Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 07:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1N.exe
-
Size
454KB
-
MD5
0dc14fe667d6a447a39cb365d54dcf30
-
SHA1
63b40ed8962ad44feaae2e2b3fc0af611cda3e95
-
SHA256
6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1
-
SHA512
3042b3878081ba3ba41a4b1360695dd78edda4549254565f6038ba8e6295191efa9021e8a30f7003c486c5766a559b9aa1a37e777b97113b3113426e3f09ac72
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures (the IoCs below are tagged behavioral2, i.e. the windows10-2004_x64 / win10v2004-20241007-en run described in the header; the behavioral1 task with resource win7-20241023-en listed above is a separate run and its results are not shown here)
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs (every hit is the same family_blackmoon YARA match on the 0x00400000-0x0042A000 image region of a different process in the spawn chain, so this is one payload re-executed many times rather than 62 distinct payloads; a few PIDs recur, e.g. 760 and 1628, because the sandbox reused them for later chain members)
resource yara_rule behavioral2/memory/872-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4404-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4132-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-794-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-1186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-1314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-1330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each dropped EXE is launched by the one before it, forming a single linear parent-to-child chain; the files are written to the root of the system drive as short consonant-only names such as \??\c:\lrxrffx.exe, which is the most useful host artifact to hunt for; this list appears capped at 64 entries while the process tree below continues past depth 120)
pid Process 1360 lrxrffx.exe 3108 9bhbhh.exe 3436 hnnhbn.exe 4820 pjvvj.exe 3368 tnbtnn.exe 1196 3rxxlfx.exe 1052 jpvpp.exe 3340 5vdvp.exe 2708 5nnnhh.exe 2408 rfrlffx.exe 3832 nbhhbb.exe 3468 9pddd.exe 2572 flrlffx.exe 4664 tnhbtn.exe 2516 jpdvp.exe 3164 9xfxfxl.exe 4052 tttnhh.exe 4436 pvdpj.exe 1292 3thhhn.exe 2524 3vpvp.exe 4624 llflfrf.exe 3256 jdjjv.exe 4564 dvvpj.exe 2556 fxrlfrr.exe 1628 thtnhh.exe 760 bttnhb.exe 1796 7rffxxr.exe 2288 1tbtnn.exe 4312 bhnbtt.exe 1904 ntbthh.exe 4404 jjpjj.exe 1516 9xlfxxr.exe 2460 nntnhh.exe 1776 rfxrrlf.exe 2300 1hnttt.exe 1068 tnhbbb.exe 3176 9vjjd.exe 1976 llrlfxr.exe 756 tbbttt.exe 2244 nbbtnt.exe 4528 jjppp.exe 1456 rrxfxlf.exe 4988 ntbtnn.exe 4692 vjvpp.exe 1568 nthhbb.exe 4168 pjpjd.exe 792 xrlfrrr.exe 3508 flxlllf.exe 4468 nhnhbb.exe 3328 5ppdp.exe 3244 lrrrfrr.exe 4340 thbhtn.exe 2740 hthbtt.exe 720 dpvdd.exe 2104 fxxlfxr.exe 4972 3tttbb.exe 1968 vdpjj.exe 2652 lllfrrl.exe 2896 rflxrrl.exe 2484 bhnbtt.exe 1364 dvjdv.exe 2364 5llfxfx.exe 396 frrlffx.exe 2520 ttbbtn.exe -
resource yara_rule behavioral2/memory/1360-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-183-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1516-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-388-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2460-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-748-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-794-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-1186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-1314-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. In this run the observed access is an open of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language. Most entries below resolve to "Process not Found", meaning the sandbox could not attribute the registry open to a process that was still alive when it resolved names (the chain members are short-lived), so the per-process attribution, not the key access itself, is the uncertain part of this signature.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every write is from a parent to the child it has just spawned, three writes per parent/child pair, matching the process tree below; this pattern is consistent with ordinary creation of the next dropped EXE and is not by itself evidence of injection into an unrelated process)
description pid Process procid_target PID 872 wrote to memory of 1360 872 6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1N.exe 83 PID 872 wrote to memory of 1360 872 6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1N.exe 83 PID 872 wrote to memory of 1360 872 6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1N.exe 83 PID 1360 wrote to memory of 3108 1360 lrxrffx.exe 84 PID 1360 wrote to memory of 3108 1360 lrxrffx.exe 84 PID 1360 wrote to memory of 3108 1360 lrxrffx.exe 84 PID 3108 wrote to memory of 3436 3108 9bhbhh.exe 85 PID 3108 wrote to memory of 3436 3108 9bhbhh.exe 85 PID 3108 wrote to memory of 3436 3108 9bhbhh.exe 85 PID 3436 wrote to memory of 4820 3436 hnnhbn.exe 86 PID 3436 wrote to memory of 4820 3436 hnnhbn.exe 86 PID 3436 wrote to memory of 4820 3436 hnnhbn.exe 86 PID 4820 wrote to memory of 3368 4820 pjvvj.exe 87 PID 4820 wrote to memory of 3368 4820 pjvvj.exe 87 PID 4820 wrote to memory of 3368 4820 pjvvj.exe 87 PID 3368 wrote to memory of 1196 3368 tnbtnn.exe 88 PID 3368 wrote to memory of 1196 3368 tnbtnn.exe 88 PID 3368 wrote to memory of 1196 3368 tnbtnn.exe 88 PID 1196 wrote to memory of 1052 1196 3rxxlfx.exe 89 PID 1196 wrote to memory of 1052 1196 3rxxlfx.exe 89 PID 1196 wrote to memory of 1052 1196 3rxxlfx.exe 89 PID 1052 wrote to memory of 3340 1052 jpvpp.exe 90 PID 1052 wrote to memory of 3340 1052 jpvpp.exe 90 PID 1052 wrote to memory of 3340 1052 jpvpp.exe 90 PID 3340 wrote to memory of 2708 3340 5vdvp.exe 91 PID 3340 wrote to memory of 2708 3340 5vdvp.exe 91 PID 3340 wrote to memory of 2708 3340 5vdvp.exe 91 PID 2708 wrote to memory of 2408 2708 5nnnhh.exe 92 PID 2708 wrote to memory of 2408 2708 5nnnhh.exe 92 PID 2708 wrote to memory of 2408 2708 5nnnhh.exe 92 PID 2408 wrote to memory of 3832 2408 rfrlffx.exe 93 PID 2408 wrote to memory of 3832 2408 rfrlffx.exe 93 PID 2408 wrote to memory of 3832 2408 rfrlffx.exe 93 PID 3832 wrote to memory of 3468 3832 nbhhbb.exe 94 PID 3832 wrote to 
memory of 3468 3832 nbhhbb.exe 94 PID 3832 wrote to memory of 3468 3832 nbhhbb.exe 94 PID 3468 wrote to memory of 2572 3468 9pddd.exe 95 PID 3468 wrote to memory of 2572 3468 9pddd.exe 95 PID 3468 wrote to memory of 2572 3468 9pddd.exe 95 PID 2572 wrote to memory of 4664 2572 flrlffx.exe 96 PID 2572 wrote to memory of 4664 2572 flrlffx.exe 96 PID 2572 wrote to memory of 4664 2572 flrlffx.exe 96 PID 4664 wrote to memory of 2516 4664 tnhbtn.exe 97 PID 4664 wrote to memory of 2516 4664 tnhbtn.exe 97 PID 4664 wrote to memory of 2516 4664 tnhbtn.exe 97 PID 2516 wrote to memory of 3164 2516 jpdvp.exe 98 PID 2516 wrote to memory of 3164 2516 jpdvp.exe 98 PID 2516 wrote to memory of 3164 2516 jpdvp.exe 98 PID 3164 wrote to memory of 4052 3164 9xfxfxl.exe 99 PID 3164 wrote to memory of 4052 3164 9xfxfxl.exe 99 PID 3164 wrote to memory of 4052 3164 9xfxfxl.exe 99 PID 4052 wrote to memory of 4436 4052 tttnhh.exe 100 PID 4052 wrote to memory of 4436 4052 tttnhh.exe 100 PID 4052 wrote to memory of 4436 4052 tttnhh.exe 100 PID 4436 wrote to memory of 1292 4436 pvdpj.exe 101 PID 4436 wrote to memory of 1292 4436 pvdpj.exe 101 PID 4436 wrote to memory of 1292 4436 pvdpj.exe 101 PID 1292 wrote to memory of 2524 1292 3thhhn.exe 102 PID 1292 wrote to memory of 2524 1292 3thhhn.exe 102 PID 1292 wrote to memory of 2524 1292 3thhhn.exe 102 PID 2524 wrote to memory of 4624 2524 3vpvp.exe 103 PID 2524 wrote to memory of 4624 2524 3vpvp.exe 103 PID 2524 wrote to memory of 4624 2524 3vpvp.exe 103 PID 4624 wrote to memory of 3256 4624 llflfrf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1N.exe  —  command line: "C:\Users\Admin\AppData\Local\Temp\6f816ce9cdad178863c836b8e933e5694c736431c4258a30ba280c0cf1d83ea1N.exe"  (tree level 1)
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\lrxrffx.exe  —  command line: c:\lrxrffx.exe  (tree level 2)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\9bhbhh.exec:\9bhbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\hnnhbn.exec:\hnnhbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\pjvvj.exec:\pjvvj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\tnbtnn.exec:\tnbtnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\3rxxlfx.exec:\3rxxlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\jpvpp.exec:\jpvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\5vdvp.exec:\5vdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\5nnnhh.exec:\5nnnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\rfrlffx.exec:\rfrlffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\nbhhbb.exec:\nbhhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\9pddd.exec:\9pddd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\flrlffx.exec:\flrlffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\tnhbtn.exec:\tnhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\jpdvp.exec:\jpdvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\9xfxfxl.exec:\9xfxfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\tttnhh.exec:\tttnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\pvdpj.exec:\pvdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\3thhhn.exec:\3thhhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\3vpvp.exec:\3vpvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\llflfrf.exec:\llflfrf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\jdjjv.exec:\jdjjv.exe23⤵
- Executes dropped EXE
PID:3256 -
\??\c:\dvvpj.exec:\dvvpj.exe24⤵
- Executes dropped EXE
PID:4564 -
\??\c:\fxrlfrr.exec:\fxrlfrr.exe25⤵
- Executes dropped EXE
PID:2556 -
\??\c:\thtnhh.exec:\thtnhh.exe26⤵
- Executes dropped EXE
PID:1628 -
\??\c:\bttnhb.exec:\bttnhb.exe27⤵
- Executes dropped EXE
PID:760 -
\??\c:\7rffxxr.exec:\7rffxxr.exe28⤵
- Executes dropped EXE
PID:1796 -
\??\c:\1tbtnn.exec:\1tbtnn.exe29⤵
- Executes dropped EXE
PID:2288 -
\??\c:\bhnbtt.exec:\bhnbtt.exe30⤵
- Executes dropped EXE
PID:4312 -
\??\c:\ntbthh.exec:\ntbthh.exe31⤵
- Executes dropped EXE
PID:1904 -
\??\c:\jjpjj.exec:\jjpjj.exe32⤵
- Executes dropped EXE
PID:4404 -
\??\c:\9xlfxxr.exec:\9xlfxxr.exe33⤵
- Executes dropped EXE
PID:1516 -
\??\c:\nntnhh.exec:\nntnhh.exe34⤵
- Executes dropped EXE
PID:2460 -
\??\c:\rfxrrlf.exec:\rfxrrlf.exe35⤵
- Executes dropped EXE
PID:1776 -
\??\c:\1hnttt.exec:\1hnttt.exe36⤵
- Executes dropped EXE
PID:2300 -
\??\c:\tnhbbb.exec:\tnhbbb.exe37⤵
- Executes dropped EXE
PID:1068 -
\??\c:\9vjjd.exec:\9vjjd.exe38⤵
- Executes dropped EXE
PID:3176 -
\??\c:\llrlfxr.exec:\llrlfxr.exe39⤵
- Executes dropped EXE
PID:1976 -
\??\c:\tbbttt.exec:\tbbttt.exe40⤵
- Executes dropped EXE
PID:756 -
\??\c:\nbbtnt.exec:\nbbtnt.exe41⤵
- Executes dropped EXE
PID:2244 -
\??\c:\jjppp.exec:\jjppp.exe42⤵
- Executes dropped EXE
PID:4528 -
\??\c:\rrxfxlf.exec:\rrxfxlf.exe43⤵
- Executes dropped EXE
PID:1456 -
\??\c:\ntbtnn.exec:\ntbtnn.exe44⤵
- Executes dropped EXE
PID:4988 -
\??\c:\vjvpp.exec:\vjvpp.exe45⤵
- Executes dropped EXE
PID:4692 -
\??\c:\nthhbb.exec:\nthhbb.exe46⤵
- Executes dropped EXE
PID:1568 -
\??\c:\pjpjd.exec:\pjpjd.exe47⤵
- Executes dropped EXE
PID:4168 -
\??\c:\xrlfrrr.exec:\xrlfrrr.exe48⤵
- Executes dropped EXE
PID:792 -
\??\c:\flxlllf.exec:\flxlllf.exe49⤵
- Executes dropped EXE
PID:3508 -
\??\c:\nhnhbb.exec:\nhnhbb.exe50⤵
- Executes dropped EXE
PID:4468 -
\??\c:\5ppdp.exec:\5ppdp.exe51⤵
- Executes dropped EXE
PID:3328 -
\??\c:\lrrrfrr.exec:\lrrrfrr.exe52⤵
- Executes dropped EXE
PID:3244 -
\??\c:\thbhtn.exec:\thbhtn.exe53⤵
- Executes dropped EXE
PID:4340 -
\??\c:\hthbtt.exec:\hthbtt.exe54⤵
- Executes dropped EXE
PID:2740 -
\??\c:\dpvdd.exec:\dpvdd.exe55⤵
- Executes dropped EXE
PID:720 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe56⤵
- Executes dropped EXE
PID:2104 -
\??\c:\3tttbb.exec:\3tttbb.exe57⤵
- Executes dropped EXE
PID:4972 -
\??\c:\vdpjj.exec:\vdpjj.exe58⤵
- Executes dropped EXE
PID:1968 -
\??\c:\lllfrrl.exec:\lllfrrl.exe59⤵
- Executes dropped EXE
PID:2652 -
\??\c:\rflxrrl.exec:\rflxrrl.exe60⤵
- Executes dropped EXE
PID:2896 -
\??\c:\bhnbtt.exec:\bhnbtt.exe61⤵
- Executes dropped EXE
PID:2484 -
\??\c:\dvjdv.exec:\dvjdv.exe62⤵
- Executes dropped EXE
PID:1364 -
\??\c:\5llfxfx.exec:\5llfxfx.exe63⤵
- Executes dropped EXE
PID:2364 -
\??\c:\frrlffx.exec:\frrlffx.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:396 -
\??\c:\ttbbtn.exec:\ttbbtn.exe65⤵
- Executes dropped EXE
PID:2520 -
\??\c:\7vvdv.exec:\7vvdv.exe66⤵PID:4116
-
\??\c:\rxffxxf.exec:\rxffxxf.exe67⤵PID:1936
-
\??\c:\flxxllx.exec:\flxxllx.exe68⤵PID:4880
-
\??\c:\1tnbnn.exec:\1tnbnn.exe69⤵PID:4536
-
\??\c:\vdpjd.exec:\vdpjd.exe70⤵PID:4364
-
\??\c:\5rfflfl.exec:\5rfflfl.exe71⤵PID:3692
-
\??\c:\nhnhbn.exec:\nhnhbn.exe72⤵PID:3052
-
\??\c:\pvdpd.exec:\pvdpd.exe73⤵PID:4436
-
\??\c:\pjdvd.exec:\pjdvd.exe74⤵PID:2256
-
\??\c:\fflfrrr.exec:\fflfrrr.exe75⤵PID:3092
-
\??\c:\hthhnt.exec:\hthhnt.exe76⤵PID:2908
-
\??\c:\tbtntt.exec:\tbtntt.exe77⤵PID:4132
-
\??\c:\pddpd.exec:\pddpd.exe78⤵PID:1896
-
\??\c:\xlrllll.exec:\xlrllll.exe79⤵PID:2316
-
\??\c:\bthbth.exec:\bthbth.exe80⤵PID:3160
-
\??\c:\ntbnbt.exec:\ntbnbt.exe81⤵PID:1192
-
\??\c:\pdjdd.exec:\pdjdd.exe82⤵PID:4564
-
\??\c:\ffflfrr.exec:\ffflfrr.exe83⤵PID:3000
-
\??\c:\hbbbnt.exec:\hbbbnt.exe84⤵PID:3968
-
\??\c:\dddvv.exec:\dddvv.exe85⤵PID:1628
-
\??\c:\jdjdv.exec:\jdjdv.exe86⤵PID:760
-
\??\c:\flxrfxx.exec:\flxrfxx.exe87⤵PID:2272
-
\??\c:\nbhtbb.exec:\nbhtbb.exe88⤵PID:3852
-
\??\c:\jvjpp.exec:\jvjpp.exe89⤵PID:1148
-
\??\c:\ffxrllf.exec:\ffxrllf.exe90⤵PID:1328
-
\??\c:\5nbnnn.exec:\5nbnnn.exe91⤵PID:384
-
\??\c:\jpdvd.exec:\jpdvd.exe92⤵PID:2552
-
\??\c:\5llxrrl.exec:\5llxrrl.exe93⤵PID:4392
-
\??\c:\hbhbbt.exec:\hbhbbt.exe94⤵PID:1880
-
\??\c:\1thhhb.exec:\1thhhb.exe95⤵PID:2460
-
\??\c:\pvpdj.exec:\pvpdj.exe96⤵PID:4120
-
\??\c:\xrfxrfx.exec:\xrfxrfx.exe97⤵PID:2972
-
\??\c:\hbhthb.exec:\hbhthb.exe98⤵PID:3876
-
\??\c:\3djvd.exec:\3djvd.exe99⤵PID:3176
-
\??\c:\vvdjv.exec:\vvdjv.exe100⤵PID:972
-
\??\c:\fxxrxrl.exec:\fxxrxrl.exe101⤵PID:756
-
\??\c:\thtnbb.exec:\thtnbb.exe102⤵PID:4788
-
\??\c:\5pjdp.exec:\5pjdp.exe103⤵PID:4140
-
\??\c:\xxxrlrr.exec:\xxxrlrr.exe104⤵PID:4524
-
\??\c:\fxlflll.exec:\fxlflll.exe105⤵PID:364
-
\??\c:\tbhbtt.exec:\tbhbtt.exe106⤵PID:3140
-
\??\c:\jddpd.exec:\jddpd.exe107⤵PID:3444
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe108⤵PID:1248
-
\??\c:\tnbtnn.exec:\tnbtnn.exe109⤵PID:916
-
\??\c:\btbtnh.exec:\btbtnh.exe110⤵PID:2100
-
\??\c:\jjpjj.exec:\jjpjj.exe111⤵PID:3508
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe112⤵PID:5036
-
\??\c:\tbbthn.exec:\tbbthn.exe113⤵PID:2404
-
\??\c:\pjvjd.exec:\pjvjd.exe114⤵PID:2848
-
\??\c:\xflrfxl.exec:\xflrfxl.exe115⤵PID:4340
-
\??\c:\bbtbht.exec:\bbtbht.exe116⤵PID:2740
-
\??\c:\btbnnh.exec:\btbnnh.exe117⤵PID:3436
-
\??\c:\ddjvj.exec:\ddjvj.exe118⤵PID:3644
-
\??\c:\xffxfxl.exec:\xffxfxl.exe119⤵PID:4972
-
\??\c:\tbbnht.exec:\tbbnht.exe120⤵PID:4900
-
\??\c:\dddvd.exec:\dddvd.exe121⤵PID:1780
-
\??\c:\llfrlrl.exec:\llfrlrl.exe122⤵PID:2896