Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 03:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe
-
Size
453KB
-
MD5
25270dba82b4387dce3ee39afb168b5e
-
SHA1
53e312f75105cbb6c9f9a24e25916a48648f3f55
-
SHA256
9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028
-
SHA512
01955c33abdd340645e44caf784420c6042b5d2df06dca6214c781adcfc0278f0ecc832856b42b1f6d60b2462940c3f2813403b6d9b30436ee713f3497af6afc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4632-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4064-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3844-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3364-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-835-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-881-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-977-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-1552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4632 rffffll.exe 4316 nthbhh.exe 3124 vppjd.exe 4020 xrrrrrx.exe 1884 9hbnht.exe 976 9pjdv.exe 4856 nbbtnh.exe 4564 jjvvp.exe 4156 1xxfrlx.exe 4076 bhbbnt.exe 2400 jdpjv.exe 536 xfrfrlr.exe 1924 hthbnh.exe 4888 vppdj.exe 1652 1hnbnb.exe 3592 xrrxllx.exe 2064 9tnnbh.exe 4064 ttnhbn.exe 2116 dvdpv.exe 3332 fllrlff.exe 1784 9hhnbt.exe 1032 flfrlrl.exe 1532 5ttttn.exe 4672 vjdpj.exe 1692 9lrlxfx.exe 1960 pdjdd.exe 5004 nnnhtn.exe 3196 jddpd.exe 3844 hbhtnn.exe 436 dddvp.exe 880 rlxlxrf.exe 556 nhnbhb.exe 4276 1jdpd.exe 3708 xxfrfxl.exe 2856 nhbtht.exe 2032 jjddv.exe 532 lflxrlf.exe 3464 rxlfrrl.exe 1912 bnthbb.exe 984 vpdvp.exe 2624 3flxrlr.exe 1716 rfxffxr.exe 4392 ntbnbt.exe 972 ppjdv.exe 3608 frrrlfx.exe 3648 lxxxllf.exe 1952 5tbnbb.exe 3092 dpvjd.exe 3124 7llxfxr.exe 2836 7rrlfff.exe 2920 btthtn.exe 1884 vjpdv.exe 2928 7fxlxlx.exe 4164 3nbthh.exe 2520 1jdpv.exe 4432 pjdpv.exe 1400 rllflrr.exe 404 xxxxlrf.exe 1552 7tbnhh.exe 4924 3pdpd.exe 2292 1ddpp.exe 4552 rffxrlr.exe 4028 btbtbt.exe 3364 1vvjd.exe -
resource yara_rule behavioral2/memory/4632-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-110-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1532-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3844-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4600-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-835-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-881-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-885-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3744 wrote to memory of 4632 3744 9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe 82 PID 3744 wrote to memory of 4632 3744 9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe 82 PID 3744 wrote to memory of 4632 3744 9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe 82 PID 4632 wrote to memory of 4316 4632 rffffll.exe 83 PID 4632 wrote to memory of 4316 4632 rffffll.exe 83 PID 4632 wrote to memory of 4316 4632 rffffll.exe 83 PID 4316 wrote to memory of 3124 4316 nthbhh.exe 84 PID 4316 wrote to memory of 3124 4316 nthbhh.exe 84 PID 4316 wrote to memory of 3124 4316 nthbhh.exe 84 PID 3124 wrote to memory of 4020 3124 vppjd.exe 85 PID 3124 wrote to memory of 4020 3124 vppjd.exe 85 PID 3124 wrote to memory of 4020 3124 vppjd.exe 85 PID 4020 wrote to memory of 1884 4020 xrrrrrx.exe 86 PID 4020 wrote to memory of 1884 4020 xrrrrrx.exe 86 PID 4020 wrote to memory of 1884 4020 xrrrrrx.exe 86 PID 1884 wrote to memory of 976 1884 9hbnht.exe 87 PID 1884 wrote to memory of 976 1884 9hbnht.exe 87 PID 1884 wrote to memory of 976 1884 9hbnht.exe 87 PID 976 wrote to memory of 4856 976 9pjdv.exe 88 PID 976 wrote to memory of 4856 976 9pjdv.exe 88 PID 976 wrote to memory of 4856 976 9pjdv.exe 88 PID 4856 wrote to memory of 4564 4856 nbbtnh.exe 89 PID 4856 wrote to memory of 4564 4856 nbbtnh.exe 89 PID 4856 wrote to memory of 4564 4856 nbbtnh.exe 89 PID 4564 wrote to memory of 4156 4564 jjvvp.exe 90 PID 4564 wrote to memory of 4156 4564 jjvvp.exe 90 PID 4564 wrote to memory of 4156 4564 jjvvp.exe 90 PID 4156 wrote to memory of 4076 4156 1xxfrlx.exe 91 PID 4156 wrote to memory of 4076 4156 1xxfrlx.exe 91 PID 4156 wrote to memory of 4076 4156 1xxfrlx.exe 91 PID 4076 wrote to memory of 2400 4076 bhbbnt.exe 92 PID 4076 wrote to memory of 2400 4076 bhbbnt.exe 92 PID 4076 wrote to memory of 2400 4076 bhbbnt.exe 92 PID 2400 wrote to memory of 536 2400 jdpjv.exe 93 PID 2400 wrote to memory of 
536 2400 jdpjv.exe 93 PID 2400 wrote to memory of 536 2400 jdpjv.exe 93 PID 536 wrote to memory of 1924 536 xfrfrlr.exe 94 PID 536 wrote to memory of 1924 536 xfrfrlr.exe 94 PID 536 wrote to memory of 1924 536 xfrfrlr.exe 94 PID 1924 wrote to memory of 4888 1924 hthbnh.exe 95 PID 1924 wrote to memory of 4888 1924 hthbnh.exe 95 PID 1924 wrote to memory of 4888 1924 hthbnh.exe 95 PID 4888 wrote to memory of 1652 4888 vppdj.exe 96 PID 4888 wrote to memory of 1652 4888 vppdj.exe 96 PID 4888 wrote to memory of 1652 4888 vppdj.exe 96 PID 1652 wrote to memory of 3592 1652 1hnbnb.exe 97 PID 1652 wrote to memory of 3592 1652 1hnbnb.exe 97 PID 1652 wrote to memory of 3592 1652 1hnbnb.exe 97 PID 3592 wrote to memory of 2064 3592 xrrxllx.exe 98 PID 3592 wrote to memory of 2064 3592 xrrxllx.exe 98 PID 3592 wrote to memory of 2064 3592 xrrxllx.exe 98 PID 2064 wrote to memory of 4064 2064 9tnnbh.exe 99 PID 2064 wrote to memory of 4064 2064 9tnnbh.exe 99 PID 2064 wrote to memory of 4064 2064 9tnnbh.exe 99 PID 4064 wrote to memory of 2116 4064 ttnhbn.exe 100 PID 4064 wrote to memory of 2116 4064 ttnhbn.exe 100 PID 4064 wrote to memory of 2116 4064 ttnhbn.exe 100 PID 2116 wrote to memory of 3332 2116 dvdpv.exe 101 PID 2116 wrote to memory of 3332 2116 dvdpv.exe 101 PID 2116 wrote to memory of 3332 2116 dvdpv.exe 101 PID 3332 wrote to memory of 1784 3332 fllrlff.exe 102 PID 3332 wrote to memory of 1784 3332 fllrlff.exe 102 PID 3332 wrote to memory of 1784 3332 fllrlff.exe 102 PID 1784 wrote to memory of 1032 1784 9hhnbt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe"C:\Users\Admin\AppData\Local\Temp\9570346b269aa867e821c88325699e8eefb2310b3c94118e745c5dd7db3a6028.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\rffffll.exec:\rffffll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\nthbhh.exec:\nthbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\vppjd.exec:\vppjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\xrrrrrx.exec:\xrrrrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\9hbnht.exec:\9hbnht.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\9pjdv.exec:\9pjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\nbbtnh.exec:\nbbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\jjvvp.exec:\jjvvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\1xxfrlx.exec:\1xxfrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\bhbbnt.exec:\bhbbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\jdpjv.exec:\jdpjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\xfrfrlr.exec:\xfrfrlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\hthbnh.exec:\hthbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\vppdj.exec:\vppdj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888 -
\??\c:\1hnbnb.exec:\1hnbnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\xrrxllx.exec:\xrrxllx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\9tnnbh.exec:\9tnnbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\ttnhbn.exec:\ttnhbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\dvdpv.exec:\dvdpv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\fllrlff.exec:\fllrlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\9hhnbt.exec:\9hhnbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\flfrlrl.exec:\flfrlrl.exe23⤵
- Executes dropped EXE
PID:1032 -
\??\c:\5ttttn.exec:\5ttttn.exe24⤵
- Executes dropped EXE
PID:1532 -
\??\c:\vjdpj.exec:\vjdpj.exe25⤵
- Executes dropped EXE
PID:4672 -
\??\c:\9lrlxfx.exec:\9lrlxfx.exe26⤵
- Executes dropped EXE
PID:1692 -
\??\c:\pdjdd.exec:\pdjdd.exe27⤵
- Executes dropped EXE
PID:1960 -
\??\c:\nnnhtn.exec:\nnnhtn.exe28⤵
- Executes dropped EXE
PID:5004 -
\??\c:\jddpd.exec:\jddpd.exe29⤵
- Executes dropped EXE
PID:3196 -
\??\c:\hbhtnn.exec:\hbhtnn.exe30⤵
- Executes dropped EXE
PID:3844 -
\??\c:\dddvp.exec:\dddvp.exe31⤵
- Executes dropped EXE
PID:436 -
\??\c:\rlxlxrf.exec:\rlxlxrf.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\nhnbhb.exec:\nhnbhb.exe33⤵
- Executes dropped EXE
PID:556 -
\??\c:\1jdpd.exec:\1jdpd.exe34⤵
- Executes dropped EXE
PID:4276 -
\??\c:\xxfrfxl.exec:\xxfrfxl.exe35⤵
- Executes dropped EXE
PID:3708 -
\??\c:\nhbtht.exec:\nhbtht.exe36⤵
- Executes dropped EXE
PID:2856 -
\??\c:\jjddv.exec:\jjddv.exe37⤵
- Executes dropped EXE
PID:2032 -
\??\c:\lflxrlf.exec:\lflxrlf.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:532 -
\??\c:\rxlfrrl.exec:\rxlfrrl.exe39⤵
- Executes dropped EXE
PID:3464 -
\??\c:\bnthbb.exec:\bnthbb.exe40⤵
- Executes dropped EXE
PID:1912 -
\??\c:\vpdvp.exec:\vpdvp.exe41⤵
- Executes dropped EXE
PID:984 -
\??\c:\3flxrlr.exec:\3flxrlr.exe42⤵
- Executes dropped EXE
PID:2624 -
\??\c:\rfxffxr.exec:\rfxffxr.exe43⤵
- Executes dropped EXE
PID:1716 -
\??\c:\ntbnbt.exec:\ntbnbt.exe44⤵
- Executes dropped EXE
PID:4392 -
\??\c:\ppjdv.exec:\ppjdv.exe45⤵
- Executes dropped EXE
PID:972 -
\??\c:\frrrlfx.exec:\frrrlfx.exe46⤵
- Executes dropped EXE
PID:3608 -
\??\c:\lxxxllf.exec:\lxxxllf.exe47⤵
- Executes dropped EXE
PID:3648 -
\??\c:\5tbnbb.exec:\5tbnbb.exe48⤵
- Executes dropped EXE
PID:1952 -
\??\c:\dpvjd.exec:\dpvjd.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3092 -
\??\c:\7llxfxr.exec:\7llxfxr.exe50⤵
- Executes dropped EXE
PID:3124 -
\??\c:\7rrlfff.exec:\7rrlfff.exe51⤵
- Executes dropped EXE
PID:2836 -
\??\c:\btthtn.exec:\btthtn.exe52⤵
- Executes dropped EXE
PID:2920 -
\??\c:\vjpdv.exec:\vjpdv.exe53⤵
- Executes dropped EXE
PID:1884 -
\??\c:\7fxlxlx.exec:\7fxlxlx.exe54⤵
- Executes dropped EXE
PID:2928 -
\??\c:\3nbthh.exec:\3nbthh.exe55⤵
- Executes dropped EXE
PID:4164 -
\??\c:\1jdpv.exec:\1jdpv.exe56⤵
- Executes dropped EXE
PID:2520 -
\??\c:\pjdpv.exec:\pjdpv.exe57⤵
- Executes dropped EXE
PID:4432 -
\??\c:\rllflrr.exec:\rllflrr.exe58⤵
- Executes dropped EXE
PID:1400 -
\??\c:\xxxxlrf.exec:\xxxxlrf.exe59⤵
- Executes dropped EXE
PID:404 -
\??\c:\7tbnhh.exec:\7tbnhh.exe60⤵
- Executes dropped EXE
PID:1552 -
\??\c:\3pdpd.exec:\3pdpd.exe61⤵
- Executes dropped EXE
PID:4924 -
\??\c:\1ddpp.exec:\1ddpp.exe62⤵
- Executes dropped EXE
PID:2292 -
\??\c:\rffxrlr.exec:\rffxrlr.exe63⤵
- Executes dropped EXE
PID:4552 -
\??\c:\btbtbt.exec:\btbtbt.exe64⤵
- Executes dropped EXE
PID:4028 -
\??\c:\1vvjd.exec:\1vvjd.exe65⤵
- Executes dropped EXE
PID:3364 -
\??\c:\9ppjj.exec:\9ppjj.exe66⤵PID:1036
-
\??\c:\lrxrfxl.exec:\lrxrfxl.exe67⤵PID:2944
-
\??\c:\nbhttn.exec:\nbhttn.exe68⤵PID:3644
-
\??\c:\nhbnht.exec:\nhbnht.exe69⤵PID:4828
-
\??\c:\pvvpv.exec:\pvvpv.exe70⤵PID:3416
-
\??\c:\rlfrrrl.exec:\rlfrrrl.exe71⤵PID:1900
-
\??\c:\hbtntn.exec:\hbtntn.exe72⤵PID:3084
-
\??\c:\7vpjv.exec:\7vpjv.exe73⤵PID:1468
-
\??\c:\rflxlfr.exec:\rflxlfr.exe74⤵PID:2388
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe75⤵PID:2280
-
\??\c:\1hnbnh.exec:\1hnbnh.exe76⤵PID:2736
-
\??\c:\pvvdp.exec:\pvvdp.exe77⤵PID:4032
-
\??\c:\9vdpv.exec:\9vdpv.exe78⤵PID:4328
-
\??\c:\lxfrrll.exec:\lxfrrll.exe79⤵PID:4996
-
\??\c:\9tthbt.exec:\9tthbt.exe80⤵PID:3792
-
\??\c:\djvvd.exec:\djvvd.exe81⤵PID:2952
-
\??\c:\1jdpp.exec:\1jdpp.exe82⤵PID:2816
-
\??\c:\frrffxl.exec:\frrffxl.exe83⤵PID:4456
-
\??\c:\hhbthb.exec:\hhbthb.exe84⤵PID:1236
-
\??\c:\pjdjj.exec:\pjdjj.exe85⤵PID:4600
-
\??\c:\9llxfxx.exec:\9llxfxx.exe86⤵PID:4120
-
\??\c:\nbbhhb.exec:\nbbhhb.exe87⤵PID:3488
-
\??\c:\5dvjv.exec:\5dvjv.exe88⤵PID:5116
-
\??\c:\1vpdj.exec:\1vpdj.exe89⤵
- System Location Discovery: System Language Discovery
PID:4580 -
\??\c:\lflxrll.exec:\lflxrll.exe90⤵PID:5020
-
\??\c:\nnbhbn.exec:\nnbhbn.exe91⤵PID:1832
-
\??\c:\5vpdv.exec:\5vpdv.exe92⤵PID:4964
-
\??\c:\xrlxlxr.exec:\xrlxlxr.exe93⤵PID:2060
-
\??\c:\xrlrfxr.exec:\xrlrfxr.exe94⤵PID:2088
-
\??\c:\3bthtn.exec:\3bthtn.exe95⤵PID:5076
-
\??\c:\jvvjd.exec:\jvvjd.exe96⤵PID:4784
-
\??\c:\rxfxlxr.exec:\rxfxlxr.exe97⤵PID:4112
-
\??\c:\htbnnh.exec:\htbnnh.exe98⤵PID:4544
-
\??\c:\jjjvp.exec:\jjjvp.exe99⤵PID:4276
-
\??\c:\7rrlxxr.exec:\7rrlxxr.exe100⤵PID:3708
-
\??\c:\fflxlxr.exec:\fflxlxr.exe101⤵PID:2856
-
\??\c:\thbthb.exec:\thbthb.exe102⤵PID:2032
-
\??\c:\7ddpd.exec:\7ddpd.exe103⤵PID:532
-
\??\c:\xrxllxl.exec:\xrxllxl.exe104⤵PID:4152
-
\??\c:\5hhthb.exec:\5hhthb.exe105⤵PID:4324
-
\??\c:\nhbbtn.exec:\nhbbtn.exe106⤵PID:1972
-
\??\c:\jjjpp.exec:\jjjpp.exe107⤵PID:4588
-
\??\c:\lxrfrfr.exec:\lxrfrfr.exe108⤵PID:2676
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe109⤵PID:4424
-
\??\c:\tnhbth.exec:\tnhbth.exe110⤵PID:4896
-
\??\c:\vppdv.exec:\vppdv.exe111⤵PID:944
-
\??\c:\lxxlxlx.exec:\lxxlxlx.exe112⤵PID:3836
-
\??\c:\9bhhtt.exec:\9bhhtt.exe113⤵PID:1564
-
\??\c:\btntnh.exec:\btntnh.exe114⤵PID:3620
-
\??\c:\dpjdv.exec:\dpjdv.exe115⤵PID:2316
-
\??\c:\xxxlxrf.exec:\xxxlxrf.exe116⤵PID:4792
-
\??\c:\tbbnbt.exec:\tbbnbt.exe117⤵PID:468
-
\??\c:\nnnbnn.exec:\nnnbnn.exe118⤵PID:2848
-
\??\c:\7ddpp.exec:\7ddpp.exe119⤵PID:3368
-
\??\c:\lflxxrf.exec:\lflxxrf.exe120⤵PID:3400
-
\??\c:\3bnhbt.exec:\3bnhbt.exe121⤵PID:1752
-
\??\c:\9pvjp.exec:\9pvjp.exe122⤵PID:1516