Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe
-
Size
454KB
-
MD5
5bd3c5a83b4a45614e163ce8d8c4648e
-
SHA1
810a05636b2e38176953f9714a6ae652ae93654c
-
SHA256
ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852
-
SHA512
df12dadf9b63696841f17015d2ded03a68e2819edf165428d73690d4f0b26fb1dbba085c03cfaf241b76c9c003da024e2a466b14a407562265439edd5566d879
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4676-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1820-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5072-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-830-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-924-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-1012-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-1464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-1597-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4844 xfrllll.exe 2648 hhhbhh.exe 3304 dvjjd.exe 4932 flrrlll.exe 3632 nhnnnn.exe 5064 pvvvp.exe 2012 xfffxxx.exe 4052 rllllll.exe 3796 bhhhbh.exe 2624 djdvd.exe 4028 flfxllf.exe 4740 rxlffxx.exe 2568 5nhbtt.exe 3424 vvvpj.exe 4960 rlrlfxr.exe 3524 xlrllfl.exe 3776 bbhhbt.exe 1736 ddvvp.exe 4196 rllfxxf.exe 4848 rrxxrrf.exe 2948 hbhthb.exe 4808 jvvdv.exe 1400 7xffxlf.exe 2140 nnbthh.exe 3452 hhttbt.exe 4724 pjddv.exe 1232 lrflllx.exe 3664 nthnbn.exe 3204 1nhbtn.exe 3296 pjjjd.exe 2884 rflxrrl.exe 4504 nnnnhb.exe 3980 nbhbtt.exe 2960 3pppd.exe 1108 xlrrlll.exe 1600 bbhbtt.exe 1820 htbtnn.exe 3048 jpdvp.exe 2536 lrrxrll.exe 4988 hbtnnt.exe 3544 bbnhhh.exe 5040 dvvvp.exe 4448 rlxrfff.exe 4424 lflfxrr.exe 4676 ttnttb.exe 4844 dvvvj.exe 3740 fxxrrrr.exe 3304 3lrrlll.exe 2448 5ttbbb.exe 5056 ddvjj.exe 632 jjpjv.exe 4316 fxrllff.exe 1840 btbbtt.exe 924 1bnhbb.exe 3796 jdpdj.exe 2368 rfllfff.exe 1140 xxllffx.exe 4400 tbnnhh.exe 1424 9pppp.exe 3424 rrllrrx.exe 2072 ffxrlff.exe 3244 nbhhnb.exe 460 1ddvp.exe 1736 9jpdd.exe -
resource yara_rule behavioral2/memory/4676-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-191-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3980-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4796-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-789-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-830-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ffllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4676 wrote to memory of 4844 4676 ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe 83 PID 4676 wrote to memory of 4844 4676 ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe 83 PID 4676 wrote to memory of 4844 4676 ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe 83 PID 4844 wrote to memory of 2648 4844 xfrllll.exe 84 PID 4844 wrote to memory of 2648 4844 xfrllll.exe 84 PID 4844 wrote to memory of 2648 4844 xfrllll.exe 84 PID 2648 wrote to memory of 3304 2648 hhhbhh.exe 130 PID 2648 wrote to memory of 3304 2648 hhhbhh.exe 130 PID 2648 wrote to memory of 3304 2648 hhhbhh.exe 130 PID 3304 wrote to memory of 4932 3304 dvjjd.exe 86 PID 3304 wrote to memory of 4932 3304 dvjjd.exe 86 PID 3304 wrote to memory of 4932 3304 dvjjd.exe 86 PID 4932 wrote to memory of 3632 4932 flrrlll.exe 87 PID 4932 wrote to memory of 3632 4932 flrrlll.exe 87 PID 4932 wrote to memory of 3632 4932 flrrlll.exe 87 PID 3632 wrote to memory of 5064 3632 nhnnnn.exe 88 PID 3632 wrote to memory of 5064 3632 nhnnnn.exe 88 PID 3632 wrote to memory of 5064 3632 nhnnnn.exe 88 PID 5064 wrote to memory of 2012 5064 pvvvp.exe 89 PID 5064 wrote to memory of 2012 5064 pvvvp.exe 89 PID 5064 wrote to memory of 2012 5064 pvvvp.exe 89 PID 2012 wrote to memory of 4052 2012 xfffxxx.exe 90 PID 2012 wrote to memory of 4052 2012 xfffxxx.exe 90 PID 2012 wrote to memory of 4052 2012 xfffxxx.exe 90 PID 4052 wrote to memory of 3796 4052 rllllll.exe 91 PID 4052 wrote to memory of 3796 4052 rllllll.exe 91 PID 4052 wrote to memory of 3796 4052 rllllll.exe 91 PID 3796 wrote to memory of 2624 3796 bhhhbh.exe 92 PID 3796 wrote to memory of 2624 3796 bhhhbh.exe 92 PID 3796 wrote to memory of 2624 3796 bhhhbh.exe 92 PID 2624 wrote to memory of 4028 2624 djdvd.exe 93 PID 2624 wrote to memory of 4028 2624 djdvd.exe 93 PID 2624 wrote to memory of 4028 2624 djdvd.exe 93 PID 4028 wrote to memory of 4740 4028 flfxllf.exe 94 PID 4028 
wrote to memory of 4740 4028 flfxllf.exe 94 PID 4028 wrote to memory of 4740 4028 flfxllf.exe 94 PID 4740 wrote to memory of 2568 4740 rxlffxx.exe 95 PID 4740 wrote to memory of 2568 4740 rxlffxx.exe 95 PID 4740 wrote to memory of 2568 4740 rxlffxx.exe 95 PID 2568 wrote to memory of 3424 2568 5nhbtt.exe 96 PID 2568 wrote to memory of 3424 2568 5nhbtt.exe 96 PID 2568 wrote to memory of 3424 2568 5nhbtt.exe 96 PID 3424 wrote to memory of 4960 3424 vvvpj.exe 97 PID 3424 wrote to memory of 4960 3424 vvvpj.exe 97 PID 3424 wrote to memory of 4960 3424 vvvpj.exe 97 PID 4960 wrote to memory of 3524 4960 rlrlfxr.exe 98 PID 4960 wrote to memory of 3524 4960 rlrlfxr.exe 98 PID 4960 wrote to memory of 3524 4960 rlrlfxr.exe 98 PID 3524 wrote to memory of 3776 3524 xlrllfl.exe 99 PID 3524 wrote to memory of 3776 3524 xlrllfl.exe 99 PID 3524 wrote to memory of 3776 3524 xlrllfl.exe 99 PID 3776 wrote to memory of 1736 3776 bbhhbt.exe 100 PID 3776 wrote to memory of 1736 3776 bbhhbt.exe 100 PID 3776 wrote to memory of 1736 3776 bbhhbt.exe 100 PID 1736 wrote to memory of 4196 1736 ddvvp.exe 101 PID 1736 wrote to memory of 4196 1736 ddvvp.exe 101 PID 1736 wrote to memory of 4196 1736 ddvvp.exe 101 PID 4196 wrote to memory of 4848 4196 rllfxxf.exe 102 PID 4196 wrote to memory of 4848 4196 rllfxxf.exe 102 PID 4196 wrote to memory of 4848 4196 rllfxxf.exe 102 PID 4848 wrote to memory of 2948 4848 rrxxrrf.exe 149 PID 4848 wrote to memory of 2948 4848 rrxxrrf.exe 149 PID 4848 wrote to memory of 2948 4848 rrxxrrf.exe 149 PID 2948 wrote to memory of 4808 2948 hbhthb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe"C:\Users\Admin\AppData\Local\Temp\ad7fdb334d287c23dd8f3a7f3ae30c4785fffd5dd018afd4add3ce5564f54852.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\xfrllll.exec:\xfrllll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\hhhbhh.exec:\hhhbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\dvjjd.exec:\dvjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\flrrlll.exec:\flrrlll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\nhnnnn.exec:\nhnnnn.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\pvvvp.exec:\pvvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\xfffxxx.exec:\xfffxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
\??\c:\rllllll.exec:\rllllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\bhhhbh.exec:\bhhhbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796 -
\??\c:\djdvd.exec:\djdvd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\flfxllf.exec:\flfxllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\rxlffxx.exec:\rxlffxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\5nhbtt.exec:\5nhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\vvvpj.exec:\vvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\rlrlfxr.exec:\rlrlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\xlrllfl.exec:\xlrllfl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\bbhhbt.exec:\bbhhbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\ddvvp.exec:\ddvvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\rllfxxf.exec:\rllfxxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\rrxxrrf.exec:\rrxxrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\hbhthb.exec:\hbhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\jvvdv.exec:\jvvdv.exe23⤵
- Executes dropped EXE
PID:4808 -
\??\c:\7xffxlf.exec:\7xffxlf.exe24⤵
- Executes dropped EXE
PID:1400 -
\??\c:\nnbthh.exec:\nnbthh.exe25⤵
- Executes dropped EXE
PID:2140 -
\??\c:\hhttbt.exec:\hhttbt.exe26⤵
- Executes dropped EXE
PID:3452 -
\??\c:\pjddv.exec:\pjddv.exe27⤵
- Executes dropped EXE
PID:4724 -
\??\c:\lrflllx.exec:\lrflllx.exe28⤵
- Executes dropped EXE
PID:1232 -
\??\c:\nthnbn.exec:\nthnbn.exe29⤵
- Executes dropped EXE
PID:3664 -
\??\c:\1nhbtn.exec:\1nhbtn.exe30⤵
- Executes dropped EXE
PID:3204 -
\??\c:\pjjjd.exec:\pjjjd.exe31⤵
- Executes dropped EXE
PID:3296 -
\??\c:\rflxrrl.exec:\rflxrrl.exe32⤵
- Executes dropped EXE
PID:2884 -
\??\c:\nnnnhb.exec:\nnnnhb.exe33⤵
- Executes dropped EXE
PID:4504 -
\??\c:\nbhbtt.exec:\nbhbtt.exe34⤵
- Executes dropped EXE
PID:3980 -
\??\c:\3pppd.exec:\3pppd.exe35⤵
- Executes dropped EXE
PID:2960 -
\??\c:\xlrrlll.exec:\xlrrlll.exe36⤵
- Executes dropped EXE
PID:1108 -
\??\c:\bbhbtt.exec:\bbhbtt.exe37⤵
- Executes dropped EXE
PID:1600 -
\??\c:\htbtnn.exec:\htbtnn.exe38⤵
- Executes dropped EXE
PID:1820 -
\??\c:\jpdvp.exec:\jpdvp.exe39⤵
- Executes dropped EXE
PID:3048 -
\??\c:\lrrxrll.exec:\lrrxrll.exe40⤵
- Executes dropped EXE
PID:2536 -
\??\c:\hbtnnt.exec:\hbtnnt.exe41⤵
- Executes dropped EXE
PID:4988 -
\??\c:\bbnhhh.exec:\bbnhhh.exe42⤵
- Executes dropped EXE
PID:3544 -
\??\c:\dvvvp.exec:\dvvvp.exe43⤵
- Executes dropped EXE
PID:5040 -
\??\c:\rlxrfff.exec:\rlxrfff.exe44⤵
- Executes dropped EXE
PID:4448 -
\??\c:\lflfxrr.exec:\lflfxrr.exe45⤵
- Executes dropped EXE
PID:4424 -
\??\c:\ttnttb.exec:\ttnttb.exe46⤵
- Executes dropped EXE
PID:4676 -
\??\c:\dvvvj.exec:\dvvvj.exe47⤵
- Executes dropped EXE
PID:4844 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe48⤵
- Executes dropped EXE
PID:3740 -
\??\c:\3lrrlll.exec:\3lrrlll.exe49⤵
- Executes dropped EXE
PID:3304 -
\??\c:\5ttbbb.exec:\5ttbbb.exe50⤵
- Executes dropped EXE
PID:2448 -
\??\c:\ddvjj.exec:\ddvjj.exe51⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jjpjv.exec:\jjpjv.exe52⤵
- Executes dropped EXE
PID:632 -
\??\c:\fxrllff.exec:\fxrllff.exe53⤵
- Executes dropped EXE
PID:4316 -
\??\c:\btbbtt.exec:\btbbtt.exe54⤵
- Executes dropped EXE
PID:1840 -
\??\c:\1bnhbb.exec:\1bnhbb.exe55⤵
- Executes dropped EXE
PID:924 -
\??\c:\jdpdj.exec:\jdpdj.exe56⤵
- Executes dropped EXE
PID:3796 -
\??\c:\rfllfff.exec:\rfllfff.exe57⤵
- Executes dropped EXE
PID:2368 -
\??\c:\xxllffx.exec:\xxllffx.exe58⤵
- Executes dropped EXE
PID:1140 -
\??\c:\tbnnhh.exec:\tbnnhh.exe59⤵
- Executes dropped EXE
PID:4400 -
\??\c:\9pppp.exec:\9pppp.exe60⤵
- Executes dropped EXE
PID:1424 -
\??\c:\rrllrrx.exec:\rrllrrx.exe61⤵
- Executes dropped EXE
PID:3424 -
\??\c:\ffxrlff.exec:\ffxrlff.exe62⤵
- Executes dropped EXE
PID:2072 -
\??\c:\nbhhnb.exec:\nbhhnb.exe63⤵
- Executes dropped EXE
PID:3244 -
\??\c:\1ddvp.exec:\1ddvp.exe64⤵
- Executes dropped EXE
PID:460 -
\??\c:\9jpdd.exec:\9jpdd.exe65⤵
- Executes dropped EXE
PID:1736 -
\??\c:\1lfrlxx.exec:\1lfrlxx.exe66⤵PID:4196
-
\??\c:\nttttb.exec:\nttttb.exe67⤵PID:4372
-
\??\c:\nhbhhh.exec:\nhbhhh.exe68⤵
- System Location Discovery: System Language Discovery
PID:2948 -
\??\c:\vvddd.exec:\vvddd.exe69⤵PID:4808
-
\??\c:\lrrrrrr.exec:\lrrrrrr.exe70⤵PID:768
-
\??\c:\bbnntt.exec:\bbnntt.exe71⤵PID:5072
-
\??\c:\jjdvj.exec:\jjdvj.exe72⤵PID:4724
-
\??\c:\xrrrrrx.exec:\xrrrrrx.exe73⤵PID:4468
-
\??\c:\htbtnn.exec:\htbtnn.exe74⤵PID:4832
-
\??\c:\jjvdd.exec:\jjvdd.exe75⤵PID:2944
-
\??\c:\rflfflf.exec:\rflfflf.exe76⤵PID:1292
-
\??\c:\hnnhth.exec:\hnnhth.exe77⤵PID:4776
-
\??\c:\dvddj.exec:\dvddj.exe78⤵PID:2052
-
\??\c:\xlrlllr.exec:\xlrlllr.exe79⤵PID:3408
-
\??\c:\tttnnt.exec:\tttnnt.exe80⤵PID:416
-
\??\c:\7hnnnt.exec:\7hnnnt.exe81⤵PID:2456
-
\??\c:\pjvvp.exec:\pjvvp.exe82⤵PID:5032
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe83⤵PID:5068
-
\??\c:\tnthhh.exec:\tnthhh.exe84⤵PID:3992
-
\??\c:\7vdvj.exec:\7vdvj.exe85⤵PID:4796
-
\??\c:\vddpv.exec:\vddpv.exe86⤵PID:1468
-
\??\c:\lfrlrrf.exec:\lfrlrrf.exe87⤵PID:2100
-
\??\c:\thnnht.exec:\thnnht.exe88⤵PID:3156
-
\??\c:\1jjvv.exec:\1jjvv.exe89⤵PID:2040
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe90⤵PID:3208
-
\??\c:\bbnnnt.exec:\bbnnnt.exe91⤵PID:4068
-
\??\c:\hbbtbb.exec:\hbbtbb.exe92⤵PID:4364
-
\??\c:\dvjdj.exec:\dvjdj.exe93⤵PID:4932
-
\??\c:\3bbtnt.exec:\3bbtnt.exe94⤵PID:4440
-
\??\c:\bnnhhb.exec:\bnnhhb.exe95⤵PID:3304
-
\??\c:\djvjd.exec:\djvjd.exe96⤵PID:1016
-
\??\c:\lllflfx.exec:\lllflfx.exe97⤵PID:3124
-
\??\c:\ttttbb.exec:\ttttbb.exe98⤵PID:2620
-
\??\c:\pjvpj.exec:\pjvpj.exe99⤵PID:5092
-
\??\c:\lflfxxx.exec:\lflfxxx.exe100⤵PID:3512
-
\??\c:\jdjdv.exec:\jdjdv.exe101⤵PID:388
-
\??\c:\lflllll.exec:\lflllll.exe102⤵PID:3796
-
\??\c:\dppjd.exec:\dppjd.exe103⤵PID:4744
-
\??\c:\1xrrllf.exec:\1xrrllf.exe104⤵PID:544
-
\??\c:\hhhnhh.exec:\hhhnhh.exe105⤵PID:3276
-
\??\c:\llxrxrx.exec:\llxrxrx.exe106⤵PID:3764
-
\??\c:\nhhhbh.exec:\nhhhbh.exe107⤵PID:2404
-
\??\c:\vvddd.exec:\vvddd.exe108⤵PID:812
-
\??\c:\llffxxr.exec:\llffxxr.exe109⤵PID:2148
-
\??\c:\vvvpd.exec:\vvvpd.exe110⤵PID:2568
-
\??\c:\lrxxlfx.exec:\lrxxlfx.exe111⤵PID:3752
-
\??\c:\dvvjd.exec:\dvvjd.exe112⤵PID:1592
-
\??\c:\lxfxrxr.exec:\lxfxrxr.exe113⤵PID:2080
-
\??\c:\ttnhnt.exec:\ttnhnt.exe114⤵PID:212
-
\??\c:\dpvvp.exec:\dpvvp.exe115⤵PID:1800
-
\??\c:\pjpjd.exec:\pjpjd.exe116⤵PID:3020
-
\??\c:\lllfxxr.exec:\lllfxxr.exe117⤵PID:3856
-
\??\c:\9ttntt.exec:\9ttntt.exe118⤵PID:2532
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe119⤵PID:3736
-
\??\c:\btbnhb.exec:\btbnhb.exe120⤵PID:3460
-
\??\c:\jddvd.exec:\jddvd.exe121⤵PID:4948
-
\??\c:\lrrlffx.exec:\lrrlffx.exe122⤵PID:3284