Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 03:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01.exe
-
Size
454KB
-
MD5
fcab61bda86c112b10b376c4db30b8a8
-
SHA1
bd020f6f5377bf3f15fb1a1e449b5bb467429ad6
-
SHA256
b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01
-
SHA512
4114be965c85fc7e0a2070a451a8124076fe8b94bc37ee9aaa77ee024bcc1dc846f20b52cfcf293fee4806b4ae8f633da59e7b32611bfb9639528e1a8a63ffd4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4880-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3408-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2080-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-1323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4344 3lrlxlf.exe 1588 nnhnnh.exe 392 ddpdj.exe 784 1ffxxrl.exe 1048 nthnhb.exe 4760 xxrfllf.exe 2456 hhttbh.exe 1020 fxrfxll.exe 1772 ppvpp.exe 4040 lllfxrx.exe 3624 7djjv.exe 4292 rlxlffx.exe 756 9vppv.exe 2524 vjppj.exe 812 xxllfrl.exe 1492 9tttnh.exe 312 dvddj.exe 4976 7xfxrll.exe 3784 htbbbb.exe 4972 lfrllrr.exe 3944 9pjdv.exe 3628 xrlffll.exe 1128 dvjdv.exe 3408 htbtht.exe 1164 3pvvj.exe 1812 lfxxrrl.exe 2428 vvvvv.exe 452 pppjj.exe 860 xxlfllr.exe 1428 hhthbb.exe 2780 xlrfxrl.exe 2788 7llfrlx.exe 1068 dpdpp.exe 3556 dppdv.exe 4512 llrlxrl.exe 1500 htbnbt.exe 3252 bhnbhb.exe 4864 jvdvv.exe 1632 rxfrlrr.exe 724 tbhnnt.exe 4472 vpvpd.exe 5080 vppjj.exe 4064 ffxlflf.exe 1208 ntbbbn.exe 4836 dvvpd.exe 3284 lllfxrl.exe 1116 rrlfffx.exe 1588 nnbtnh.exe 436 dvvjd.exe 2948 rrfxllf.exe 4304 hbhhnn.exe 4192 jddjd.exe 2396 dpvjv.exe 4716 3lxrlfx.exe 940 thnbtn.exe 2456 pjjpp.exe 1020 xflxllf.exe 440 5btnnh.exe 4636 thhtnh.exe 5028 3pvjd.exe 3496 rffrfxr.exe 1504 1ffxrlf.exe 2080 bhbbhn.exe 1336 jpvpp.exe -
resource yara_rule behavioral2/memory/4880-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1812-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3112-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-593-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfffl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lllflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4880 wrote to memory of 4344 4880 b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01.exe 84 PID 4880 wrote to memory of 4344 4880 b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01.exe 84 PID 4880 wrote to memory of 4344 4880 b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01.exe 84 PID 4344 wrote to memory of 1588 4344 3lrlxlf.exe 85 PID 4344 wrote to memory of 1588 4344 3lrlxlf.exe 85 PID 4344 wrote to memory of 1588 4344 3lrlxlf.exe 85 PID 1588 wrote to memory of 392 1588 nnhnnh.exe 86 PID 1588 wrote to memory of 392 1588 nnhnnh.exe 86 PID 1588 wrote to memory of 392 1588 nnhnnh.exe 86 PID 392 wrote to memory of 784 392 ddpdj.exe 87 PID 392 wrote to memory of 784 392 ddpdj.exe 87 PID 392 wrote to memory of 784 392 ddpdj.exe 87 PID 784 wrote to memory of 1048 784 1ffxxrl.exe 88 PID 784 wrote to memory of 1048 784 1ffxxrl.exe 88 PID 784 wrote to memory of 1048 784 1ffxxrl.exe 88 PID 1048 wrote to memory of 4760 1048 nthnhb.exe 89 PID 1048 wrote to memory of 4760 1048 nthnhb.exe 89 PID 1048 wrote to memory of 4760 1048 nthnhb.exe 89 PID 4760 wrote to memory of 2456 4760 xxrfllf.exe 90 PID 4760 wrote to memory of 2456 4760 xxrfllf.exe 90 PID 4760 wrote to memory of 2456 4760 xxrfllf.exe 90 PID 2456 wrote to memory of 1020 2456 hhttbh.exe 91 PID 2456 wrote to memory of 1020 2456 hhttbh.exe 91 PID 2456 wrote to memory of 1020 2456 hhttbh.exe 91 PID 1020 wrote to memory of 1772 1020 fxrfxll.exe 92 PID 1020 wrote to memory of 1772 1020 fxrfxll.exe 92 PID 1020 wrote to memory of 1772 1020 fxrfxll.exe 92 PID 1772 wrote to memory of 4040 1772 ppvpp.exe 93 PID 1772 wrote to memory of 4040 1772 ppvpp.exe 93 PID 1772 wrote to memory of 4040 1772 ppvpp.exe 93 PID 4040 wrote to memory of 3624 4040 lllfxrx.exe 94 PID 4040 wrote to memory of 3624 4040 lllfxrx.exe 94 PID 4040 wrote to memory of 3624 4040 lllfxrx.exe 94 PID 3624 wrote to memory of 4292 3624 7djjv.exe 95 PID 3624 wrote to memory of 
4292 3624 7djjv.exe 95 PID 3624 wrote to memory of 4292 3624 7djjv.exe 95 PID 4292 wrote to memory of 756 4292 rlxlffx.exe 96 PID 4292 wrote to memory of 756 4292 rlxlffx.exe 96 PID 4292 wrote to memory of 756 4292 rlxlffx.exe 96 PID 756 wrote to memory of 2524 756 9vppv.exe 97 PID 756 wrote to memory of 2524 756 9vppv.exe 97 PID 756 wrote to memory of 2524 756 9vppv.exe 97 PID 2524 wrote to memory of 812 2524 vjppj.exe 98 PID 2524 wrote to memory of 812 2524 vjppj.exe 98 PID 2524 wrote to memory of 812 2524 vjppj.exe 98 PID 812 wrote to memory of 1492 812 xxllfrl.exe 99 PID 812 wrote to memory of 1492 812 xxllfrl.exe 99 PID 812 wrote to memory of 1492 812 xxllfrl.exe 99 PID 1492 wrote to memory of 312 1492 9tttnh.exe 100 PID 1492 wrote to memory of 312 1492 9tttnh.exe 100 PID 1492 wrote to memory of 312 1492 9tttnh.exe 100 PID 312 wrote to memory of 4976 312 dvddj.exe 101 PID 312 wrote to memory of 4976 312 dvddj.exe 101 PID 312 wrote to memory of 4976 312 dvddj.exe 101 PID 4976 wrote to memory of 3784 4976 7xfxrll.exe 102 PID 4976 wrote to memory of 3784 4976 7xfxrll.exe 102 PID 4976 wrote to memory of 3784 4976 7xfxrll.exe 102 PID 3784 wrote to memory of 4972 3784 htbbbb.exe 103 PID 3784 wrote to memory of 4972 3784 htbbbb.exe 103 PID 3784 wrote to memory of 4972 3784 htbbbb.exe 103 PID 4972 wrote to memory of 3944 4972 lfrllrr.exe 104 PID 4972 wrote to memory of 3944 4972 lfrllrr.exe 104 PID 4972 wrote to memory of 3944 4972 lfrllrr.exe 104 PID 3944 wrote to memory of 3628 3944 9pjdv.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01.exe"C:\Users\Admin\AppData\Local\Temp\b8b7d89f94a587b116de079d524cadaaad75915991a27ad2237663d5b4ce2f01.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\3lrlxlf.exec:\3lrlxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\nnhnnh.exec:\nnhnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\ddpdj.exec:\ddpdj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\1ffxxrl.exec:\1ffxxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\nthnhb.exec:\nthnhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\xxrfllf.exec:\xxrfllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\hhttbh.exec:\hhttbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\fxrfxll.exec:\fxrfxll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\ppvpp.exec:\ppvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\lllfxrx.exec:\lllfxrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\7djjv.exec:\7djjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\rlxlffx.exec:\rlxlffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\9vppv.exec:\9vppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\vjppj.exec:\vjppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
\??\c:\xxllfrl.exec:\xxllfrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\9tttnh.exec:\9tttnh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
\??\c:\dvddj.exec:\dvddj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
\??\c:\7xfxrll.exec:\7xfxrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\htbbbb.exec:\htbbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\lfrllrr.exec:\lfrllrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\9pjdv.exec:\9pjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\xrlffll.exec:\xrlffll.exe23⤵
- Executes dropped EXE
PID:3628 -
\??\c:\dvjdv.exec:\dvjdv.exe24⤵
- Executes dropped EXE
PID:1128 -
\??\c:\htbtht.exec:\htbtht.exe25⤵
- Executes dropped EXE
PID:3408 -
\??\c:\3pvvj.exec:\3pvvj.exe26⤵
- Executes dropped EXE
PID:1164 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe27⤵
- Executes dropped EXE
PID:1812 -
\??\c:\vvvvv.exec:\vvvvv.exe28⤵
- Executes dropped EXE
PID:2428 -
\??\c:\pppjj.exec:\pppjj.exe29⤵
- Executes dropped EXE
PID:452 -
\??\c:\xxlfllr.exec:\xxlfllr.exe30⤵
- Executes dropped EXE
PID:860 -
\??\c:\hhthbb.exec:\hhthbb.exe31⤵
- Executes dropped EXE
PID:1428 -
\??\c:\xlrfxrl.exec:\xlrfxrl.exe32⤵
- Executes dropped EXE
PID:2780 -
\??\c:\7llfrlx.exec:\7llfrlx.exe33⤵
- Executes dropped EXE
PID:2788 -
\??\c:\dpdpp.exec:\dpdpp.exe34⤵
- Executes dropped EXE
PID:1068 -
\??\c:\dppdv.exec:\dppdv.exe35⤵
- Executes dropped EXE
PID:3556 -
\??\c:\llrlxrl.exec:\llrlxrl.exe36⤵
- Executes dropped EXE
PID:4512 -
\??\c:\htbnbt.exec:\htbnbt.exe37⤵
- Executes dropped EXE
PID:1500 -
\??\c:\bhnbhb.exec:\bhnbhb.exe38⤵
- Executes dropped EXE
PID:3252 -
\??\c:\jvdvv.exec:\jvdvv.exe39⤵
- Executes dropped EXE
PID:4864 -
\??\c:\rxfrlrr.exec:\rxfrlrr.exe40⤵
- Executes dropped EXE
PID:1632 -
\??\c:\tbhnnt.exec:\tbhnnt.exe41⤵
- Executes dropped EXE
PID:724 -
\??\c:\vpvpd.exec:\vpvpd.exe42⤵
- Executes dropped EXE
PID:4472 -
\??\c:\vppjj.exec:\vppjj.exe43⤵
- Executes dropped EXE
PID:5080 -
\??\c:\ffxlflf.exec:\ffxlflf.exe44⤵
- Executes dropped EXE
PID:4064 -
\??\c:\ntbbbn.exec:\ntbbbn.exe45⤵
- Executes dropped EXE
PID:1208 -
\??\c:\dvvpd.exec:\dvvpd.exe46⤵
- Executes dropped EXE
PID:4836 -
\??\c:\lllfxrl.exec:\lllfxrl.exe47⤵
- Executes dropped EXE
PID:3284 -
\??\c:\rrlfffx.exec:\rrlfffx.exe48⤵
- Executes dropped EXE
PID:1116 -
\??\c:\nnbtnh.exec:\nnbtnh.exe49⤵
- Executes dropped EXE
PID:1588 -
\??\c:\dvvjd.exec:\dvvjd.exe50⤵
- Executes dropped EXE
PID:436 -
\??\c:\rrfxllf.exec:\rrfxllf.exe51⤵
- Executes dropped EXE
PID:2948 -
\??\c:\hbhhnn.exec:\hbhhnn.exe52⤵
- Executes dropped EXE
PID:4304 -
\??\c:\jddjd.exec:\jddjd.exe53⤵
- Executes dropped EXE
PID:4192 -
\??\c:\dpvjv.exec:\dpvjv.exe54⤵
- Executes dropped EXE
PID:2396 -
\??\c:\3lxrlfx.exec:\3lxrlfx.exe55⤵
- Executes dropped EXE
PID:4716 -
\??\c:\thnbtn.exec:\thnbtn.exe56⤵
- Executes dropped EXE
PID:940 -
\??\c:\pjjpp.exec:\pjjpp.exe57⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xflxllf.exec:\xflxllf.exe58⤵
- Executes dropped EXE
PID:1020 -
\??\c:\5btnnh.exec:\5btnnh.exe59⤵
- Executes dropped EXE
PID:440 -
\??\c:\thhtnh.exec:\thhtnh.exe60⤵
- Executes dropped EXE
PID:4636 -
\??\c:\3pvjd.exec:\3pvjd.exe61⤵
- Executes dropped EXE
PID:5028 -
\??\c:\rffrfxr.exec:\rffrfxr.exe62⤵
- Executes dropped EXE
PID:3496 -
\??\c:\1ffxrlf.exec:\1ffxrlf.exe63⤵
- Executes dropped EXE
PID:1504 -
\??\c:\bhbbhn.exec:\bhbbhn.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080 -
\??\c:\jpvpp.exec:\jpvpp.exe65⤵
- Executes dropped EXE
PID:1336 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe66⤵PID:3168
-
\??\c:\nhthhb.exec:\nhthhb.exe67⤵PID:2820
-
\??\c:\bbthbb.exec:\bbthbb.exe68⤵PID:3892
-
\??\c:\vvjdp.exec:\vvjdp.exe69⤵PID:3432
-
\??\c:\1ffxllf.exec:\1ffxllf.exe70⤵PID:4296
-
\??\c:\thnnhb.exec:\thnnhb.exe71⤵PID:312
-
\??\c:\5btntt.exec:\5btntt.exe72⤵PID:628
-
\??\c:\jddvv.exec:\jddvv.exe73⤵PID:3112
-
\??\c:\5lrffxr.exec:\5lrffxr.exe74⤵PID:2300
-
\??\c:\3nnnhh.exec:\3nnnhh.exe75⤵PID:4196
-
\??\c:\vpppp.exec:\vpppp.exe76⤵PID:3944
-
\??\c:\3djdd.exec:\3djdd.exe77⤵PID:1472
-
\??\c:\1rfxrrl.exec:\1rfxrrl.exe78⤵PID:2620
-
\??\c:\bbbbbb.exec:\bbbbbb.exe79⤵PID:2832
-
\??\c:\jjdpd.exec:\jjdpd.exe80⤵PID:4920
-
\??\c:\frxxxxf.exec:\frxxxxf.exe81⤵PID:2000
-
\??\c:\xflfrrf.exec:\xflfrrf.exe82⤵PID:3836
-
\??\c:\tnntnn.exec:\tnntnn.exe83⤵PID:2028
-
\??\c:\dddvp.exec:\dddvp.exe84⤵PID:4748
-
\??\c:\jjdvj.exec:\jjdvj.exe85⤵PID:3156
-
\??\c:\rxfxffl.exec:\rxfxffl.exe86⤵PID:5044
-
\??\c:\7bbtnh.exec:\7bbtnh.exe87⤵PID:4300
-
\??\c:\djpjv.exec:\djpjv.exe88⤵PID:1584
-
\??\c:\rfffrlf.exec:\rfffrlf.exe89⤵PID:1228
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe90⤵PID:2780
-
\??\c:\1bhtht.exec:\1bhtht.exe91⤵PID:2968
-
\??\c:\djpdp.exec:\djpdp.exe92⤵PID:3796
-
\??\c:\pddpj.exec:\pddpj.exe93⤵PID:956
-
\??\c:\7rffxfx.exec:\7rffxfx.exe94⤵PID:4828
-
\??\c:\7rrlxrx.exec:\7rrlxrx.exe95⤵
- System Location Discovery: System Language Discovery
PID:2960 -
\??\c:\1bthbt.exec:\1bthbt.exe96⤵PID:3200
-
\??\c:\vjpjv.exec:\vjpjv.exe97⤵PID:820
-
\??\c:\lfffffx.exec:\lfffffx.exe98⤵PID:4864
-
\??\c:\3hhhht.exec:\3hhhht.exe99⤵PID:3504
-
\??\c:\dvddv.exec:\dvddv.exe100⤵PID:4892
-
\??\c:\vvvpv.exec:\vvvpv.exe101⤵PID:4140
-
\??\c:\nttthh.exec:\nttthh.exe102⤵PID:5080
-
\??\c:\9tnnnn.exec:\9tnnnn.exe103⤵PID:3568
-
\??\c:\vvddd.exec:\vvddd.exe104⤵PID:1520
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe105⤵PID:4880
-
\??\c:\hhhtnn.exec:\hhhtnn.exe106⤵PID:2308
-
\??\c:\dddvp.exec:\dddvp.exe107⤵PID:1996
-
\??\c:\rflxxll.exec:\rflxxll.exe108⤵PID:3320
-
\??\c:\nhttnt.exec:\nhttnt.exe109⤵PID:1580
-
\??\c:\9vvpd.exec:\9vvpd.exe110⤵PID:3060
-
\??\c:\jjpjv.exec:\jjpjv.exe111⤵PID:1048
-
\??\c:\rllllff.exec:\rllllff.exe112⤵PID:2660
-
\??\c:\hbbnhb.exec:\hbbnhb.exe113⤵PID:1248
-
\??\c:\jdpjd.exec:\jdpjd.exe114⤵PID:4760
-
\??\c:\rxfxllf.exec:\rxfxllf.exe115⤵PID:3440
-
\??\c:\xfllflf.exec:\xfllflf.exe116⤵PID:1852
-
\??\c:\bnnbth.exec:\bnnbth.exe117⤵PID:2456
-
\??\c:\jdpjp.exec:\jdpjp.exe118⤵PID:1020
-
\??\c:\rffrfxr.exec:\rffrfxr.exe119⤵PID:440
-
\??\c:\fffxrff.exec:\fffxrff.exe120⤵PID:4636
-
\??\c:\tntbtt.exec:\tntbtt.exe121⤵PID:3948
-
\??\c:\dvjjj.exec:\dvjjj.exe122⤵PID:1352