 wrote to memory of 1676 4420 vpvdd.exe 100 PID 4420 wrote to memory of 1676 4420 vpvdd.exe 100 PID 1676 wrote to memory of 1492 1676 jjpvv.exe 101 PID 1676 wrote to memory of 1492 1676 jjpvv.exe 101 PID 1676 wrote to memory of 1492 1676 jjpvv.exe 101 PID 1492 wrote to memory of 4280 1492 3lrfxrr.exe 102 PID 1492 wrote to memory of 4280 1492 3lrfxrr.exe 102 PID 1492 wrote to memory of 4280 1492 3lrfxrr.exe 102 PID 4280 wrote to memory of 4760 4280 hbhhbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe"C:\Users\Admin\AppData\Local\Temp\145fc1d5506f42106e235a93790038e16f4a720853eb6ef219f4769eda16a556.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\3llxrlf.exec:\3llxrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\tbbbnn.exec:\tbbbnn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\3xlrllr.exec:\3xlrllr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\nntnhh.exec:\nntnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\nhtttb.exec:\nhtttb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\rfxrxxf.exec:\rfxrxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\7xllrxl.exec:\7xllrxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\nbnnhn.exec:\nbnnhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\xlrrlll.exec:\xlrrlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\rrrxfrr.exec:\rrrxfrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\nbhbbb.exec:\nbhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\lfxrffr.exec:\lfxrffr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\nhhhhn.exec:\nhhhhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\hbhbbt.exec:\hbhbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\hnnhbt.exec:\hnnhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
\??\c:\ppvdd.exec:\ppvdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\vpvdd.exec:\vpvdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\jjpvv.exec:\jjpvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\3lrfxrr.exec:\3lrfxrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\hbhhbb.exec:\hbhhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\bbbtnn.exec:\bbbtnn.exe23⤵
- Executes dropped EXE
PID:4760 -
\??\c:\tnhhtt.exec:\tnhhtt.exe24⤵
- Executes dropped EXE
PID:4648 -
\??\c:\lflfxxx.exec:\lflfxxx.exe25⤵
- Executes dropped EXE
PID:3556 -
\??\c:\tnhbhn.exec:\tnhbhn.exe26⤵
- Executes dropped EXE
PID:4300 -
\??\c:\jjjjd.exec:\jjjjd.exe27⤵
- Executes dropped EXE
PID:512 -
\??\c:\ddppj.exec:\ddppj.exe28⤵
- Executes dropped EXE
PID:760 -
\??\c:\7ffxxxr.exec:\7ffxxxr.exe29⤵
- Executes dropped EXE
PID:1848 -
\??\c:\pdvvv.exec:\pdvvv.exe30⤵
- Executes dropped EXE
PID:2488 -
\??\c:\nttnhh.exec:\nttnhh.exe31⤵
- Executes dropped EXE
PID:3076 -
\??\c:\llxrllr.exec:\llxrllr.exe32⤵
- Executes dropped EXE
PID:2976 -
\??\c:\xfllxfr.exec:\xfllxfr.exe33⤵
- Executes dropped EXE
PID:1336 -
\??\c:\pvjjd.exec:\pvjjd.exe34⤵
- Executes dropped EXE
PID:3752 -
\??\c:\rlffllx.exec:\rlffllx.exe35⤵
- Executes dropped EXE
PID:1976 -
\??\c:\thbbbb.exec:\thbbbb.exe36⤵
- Executes dropped EXE
PID:1472 -
\??\c:\bbbthn.exec:\bbbthn.exe37⤵
- Executes dropped EXE
PID:1112 -
\??\c:\jdjvd.exec:\jdjvd.exe38⤵
- Executes dropped EXE
PID:3664 -
\??\c:\fxfxrxr.exec:\fxfxrxr.exe39⤵
- Executes dropped EXE
PID:5012 -
\??\c:\ttbtnn.exec:\ttbtnn.exe40⤵
- Executes dropped EXE
PID:2224 -
\??\c:\pjjjv.exec:\pjjjv.exe41⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vdvdd.exec:\vdvdd.exe42⤵
- Executes dropped EXE
PID:3340 -
\??\c:\fxlxfff.exec:\fxlxfff.exe43⤵
- Executes dropped EXE
PID:1216 -
\??\c:\1tbttt.exec:\1tbttt.exe44⤵
- Executes dropped EXE
PID:3564 -
\??\c:\tntttb.exec:\tntttb.exe45⤵
- Executes dropped EXE
PID:112 -
\??\c:\vpdvp.exec:\vpdvp.exe46⤵
- Executes dropped EXE
PID:2668 -
\??\c:\llxxffr.exec:\llxxffr.exe47⤵
- Executes dropped EXE
PID:2128 -
\??\c:\thnttt.exec:\thnttt.exe48⤵
- Executes dropped EXE
PID:1320 -
\??\c:\ppppd.exec:\ppppd.exe49⤵
- Executes dropped EXE
PID:4972 -
\??\c:\fxfxrxx.exec:\fxfxrxx.exe50⤵
- Executes dropped EXE
PID:3704 -
\??\c:\bhnhbb.exec:\bhnhbb.exe51⤵
- Executes dropped EXE
PID:3084 -
\??\c:\bhnntb.exec:\bhnntb.exe52⤵
- Executes dropped EXE
PID:4532 -
\??\c:\vpdvd.exec:\vpdvd.exe53⤵
- Executes dropped EXE
PID:212 -
\??\c:\xxfrlrr.exec:\xxfrlrr.exe54⤵
- Executes dropped EXE
PID:4328 -
\??\c:\1bbtnn.exec:\1bbtnn.exe55⤵
- Executes dropped EXE
PID:3672 -
\??\c:\vjvvj.exec:\vjvvj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4492 -
\??\c:\7lrllff.exec:\7lrllff.exe57⤵
- Executes dropped EXE
PID:1684 -
\??\c:\bbbhhh.exec:\bbbhhh.exe58⤵
- Executes dropped EXE
PID:3464 -
\??\c:\hbtnhh.exec:\hbtnhh.exe59⤵
- Executes dropped EXE
PID:3892 -
\??\c:\jddvj.exec:\jddvj.exe60⤵
- Executes dropped EXE
PID:448 -
\??\c:\frxlfxr.exec:\frxlfxr.exe61⤵
- Executes dropped EXE
PID:4384 -
\??\c:\bbnhht.exec:\bbnhht.exe62⤵
- Executes dropped EXE
PID:4948 -
\??\c:\hbbttn.exec:\hbbttn.exe63⤵
- Executes dropped EXE
PID:4000 -
\??\c:\1dvpd.exec:\1dvpd.exe64⤵
- Executes dropped EXE
PID:860 -
\??\c:\xfffrrl.exec:\xfffrrl.exe65⤵
- Executes dropped EXE
PID:4252 -
\??\c:\nbnhnh.exec:\nbnhnh.exe66⤵PID:404
-
\??\c:\vdjdv.exec:\vdjdv.exe67⤵PID:2856
-
\??\c:\vjjdp.exec:\vjjdp.exe68⤵PID:2412
-
\??\c:\rffxllf.exec:\rffxllf.exe69⤵PID:3528
-
\??\c:\nhhnhh.exec:\nhhnhh.exe70⤵PID:4400
-
\??\c:\jjpdv.exec:\jjpdv.exe71⤵PID:1436
-
\??\c:\rffxlfx.exec:\rffxlfx.exe72⤵PID:1348
-
\??\c:\nhnbhh.exec:\nhnbhh.exe73⤵PID:5060
-
\??\c:\hhhbtt.exec:\hhhbtt.exe74⤵PID:4016
-
\??\c:\1pjdp.exec:\1pjdp.exe75⤵PID:5024
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe76⤵PID:4652
-
\??\c:\hhhhbb.exec:\hhhhbb.exe77⤵PID:4540
-
\??\c:\vpvpp.exec:\vpvpp.exe78⤵PID:4784
-
\??\c:\rffxlll.exec:\rffxlll.exe79⤵PID:336
-
\??\c:\hbbtnn.exec:\hbbtnn.exe80⤵PID:3228
-
\??\c:\9vjvv.exec:\9vjvv.exe81⤵PID:1288
-
\??\c:\dpjvd.exec:\dpjvd.exe82⤵PID:864
-
\??\c:\lxrrflf.exec:\lxrrflf.exe83⤵PID:4292
-
\??\c:\thhbbt.exec:\thhbbt.exe84⤵PID:5076
-
\??\c:\dvjdp.exec:\dvjdp.exe85⤵PID:3332
-
\??\c:\rlfxrlr.exec:\rlfxrlr.exe86⤵PID:4516
-
\??\c:\9rlfxrr.exec:\9rlfxrr.exe87⤵PID:2180
-
\??\c:\htbtbt.exec:\htbtbt.exe88⤵PID:4648
-
\??\c:\jdpjj.exec:\jdpjj.exe89⤵PID:3244
-
\??\c:\xxxfxfr.exec:\xxxfxfr.exe90⤵PID:3668
-
\??\c:\3fxrlfx.exec:\3fxrlfx.exe91⤵PID:3744
-
\??\c:\hhbnhh.exec:\hhbnhh.exe92⤵PID:2256
-
\??\c:\ddvpp.exec:\ddvpp.exe93⤵PID:5028
-
\??\c:\jvvpd.exec:\jvvpd.exe94⤵PID:3472
-
\??\c:\rlrfrlf.exec:\rlrfrlf.exe95⤵PID:2232
-
\??\c:\lxrlrlf.exec:\lxrlrlf.exe96⤵PID:2488
-
\??\c:\btbtnt.exec:\btbtnt.exe97⤵PID:5108
-
\??\c:\pvvdp.exec:\pvvdp.exe98⤵PID:3284
-
\??\c:\lfffrlf.exec:\lfffrlf.exe99⤵PID:984
-
\??\c:\5hbtnn.exec:\5hbtnn.exe100⤵PID:1260
-
\??\c:\dvpjv.exec:\dvpjv.exe101⤵PID:1716
-
\??\c:\frrlxrf.exec:\frrlxrf.exe102⤵PID:1904
-
\??\c:\lrxrllf.exec:\lrxrllf.exe103⤵PID:1472
-
\??\c:\bbnbnn.exec:\bbnbnn.exe104⤵PID:1112
-
\??\c:\bhbnbt.exec:\bhbnbt.exe105⤵PID:4256
-
\??\c:\jddpd.exec:\jddpd.exe106⤵PID:1244
-
\??\c:\xxxxfff.exec:\xxxxfff.exe107⤵PID:1788
-
\??\c:\ntttnt.exec:\ntttnt.exe108⤵PID:1952
-
\??\c:\jddvp.exec:\jddvp.exe109⤵PID:4656
-
\??\c:\djjdd.exec:\djjdd.exe110⤵PID:224
-
\??\c:\5llfrrl.exec:\5llfrrl.exe111⤵PID:3588
-
\??\c:\nbhbtt.exec:\nbhbtt.exe112⤵PID:112
-
\??\c:\bhnbnt.exec:\bhnbnt.exe113⤵PID:3012
-
\??\c:\vpjdp.exec:\vpjdp.exe114⤵PID:1508
-
\??\c:\rrrfxxr.exec:\rrrfxxr.exe115⤵PID:3636
-
\??\c:\7rfxffl.exec:\7rfxffl.exe116⤵PID:4592
-
\??\c:\nntnbt.exec:\nntnbt.exe117⤵
- System Location Discovery: System Language Discovery
PID:4136 -
\??\c:\pjppp.exec:\pjppp.exe118⤵PID:4308
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe119⤵PID:4356
-
\??\c:\hbbttn.exec:\hbbttn.exe120⤵PID:4812
-
\??\c:\ttnnhh.exec:\ttnnhh.exe121⤵PID:5020
-
\??\c:\pdjpv.exec:\pdjpv.exe122⤵PID:968