Analysis
-
max time kernel
120s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe
-
Size
454KB
-
MD5
92b85edd63f3f3b9ff3d3cf26e07a98d
-
SHA1
e2a4f3706f63af38adf2890f940c3b8368bafaec
-
SHA256
745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a
-
SHA512
5b40eee4c56632dfe41ab3deb9dd6afa2a69c08611cf71466bda6da6e627456dd4a0de109042977c1f1ce0c22303f071f65be27a93e16a02113dec4c3d796dd7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1728-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2124-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1292-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4832-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1228-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-822-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-1401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-1718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3044 rxrrlfx.exe 4532 nntnhb.exe 1132 thhbth.exe 3428 tnhnnn.exe 3616 1lxrrxf.exe 1160 nnttnh.exe 4008 tbnnhh.exe 2124 vpvvp.exe 2228 bthhhb.exe 3096 3lrrlll.exe 4872 jvdpp.exe 1596 hbnhnn.exe 2712 dppjv.exe 1368 nhbnhh.exe 5028 vjdpd.exe 4576 nhhtnh.exe 4940 rffxrrl.exe 1628 bntnhh.exe 3312 vpppd.exe 396 rllfrrl.exe 3896 vpvjj.exe 1188 fxrlxrl.exe 840 pvddj.exe 1684 3nhbbh.exe 4844 pjjvj.exe 3916 nbhbtt.exe 1176 rrxxlll.exe 1620 3pjpj.exe 524 hnthbt.exe 1292 pvdvj.exe 2112 7ppvp.exe 1540 ttbnbn.exe 4372 dpjvj.exe 2308 xxfrfrr.exe 3124 1bbtth.exe 2300 vdpdv.exe 1892 jdpjv.exe 5072 5lfrlxl.exe 1772 9bbntt.exe 5032 tbtbtt.exe 1232 5jvjd.exe 2716 frrfrll.exe 2336 xxlxrfx.exe 4548 thhtnh.exe 2528 dpdpv.exe 1812 dddvj.exe 5040 xxfxfxl.exe 1460 nbtnhb.exe 4880 pjdvp.exe 4472 vjjjd.exe 4340 7rxrllr.exe 4956 htbtnn.exe 1484 jpdvp.exe 1720 lxlrlrl.exe 2364 bnnhbt.exe 4936 jvdpv.exe 1112 9vdvj.exe 3448 rfrxlfx.exe 3504 ntnbnb.exe 2972 jvjdv.exe 1160 xllfrlx.exe 3768 jvdvp.exe 884 rflfffx.exe 2124 nhnbnh.exe -
resource yara_rule behavioral2/memory/1728-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1292-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3316-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-822-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-883-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 3044 1728 745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe 81 PID 1728 wrote to memory of 3044 1728 745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe 81 PID 1728 wrote to memory of 3044 1728 745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe 81 PID 3044 wrote to memory of 4532 3044 rxrrlfx.exe 82 PID 3044 wrote to memory of 4532 3044 rxrrlfx.exe 82 PID 3044 wrote to memory of 4532 3044 rxrrlfx.exe 82 PID 4532 wrote to memory of 1132 4532 nntnhb.exe 83 PID 4532 wrote to memory of 1132 4532 nntnhb.exe 83 PID 4532 wrote to memory of 1132 4532 nntnhb.exe 83 PID 1132 wrote to memory of 3428 1132 thhbth.exe 84 PID 1132 wrote to memory of 3428 1132 thhbth.exe 84 PID 1132 wrote to memory of 3428 1132 thhbth.exe 84 PID 3428 wrote to memory of 3616 3428 tnhnnn.exe 85 PID 3428 wrote to memory of 3616 3428 tnhnnn.exe 85 PID 3428 wrote to memory of 3616 3428 tnhnnn.exe 85 PID 3616 wrote to memory of 1160 3616 1lxrrxf.exe 86 PID 3616 wrote to memory of 1160 3616 1lxrrxf.exe 86 PID 3616 wrote to memory of 1160 3616 1lxrrxf.exe 86 PID 1160 wrote to memory of 4008 1160 nnttnh.exe 87 PID 1160 wrote to memory of 4008 1160 nnttnh.exe 87 PID 1160 wrote to memory of 4008 1160 nnttnh.exe 87 PID 4008 wrote to memory of 2124 4008 tbnnhh.exe 88 PID 4008 wrote to memory of 2124 4008 tbnnhh.exe 88 PID 4008 wrote to memory of 2124 4008 tbnnhh.exe 88 PID 2124 wrote to memory of 2228 2124 vpvvp.exe 89 PID 2124 wrote to memory of 2228 2124 vpvvp.exe 89 PID 2124 wrote to memory of 2228 2124 vpvvp.exe 89 PID 2228 wrote to memory of 3096 2228 bthhhb.exe 90 PID 2228 wrote to memory of 3096 2228 bthhhb.exe 90 PID 2228 wrote to memory of 3096 2228 bthhhb.exe 90 PID 3096 wrote to memory of 4872 3096 3lrrlll.exe 91 PID 3096 wrote to memory of 4872 3096 3lrrlll.exe 91 PID 3096 wrote to memory of 4872 3096 3lrrlll.exe 91 PID 4872 wrote to memory of 1596 4872 jvdpp.exe 92 PID 4872 wrote 
to memory of 1596 4872 jvdpp.exe 92 PID 4872 wrote to memory of 1596 4872 jvdpp.exe 92 PID 1596 wrote to memory of 2712 1596 hbnhnn.exe 93 PID 1596 wrote to memory of 2712 1596 hbnhnn.exe 93 PID 1596 wrote to memory of 2712 1596 hbnhnn.exe 93 PID 2712 wrote to memory of 1368 2712 dppjv.exe 94 PID 2712 wrote to memory of 1368 2712 dppjv.exe 94 PID 2712 wrote to memory of 1368 2712 dppjv.exe 94 PID 1368 wrote to memory of 5028 1368 nhbnhh.exe 95 PID 1368 wrote to memory of 5028 1368 nhbnhh.exe 95 PID 1368 wrote to memory of 5028 1368 nhbnhh.exe 95 PID 5028 wrote to memory of 4576 5028 vjdpd.exe 96 PID 5028 wrote to memory of 4576 5028 vjdpd.exe 96 PID 5028 wrote to memory of 4576 5028 vjdpd.exe 96 PID 4576 wrote to memory of 4940 4576 nhhtnh.exe 97 PID 4576 wrote to memory of 4940 4576 nhhtnh.exe 97 PID 4576 wrote to memory of 4940 4576 nhhtnh.exe 97 PID 4940 wrote to memory of 1628 4940 rffxrrl.exe 98 PID 4940 wrote to memory of 1628 4940 rffxrrl.exe 98 PID 4940 wrote to memory of 1628 4940 rffxrrl.exe 98 PID 1628 wrote to memory of 3312 1628 bntnhh.exe 99 PID 1628 wrote to memory of 3312 1628 bntnhh.exe 99 PID 1628 wrote to memory of 3312 1628 bntnhh.exe 99 PID 3312 wrote to memory of 396 3312 vpppd.exe 100 PID 3312 wrote to memory of 396 3312 vpppd.exe 100 PID 3312 wrote to memory of 396 3312 vpppd.exe 100 PID 396 wrote to memory of 3896 396 rllfrrl.exe 101 PID 396 wrote to memory of 3896 396 rllfrrl.exe 101 PID 396 wrote to memory of 3896 396 rllfrrl.exe 101 PID 3896 wrote to memory of 1188 3896 vpvjj.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe"C:\Users\Admin\AppData\Local\Temp\745d0ab5d3f4b9698bfcfa17ed46f082d37b8ad0c65c396ee863790334a3f30a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\rxrrlfx.exec:\rxrrlfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\nntnhb.exec:\nntnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\thhbth.exec:\thhbth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\tnhnnn.exec:\tnhnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\1lxrrxf.exec:\1lxrrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\nnttnh.exec:\nnttnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\tbnnhh.exec:\tbnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\vpvvp.exec:\vpvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\bthhhb.exec:\bthhhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\3lrrlll.exec:\3lrrlll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\jvdpp.exec:\jvdpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\hbnhnn.exec:\hbnhnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1596 -
\??\c:\dppjv.exec:\dppjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\nhbnhh.exec:\nhbnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\vjdpd.exec:\vjdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\nhhtnh.exec:\nhhtnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\rffxrrl.exec:\rffxrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\bntnhh.exec:\bntnhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\vpppd.exec:\vpppd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\rllfrrl.exec:\rllfrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\vpvjj.exec:\vpvjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\fxrlxrl.exec:\fxrlxrl.exe23⤵
- Executes dropped EXE
PID:1188 -
\??\c:\pvddj.exec:\pvddj.exe24⤵
- Executes dropped EXE
PID:840 -
\??\c:\3nhbbh.exec:\3nhbbh.exe25⤵
- Executes dropped EXE
PID:1684 -
\??\c:\pjjvj.exec:\pjjvj.exe26⤵
- Executes dropped EXE
PID:4844 -
\??\c:\nbhbtt.exec:\nbhbtt.exe27⤵
- Executes dropped EXE
PID:3916 -
\??\c:\rrxxlll.exec:\rrxxlll.exe28⤵
- Executes dropped EXE
PID:1176 -
\??\c:\3pjpj.exec:\3pjpj.exe29⤵
- Executes dropped EXE
PID:1620 -
\??\c:\hnthbt.exec:\hnthbt.exe30⤵
- Executes dropped EXE
PID:524 -
\??\c:\pvdvj.exec:\pvdvj.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1292 -
\??\c:\7ppvp.exec:\7ppvp.exe32⤵
- Executes dropped EXE
PID:2112 -
\??\c:\ttbnbn.exec:\ttbnbn.exe33⤵
- Executes dropped EXE
PID:1540 -
\??\c:\dpjvj.exec:\dpjvj.exe34⤵
- Executes dropped EXE
PID:4372 -
\??\c:\xxfrfrr.exec:\xxfrfrr.exe35⤵
- Executes dropped EXE
PID:2308 -
\??\c:\1bbtth.exec:\1bbtth.exe36⤵
- Executes dropped EXE
PID:3124 -
\??\c:\vdpdv.exec:\vdpdv.exe37⤵
- Executes dropped EXE
PID:2300 -
\??\c:\jdpjv.exec:\jdpjv.exe38⤵
- Executes dropped EXE
PID:1892 -
\??\c:\5lfrlxl.exec:\5lfrlxl.exe39⤵
- Executes dropped EXE
PID:5072 -
\??\c:\9bbntt.exec:\9bbntt.exe40⤵
- Executes dropped EXE
PID:1772 -
\??\c:\tbtbtt.exec:\tbtbtt.exe41⤵
- Executes dropped EXE
PID:5032 -
\??\c:\5jvjd.exec:\5jvjd.exe42⤵
- Executes dropped EXE
PID:1232 -
\??\c:\frrfrll.exec:\frrfrll.exe43⤵
- Executes dropped EXE
PID:2716 -
\??\c:\xxlxrfx.exec:\xxlxrfx.exe44⤵
- Executes dropped EXE
PID:2336 -
\??\c:\thhtnh.exec:\thhtnh.exe45⤵
- Executes dropped EXE
PID:4548 -
\??\c:\dpdpv.exec:\dpdpv.exe46⤵
- Executes dropped EXE
PID:2528 -
\??\c:\dddvj.exec:\dddvj.exe47⤵
- Executes dropped EXE
PID:1812 -
\??\c:\xxfxfxl.exec:\xxfxfxl.exe48⤵
- Executes dropped EXE
PID:5040 -
\??\c:\nbtnhb.exec:\nbtnhb.exe49⤵
- Executes dropped EXE
PID:1460 -
\??\c:\pjdvp.exec:\pjdvp.exe50⤵
- Executes dropped EXE
PID:4880 -
\??\c:\vjjjd.exec:\vjjjd.exe51⤵
- Executes dropped EXE
PID:4472 -
\??\c:\7rxrllr.exec:\7rxrllr.exe52⤵
- Executes dropped EXE
PID:4340 -
\??\c:\htbtnn.exec:\htbtnn.exe53⤵
- Executes dropped EXE
PID:4956 -
\??\c:\jpdvp.exec:\jpdvp.exe54⤵
- Executes dropped EXE
PID:1484 -
\??\c:\lxlrlrl.exec:\lxlrlrl.exe55⤵
- Executes dropped EXE
PID:1720 -
\??\c:\bnnhbt.exec:\bnnhbt.exe56⤵
- Executes dropped EXE
PID:2364 -
\??\c:\jvdpv.exec:\jvdpv.exe57⤵
- Executes dropped EXE
PID:4936 -
\??\c:\9vdvj.exec:\9vdvj.exe58⤵
- Executes dropped EXE
PID:1112 -
\??\c:\rfrxlfx.exec:\rfrxlfx.exe59⤵
- Executes dropped EXE
PID:3448 -
\??\c:\ntnbnb.exec:\ntnbnb.exe60⤵
- Executes dropped EXE
PID:3504 -
\??\c:\jvjdv.exec:\jvjdv.exe61⤵
- Executes dropped EXE
PID:2972 -
\??\c:\xllfrlx.exec:\xllfrlx.exe62⤵
- Executes dropped EXE
PID:1160 -
\??\c:\jvdvp.exec:\jvdvp.exe63⤵
- Executes dropped EXE
PID:3768 -
\??\c:\rflfffx.exec:\rflfffx.exe64⤵
- Executes dropped EXE
PID:884 -
\??\c:\nhnbnh.exec:\nhnbnh.exe65⤵
- Executes dropped EXE
PID:2124 -
\??\c:\ttbttt.exec:\ttbttt.exe66⤵PID:4772
-
\??\c:\dvvvp.exec:\dvvvp.exe67⤵PID:4040
-
\??\c:\rlxrrlr.exec:\rlxrrlr.exe68⤵PID:4152
-
\??\c:\nbtbnb.exec:\nbtbnb.exe69⤵PID:3096
-
\??\c:\9vpjj.exec:\9vpjj.exe70⤵PID:3052
-
\??\c:\xxxrlrl.exec:\xxxrlrl.exe71⤵PID:3020
-
\??\c:\bhthtn.exec:\bhthtn.exe72⤵PID:4676
-
\??\c:\bbbhhh.exec:\bbbhhh.exe73⤵PID:2992
-
\??\c:\jvvpd.exec:\jvvpd.exe74⤵PID:2552
-
\??\c:\7xfxlfl.exec:\7xfxlfl.exe75⤵PID:4884
-
\??\c:\btbttt.exec:\btbttt.exe76⤵PID:4104
-
\??\c:\dpvpd.exec:\dpvpd.exe77⤵PID:4396
-
\??\c:\frfffff.exec:\frfffff.exe78⤵PID:764
-
\??\c:\rxxxrlr.exec:\rxxxrlr.exe79⤵
- System Location Discovery: System Language Discovery
PID:4832 -
\??\c:\nbbtnh.exec:\nbbtnh.exe80⤵PID:2120
-
\??\c:\vjjvp.exec:\vjjvp.exe81⤵PID:220
-
\??\c:\lffxrll.exec:\lffxrll.exe82⤵PID:3152
-
\??\c:\tnhhtn.exec:\tnhhtn.exe83⤵PID:3316
-
\??\c:\pjpjj.exec:\pjpjj.exe84⤵PID:4448
-
\??\c:\rffxrlx.exec:\rffxrlx.exe85⤵PID:840
-
\??\c:\tntnnn.exec:\tntnnn.exe86⤵PID:2628
-
\??\c:\tntntn.exec:\tntntn.exe87⤵PID:3076
-
\??\c:\pjvvd.exec:\pjvvd.exe88⤵PID:1128
-
\??\c:\3rxrxxf.exec:\3rxrxxf.exe89⤵PID:2680
-
\??\c:\bhnnhb.exec:\bhnnhb.exe90⤵PID:2184
-
\??\c:\dvjpd.exec:\dvjpd.exe91⤵PID:1620
-
\??\c:\dvvvv.exec:\dvvvv.exe92⤵PID:908
-
\??\c:\frxrllf.exec:\frxrllf.exe93⤵PID:4116
-
\??\c:\thbtnh.exec:\thbtnh.exe94⤵PID:3620
-
\??\c:\jvvjd.exec:\jvvjd.exe95⤵PID:1292
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe96⤵PID:4904
-
\??\c:\fxxlxrf.exec:\fxxlxrf.exe97⤵PID:1228
-
\??\c:\hbnbbb.exec:\hbnbbb.exe98⤵PID:1388
-
\??\c:\7ppdv.exec:\7ppdv.exe99⤵
- System Location Discovery: System Language Discovery
PID:2432 -
\??\c:\ppvpj.exec:\ppvpj.exe100⤵PID:3500
-
\??\c:\xxxlffx.exec:\xxxlffx.exe101⤵PID:1912
-
\??\c:\3nhhtt.exec:\3nhhtt.exe102⤵PID:2508
-
\??\c:\dddvp.exec:\dddvp.exe103⤵PID:4184
-
\??\c:\lflffxx.exec:\lflffxx.exe104⤵PID:3272
-
\??\c:\lrlxrlf.exec:\lrlxrlf.exe105⤵PID:3816
-
\??\c:\thhbth.exec:\thhbth.exe106⤵PID:1688
-
\??\c:\1ttnbb.exec:\1ttnbb.exe107⤵PID:4784
-
\??\c:\3jvjd.exec:\3jvjd.exe108⤵PID:2492
-
\??\c:\rllfxxx.exec:\rllfxxx.exe109⤵PID:2212
-
\??\c:\tbbthb.exec:\tbbthb.exe110⤵PID:336
-
\??\c:\tnhnhh.exec:\tnhnhh.exe111⤵PID:2896
-
\??\c:\jpvpd.exec:\jpvpd.exe112⤵PID:408
-
\??\c:\jddvp.exec:\jddvp.exe113⤵PID:4776
-
\??\c:\9lffxfx.exec:\9lffxfx.exe114⤵PID:1700
-
\??\c:\nhnhhb.exec:\nhnhhb.exe115⤵PID:3056
-
\??\c:\hthbhh.exec:\hthbhh.exe116⤵PID:4340
-
\??\c:\pvjjj.exec:\pvjjj.exe117⤵PID:1280
-
\??\c:\lflfllr.exec:\lflfllr.exe118⤵PID:448
-
\??\c:\htbtnn.exec:\htbtnn.exe119⤵PID:1148
-
\??\c:\btbbth.exec:\btbbth.exe120⤵PID:3288
-
\??\c:\vvvvp.exec:\vvvvp.exe121⤵PID:2652
-
\??\c:\1rrlflf.exec:\1rrlflf.exe122⤵PID:892