Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:03
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe
-
Size
455KB
-
MD5
27af1e866dc33ed6156be79eb42abd62
-
SHA1
37aec31e70b5c1669f07ad942de43e14ca099ef7
-
SHA256
a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e
-
SHA512
10cfb50ee94b68923ab681e136620d607f41f19e6502ab12502724e06ffd4009b58859e00d99c7202001182c215636e902f4bc26532eaa77926b7133b99ee8dd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTk:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1512-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2984-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3048-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-1043-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-1212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4728 htnhtt.exe 5104 frrrfxr.exe 1360 ppjvj.exe 1372 bnnnnt.exe 3604 lfrlflf.exe 788 5llfxxr.exe 4840 lxxrxrl.exe 4812 fxxrrrx.exe 4692 1jjdp.exe 2640 hnnhbt.exe 4316 dppdv.exe 3368 xrfxlfx.exe 2372 pvpjd.exe 3432 frlfxrr.exe 4292 nnnbnh.exe 636 rlrlxrx.exe 228 nhtnhb.exe 2264 dvjpd.exe 2760 bntnhh.exe 4560 5jpdv.exe 4868 tttnnn.exe 3012 bbtnnn.exe 4404 5jjdv.exe 2016 5lrllll.exe 2604 lxffxxr.exe 32 tnhtnh.exe 3100 tbnbtb.exe 2008 3ffxrlf.exe 2984 nbbtnh.exe 4036 vjjdd.exe 4908 bhbhnn.exe 4356 jdvjv.exe 4304 xxlffll.exe 4236 1jpjv.exe 2976 xlrllff.exe 4936 7xxxrxr.exe 2652 hbbnhh.exe 3160 pdjpp.exe 2120 9xxrrxr.exe 4192 9bnhbb.exe 3360 dvvjv.exe 2172 rlrrlrr.exe 3376 bhhbtn.exe 2104 pdjdv.exe 1428 llrrxxx.exe 764 7ntntn.exe 4056 5tnbbb.exe 3124 ppvvd.exe 1112 3lfrrlx.exe 1404 thnhbb.exe 3040 vjjvv.exe 3596 9xrlxrr.exe 4416 hnnhbb.exe 2376 jjdvv.exe 1512 1vvpj.exe 3904 3rrlfff.exe 2712 7nhtnb.exe 100 jjvpd.exe 1380 3llflfx.exe 4700 3ntnnn.exe 3676 jdpjj.exe 3320 jdddp.exe 2004 5fxrfff.exe 4676 nnbnht.exe -
resource yara_rule behavioral2/memory/1512-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4036-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-345-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5096-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-754-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1512 wrote to memory of 4728 1512 a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe 82 PID 1512 wrote to memory of 4728 1512 a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe 82 PID 1512 wrote to memory of 4728 1512 a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe 82 PID 4728 wrote to memory of 5104 4728 htnhtt.exe 83 PID 4728 wrote to memory of 5104 4728 htnhtt.exe 83 PID 4728 wrote to memory of 5104 4728 htnhtt.exe 83 PID 5104 wrote to memory of 1360 5104 frrrfxr.exe 84 PID 5104 wrote to memory of 1360 5104 frrrfxr.exe 84 PID 5104 wrote to memory of 1360 5104 frrrfxr.exe 84 PID 1360 wrote to memory of 1372 1360 ppjvj.exe 85 PID 1360 wrote to memory of 1372 1360 ppjvj.exe 85 PID 1360 wrote to memory of 1372 1360 ppjvj.exe 85 PID 1372 wrote to memory of 3604 1372 bnnnnt.exe 86 PID 1372 wrote to memory of 3604 1372 bnnnnt.exe 86 PID 1372 wrote to memory of 3604 1372 bnnnnt.exe 86 PID 3604 wrote to memory of 788 3604 lfrlflf.exe 87 PID 3604 wrote to memory of 788 3604 lfrlflf.exe 87 PID 3604 wrote to memory of 788 3604 lfrlflf.exe 87 PID 788 wrote to memory of 4840 788 5llfxxr.exe 88 PID 788 wrote to memory of 4840 788 5llfxxr.exe 88 PID 788 wrote to memory of 4840 788 5llfxxr.exe 88 PID 4840 wrote to memory of 4812 4840 lxxrxrl.exe 89 PID 4840 wrote to memory of 4812 4840 lxxrxrl.exe 89 PID 4840 wrote to memory of 4812 4840 lxxrxrl.exe 89 PID 4812 wrote to memory of 4692 4812 fxxrrrx.exe 90 PID 4812 wrote to memory of 4692 4812 fxxrrrx.exe 90 PID 4812 wrote to memory of 4692 4812 fxxrrrx.exe 90 PID 4692 wrote to memory of 2640 4692 1jjdp.exe 91 PID 4692 wrote to memory of 2640 4692 1jjdp.exe 91 PID 4692 wrote to memory of 2640 4692 1jjdp.exe 91 PID 2640 wrote to memory of 4316 2640 hnnhbt.exe 92 PID 2640 wrote to memory of 4316 2640 hnnhbt.exe 92 PID 2640 wrote to memory of 4316 2640 hnnhbt.exe 92 PID 4316 wrote to memory of 3368 4316 dppdv.exe 93 PID 4316 wrote to 
memory of 3368 4316 dppdv.exe 93 PID 4316 wrote to memory of 3368 4316 dppdv.exe 93 PID 3368 wrote to memory of 2372 3368 xrfxlfx.exe 94 PID 3368 wrote to memory of 2372 3368 xrfxlfx.exe 94 PID 3368 wrote to memory of 2372 3368 xrfxlfx.exe 94 PID 2372 wrote to memory of 3432 2372 pvpjd.exe 95 PID 2372 wrote to memory of 3432 2372 pvpjd.exe 95 PID 2372 wrote to memory of 3432 2372 pvpjd.exe 95 PID 3432 wrote to memory of 4292 3432 frlfxrr.exe 96 PID 3432 wrote to memory of 4292 3432 frlfxrr.exe 96 PID 3432 wrote to memory of 4292 3432 frlfxrr.exe 96 PID 4292 wrote to memory of 636 4292 nnnbnh.exe 97 PID 4292 wrote to memory of 636 4292 nnnbnh.exe 97 PID 4292 wrote to memory of 636 4292 nnnbnh.exe 97 PID 636 wrote to memory of 228 636 rlrlxrx.exe 98 PID 636 wrote to memory of 228 636 rlrlxrx.exe 98 PID 636 wrote to memory of 228 636 rlrlxrx.exe 98 PID 228 wrote to memory of 2264 228 nhtnhb.exe 99 PID 228 wrote to memory of 2264 228 nhtnhb.exe 99 PID 228 wrote to memory of 2264 228 nhtnhb.exe 99 PID 2264 wrote to memory of 2760 2264 dvjpd.exe 100 PID 2264 wrote to memory of 2760 2264 dvjpd.exe 100 PID 2264 wrote to memory of 2760 2264 dvjpd.exe 100 PID 2760 wrote to memory of 4560 2760 bntnhh.exe 101 PID 2760 wrote to memory of 4560 2760 bntnhh.exe 101 PID 2760 wrote to memory of 4560 2760 bntnhh.exe 101 PID 4560 wrote to memory of 4868 4560 5jpdv.exe 102 PID 4560 wrote to memory of 4868 4560 5jpdv.exe 102 PID 4560 wrote to memory of 4868 4560 5jpdv.exe 102 PID 4868 wrote to memory of 3012 4868 tttnnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe"C:\Users\Admin\AppData\Local\Temp\a47f31d035e52e3b90d3445f87c3d628c3f54514805c84ba18842dfbb1a5b63e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\htnhtt.exec:\htnhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\frrrfxr.exec:\frrrfxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5104 -
\??\c:\ppjvj.exec:\ppjvj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\bnnnnt.exec:\bnnnnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
\??\c:\lfrlflf.exec:\lfrlflf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\5llfxxr.exec:\5llfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:788 -
\??\c:\lxxrxrl.exec:\lxxrxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\1jjdp.exec:\1jjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\hnnhbt.exec:\hnnhbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
\??\c:\dppdv.exec:\dppdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\pvpjd.exec:\pvpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\frlfxrr.exec:\frlfxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\nnnbnh.exec:\nnnbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\rlrlxrx.exec:\rlrlxrx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\nhtnhb.exec:\nhtnhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\dvjpd.exec:\dvjpd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\bntnhh.exec:\bntnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\5jpdv.exec:\5jpdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\tttnnn.exec:\tttnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\bbtnnn.exec:\bbtnnn.exe23⤵
- Executes dropped EXE
PID:3012 -
\??\c:\5jjdv.exec:\5jjdv.exe24⤵
- Executes dropped EXE
PID:4404 -
\??\c:\5lrllll.exec:\5lrllll.exe25⤵
- Executes dropped EXE
PID:2016 -
\??\c:\lxffxxr.exec:\lxffxxr.exe26⤵
- Executes dropped EXE
PID:2604 -
\??\c:\tnhtnh.exec:\tnhtnh.exe27⤵
- Executes dropped EXE
PID:32 -
\??\c:\tbnbtb.exec:\tbnbtb.exe28⤵
- Executes dropped EXE
PID:3100 -
\??\c:\3ffxrlf.exec:\3ffxrlf.exe29⤵
- Executes dropped EXE
PID:2008 -
\??\c:\nbbtnh.exec:\nbbtnh.exe30⤵
- Executes dropped EXE
PID:2984 -
\??\c:\vjjdd.exec:\vjjdd.exe31⤵
- Executes dropped EXE
PID:4036 -
\??\c:\bhbhnn.exec:\bhbhnn.exe32⤵
- Executes dropped EXE
PID:4908 -
\??\c:\jdvjv.exec:\jdvjv.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4356 -
\??\c:\xxlffll.exec:\xxlffll.exe34⤵
- Executes dropped EXE
PID:4304 -
\??\c:\1jpjv.exec:\1jpjv.exe35⤵
- Executes dropped EXE
PID:4236 -
\??\c:\xlrllff.exec:\xlrllff.exe36⤵
- Executes dropped EXE
PID:2976 -
\??\c:\7xxxrxr.exec:\7xxxrxr.exe37⤵
- Executes dropped EXE
PID:4936 -
\??\c:\hbbnhh.exec:\hbbnhh.exe38⤵
- Executes dropped EXE
PID:2652 -
\??\c:\pdjpp.exec:\pdjpp.exe39⤵
- Executes dropped EXE
PID:3160 -
\??\c:\9xxrrxr.exec:\9xxrrxr.exe40⤵
- Executes dropped EXE
PID:2120 -
\??\c:\9bnhbb.exec:\9bnhbb.exe41⤵
- Executes dropped EXE
PID:4192 -
\??\c:\dvvjv.exec:\dvvjv.exe42⤵
- Executes dropped EXE
PID:3360 -
\??\c:\rlrrlrr.exec:\rlrrlrr.exe43⤵
- Executes dropped EXE
PID:2172 -
\??\c:\bhhbtn.exec:\bhhbtn.exe44⤵
- Executes dropped EXE
PID:3376 -
\??\c:\pdjdv.exec:\pdjdv.exe45⤵
- Executes dropped EXE
PID:2104 -
\??\c:\llrrxxx.exec:\llrrxxx.exe46⤵
- Executes dropped EXE
PID:1428 -
\??\c:\7ntntn.exec:\7ntntn.exe47⤵
- Executes dropped EXE
PID:764 -
\??\c:\5tnbbb.exec:\5tnbbb.exe48⤵
- Executes dropped EXE
PID:4056 -
\??\c:\ppvvd.exec:\ppvvd.exe49⤵
- Executes dropped EXE
PID:3124 -
\??\c:\3lfrrlx.exec:\3lfrrlx.exe50⤵
- Executes dropped EXE
PID:1112 -
\??\c:\thnhbb.exec:\thnhbb.exe51⤵
- Executes dropped EXE
PID:1404 -
\??\c:\vjjvv.exec:\vjjvv.exe52⤵
- Executes dropped EXE
PID:3040 -
\??\c:\9xrlxrr.exec:\9xrlxrr.exe53⤵
- Executes dropped EXE
PID:3596 -
\??\c:\hnnhbb.exec:\hnnhbb.exe54⤵
- Executes dropped EXE
PID:4416 -
\??\c:\jjdvv.exec:\jjdvv.exe55⤵
- Executes dropped EXE
PID:2376 -
\??\c:\1vvpj.exec:\1vvpj.exe56⤵
- Executes dropped EXE
PID:1512 -
\??\c:\3rrlfff.exec:\3rrlfff.exe57⤵
- Executes dropped EXE
PID:3904 -
\??\c:\7nhtnb.exec:\7nhtnb.exe58⤵
- Executes dropped EXE
PID:2712 -
\??\c:\jjvpd.exec:\jjvpd.exe59⤵
- Executes dropped EXE
PID:100 -
\??\c:\3llflfx.exec:\3llflfx.exe60⤵
- Executes dropped EXE
PID:1380 -
\??\c:\3ntnnn.exec:\3ntnnn.exe61⤵
- Executes dropped EXE
PID:4700 -
\??\c:\jdpjj.exec:\jdpjj.exe62⤵
- Executes dropped EXE
PID:3676 -
\??\c:\jdddp.exec:\jdddp.exe63⤵
- Executes dropped EXE
PID:3320 -
\??\c:\5fxrfff.exec:\5fxrfff.exe64⤵
- Executes dropped EXE
PID:2004 -
\??\c:\nnbnht.exec:\nnbnht.exe65⤵
- Executes dropped EXE
PID:4676 -
\??\c:\pjvpp.exec:\pjvpp.exe66⤵PID:3548
-
\??\c:\dppjv.exec:\dppjv.exe67⤵PID:4732
-
\??\c:\xxxrlff.exec:\xxxrlff.exe68⤵PID:2460
-
\??\c:\5hthbn.exec:\5hthbn.exe69⤵PID:3856
-
\??\c:\pjdpj.exec:\pjdpj.exe70⤵PID:3048
-
\??\c:\pjjpp.exec:\pjjpp.exe71⤵PID:4960
-
\??\c:\9rxrxxr.exec:\9rxrxxr.exe72⤵PID:4696
-
\??\c:\httntt.exec:\httntt.exe73⤵PID:2108
-
\??\c:\vdjdv.exec:\vdjdv.exe74⤵PID:4780
-
\??\c:\vjpjd.exec:\vjpjd.exe75⤵PID:760
-
\??\c:\rlxxfrl.exec:\rlxxfrl.exe76⤵PID:1788
-
\??\c:\nhhbbb.exec:\nhhbbb.exe77⤵PID:3980
-
\??\c:\vvddd.exec:\vvddd.exe78⤵PID:636
-
\??\c:\dppdp.exec:\dppdp.exe79⤵PID:5096
-
\??\c:\5ffrlrl.exec:\5ffrlrl.exe80⤵PID:1296
-
\??\c:\hthbtn.exec:\hthbtn.exe81⤵PID:3752
-
\??\c:\dvdvp.exec:\dvdvp.exe82⤵PID:2760
-
\??\c:\xrfxrxr.exec:\xrfxrxr.exe83⤵PID:2648
-
\??\c:\bbbthb.exec:\bbbthb.exe84⤵PID:1964
-
\??\c:\tnbhbb.exec:\tnbhbb.exe85⤵PID:1816
-
\??\c:\pjjdv.exec:\pjjdv.exe86⤵PID:1724
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe87⤵PID:1124
-
\??\c:\btbnnh.exec:\btbnnh.exe88⤵PID:3492
-
\??\c:\jpvpd.exec:\jpvpd.exe89⤵PID:1492
-
\??\c:\vpdvv.exec:\vpdvv.exe90⤵PID:3952
-
\??\c:\9rrfrlr.exec:\9rrfrlr.exe91⤵PID:2320
-
\??\c:\nbhbtt.exec:\nbhbtt.exe92⤵
- System Location Discovery: System Language Discovery
PID:1620 -
\??\c:\pppjd.exec:\pppjd.exe93⤵PID:2888
-
\??\c:\fxfxfxf.exec:\fxfxfxf.exe94⤵PID:3100
-
\??\c:\bbhttn.exec:\bbhttn.exe95⤵PID:2384
-
\??\c:\3jpdd.exec:\3jpdd.exe96⤵PID:5020
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe97⤵PID:3984
-
\??\c:\rrfxfff.exec:\rrfxfff.exe98⤵PID:3136
-
\??\c:\bttnbb.exec:\bttnbb.exe99⤵PID:3688
-
\??\c:\jvvpj.exec:\jvvpj.exe100⤵PID:3948
-
\??\c:\9xrlllf.exec:\9xrlllf.exe101⤵PID:4304
-
\??\c:\5nnnbb.exec:\5nnnbb.exe102⤵PID:984
-
\??\c:\7nhbnn.exec:\7nhbnn.exe103⤵PID:3064
-
\??\c:\dpddj.exec:\dpddj.exe104⤵PID:2932
-
\??\c:\frlfrrf.exec:\frlfrrf.exe105⤵PID:5080
-
\??\c:\thnbhb.exec:\thnbhb.exe106⤵PID:1384
-
\??\c:\pvdvd.exec:\pvdvd.exe107⤵PID:1396
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe108⤵PID:1780
-
\??\c:\hntnhh.exec:\hntnhh.exe109⤵PID:1240
-
\??\c:\pvjvj.exec:\pvjvj.exe110⤵PID:1984
-
\??\c:\xflfrlf.exec:\xflfrlf.exe111⤵PID:396
-
\??\c:\hbbtnt.exec:\hbbtnt.exe112⤵PID:4488
-
\??\c:\vppjd.exec:\vppjd.exe113⤵PID:3628
-
\??\c:\jddvp.exec:\jddvp.exe114⤵PID:4468
-
\??\c:\9lffrrl.exec:\9lffrrl.exe115⤵PID:872
-
\??\c:\ntntnn.exec:\ntntnn.exe116⤵PID:4056
-
\??\c:\djdpj.exec:\djdpj.exe117⤵PID:8
-
\??\c:\lxfxllx.exec:\lxfxllx.exe118⤵PID:4872
-
\??\c:\xxxxrxr.exec:\xxxxrxr.exe119⤵PID:1676
-
\??\c:\3bthbb.exec:\3bthbb.exe120⤵PID:4608
-
\??\c:\1pjdp.exec:\1pjdp.exe121⤵PID:3596
-
\??\c:\lxrrllr.exec:\lxrrllr.exe122⤵PID:4416