Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe
-
Size
454KB
-
MD5
c792b5ba0f3418a01c910352f5783ff0
-
SHA1
4da115c9bee81ec3e11367a57fa5f03f747de1f3
-
SHA256
0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5e
-
SHA512
aa13906156c9e8915ba2523ec6db149def34d67b0a07ccc07a2a3a0ec05fe1d0b5de71e224cea1d1ccaa376026809d482780aed2a78a48cdc6a09abf665b1188
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAber7:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4832-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/448-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1304-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-695-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-867-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-1155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-1287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1840-1864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4268 nhnhnh.exe 3744 lfrrxxf.exe 4772 dvvdv.exe 3576 xxxrfff.exe 4840 pdvdv.exe 2140 bnbhbt.exe 3596 lflffff.exe 2740 rxflrxr.exe 4776 lrlxxxx.exe 316 hhnhbb.exe 3248 rfrlffx.exe 4088 7rrrrxr.exe 4112 dvdpv.exe 2564 lrrlfrl.exe 2152 hnnhhb.exe 4868 nbhhbh.exe 4972 tnttnn.exe 4220 vpjvv.exe 3676 frrlfxr.exe 5088 bbnhhh.exe 4740 vpdvv.exe 5072 dppjd.exe 4568 lfrlfrl.exe 3144 xrxrxrx.exe 2412 pjjdj.exe 2100 9llffff.exe 3640 1vdvp.exe 448 5pjdd.exe 4484 rfxrrxr.exe 4752 lrfxrfx.exe 1392 nhtnhh.exe 3988 rlrfxxr.exe 3528 pvvpd.exe 2744 vpppj.exe 1444 nhbhbt.exe 5056 nthbtn.exe 4964 jdpjp.exe 1864 5xrlrrr.exe 5012 bhhnhb.exe 1828 pdpjd.exe 4616 xllfxrl.exe 2992 ntbbhh.exe 1620 dpvvp.exe 1824 rfllffx.exe 2496 tntnbt.exe 4892 7pvjd.exe 1128 xrxrrrr.exe 3752 ttnhhh.exe 4876 jdpjp.exe 4940 5ddvp.exe 3512 hnhbnn.exe 4308 hbhbnn.exe 64 jjvvp.exe 3268 lxrrfrl.exe 652 7tbttt.exe 4080 pjvpv.exe 4524 llfrllf.exe 3748 fflxrlx.exe 4140 ttbhnn.exe 3708 jvvvp.exe 1872 lflxrlf.exe 2176 tnthtn.exe 3596 3nhhbb.exe 4532 dvdvd.exe -
resource yara_rule behavioral2/memory/4268-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/448-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-323-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4212-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-643-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-867-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4832 wrote to memory of 4268 4832 0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe 82 PID 4832 wrote to memory of 4268 4832 0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe 82 PID 4832 wrote to memory of 4268 4832 0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe 82 PID 4268 wrote to memory of 3744 4268 nhnhnh.exe 83 PID 4268 wrote to memory of 3744 4268 nhnhnh.exe 83 PID 4268 wrote to memory of 3744 4268 nhnhnh.exe 83 PID 3744 wrote to memory of 4772 3744 lfrrxxf.exe 84 PID 3744 wrote to memory of 4772 3744 lfrrxxf.exe 84 PID 3744 wrote to memory of 4772 3744 lfrrxxf.exe 84 PID 4772 wrote to memory of 3576 4772 dvvdv.exe 85 PID 4772 wrote to memory of 3576 4772 dvvdv.exe 85 PID 4772 wrote to memory of 3576 4772 dvvdv.exe 85 PID 3576 wrote to memory of 4840 3576 xxxrfff.exe 86 PID 3576 wrote to memory of 4840 3576 xxxrfff.exe 86 PID 3576 wrote to memory of 4840 3576 xxxrfff.exe 86 PID 4840 wrote to memory of 2140 4840 pdvdv.exe 87 PID 4840 wrote to memory of 2140 4840 pdvdv.exe 87 PID 4840 wrote to memory of 2140 4840 pdvdv.exe 87 PID 2140 wrote to memory of 3596 2140 bnbhbt.exe 88 PID 2140 wrote to memory of 3596 2140 bnbhbt.exe 88 PID 2140 wrote to memory of 3596 2140 bnbhbt.exe 88 PID 3596 wrote to memory of 2740 3596 lflffff.exe 89 PID 3596 wrote to memory of 2740 3596 lflffff.exe 89 PID 3596 wrote to memory of 2740 3596 lflffff.exe 89 PID 2740 wrote to memory of 4776 2740 rxflrxr.exe 90 PID 2740 wrote to memory of 4776 2740 rxflrxr.exe 90 PID 2740 wrote to memory of 4776 2740 rxflrxr.exe 90 PID 4776 wrote to memory of 316 4776 lrlxxxx.exe 91 PID 4776 wrote to memory of 316 4776 lrlxxxx.exe 91 PID 4776 wrote to memory of 316 4776 lrlxxxx.exe 91 PID 316 wrote to memory of 3248 316 hhnhbb.exe 92 PID 316 wrote to memory of 3248 316 hhnhbb.exe 92 PID 316 wrote to memory of 3248 316 hhnhbb.exe 92 PID 3248 wrote to memory of 4088 3248 rfrlffx.exe 93 PID 3248 wrote 
to memory of 4088 3248 rfrlffx.exe 93 PID 3248 wrote to memory of 4088 3248 rfrlffx.exe 93 PID 4088 wrote to memory of 4112 4088 7rrrrxr.exe 94 PID 4088 wrote to memory of 4112 4088 7rrrrxr.exe 94 PID 4088 wrote to memory of 4112 4088 7rrrrxr.exe 94 PID 4112 wrote to memory of 2564 4112 dvdpv.exe 95 PID 4112 wrote to memory of 2564 4112 dvdpv.exe 95 PID 4112 wrote to memory of 2564 4112 dvdpv.exe 95 PID 2564 wrote to memory of 2152 2564 lrrlfrl.exe 96 PID 2564 wrote to memory of 2152 2564 lrrlfrl.exe 96 PID 2564 wrote to memory of 2152 2564 lrrlfrl.exe 96 PID 2152 wrote to memory of 4868 2152 hnnhhb.exe 97 PID 2152 wrote to memory of 4868 2152 hnnhhb.exe 97 PID 2152 wrote to memory of 4868 2152 hnnhhb.exe 97 PID 4868 wrote to memory of 4972 4868 nbhhbh.exe 98 PID 4868 wrote to memory of 4972 4868 nbhhbh.exe 98 PID 4868 wrote to memory of 4972 4868 nbhhbh.exe 98 PID 4972 wrote to memory of 4220 4972 tnttnn.exe 99 PID 4972 wrote to memory of 4220 4972 tnttnn.exe 99 PID 4972 wrote to memory of 4220 4972 tnttnn.exe 99 PID 4220 wrote to memory of 3676 4220 vpjvv.exe 100 PID 4220 wrote to memory of 3676 4220 vpjvv.exe 100 PID 4220 wrote to memory of 3676 4220 vpjvv.exe 100 PID 3676 wrote to memory of 5088 3676 frrlfxr.exe 101 PID 3676 wrote to memory of 5088 3676 frrlfxr.exe 101 PID 3676 wrote to memory of 5088 3676 frrlfxr.exe 101 PID 5088 wrote to memory of 4740 5088 bbnhhh.exe 102 PID 5088 wrote to memory of 4740 5088 bbnhhh.exe 102 PID 5088 wrote to memory of 4740 5088 bbnhhh.exe 102 PID 4740 wrote to memory of 5072 4740 vpdvv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe"C:\Users\Admin\AppData\Local\Temp\0a92bcb4e81042864a5246db3e70022c20fc619d023f7782ff75d43ebb581d5eN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\nhnhnh.exec:\nhnhnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\lfrrxxf.exec:\lfrrxxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\dvvdv.exec:\dvvdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\xxxrfff.exec:\xxxrfff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\pdvdv.exec:\pdvdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\bnbhbt.exec:\bnbhbt.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\lflffff.exec:\lflffff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\rxflrxr.exec:\rxflrxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\lrlxxxx.exec:\lrlxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\hhnhbb.exec:\hhnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\rfrlffx.exec:\rfrlffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\7rrrrxr.exec:\7rrrrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\dvdpv.exec:\dvdpv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\lrrlfrl.exec:\lrrlfrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\hnnhhb.exec:\hnnhhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\nbhhbh.exec:\nbhhbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\tnttnn.exec:\tnttnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\vpjvv.exec:\vpjvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\frrlfxr.exec:\frrlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\bbnhhh.exec:\bbnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\vpdvv.exec:\vpdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\dppjd.exec:\dppjd.exe23⤵
- Executes dropped EXE
PID:5072 -
\??\c:\lfrlfrl.exec:\lfrlfrl.exe24⤵
- Executes dropped EXE
PID:4568 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe25⤵
- Executes dropped EXE
PID:3144 -
\??\c:\pjjdj.exec:\pjjdj.exe26⤵
- Executes dropped EXE
PID:2412 -
\??\c:\9llffff.exec:\9llffff.exe27⤵
- Executes dropped EXE
PID:2100 -
\??\c:\1vdvp.exec:\1vdvp.exe28⤵
- Executes dropped EXE
PID:3640 -
\??\c:\5pjdd.exec:\5pjdd.exe29⤵
- Executes dropped EXE
PID:448 -
\??\c:\rfxrrxr.exec:\rfxrrxr.exe30⤵
- Executes dropped EXE
PID:4484 -
\??\c:\lrfxrfx.exec:\lrfxrfx.exe31⤵
- Executes dropped EXE
PID:4752 -
\??\c:\nhtnhh.exec:\nhtnhh.exe32⤵
- Executes dropped EXE
PID:1392 -
\??\c:\rlrfxxr.exec:\rlrfxxr.exe33⤵
- Executes dropped EXE
PID:3988 -
\??\c:\pvvpd.exec:\pvvpd.exe34⤵
- Executes dropped EXE
PID:3528 -
\??\c:\vpppj.exec:\vpppj.exe35⤵
- Executes dropped EXE
PID:2744 -
\??\c:\nhbhbt.exec:\nhbhbt.exe36⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nthbtn.exec:\nthbtn.exe37⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jdpjp.exec:\jdpjp.exe38⤵
- Executes dropped EXE
PID:4964 -
\??\c:\5xrlrrr.exec:\5xrlrrr.exe39⤵
- Executes dropped EXE
PID:1864 -
\??\c:\bhhnhb.exec:\bhhnhb.exe40⤵
- Executes dropped EXE
PID:5012 -
\??\c:\pdpjd.exec:\pdpjd.exe41⤵
- Executes dropped EXE
PID:1828 -
\??\c:\xllfxrl.exec:\xllfxrl.exe42⤵
- Executes dropped EXE
PID:4616 -
\??\c:\ntbbhh.exec:\ntbbhh.exe43⤵
- Executes dropped EXE
PID:2992 -
\??\c:\dpvvp.exec:\dpvvp.exe44⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rfllffx.exec:\rfllffx.exe45⤵
- Executes dropped EXE
PID:1824 -
\??\c:\tntnbt.exec:\tntnbt.exe46⤵
- Executes dropped EXE
PID:2496 -
\??\c:\7pvjd.exec:\7pvjd.exe47⤵
- Executes dropped EXE
PID:4892 -
\??\c:\xrxrrrr.exec:\xrxrrrr.exe48⤵
- Executes dropped EXE
PID:1128 -
\??\c:\ttnhhh.exec:\ttnhhh.exe49⤵
- Executes dropped EXE
PID:3752 -
\??\c:\jdpjp.exec:\jdpjp.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4876 -
\??\c:\5ddvp.exec:\5ddvp.exe51⤵
- Executes dropped EXE
PID:4940 -
\??\c:\hnhbnn.exec:\hnhbnn.exe52⤵
- Executes dropped EXE
PID:3512 -
\??\c:\hbhbnn.exec:\hbhbnn.exe53⤵
- Executes dropped EXE
PID:4308 -
\??\c:\jjvvp.exec:\jjvvp.exe54⤵
- Executes dropped EXE
PID:64 -
\??\c:\lxrrfrl.exec:\lxrrfrl.exe55⤵
- Executes dropped EXE
PID:3268 -
\??\c:\7tbttt.exec:\7tbttt.exe56⤵
- Executes dropped EXE
PID:652 -
\??\c:\pjvpv.exec:\pjvpv.exe57⤵
- Executes dropped EXE
PID:4080 -
\??\c:\llfrllf.exec:\llfrllf.exe58⤵
- Executes dropped EXE
PID:4524 -
\??\c:\fflxrlx.exec:\fflxrlx.exe59⤵
- Executes dropped EXE
PID:3748 -
\??\c:\ttbhnn.exec:\ttbhnn.exe60⤵
- Executes dropped EXE
PID:4140 -
\??\c:\jvvvp.exec:\jvvvp.exe61⤵
- Executes dropped EXE
PID:3708 -
\??\c:\lflxrlf.exec:\lflxrlf.exe62⤵
- Executes dropped EXE
PID:1872 -
\??\c:\tnthtn.exec:\tnthtn.exe63⤵
- Executes dropped EXE
PID:2176 -
\??\c:\3nhhbb.exec:\3nhhbb.exe64⤵
- Executes dropped EXE
PID:3596 -
\??\c:\dvdvd.exec:\dvdvd.exe65⤵
- Executes dropped EXE
PID:4532 -
\??\c:\rlxlxll.exec:\rlxlxll.exe66⤵PID:2292
-
\??\c:\nhnnhb.exec:\nhnnhb.exe67⤵PID:2740
-
\??\c:\jdvpj.exec:\jdvpj.exe68⤵PID:2548
-
\??\c:\fffxrrr.exec:\fffxrrr.exe69⤵PID:1304
-
\??\c:\1hnhnn.exec:\1hnhnn.exe70⤵PID:3248
-
\??\c:\btbbtn.exec:\btbbtn.exe71⤵PID:1400
-
\??\c:\ppjvp.exec:\ppjvp.exe72⤵PID:4088
-
\??\c:\rlxlrrf.exec:\rlxlrrf.exe73⤵PID:4836
-
\??\c:\1ntnhh.exec:\1ntnhh.exe74⤵PID:4212
-
\??\c:\djjjp.exec:\djjjp.exe75⤵PID:3000
-
\??\c:\lllxrrl.exec:\lllxrrl.exe76⤵PID:4016
-
\??\c:\tbhhth.exec:\tbhhth.exe77⤵PID:912
-
\??\c:\jvvjd.exec:\jvvjd.exe78⤵PID:3808
-
\??\c:\xlllflf.exec:\xlllflf.exe79⤵PID:4220
-
\??\c:\1tnhbb.exec:\1tnhbb.exe80⤵PID:452
-
\??\c:\pddvj.exec:\pddvj.exe81⤵PID:624
-
\??\c:\djddv.exec:\djddv.exe82⤵PID:4572
-
\??\c:\rlfxfrf.exec:\rlfxfrf.exe83⤵PID:4348
-
\??\c:\bthttb.exec:\bthttb.exe84⤵PID:1524
-
\??\c:\jpvjd.exec:\jpvjd.exe85⤵PID:376
-
\??\c:\pvdjv.exec:\pvdjv.exe86⤵PID:2904
-
\??\c:\xxllfrx.exec:\xxllfrx.exe87⤵PID:2244
-
\??\c:\nbbtnb.exec:\nbbtnb.exe88⤵PID:3144
-
\??\c:\pvjjd.exec:\pvjjd.exe89⤵PID:372
-
\??\c:\fllxrlf.exec:\fllxrlf.exe90⤵PID:4360
-
\??\c:\frfrllx.exec:\frfrllx.exe91⤵PID:3304
-
\??\c:\btbthh.exec:\btbthh.exe92⤵PID:1500
-
\??\c:\ppvvj.exec:\ppvvj.exe93⤵PID:4648
-
\??\c:\lflxrlx.exec:\lflxrlx.exe94⤵PID:2400
-
\??\c:\xrxlffx.exec:\xrxlffx.exe95⤵PID:4928
-
\??\c:\htthtn.exec:\htthtn.exe96⤵PID:1604
-
\??\c:\pvdvp.exec:\pvdvp.exe97⤵PID:220
-
\??\c:\5vdjd.exec:\5vdjd.exe98⤵PID:2968
-
\??\c:\thtnbt.exec:\thtnbt.exe99⤵PID:1520
-
\??\c:\5hhbtt.exec:\5hhbtt.exe100⤵PID:1616
-
\??\c:\pdpjv.exec:\pdpjv.exe101⤵PID:4516
-
\??\c:\rllxrfr.exec:\rllxrfr.exe102⤵PID:2356
-
\??\c:\htbttn.exec:\htbttn.exe103⤵PID:1508
-
\??\c:\ntntnb.exec:\ntntnb.exe104⤵PID:2212
-
\??\c:\jvdvv.exec:\jvdvv.exe105⤵PID:708
-
\??\c:\5lxrlfx.exec:\5lxrlfx.exe106⤵PID:3636
-
\??\c:\bttnhb.exec:\bttnhb.exe107⤵PID:1412
-
\??\c:\btthbh.exec:\btthbh.exe108⤵PID:1828
-
\??\c:\vjvjj.exec:\vjvjj.exe109⤵PID:4520
-
\??\c:\xrlxfxx.exec:\xrlxfxx.exe110⤵PID:1644
-
\??\c:\xllfxxr.exec:\xllfxxr.exe111⤵PID:3724
-
\??\c:\9nthnn.exec:\9nthnn.exe112⤵PID:1824
-
\??\c:\dppjv.exec:\dppjv.exe113⤵PID:2496
-
\??\c:\xflfxfx.exec:\xflfxfx.exe114⤵PID:4892
-
\??\c:\nbtbnb.exec:\nbtbnb.exe115⤵PID:4696
-
\??\c:\hnntth.exec:\hnntth.exe116⤵PID:1368
-
\??\c:\vdvjd.exec:\vdvjd.exe117⤵PID:3924
-
\??\c:\lffrxlr.exec:\lffrxlr.exe118⤵PID:3392
-
\??\c:\btnbtn.exec:\btnbtn.exe119⤵PID:3288
-
\??\c:\nhtthb.exec:\nhtthb.exe120⤵PID:4284
-
\??\c:\jvvdd.exec:\jvvdd.exe121⤵PID:4832
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe122⤵PID:2316