Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b.exe
-
Size
453KB
-
MD5
1f18a39f64c405302d33862feb183041
-
SHA1
e921b71888ca626c810b7875287a99ff6416e1d5
-
SHA256
a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b
-
SHA512
364ed5da6860bfd6d46a9de40574de77c999796455bf06f3420bb92795cfdcd0e5b10ceb4856105d0d09e68fd872013e55be4601b1f33dce5318ebf1c0ffbb4e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1200-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3496-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5016-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-1012-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-1617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 220 rllffxx.exe 1576 bhnbbh.exe 2900 nnthnh.exe 5084 xxllffx.exe 2024 jvjdv.exe 2168 xxxxffl.exe 5072 9jdjd.exe 1592 xxrrlll.exe 1056 nhnhbb.exe 512 ddvpp.exe 4420 pvvvp.exe 964 hhbttt.exe 4964 ffllrrf.exe 3028 tthbbb.exe 1852 1xlfrlr.exe 4932 bhhbtt.exe 1140 ppvpv.exe 1088 btbtth.exe 892 xrrfxxr.exe 4508 nntnhb.exe 2428 dvdvv.exe 3140 xflfrfr.exe 4628 bbbbnn.exe 2936 vpppj.exe 4020 flfxrlf.exe 3176 rxlxxfx.exe 3496 7dpdd.exe 4612 tttnhh.exe 2248 jdjdv.exe 4808 bnnhbt.exe 3592 5rxxrxr.exe 3972 9ttnnn.exe 4880 lxflllf.exe 5036 5fxlflf.exe 2972 1bnnhn.exe 3624 dppjj.exe 4888 lxxxrrr.exe 1040 bhnhnn.exe 5108 hhhnhn.exe 548 ffrrlll.exe 4132 nhttnn.exe 3388 nnhhbb.exe 220 ppdvd.exe 3476 rrlrrrr.exe 3772 dvppd.exe 4416 1lxrllf.exe 3012 ttbtnn.exe 1800 djvpp.exe 4752 frxllrl.exe 1696 rxrlffl.exe 4760 tnhbnh.exe 1368 vvpjv.exe 624 fxrffll.exe 2080 hhbbtt.exe 1880 pdvjd.exe 4900 fxxfxxx.exe 3060 7tbbhh.exe 848 jdvjd.exe 1820 lxrlxrf.exe 3740 lfffllr.exe 4436 bhtnbt.exe 2144 jdvjd.exe 4992 llxxrxx.exe 960 1lllffx.exe -
resource yara_rule behavioral2/memory/1200-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-192-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2972-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-390-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4440-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-827-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1200 wrote to memory of 220 1200 a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b.exe 83 PID 1200 wrote to memory of 220 1200 a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b.exe 83 PID 1200 wrote to memory of 220 1200 a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b.exe 83 PID 220 wrote to memory of 1576 220 rllffxx.exe 84 PID 220 wrote to memory of 1576 220 rllffxx.exe 84 PID 220 wrote to memory of 1576 220 rllffxx.exe 84 PID 1576 wrote to memory of 2900 1576 bhnbbh.exe 85 PID 1576 wrote to memory of 2900 1576 bhnbbh.exe 85 PID 1576 wrote to memory of 2900 1576 bhnbbh.exe 85 PID 2900 wrote to memory of 5084 2900 nnthnh.exe 86 PID 2900 wrote to memory of 5084 2900 nnthnh.exe 86 PID 2900 wrote to memory of 5084 2900 nnthnh.exe 86 PID 5084 wrote to memory of 2024 5084 xxllffx.exe 87 PID 5084 wrote to memory of 2024 5084 xxllffx.exe 87 PID 5084 wrote to memory of 2024 5084 xxllffx.exe 87 PID 2024 wrote to memory of 2168 2024 jvjdv.exe 88 PID 2024 wrote to memory of 2168 2024 jvjdv.exe 88 PID 2024 wrote to memory of 2168 2024 jvjdv.exe 88 PID 2168 wrote to memory of 5072 2168 xxxxffl.exe 89 PID 2168 wrote to memory of 5072 2168 xxxxffl.exe 89 PID 2168 wrote to memory of 5072 2168 xxxxffl.exe 89 PID 5072 wrote to memory of 1592 5072 9jdjd.exe 90 PID 5072 wrote to memory of 1592 5072 9jdjd.exe 90 PID 5072 wrote to memory of 1592 5072 9jdjd.exe 90 PID 1592 wrote to memory of 1056 1592 xxrrlll.exe 91 PID 1592 wrote to memory of 1056 1592 xxrrlll.exe 91 PID 1592 wrote to memory of 1056 1592 xxrrlll.exe 91 PID 1056 wrote to memory of 512 1056 nhnhbb.exe 92 PID 1056 wrote to memory of 512 1056 nhnhbb.exe 92 PID 1056 wrote to memory of 512 1056 nhnhbb.exe 92 PID 512 wrote to memory of 4420 512 ddvpp.exe 93 PID 512 wrote to memory of 4420 512 ddvpp.exe 93 PID 512 wrote to memory of 4420 512 ddvpp.exe 93 PID 4420 wrote to memory of 964 4420 pvvvp.exe 94 PID 4420 wrote to memory of 964 4420 
pvvvp.exe 94 PID 4420 wrote to memory of 964 4420 pvvvp.exe 94 PID 964 wrote to memory of 4964 964 hhbttt.exe 95 PID 964 wrote to memory of 4964 964 hhbttt.exe 95 PID 964 wrote to memory of 4964 964 hhbttt.exe 95 PID 4964 wrote to memory of 3028 4964 ffllrrf.exe 96 PID 4964 wrote to memory of 3028 4964 ffllrrf.exe 96 PID 4964 wrote to memory of 3028 4964 ffllrrf.exe 96 PID 3028 wrote to memory of 1852 3028 tthbbb.exe 97 PID 3028 wrote to memory of 1852 3028 tthbbb.exe 97 PID 3028 wrote to memory of 1852 3028 tthbbb.exe 97 PID 1852 wrote to memory of 4932 1852 1xlfrlr.exe 98 PID 1852 wrote to memory of 4932 1852 1xlfrlr.exe 98 PID 1852 wrote to memory of 4932 1852 1xlfrlr.exe 98 PID 4932 wrote to memory of 1140 4932 bhhbtt.exe 99 PID 4932 wrote to memory of 1140 4932 bhhbtt.exe 99 PID 4932 wrote to memory of 1140 4932 bhhbtt.exe 99 PID 1140 wrote to memory of 1088 1140 ppvpv.exe 100 PID 1140 wrote to memory of 1088 1140 ppvpv.exe 100 PID 1140 wrote to memory of 1088 1140 ppvpv.exe 100 PID 1088 wrote to memory of 892 1088 btbtth.exe 101 PID 1088 wrote to memory of 892 1088 btbtth.exe 101 PID 1088 wrote to memory of 892 1088 btbtth.exe 101 PID 892 wrote to memory of 4508 892 xrrfxxr.exe 102 PID 892 wrote to memory of 4508 892 xrrfxxr.exe 102 PID 892 wrote to memory of 4508 892 xrrfxxr.exe 102 PID 4508 wrote to memory of 2428 4508 nntnhb.exe 103 PID 4508 wrote to memory of 2428 4508 nntnhb.exe 103 PID 4508 wrote to memory of 2428 4508 nntnhb.exe 103 PID 2428 wrote to memory of 3140 2428 dvdvv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b.exe"C:\Users\Admin\AppData\Local\Temp\a5c2a7b7be35856bb3d20aa8c5b915b5a65a4c79a26c3bb7edf7deca5c74d54b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\rllffxx.exec:\rllffxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\bhnbbh.exec:\bhnbbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\nnthnh.exec:\nnthnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\xxllffx.exec:\xxllffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\jvjdv.exec:\jvjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\xxxxffl.exec:\xxxxffl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\9jdjd.exec:\9jdjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\xxrrlll.exec:\xxrrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\nhnhbb.exec:\nhnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\ddvpp.exec:\ddvpp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\pvvvp.exec:\pvvvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\hhbttt.exec:\hhbttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\ffllrrf.exec:\ffllrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\tthbbb.exec:\tthbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\1xlfrlr.exec:\1xlfrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\bhhbtt.exec:\bhhbtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\ppvpv.exec:\ppvpv.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\btbtth.exec:\btbtth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\xrrfxxr.exec:\xrrfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
\??\c:\nntnhb.exec:\nntnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\dvdvv.exec:\dvdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\xflfrfr.exec:\xflfrfr.exe23⤵
- Executes dropped EXE
PID:3140 -
\??\c:\bbbbnn.exec:\bbbbnn.exe24⤵
- Executes dropped EXE
PID:4628 -
\??\c:\vpppj.exec:\vpppj.exe25⤵
- Executes dropped EXE
PID:2936 -
\??\c:\flfxrlf.exec:\flfxrlf.exe26⤵
- Executes dropped EXE
PID:4020 -
\??\c:\rxlxxfx.exec:\rxlxxfx.exe27⤵
- Executes dropped EXE
PID:3176 -
\??\c:\7dpdd.exec:\7dpdd.exe28⤵
- Executes dropped EXE
PID:3496 -
\??\c:\tttnhh.exec:\tttnhh.exe29⤵
- Executes dropped EXE
PID:4612 -
\??\c:\jdjdv.exec:\jdjdv.exe30⤵
- Executes dropped EXE
PID:2248 -
\??\c:\bnnhbt.exec:\bnnhbt.exe31⤵
- Executes dropped EXE
PID:4808 -
\??\c:\5rxxrxr.exec:\5rxxrxr.exe32⤵
- Executes dropped EXE
PID:3592 -
\??\c:\9ttnnn.exec:\9ttnnn.exe33⤵
- Executes dropped EXE
PID:3972 -
\??\c:\lxflllf.exec:\lxflllf.exe34⤵
- Executes dropped EXE
PID:4880 -
\??\c:\5fxlflf.exec:\5fxlflf.exe35⤵
- Executes dropped EXE
PID:5036 -
\??\c:\1bnnhn.exec:\1bnnhn.exe36⤵
- Executes dropped EXE
PID:2972 -
\??\c:\dppjj.exec:\dppjj.exe37⤵
- Executes dropped EXE
PID:3624 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe38⤵
- Executes dropped EXE
PID:4888 -
\??\c:\bhnhnn.exec:\bhnhnn.exe39⤵
- Executes dropped EXE
PID:1040 -
\??\c:\hhhnhn.exec:\hhhnhn.exe40⤵
- Executes dropped EXE
PID:5108 -
\??\c:\ffrrlll.exec:\ffrrlll.exe41⤵
- Executes dropped EXE
PID:548 -
\??\c:\nhttnn.exec:\nhttnn.exe42⤵
- Executes dropped EXE
PID:4132 -
\??\c:\nnhhbb.exec:\nnhhbb.exe43⤵
- Executes dropped EXE
PID:3388 -
\??\c:\ppdvd.exec:\ppdvd.exe44⤵
- Executes dropped EXE
PID:220 -
\??\c:\rrlrrrr.exec:\rrlrrrr.exe45⤵
- Executes dropped EXE
PID:3476 -
\??\c:\dvppd.exec:\dvppd.exe46⤵
- Executes dropped EXE
PID:3772 -
\??\c:\1lxrllf.exec:\1lxrllf.exe47⤵
- Executes dropped EXE
PID:4416 -
\??\c:\ttbtnn.exec:\ttbtnn.exe48⤵
- Executes dropped EXE
PID:3012 -
\??\c:\djvpp.exec:\djvpp.exe49⤵
- Executes dropped EXE
PID:1800 -
\??\c:\frxllrl.exec:\frxllrl.exe50⤵
- Executes dropped EXE
PID:4752 -
\??\c:\rxrlffl.exec:\rxrlffl.exe51⤵
- Executes dropped EXE
PID:1696 -
\??\c:\tnhbnh.exec:\tnhbnh.exe52⤵
- Executes dropped EXE
PID:4760 -
\??\c:\vvpjv.exec:\vvpjv.exe53⤵
- Executes dropped EXE
PID:1368 -
\??\c:\fxrffll.exec:\fxrffll.exe54⤵
- Executes dropped EXE
PID:624 -
\??\c:\hhbbtt.exec:\hhbbtt.exe55⤵
- Executes dropped EXE
PID:2080 -
\??\c:\pdvjd.exec:\pdvjd.exe56⤵
- Executes dropped EXE
PID:1880 -
\??\c:\fxxfxxx.exec:\fxxfxxx.exe57⤵
- Executes dropped EXE
PID:4900 -
\??\c:\7tbbhh.exec:\7tbbhh.exe58⤵
- Executes dropped EXE
PID:3060 -
\??\c:\jdvjd.exec:\jdvjd.exe59⤵
- Executes dropped EXE
PID:848 -
\??\c:\lxrlxrf.exec:\lxrlxrf.exe60⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lfffllr.exec:\lfffllr.exe61⤵
- Executes dropped EXE
PID:3740 -
\??\c:\bhtnbt.exec:\bhtnbt.exe62⤵
- Executes dropped EXE
PID:4436 -
\??\c:\jdvjd.exec:\jdvjd.exe63⤵
- Executes dropped EXE
PID:2144 -
\??\c:\llxxrxx.exec:\llxxrxx.exe64⤵
- Executes dropped EXE
PID:4992 -
\??\c:\1lllffx.exec:\1lllffx.exe65⤵
- Executes dropped EXE
PID:960 -
\??\c:\htnnbt.exec:\htnnbt.exe66⤵PID:4484
-
\??\c:\ddjdj.exec:\ddjdj.exe67⤵PID:3144
-
\??\c:\rfxxrrl.exec:\rfxxrrl.exe68⤵PID:1088
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe69⤵PID:4536
-
\??\c:\ttbtbb.exec:\ttbtbb.exe70⤵PID:4976
-
\??\c:\ppjvp.exec:\ppjvp.exe71⤵PID:2428
-
\??\c:\rffxxfx.exec:\rffxxfx.exe72⤵PID:2412
-
\??\c:\httnnn.exec:\httnnn.exe73⤵PID:1568
-
\??\c:\vpjvp.exec:\vpjvp.exe74⤵PID:4136
-
\??\c:\dpjdp.exec:\dpjdp.exe75⤵PID:3864
-
\??\c:\llfrfxr.exec:\llfrfxr.exe76⤵PID:5016
-
\??\c:\bnttbt.exec:\bnttbt.exe77⤵PID:680
-
\??\c:\dpjdp.exec:\dpjdp.exe78⤵PID:4024
-
\??\c:\vdvpd.exec:\vdvpd.exe79⤵PID:4284
-
\??\c:\9ffxrrl.exec:\9ffxrrl.exe80⤵PID:1924
-
\??\c:\htnbtt.exec:\htnbtt.exe81⤵PID:2844
-
\??\c:\vdjvj.exec:\vdjvj.exe82⤵PID:2516
-
\??\c:\rrxrllf.exec:\rrxrllf.exe83⤵PID:3184
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe84⤵PID:4692
-
\??\c:\3bbttn.exec:\3bbttn.exe85⤵PID:3972
-
\??\c:\djddv.exec:\djddv.exe86⤵PID:4880
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe87⤵PID:224
-
\??\c:\htttnn.exec:\htttnn.exe88⤵PID:4832
-
\??\c:\1hhbbb.exec:\1hhbbb.exe89⤵PID:1540
-
\??\c:\ppjjd.exec:\ppjjd.exe90⤵PID:3152
-
\??\c:\rllfxxx.exec:\rllfxxx.exe91⤵PID:4888
-
\??\c:\9hbbtt.exec:\9hbbtt.exe92⤵PID:1536
-
\??\c:\hbnnhh.exec:\hbnnhh.exe93⤵PID:1632
-
\??\c:\ppvjv.exec:\ppvjv.exe94⤵PID:4424
-
\??\c:\lllfxrr.exec:\lllfxrr.exe95⤵PID:4440
-
\??\c:\hbnnhh.exec:\hbnnhh.exe96⤵PID:1436
-
\??\c:\tnbbth.exec:\tnbbth.exe97⤵PID:2440
-
\??\c:\dpddv.exec:\dpddv.exe98⤵PID:3652
-
\??\c:\xllxllx.exec:\xllxllx.exe99⤵PID:4848
-
\??\c:\nbbtth.exec:\nbbtth.exe100⤵PID:3116
-
\??\c:\djjpd.exec:\djjpd.exe101⤵PID:4264
-
\??\c:\dpdvv.exec:\dpdvv.exe102⤵PID:3440
-
\??\c:\1nhnbt.exec:\1nhnbt.exe103⤵PID:2096
-
\??\c:\bbnnhh.exec:\bbnnhh.exe104⤵PID:4092
-
\??\c:\jjvjv.exec:\jjvjv.exe105⤵PID:2172
-
\??\c:\lfrflll.exec:\lfrflll.exe106⤵PID:5100
-
\??\c:\5xrrfll.exec:\5xrrfll.exe107⤵PID:2180
-
\??\c:\nhnnhh.exec:\nhnnhh.exe108⤵PID:3584
-
\??\c:\jjppd.exec:\jjppd.exe109⤵PID:5072
-
\??\c:\pjvvp.exec:\pjvvp.exe110⤵PID:2416
-
\??\c:\flffxxr.exec:\flffxxr.exe111⤵PID:1052
-
\??\c:\bbtbhn.exec:\bbtbhn.exe112⤵PID:1064
-
\??\c:\5jvvj.exec:\5jvvj.exe113⤵PID:512
-
\??\c:\dvpjv.exec:\dvpjv.exe114⤵PID:4700
-
\??\c:\xxrfrll.exec:\xxrfrll.exe115⤵PID:3048
-
\??\c:\tbhhhb.exec:\tbhhhb.exe116⤵PID:3872
-
\??\c:\pppdv.exec:\pppdv.exe117⤵PID:1884
-
\??\c:\fllxxrr.exec:\fllxxrr.exe118⤵PID:848
-
\??\c:\rrxrlrl.exec:\rrxrlrl.exe119⤵PID:184
-
\??\c:\tntnnn.exec:\tntnnn.exe120⤵PID:3988
-
\??\c:\vppjd.exec:\vppjd.exe121⤵PID:3588
-
\??\c:\ppjvp.exec:\ppjvp.exe122⤵PID:3784
-