Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/01/2025, 05:05
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482.exe
Resource
win7-20241023-en (note: the signature, memory-dump and process data shown on this page are labelled behavioral2 and come from the win10v2004-20241007-en run named in the header, not from this win7 task)
7 signatures
120 seconds
General
-
Target
a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482.exe
-
Size
455KB
-
MD5
dc11271a33c5f1b5b7bc950b5d12f0bf
-
SHA1
7c379f94068d4f7355672383ee84196be2acfb2a
-
SHA256
a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482
-
SHA512
4361b7deb94b1f55522c61cf0527e5ea09045176f2ccb931cfb0043b787251363173da8a24a99bab3998d64c8e705e3b2a2bcadd5c6034e049911dd080acdf05
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT3:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 60 IoCs
Every hit below is the same 0x00400000-0x0042A000 image region, dumped from a different stage process in the chain; the identical regions also match the upx YARA rule further down, which is consistent with a UPX-packed executable whose in-memory image still carries recognizable packer artefacts. Treat the family attribution as memory-based: it is the running, already-unpacked image that matched, so a static scan of the on-disk file may not reproduce the match without unpacking first.
resource yara_rule behavioral2/memory/1032-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2548-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3764-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/580-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-920-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-1057-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Each stage is written directly to the root of the C: drive (\??\c:\<name>.exe, a location a standard user normally cannot create files in; the sandbox runs as Admin) and is launched by the previous stage rather than by the original sample, so the Processes section is a single chain more than 120 levels deep that may simply have been cut off by the 120-second kernel limit. Names are built from a small alphabet (h, t, b, n, j, d, p, v, l, r, f, x, optionally with a leading digit), which is a usable hunting pattern. PIDs such as 876, 448 and 580 appear twice in the tree, which suggests each stage exits after spawning its successor and the PID is recycled; anything keyed only by PID (the memory dumps above, the "Process not Found" rows below) should therefore be read together with its sequence number.
pid Process 876 htbbbt.exe 4672 jdpjd.exe 3332 vddvp.exe 60 lxfrffl.exe 3380 hnntbt.exe 1288 rxrlfxr.exe 444 jvpjj.exe 3412 xfrxxrr.exe 1440 nhbthh.exe 3940 jjdvp.exe 448 vpvpp.exe 1592 bnnhtn.exe 400 pdjjv.exe 1920 3rlflfx.exe 3552 bbttnn.exe 2680 pvvpj.exe 2820 hhhhnn.exe 1604 lrxxrll.exe 2684 rlxrllf.exe 4320 bthhnn.exe 2276 xlrrlrl.exe 4816 fxrlffx.exe 4608 vvjpv.exe 2548 rrfxrll.exe 3868 5bttnh.exe 4788 tbhtnt.exe 636 5bnnnh.exe 3524 vdjdd.exe 2000 vvvpv.exe 580 9flxxrx.exe 2976 hbhhbb.exe 1760 rfllffx.exe 3864 bbbttn.exe 2012 vpjdv.exe 1700 rlrfxxr.exe 3416 tnnhbt.exe 3560 vjvvj.exe 1188 9rllflf.exe 4080 hbbttt.exe 4556 htbhbh.exe 2952 1pppp.exe 4944 lxxrffx.exe 1516 httnnh.exe 3212 nnhbnn.exe 1100 ddjjp.exe 876 fxxxllf.exe 4016 bntnhh.exe 4980 7vpdv.exe 1844 llxrlll.exe 3548 tnntbt.exe 2748 bbttnb.exe 1888 djvpj.exe 1152 3lflfrr.exe 4032 rlrllff.exe 756 tnnhnn.exe 2148 pvdjv.exe 1028 xflrllr.exe 4960 7hbbtt.exe 4344 jdppd.exe 448 5vvpp.exe 4316 frrlfxr.exe 1388 bntnnh.exe 1944 vppjd.exe 3352 lffxrrl.exe -
resource yara_rule behavioral2/memory/1032-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-143-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/636-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-341-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2128-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/580-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-652-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). Note that opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine for benign runtime and locale initialisation, so this indicator is low-fidelity on its own and is only worth weighting in combination with the drop-and-execute chain above; rows attributed to "Process not Found" are events the sandbox could not map back to a live process, most likely because the originating stage had already exited.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frlrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xllxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
Every entry is a parent writing into the child it has just created, and the parent/child pairs mirror the Processes tree exactly; each pair is logged three times, which is more consistent with instrumentation of process start-up than with a separate injection step. Nothing here shows a write into an unrelated or pre-existing process, so this should be read as chained execution rather than classic process injection.
description pid Process procid_target PID 1032 wrote to memory of 876 1032 a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482.exe 82 PID 1032 wrote to memory of 876 1032 a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482.exe 82 PID 1032 wrote to memory of 876 1032 a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482.exe 82 PID 876 wrote to memory of 4672 876 htbbbt.exe 83 PID 876 wrote to memory of 4672 876 htbbbt.exe 83 PID 876 wrote to memory of 4672 876 htbbbt.exe 83 PID 4672 wrote to memory of 3332 4672 jdpjd.exe 84 PID 4672 wrote to memory of 3332 4672 jdpjd.exe 84 PID 4672 wrote to memory of 3332 4672 jdpjd.exe 84 PID 3332 wrote to memory of 60 3332 vddvp.exe 85 PID 3332 wrote to memory of 60 3332 vddvp.exe 85 PID 3332 wrote to memory of 60 3332 vddvp.exe 85 PID 60 wrote to memory of 3380 60 lxfrffl.exe 86 PID 60 wrote to memory of 3380 60 lxfrffl.exe 86 PID 60 wrote to memory of 3380 60 lxfrffl.exe 86 PID 3380 wrote to memory of 1288 3380 hnntbt.exe 87 PID 3380 wrote to memory of 1288 3380 hnntbt.exe 87 PID 3380 wrote to memory of 1288 3380 hnntbt.exe 87 PID 1288 wrote to memory of 444 1288 rxrlfxr.exe 88 PID 1288 wrote to memory of 444 1288 rxrlfxr.exe 88 PID 1288 wrote to memory of 444 1288 rxrlfxr.exe 88 PID 444 wrote to memory of 3412 444 jvpjj.exe 89 PID 444 wrote to memory of 3412 444 jvpjj.exe 89 PID 444 wrote to memory of 3412 444 jvpjj.exe 89 PID 3412 wrote to memory of 1440 3412 xfrxxrr.exe 90 PID 3412 wrote to memory of 1440 3412 xfrxxrr.exe 90 PID 3412 wrote to memory of 1440 3412 xfrxxrr.exe 90 PID 1440 wrote to memory of 3940 1440 nhbthh.exe 91 PID 1440 wrote to memory of 3940 1440 nhbthh.exe 91 PID 1440 wrote to memory of 3940 1440 nhbthh.exe 91 PID 3940 wrote to memory of 448 3940 jjdvp.exe 92 PID 3940 wrote to memory of 448 3940 jjdvp.exe 92 PID 3940 wrote to memory of 448 3940 jjdvp.exe 92 PID 448 wrote to memory of 1592 448 vpvpp.exe 93 PID 448 wrote to memory of 1592 448 vpvpp.exe 93 PID 448 wrote 
to memory of 1592 448 vpvpp.exe 93 PID 1592 wrote to memory of 400 1592 bnnhtn.exe 94 PID 1592 wrote to memory of 400 1592 bnnhtn.exe 94 PID 1592 wrote to memory of 400 1592 bnnhtn.exe 94 PID 400 wrote to memory of 1920 400 pdjjv.exe 95 PID 400 wrote to memory of 1920 400 pdjjv.exe 95 PID 400 wrote to memory of 1920 400 pdjjv.exe 95 PID 1920 wrote to memory of 3552 1920 3rlflfx.exe 96 PID 1920 wrote to memory of 3552 1920 3rlflfx.exe 96 PID 1920 wrote to memory of 3552 1920 3rlflfx.exe 96 PID 3552 wrote to memory of 2680 3552 bbttnn.exe 97 PID 3552 wrote to memory of 2680 3552 bbttnn.exe 97 PID 3552 wrote to memory of 2680 3552 bbttnn.exe 97 PID 2680 wrote to memory of 2820 2680 pvvpj.exe 98 PID 2680 wrote to memory of 2820 2680 pvvpj.exe 98 PID 2680 wrote to memory of 2820 2680 pvvpj.exe 98 PID 2820 wrote to memory of 1604 2820 hhhhnn.exe 99 PID 2820 wrote to memory of 1604 2820 hhhhnn.exe 99 PID 2820 wrote to memory of 1604 2820 hhhhnn.exe 99 PID 1604 wrote to memory of 2684 1604 lrxxrll.exe 100 PID 1604 wrote to memory of 2684 1604 lrxxrll.exe 100 PID 1604 wrote to memory of 2684 1604 lrxxrll.exe 100 PID 2684 wrote to memory of 4320 2684 rlxrllf.exe 101 PID 2684 wrote to memory of 4320 2684 rlxrllf.exe 101 PID 2684 wrote to memory of 4320 2684 rlxrllf.exe 101 PID 4320 wrote to memory of 2276 4320 bthhnn.exe 102 PID 4320 wrote to memory of 2276 4320 bthhnn.exe 102 PID 4320 wrote to memory of 2276 4320 bthhnn.exe 102 PID 2276 wrote to memory of 4816 2276 xlrrlrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482.exe"C:\Users\Admin\AppData\Local\Temp\a589563e285dae358fdcb813ee847aec3e7d4065c041e03fd1729d092c303482.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\htbbbt.exec:\htbbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\jdpjd.exec:\jdpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\vddvp.exec:\vddvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\lxfrffl.exec:\lxfrffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:60 -
\??\c:\hnntbt.exec:\hnntbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\rxrlfxr.exec:\rxrlfxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\jvpjj.exec:\jvpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\xfrxxrr.exec:\xfrxxrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\nhbthh.exec:\nhbthh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\jjdvp.exec:\jjdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\vpvpp.exec:\vpvpp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\bnnhtn.exec:\bnnhtn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\pdjjv.exec:\pdjjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\3rlflfx.exec:\3rlflfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\bbttnn.exec:\bbttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\pvvpj.exec:\pvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\hhhhnn.exec:\hhhhnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\lrxxrll.exec:\lrxxrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\rlxrllf.exec:\rlxrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\bthhnn.exec:\bthhnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\fxrlffx.exec:\fxrlffx.exe23⤵
- Executes dropped EXE
PID:4816 -
\??\c:\vvjpv.exec:\vvjpv.exe24⤵
- Executes dropped EXE
PID:4608 -
\??\c:\rrfxrll.exec:\rrfxrll.exe25⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5bttnh.exec:\5bttnh.exe26⤵
- Executes dropped EXE
PID:3868 -
\??\c:\tbhtnt.exec:\tbhtnt.exe27⤵
- Executes dropped EXE
PID:4788 -
\??\c:\5bnnnh.exec:\5bnnnh.exe28⤵
- Executes dropped EXE
PID:636 -
\??\c:\vdjdd.exec:\vdjdd.exe29⤵
- Executes dropped EXE
PID:3524 -
\??\c:\vvvpv.exec:\vvvpv.exe30⤵
- Executes dropped EXE
PID:2000 -
\??\c:\9flxxrx.exec:\9flxxrx.exe31⤵
- Executes dropped EXE
PID:580 -
\??\c:\hbhhbb.exec:\hbhhbb.exe32⤵
- Executes dropped EXE
PID:2976 -
\??\c:\rfllffx.exec:\rfllffx.exe33⤵
- Executes dropped EXE
PID:1760 -
\??\c:\bbbttn.exec:\bbbttn.exe34⤵
- Executes dropped EXE
PID:3864 -
\??\c:\vpjdv.exec:\vpjdv.exe35⤵
- Executes dropped EXE
PID:2012 -
\??\c:\rlrfxxr.exec:\rlrfxxr.exe36⤵
- Executes dropped EXE
PID:1700 -
\??\c:\tnnhbt.exec:\tnnhbt.exe37⤵
- Executes dropped EXE
PID:3416 -
\??\c:\vjvvj.exec:\vjvvj.exe38⤵
- Executes dropped EXE
PID:3560 -
\??\c:\9rllflf.exec:\9rllflf.exe39⤵
- Executes dropped EXE
PID:1188 -
\??\c:\hbbttt.exec:\hbbttt.exe40⤵
- Executes dropped EXE
PID:4080 -
\??\c:\htbhbh.exec:\htbhbh.exe41⤵
- Executes dropped EXE
PID:4556 -
\??\c:\1pppp.exec:\1pppp.exe42⤵
- Executes dropped EXE
PID:2952 -
\??\c:\lxxrffx.exec:\lxxrffx.exe43⤵
- Executes dropped EXE
PID:4944 -
\??\c:\httnnh.exec:\httnnh.exe44⤵
- Executes dropped EXE
PID:1516 -
\??\c:\nnhbnn.exec:\nnhbnn.exe45⤵
- Executes dropped EXE
PID:3212 -
\??\c:\ddjjp.exec:\ddjjp.exe46⤵
- Executes dropped EXE
PID:1100 -
\??\c:\fxxxllf.exec:\fxxxllf.exe47⤵
- Executes dropped EXE
PID:876 -
\??\c:\bntnhh.exec:\bntnhh.exe48⤵
- Executes dropped EXE
PID:4016 -
\??\c:\7vpdv.exec:\7vpdv.exe49⤵
- Executes dropped EXE
PID:4980 -
\??\c:\llxrlll.exec:\llxrlll.exe50⤵
- Executes dropped EXE
PID:1844 -
\??\c:\tnntbt.exec:\tnntbt.exe51⤵
- Executes dropped EXE
PID:3548 -
\??\c:\bbttnb.exec:\bbttnb.exe52⤵
- Executes dropped EXE
PID:2748 -
\??\c:\djvpj.exec:\djvpj.exe53⤵
- Executes dropped EXE
PID:1888 -
\??\c:\3lflfrr.exec:\3lflfrr.exe54⤵
- Executes dropped EXE
PID:1152 -
\??\c:\rlrllff.exec:\rlrllff.exe55⤵
- Executes dropped EXE
PID:4032 -
\??\c:\tnnhnn.exec:\tnnhnn.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756 -
\??\c:\pvdjv.exec:\pvdjv.exe57⤵
- Executes dropped EXE
PID:2148 -
\??\c:\xflrllr.exec:\xflrllr.exe58⤵
- Executes dropped EXE
PID:1028 -
\??\c:\7hbbtt.exec:\7hbbtt.exe59⤵
- Executes dropped EXE
PID:4960 -
\??\c:\jdppd.exec:\jdppd.exe60⤵
- Executes dropped EXE
PID:4344 -
\??\c:\5vvpp.exec:\5vvpp.exe61⤵
- Executes dropped EXE
PID:448 -
\??\c:\frrlfxr.exec:\frrlfxr.exe62⤵
- Executes dropped EXE
PID:4316 -
\??\c:\bntnnh.exec:\bntnnh.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1388 -
\??\c:\vppjd.exec:\vppjd.exe64⤵
- Executes dropped EXE
PID:1944 -
\??\c:\lffxrrl.exec:\lffxrrl.exe65⤵
- Executes dropped EXE
PID:3352 -
\??\c:\xrrxrxx.exec:\xrrxrxx.exe66⤵PID:1680
-
\??\c:\jdddj.exec:\jdddj.exe67⤵PID:4264
-
\??\c:\lrxffff.exec:\lrxffff.exe68⤵PID:2328
-
\??\c:\1lxffrx.exec:\1lxffrx.exe69⤵PID:4444
-
\??\c:\bbhbnh.exec:\bbhbnh.exe70⤵PID:3308
-
\??\c:\vjpjv.exec:\vjpjv.exe71⤵PID:4636
-
\??\c:\xlfrfrf.exec:\xlfrfrf.exe72⤵PID:2956
-
\??\c:\5bbhth.exec:\5bbhth.exe73⤵PID:1496
-
\??\c:\jvdvv.exec:\jvdvv.exe74⤵PID:3764
-
\??\c:\fxlfllr.exec:\fxlfllr.exe75⤵PID:1864
-
\??\c:\7rlxfxf.exec:\7rlxfxf.exe76⤵PID:4168
-
\??\c:\bhbtnh.exec:\bhbtnh.exe77⤵PID:4924
-
\??\c:\7dvpj.exec:\7dvpj.exe78⤵PID:2608
-
\??\c:\1rrfxlf.exec:\1rrfxlf.exe79⤵PID:2128
-
\??\c:\bbbnbn.exec:\bbbnbn.exe80⤵PID:3016
-
\??\c:\1nhthb.exec:\1nhthb.exe81⤵PID:1692
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe82⤵PID:4800
-
\??\c:\lxxxrlx.exec:\lxxxrlx.exe83⤵PID:1940
-
\??\c:\htbhhn.exec:\htbhhn.exe84⤵PID:1088
-
\??\c:\jdpdd.exec:\jdpdd.exe85⤵PID:1204
-
\??\c:\fxfxrrf.exec:\fxfxrrf.exe86⤵PID:4732
-
\??\c:\hbbbnb.exec:\hbbbnb.exe87⤵PID:580
-
\??\c:\hbnhtn.exec:\hbnhtn.exe88⤵PID:1504
-
\??\c:\9vvpp.exec:\9vvpp.exe89⤵PID:4048
-
\??\c:\fxxffxf.exec:\fxxffxf.exe90⤵PID:5068
-
\??\c:\nthbhh.exec:\nthbhh.exe91⤵PID:4528
-
\??\c:\vvdvj.exec:\vvdvj.exe92⤵PID:4572
-
\??\c:\xlrllrr.exec:\xlrllrr.exe93⤵PID:1436
-
\??\c:\ffxrffr.exec:\ffxrffr.exe94⤵PID:2656
-
\??\c:\htnttb.exec:\htnttb.exe95⤵PID:1480
-
\??\c:\pvdpv.exec:\pvdpv.exe96⤵PID:2812
-
\??\c:\xrrlrrx.exec:\xrrlrrx.exe97⤵PID:3960
-
\??\c:\nhhtbn.exec:\nhhtbn.exe98⤵PID:1860
-
\??\c:\jvjvp.exec:\jvjvp.exe99⤵PID:2936
-
\??\c:\jddpd.exec:\jddpd.exe100⤵PID:4296
-
\??\c:\rllfxrr.exec:\rllfxrr.exe101⤵PID:3444
-
\??\c:\tnbtnh.exec:\tnbtnh.exe102⤵PID:1584
-
\??\c:\9pvdv.exec:\9pvdv.exe103⤵PID:208
-
\??\c:\7ffxrlr.exec:\7ffxrlr.exe104⤵PID:2304
-
\??\c:\rxxlrrx.exec:\rxxlrrx.exe105⤵PID:4348
-
\??\c:\3httbh.exec:\3httbh.exe106⤵PID:3212
-
\??\c:\llrxxxr.exec:\llrxxxr.exe107⤵PID:3136
-
\??\c:\nbnhhh.exec:\nbnhhh.exe108⤵PID:4676
-
\??\c:\9bhbnn.exec:\9bhbnn.exe109⤵PID:3520
-
\??\c:\vpdvp.exec:\vpdvp.exe110⤵PID:2912
-
\??\c:\fxrlxfr.exec:\fxrlxfr.exe111⤵PID:4660
-
\??\c:\tnnhtt.exec:\tnnhtt.exe112⤵PID:4008
-
\??\c:\pdjdd.exec:\pdjdd.exe113⤵PID:920
-
\??\c:\pjjdv.exec:\pjjdv.exe114⤵PID:2748
-
\??\c:\fllfrxl.exec:\fllfrxl.exe115⤵PID:1888
-
\??\c:\htbbbb.exec:\htbbbb.exe116⤵PID:1152
-
\??\c:\nhnntt.exec:\nhnntt.exe117⤵PID:4032
-
\??\c:\7pppj.exec:\7pppj.exe118⤵PID:3252
-
\??\c:\fxlfrxl.exec:\fxlfrxl.exe119⤵PID:4256
-
\??\c:\9hhbtn.exec:\9hhbtn.exe120⤵PID:3900
-
\??\c:\dvvjp.exec:\dvvjp.exe121⤵PID:3860
-
\??\c:\fxrlxrf.exec:\fxrlxrf.exe122⤵PID:4960