Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 06:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
150 seconds
General
-
Target
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe
-
Size
454KB
-
MD5
f484a319108eca7ca1710eca7f592c02
-
SHA1
f0fbb191a4c381ac71ab372f64a47e93a118b917
-
SHA256
5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855
-
SHA512
8e040a478bc96482d3196f9273d70677b20408b4176e052bd2bfee45de655eb8851993f5d086f3831a98696ac77b7fd39822f355be3d5e917df14206c164018b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe3:q7Tc2NYHUrAwfMp3CD3
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4892-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1488-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2536-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-672-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-1287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2796 rllxfxl.exe 1664 bttnhh.exe 3948 ddvpj.exe 4076 rllxrlf.exe 4436 tntnnn.exe 4488 bnbbtt.exe 2944 pjjvp.exe 1008 xrxrllf.exe 4868 fxllrrx.exe 3472 5hnhbb.exe 2916 jjjdd.exe 2664 5rlfxxl.exe 672 rlrflff.exe 2364 9bhnbh.exe 3548 vjjdp.exe 3824 hhbnhb.exe 348 jvdpd.exe 4772 lxfrfrr.exe 2040 tbbtnn.exe 2920 1pvpj.exe 4756 rllffxx.exe 3460 btttnh.exe 712 jpvpp.exe 2996 rxfxlfx.exe 3032 9llrfrl.exe 2408 thnbtn.exe 3124 1ntnht.exe 4416 xxlfxxr.exe 4800 hbhbbb.exe 4712 jvdvp.exe 3828 ffxxxrr.exe 5004 hbbhbb.exe 4584 ddpdv.exe 2620 ffxfxxr.exe 1388 1hnhbb.exe 1132 dpvjd.exe 4316 rflfffx.exe 1488 3hhthb.exe 1320 5dddv.exe 4912 rrxrlxr.exe 1832 rrrlfff.exe 4528 1ththn.exe 2368 pvvpp.exe 5020 lxxlfxr.exe 3916 nhhhbb.exe 468 nbbthb.exe 3652 1ppjv.exe 2656 rxfxrlf.exe 2256 tnbbtb.exe 4744 pdvjv.exe 4404 lrfflxf.exe 2512 7nthtn.exe 2848 bthnhb.exe 876 vjdpp.exe 2028 3ffxrrr.exe 1028 llffxxx.exe 3512 hnhhbb.exe 3340 djdvj.exe 3452 rxxfrfr.exe 2944 tthbtt.exe 2424 nntntt.exe 2348 pdjjd.exe 4868 vddpv.exe 4328 xffxfxr.exe -
resource yara_rule behavioral2/memory/4892-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-205-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4756-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5092-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-668-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-672-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-712-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
9tnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4892 wrote to memory of 2796 4892 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 83 PID 4892 wrote to memory of 2796 4892 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 83 PID 4892 wrote to memory of 2796 4892 5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe 83 PID 2796 wrote to memory of 1664 2796 rllxfxl.exe 84 PID 2796 wrote to memory of 1664 2796 rllxfxl.exe 84 PID 2796 wrote to memory of 1664 2796 rllxfxl.exe 84 PID 1664 wrote to memory of 3948 1664 bttnhh.exe 85 PID 1664 wrote to memory of 3948 1664 bttnhh.exe 85 PID 1664 wrote to memory of 3948 1664 bttnhh.exe 85 PID 3948 wrote to memory of 4076 3948 ddvpj.exe 86 PID 3948 wrote to memory of 4076 3948 ddvpj.exe 86 PID 3948 wrote to memory of 4076 3948 ddvpj.exe 86 PID 4076 wrote to memory of 4436 4076 rllxrlf.exe 87 PID 4076 wrote to memory of 4436 4076 rllxrlf.exe 87 PID 4076 wrote to memory of 4436 4076 rllxrlf.exe 87 PID 4436 wrote to memory of 4488 4436 tntnnn.exe 88 PID 4436 wrote to memory of 4488 4436 tntnnn.exe 88 PID 4436 wrote to memory of 4488 4436 tntnnn.exe 88 PID 4488 wrote to memory of 2944 4488 bnbbtt.exe 89 PID 4488 wrote to memory of 2944 4488 bnbbtt.exe 89 PID 4488 wrote to memory of 2944 4488 bnbbtt.exe 89 PID 2944 wrote to memory of 1008 2944 pjjvp.exe 90 PID 2944 wrote to memory of 1008 2944 pjjvp.exe 90 PID 2944 wrote to memory of 1008 2944 pjjvp.exe 90 PID 1008 wrote to memory of 4868 1008 xrxrllf.exe 91 PID 1008 wrote to memory of 4868 1008 xrxrllf.exe 91 PID 1008 wrote to memory of 4868 1008 xrxrllf.exe 91 PID 4868 wrote to memory of 3472 4868 fxllrrx.exe 92 PID 4868 wrote to memory of 3472 4868 fxllrrx.exe 92 PID 4868 wrote to memory of 3472 4868 fxllrrx.exe 92 PID 3472 wrote to memory of 2916 3472 5hnhbb.exe 93 PID 3472 wrote to memory of 2916 3472 5hnhbb.exe 93 PID 3472 wrote to memory of 2916 3472 5hnhbb.exe 93 PID 2916 wrote to memory of 2664 2916 jjjdd.exe 94 PID 2916 wrote 
to memory of 2664 2916 jjjdd.exe 94 PID 2916 wrote to memory of 2664 2916 jjjdd.exe 94 PID 2664 wrote to memory of 672 2664 5rlfxxl.exe 95 PID 2664 wrote to memory of 672 2664 5rlfxxl.exe 95 PID 2664 wrote to memory of 672 2664 5rlfxxl.exe 95 PID 672 wrote to memory of 2364 672 rlrflff.exe 96 PID 672 wrote to memory of 2364 672 rlrflff.exe 96 PID 672 wrote to memory of 2364 672 rlrflff.exe 96 PID 2364 wrote to memory of 3548 2364 9bhnbh.exe 97 PID 2364 wrote to memory of 3548 2364 9bhnbh.exe 97 PID 2364 wrote to memory of 3548 2364 9bhnbh.exe 97 PID 3548 wrote to memory of 3824 3548 vjjdp.exe 98 PID 3548 wrote to memory of 3824 3548 vjjdp.exe 98 PID 3548 wrote to memory of 3824 3548 vjjdp.exe 98 PID 3824 wrote to memory of 348 3824 hhbnhb.exe 99 PID 3824 wrote to memory of 348 3824 hhbnhb.exe 99 PID 3824 wrote to memory of 348 3824 hhbnhb.exe 99 PID 348 wrote to memory of 4772 348 jvdpd.exe 100 PID 348 wrote to memory of 4772 348 jvdpd.exe 100 PID 348 wrote to memory of 4772 348 jvdpd.exe 100 PID 4772 wrote to memory of 2040 4772 lxfrfrr.exe 101 PID 4772 wrote to memory of 2040 4772 lxfrfrr.exe 101 PID 4772 wrote to memory of 2040 4772 lxfrfrr.exe 101 PID 2040 wrote to memory of 2920 2040 tbbtnn.exe 102 PID 2040 wrote to memory of 2920 2040 tbbtnn.exe 102 PID 2040 wrote to memory of 2920 2040 tbbtnn.exe 102 PID 2920 wrote to memory of 4756 2920 1pvpj.exe 103 PID 2920 wrote to memory of 4756 2920 1pvpj.exe 103 PID 2920 wrote to memory of 4756 2920 1pvpj.exe 103 PID 4756 wrote to memory of 3460 4756 rllffxx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"C:\Users\Admin\AppData\Local\Temp\5230e5a9806148932ed518eabe4d57c7073f312f8b051f5dfb32faf148e44855.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\rllxfxl.exec:\rllxfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\bttnhh.exec:\bttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
\??\c:\ddvpj.exec:\ddvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\rllxrlf.exec:\rllxrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\tntnnn.exec:\tntnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\bnbbtt.exec:\bnbbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\pjjvp.exec:\pjjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xrxrllf.exec:\xrxrllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008 -
\??\c:\fxllrrx.exec:\fxllrrx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\5hnhbb.exec:\5hnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\jjjdd.exec:\jjjdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916 -
\??\c:\5rlfxxl.exec:\5rlfxxl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\rlrflff.exec:\rlrflff.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\9bhnbh.exec:\9bhnbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\vjjdp.exec:\vjjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\hhbnhb.exec:\hhbnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\jvdpd.exec:\jvdpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\lxfrfrr.exec:\lxfrfrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\tbbtnn.exec:\tbbtnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\1pvpj.exec:\1pvpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\rllffxx.exec:\rllffxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\btttnh.exec:\btttnh.exe23⤵
- Executes dropped EXE
PID:3460 -
\??\c:\jpvpp.exec:\jpvpp.exe24⤵
- Executes dropped EXE
PID:712 -
\??\c:\rxfxlfx.exec:\rxfxlfx.exe25⤵
- Executes dropped EXE
PID:2996 -
\??\c:\9llrfrl.exec:\9llrfrl.exe26⤵
- Executes dropped EXE
PID:3032 -
\??\c:\thnbtn.exec:\thnbtn.exe27⤵
- Executes dropped EXE
PID:2408 -
\??\c:\1ntnht.exec:\1ntnht.exe28⤵
- Executes dropped EXE
PID:3124 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe29⤵
- Executes dropped EXE
PID:4416 -
\??\c:\hbhbbb.exec:\hbhbbb.exe30⤵
- Executes dropped EXE
PID:4800 -
\??\c:\jvdvp.exec:\jvdvp.exe31⤵
- Executes dropped EXE
PID:4712 -
\??\c:\ffxxxrr.exec:\ffxxxrr.exe32⤵
- Executes dropped EXE
PID:3828 -
\??\c:\hbbhbb.exec:\hbbhbb.exe33⤵
- Executes dropped EXE
PID:5004 -
\??\c:\ddpdv.exec:\ddpdv.exe34⤵
- Executes dropped EXE
PID:4584 -
\??\c:\ffxfxxr.exec:\ffxfxxr.exe35⤵
- Executes dropped EXE
PID:2620 -
\??\c:\1hnhbb.exec:\1hnhbb.exe36⤵
- Executes dropped EXE
PID:1388 -
\??\c:\dpvjd.exec:\dpvjd.exe37⤵
- Executes dropped EXE
PID:1132 -
\??\c:\rflfffx.exec:\rflfffx.exe38⤵
- Executes dropped EXE
PID:4316 -
\??\c:\3hhthb.exec:\3hhthb.exe39⤵
- Executes dropped EXE
PID:1488 -
\??\c:\5dddv.exec:\5dddv.exe40⤵
- Executes dropped EXE
PID:1320 -
\??\c:\rrxrlxr.exec:\rrxrlxr.exe41⤵
- Executes dropped EXE
PID:4912 -
\??\c:\rrrlfff.exec:\rrrlfff.exe42⤵
- Executes dropped EXE
PID:1832 -
\??\c:\1ththn.exec:\1ththn.exe43⤵
- Executes dropped EXE
PID:4528 -
\??\c:\pvvpp.exec:\pvvpp.exe44⤵
- Executes dropped EXE
PID:2368 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe45⤵
- Executes dropped EXE
PID:5020 -
\??\c:\nhhhbb.exec:\nhhhbb.exe46⤵
- Executes dropped EXE
PID:3916 -
\??\c:\nbbthb.exec:\nbbthb.exe47⤵
- Executes dropped EXE
PID:468 -
\??\c:\1ppjv.exec:\1ppjv.exe48⤵
- Executes dropped EXE
PID:3652 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe49⤵
- Executes dropped EXE
PID:2656 -
\??\c:\tnbbtb.exec:\tnbbtb.exe50⤵
- Executes dropped EXE
PID:2256 -
\??\c:\pdvjv.exec:\pdvjv.exe51⤵
- Executes dropped EXE
PID:4744 -
\??\c:\lrfflxf.exec:\lrfflxf.exe52⤵
- Executes dropped EXE
PID:4404 -
\??\c:\7nthtn.exec:\7nthtn.exe53⤵
- Executes dropped EXE
PID:2512 -
\??\c:\bthnhb.exec:\bthnhb.exe54⤵
- Executes dropped EXE
PID:2848 -
\??\c:\vjdpp.exec:\vjdpp.exe55⤵
- Executes dropped EXE
PID:876 -
\??\c:\3ffxrrr.exec:\3ffxrrr.exe56⤵
- Executes dropped EXE
PID:2028 -
\??\c:\llffxxx.exec:\llffxxx.exe57⤵
- Executes dropped EXE
PID:1028 -
\??\c:\hnhhbb.exec:\hnhhbb.exe58⤵
- Executes dropped EXE
PID:3512 -
\??\c:\djdvj.exec:\djdvj.exe59⤵
- Executes dropped EXE
PID:3340 -
\??\c:\rxxfrfr.exec:\rxxfrfr.exe60⤵
- Executes dropped EXE
PID:3452 -
\??\c:\tthbtt.exec:\tthbtt.exe61⤵
- Executes dropped EXE
PID:2944 -
\??\c:\nntntt.exec:\nntntt.exe62⤵
- Executes dropped EXE
PID:2424 -
\??\c:\pdjjd.exec:\pdjjd.exe63⤵
- Executes dropped EXE
PID:2348 -
\??\c:\vddpv.exec:\vddpv.exe64⤵
- Executes dropped EXE
PID:4868 -
\??\c:\xffxfxr.exec:\xffxfxr.exe65⤵
- Executes dropped EXE
PID:4328 -
\??\c:\3btthb.exec:\3btthb.exe66⤵PID:3472
-
\??\c:\7bnhbt.exec:\7bnhbt.exe67⤵PID:788
-
\??\c:\djjpd.exec:\djjpd.exe68⤵PID:4968
-
\??\c:\jddjd.exec:\jddjd.exe69⤵PID:1996
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe70⤵PID:464
-
\??\c:\thnbbb.exec:\thnbbb.exe71⤵PID:1964
-
\??\c:\pvjdp.exec:\pvjdp.exe72⤵PID:1764
-
\??\c:\xlrxxll.exec:\xlrxxll.exe73⤵PID:3068
-
\??\c:\llfxllr.exec:\llfxllr.exe74⤵PID:2020
-
\??\c:\thnhtt.exec:\thnhtt.exe75⤵PID:2732
-
\??\c:\jpppp.exec:\jpppp.exe76⤵PID:4616
-
\??\c:\jdjvp.exec:\jdjvp.exe77⤵PID:4772
-
\??\c:\xlrxlxf.exec:\xlrxlxf.exe78⤵PID:3300
-
\??\c:\httnhb.exec:\httnhb.exe79⤵PID:2536
-
\??\c:\nhhbhh.exec:\nhhbhh.exe80⤵PID:2776
-
\??\c:\ddjjj.exec:\ddjjj.exe81⤵PID:3688
-
\??\c:\rffxrlx.exec:\rffxrlx.exe82⤵PID:2456
-
\??\c:\lffxlfx.exec:\lffxlfx.exe83⤵PID:1500
-
\??\c:\bthtnh.exec:\bthtnh.exe84⤵PID:4896
-
\??\c:\dvvpj.exec:\dvvpj.exe85⤵
- System Location Discovery: System Language Discovery
PID:2532 -
\??\c:\dpvpj.exec:\dpvpj.exe86⤵PID:3032
-
\??\c:\lrxxllx.exec:\lrxxllx.exe87⤵PID:4796
-
\??\c:\hnthbn.exec:\hnthbn.exe88⤵PID:2324
-
\??\c:\thhbtt.exec:\thhbtt.exe89⤵PID:2868
-
\??\c:\vppjv.exec:\vppjv.exe90⤵PID:1904
-
\??\c:\frxrllf.exec:\frxrllf.exe91⤵PID:3912
-
\??\c:\5xrlffx.exec:\5xrlffx.exe92⤵PID:916
-
\??\c:\bbbbhh.exec:\bbbbhh.exe93⤵PID:4712
-
\??\c:\fxrlfff.exec:\fxrlfff.exe94⤵PID:768
-
\??\c:\fxrxrff.exec:\fxrxrff.exe95⤵PID:5092
-
\??\c:\vpjdj.exec:\vpjdj.exe96⤵PID:5052
-
\??\c:\ffxrllf.exec:\ffxrllf.exe97⤵PID:4584
-
\??\c:\pvvjd.exec:\pvvjd.exe98⤵PID:3952
-
\??\c:\xxrlxfr.exec:\xxrlxfr.exe99⤵PID:4784
-
\??\c:\rllfxxr.exec:\rllfxxr.exe100⤵PID:5012
-
\??\c:\jddpj.exec:\jddpj.exe101⤵PID:1180
-
\??\c:\rxlfrrl.exec:\rxlfrrl.exe102⤵PID:892
-
\??\c:\thnhbb.exec:\thnhbb.exe103⤵PID:3384
-
\??\c:\pppjv.exec:\pppjv.exe104⤵PID:872
-
\??\c:\5rrxlll.exec:\5rrxlll.exe105⤵PID:4044
-
\??\c:\vvjjp.exec:\vvjjp.exe106⤵PID:4196
-
\??\c:\jvjvp.exec:\jvjvp.exe107⤵PID:2788
-
\??\c:\lfrllll.exec:\lfrllll.exe108⤵PID:3852
-
\??\c:\nhhbtt.exec:\nhhbtt.exe109⤵PID:1384
-
\??\c:\pvjvp.exec:\pvjvp.exe110⤵PID:1004
-
\??\c:\lfrfffl.exec:\lfrfffl.exe111⤵PID:2472
-
\??\c:\rrrlffx.exec:\rrrlffx.exe112⤵PID:3080
-
\??\c:\htbbtt.exec:\htbbtt.exe113⤵PID:3652
-
\??\c:\3vvpd.exec:\3vvpd.exe114⤵PID:2656
-
\??\c:\5rxlfxl.exec:\5rxlfxl.exe115⤵PID:4604
-
\??\c:\7hnnhh.exec:\7hnnhh.exe116⤵PID:4276
-
\??\c:\bnnbnb.exec:\bnnbnb.exe117⤵PID:4272
-
\??\c:\7jdvj.exec:\7jdvj.exe118⤵PID:5032
-
\??\c:\9hhhtn.exec:\9hhhtn.exe119⤵PID:3444
-
\??\c:\hntnbb.exec:\hntnbb.exe120⤵PID:2796
-
\??\c:\1ppjv.exec:\1ppjv.exe121⤵PID:4752
-
\??\c:\rlrlfxl.exec:\rlrlfxl.exe122⤵PID:4436