Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/01/2025, 09:14
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef.exe
-
Size
454KB
-
MD5
bece5f257dd72a6d56c191adcd31dbc1
-
SHA1
5007dc9a2466d6f4670afc56b289b5e447f11aea
-
SHA256
b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef
-
SHA512
07fad550346ce996590b4517770421316d913767bb0989de02f36d193f516c4a444a0316b00ab16200b8b87d19f95d201964f3afe7708ff3f61fca13847605dc
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/764-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/832-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2280-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-842-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-1105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-1125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-1948-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3616 rlfxffr.exe 3608 thhbhh.exe 4544 7nhhbn.exe 3496 xlrflll.exe 232 5bnthb.exe 1308 rffxrfx.exe 1588 pvdjp.exe 2208 thnbtn.exe 2872 jjvpp.exe 400 hnbttn.exe 4052 7ffrllf.exe 1940 httnnh.exe 1780 jjvvv.exe 4892 9xrllfr.exe 1172 bhnhht.exe 3556 1ddvp.exe 3548 jjdvv.exe 4852 xlfrxlf.exe 1844 bbnbht.exe 2940 1ffrlfx.exe 2912 bhhhhh.exe 5052 frxxrlx.exe 1140 vddvv.exe 1216 vdjdv.exe 1784 xflllll.exe 5112 9ddpj.exe 832 5djvv.exe 2728 rfrrfff.exe 4776 pjpjd.exe 4396 frfxrfx.exe 1472 hhnhbt.exe 3532 pjvpp.exe 3336 pddjj.exe 3204 hbnbhn.exe 948 5jjvp.exe 2152 9dvvp.exe 2368 rxlxfff.exe 1376 bthtbn.exe 3640 vpdjp.exe 208 3jpdp.exe 1756 htnhtb.exe 2840 vvpjv.exe 2788 ppjdv.exe 1892 nhnhtb.exe 4656 vpvvd.exe 2868 jddvp.exe 3164 frfxrlf.exe 3876 nhhbtt.exe 2212 pddvp.exe 548 rflxrlx.exe 3544 1lfxxfr.exe 880 jddjd.exe 4076 jvjdv.exe 2148 frflrrl.exe 4120 nnhbhb.exe 4280 vpdvd.exe 2456 djpjd.exe 216 xflrflr.exe 4712 5hhbbb.exe 2648 vvpjd.exe 3396 rlfffrl.exe 1808 frxfffx.exe 2924 btttnn.exe 5000 3vvdd.exe -
resource yara_rule behavioral2/memory/764-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3336-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-384-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3316-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-842-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-1035-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-1105-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 764 wrote to memory of 3616 764 b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef.exe 84 PID 764 wrote to memory of 3616 764 b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef.exe 84 PID 764 wrote to memory of 3616 764 b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef.exe 84 PID 3616 wrote to memory of 3608 3616 rlfxffr.exe 85 PID 3616 wrote to memory of 3608 3616 rlfxffr.exe 85 PID 3616 wrote to memory of 3608 3616 rlfxffr.exe 85 PID 3608 wrote to memory of 4544 3608 thhbhh.exe 86 PID 3608 wrote to memory of 4544 3608 thhbhh.exe 86 PID 3608 wrote to memory of 4544 3608 thhbhh.exe 86 PID 4544 wrote to memory of 3496 4544 7nhhbn.exe 87 PID 4544 wrote to memory of 3496 4544 7nhhbn.exe 87 PID 4544 wrote to memory of 3496 4544 7nhhbn.exe 87 PID 3496 wrote to memory of 232 3496 xlrflll.exe 88 PID 3496 wrote to memory of 232 3496 xlrflll.exe 88 PID 3496 wrote to memory of 232 3496 xlrflll.exe 88 PID 232 wrote to memory of 1308 232 5bnthb.exe 89 PID 232 wrote to memory of 1308 232 5bnthb.exe 89 PID 232 wrote to memory of 1308 232 5bnthb.exe 89 PID 1308 wrote to memory of 1588 1308 rffxrfx.exe 90 PID 1308 wrote to memory of 1588 1308 rffxrfx.exe 90 PID 1308 wrote to memory of 1588 1308 rffxrfx.exe 90 PID 1588 wrote to memory of 2208 1588 pvdjp.exe 91 PID 1588 wrote to memory of 2208 1588 pvdjp.exe 91 PID 1588 wrote to memory of 2208 1588 pvdjp.exe 91 PID 2208 wrote to memory of 2872 2208 thnbtn.exe 92 PID 2208 wrote to memory of 2872 2208 thnbtn.exe 92 PID 2208 wrote to memory of 2872 2208 thnbtn.exe 92 PID 2872 wrote to memory of 400 2872 jjvpp.exe 93 PID 2872 wrote to memory of 400 2872 jjvpp.exe 93 PID 2872 wrote to memory of 400 2872 jjvpp.exe 93 PID 400 wrote to memory of 4052 400 hnbttn.exe 94 PID 400 wrote to memory of 4052 400 hnbttn.exe 94 PID 400 wrote to memory of 4052 400 hnbttn.exe 94 PID 4052 wrote to memory of 1940 4052 7ffrllf.exe 95 PID 4052 wrote to memory of 1940 4052 
7ffrllf.exe 95 PID 4052 wrote to memory of 1940 4052 7ffrllf.exe 95 PID 1940 wrote to memory of 1780 1940 httnnh.exe 96 PID 1940 wrote to memory of 1780 1940 httnnh.exe 96 PID 1940 wrote to memory of 1780 1940 httnnh.exe 96 PID 1780 wrote to memory of 4892 1780 jjvvv.exe 97 PID 1780 wrote to memory of 4892 1780 jjvvv.exe 97 PID 1780 wrote to memory of 4892 1780 jjvvv.exe 97 PID 4892 wrote to memory of 1172 4892 9xrllfr.exe 98 PID 4892 wrote to memory of 1172 4892 9xrllfr.exe 98 PID 4892 wrote to memory of 1172 4892 9xrllfr.exe 98 PID 1172 wrote to memory of 3556 1172 bhnhht.exe 99 PID 1172 wrote to memory of 3556 1172 bhnhht.exe 99 PID 1172 wrote to memory of 3556 1172 bhnhht.exe 99 PID 3556 wrote to memory of 3548 3556 1ddvp.exe 100 PID 3556 wrote to memory of 3548 3556 1ddvp.exe 100 PID 3556 wrote to memory of 3548 3556 1ddvp.exe 100 PID 3548 wrote to memory of 4852 3548 jjdvv.exe 101 PID 3548 wrote to memory of 4852 3548 jjdvv.exe 101 PID 3548 wrote to memory of 4852 3548 jjdvv.exe 101 PID 4852 wrote to memory of 1844 4852 xlfrxlf.exe 102 PID 4852 wrote to memory of 1844 4852 xlfrxlf.exe 102 PID 4852 wrote to memory of 1844 4852 xlfrxlf.exe 102 PID 1844 wrote to memory of 2940 1844 bbnbht.exe 103 PID 1844 wrote to memory of 2940 1844 bbnbht.exe 103 PID 1844 wrote to memory of 2940 1844 bbnbht.exe 103 PID 2940 wrote to memory of 2912 2940 1ffrlfx.exe 104 PID 2940 wrote to memory of 2912 2940 1ffrlfx.exe 104 PID 2940 wrote to memory of 2912 2940 1ffrlfx.exe 104 PID 2912 wrote to memory of 5052 2912 bhhhhh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef.exe"C:\Users\Admin\AppData\Local\Temp\b64fa5c2fbf36228215fffa523db269d972919ccaf4817f3449836df367e7aef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\rlfxffr.exec:\rlfxffr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\thhbhh.exec:\thhbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\7nhhbn.exec:\7nhhbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\xlrflll.exec:\xlrflll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\5bnthb.exec:\5bnthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\rffxrfx.exec:\rffxrfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\pvdjp.exec:\pvdjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\thnbtn.exec:\thnbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\jjvpp.exec:\jjvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\hnbttn.exec:\hnbttn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\7ffrllf.exec:\7ffrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\httnnh.exec:\httnnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\jjvvv.exec:\jjvvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\9xrllfr.exec:\9xrllfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\bhnhht.exec:\bhnhht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\1ddvp.exec:\1ddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\jjdvv.exec:\jjdvv.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\xlfrxlf.exec:\xlfrxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\bbnbht.exec:\bbnbht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\1ffrlfx.exec:\1ffrlfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\bhhhhh.exec:\bhhhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2912 -
\??\c:\frxxrlx.exec:\frxxrlx.exe23⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vddvv.exec:\vddvv.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\vdjdv.exec:\vdjdv.exe25⤵
- Executes dropped EXE
PID:1216 -
\??\c:\xflllll.exec:\xflllll.exe26⤵
- Executes dropped EXE
PID:1784 -
\??\c:\9ddpj.exec:\9ddpj.exe27⤵
- Executes dropped EXE
PID:5112 -
\??\c:\5djvv.exec:\5djvv.exe28⤵
- Executes dropped EXE
PID:832 -
\??\c:\rfrrfff.exec:\rfrrfff.exe29⤵
- Executes dropped EXE
PID:2728 -
\??\c:\pjpjd.exec:\pjpjd.exe30⤵
- Executes dropped EXE
PID:4776 -
\??\c:\frfxrfx.exec:\frfxrfx.exe31⤵
- Executes dropped EXE
PID:4396 -
\??\c:\hhnhbt.exec:\hhnhbt.exe32⤵
- Executes dropped EXE
PID:1472 -
\??\c:\pjvpp.exec:\pjvpp.exe33⤵
- Executes dropped EXE
PID:3532 -
\??\c:\pddjj.exec:\pddjj.exe34⤵
- Executes dropped EXE
PID:3336 -
\??\c:\hbnbhn.exec:\hbnbhn.exe35⤵
- Executes dropped EXE
PID:3204 -
\??\c:\5jjvp.exec:\5jjvp.exe36⤵
- Executes dropped EXE
PID:948 -
\??\c:\9dvvp.exec:\9dvvp.exe37⤵
- Executes dropped EXE
PID:2152 -
\??\c:\rxlxfff.exec:\rxlxfff.exe38⤵
- Executes dropped EXE
PID:2368 -
\??\c:\bthtbn.exec:\bthtbn.exe39⤵
- Executes dropped EXE
PID:1376 -
\??\c:\vpdjp.exec:\vpdjp.exe40⤵
- Executes dropped EXE
PID:3640 -
\??\c:\3jpdp.exec:\3jpdp.exe41⤵
- Executes dropped EXE
PID:208 -
\??\c:\htnhtb.exec:\htnhtb.exe42⤵
- Executes dropped EXE
PID:1756 -
\??\c:\vvpjv.exec:\vvpjv.exe43⤵
- Executes dropped EXE
PID:2840 -
\??\c:\ppjdv.exec:\ppjdv.exe44⤵
- Executes dropped EXE
PID:2788 -
\??\c:\nhnhtb.exec:\nhnhtb.exe45⤵
- Executes dropped EXE
PID:1892 -
\??\c:\vpvvd.exec:\vpvvd.exe46⤵
- Executes dropped EXE
PID:4656 -
\??\c:\jddvp.exec:\jddvp.exe47⤵
- Executes dropped EXE
PID:2868 -
\??\c:\frfxrlf.exec:\frfxrlf.exe48⤵
- Executes dropped EXE
PID:3164 -
\??\c:\nhhbtt.exec:\nhhbtt.exe49⤵
- Executes dropped EXE
PID:3876 -
\??\c:\pddvp.exec:\pddvp.exe50⤵
- Executes dropped EXE
PID:2212 -
\??\c:\rflxrlx.exec:\rflxrlx.exe51⤵
- Executes dropped EXE
PID:548 -
\??\c:\1lfxxfr.exec:\1lfxxfr.exe52⤵
- Executes dropped EXE
PID:3544 -
\??\c:\nthhhh.exec:\nthhhh.exe53⤵PID:2704
-
\??\c:\jddjd.exec:\jddjd.exe54⤵
- Executes dropped EXE
PID:880 -
\??\c:\jvjdv.exec:\jvjdv.exe55⤵
- Executes dropped EXE
PID:4076 -
\??\c:\frflrrl.exec:\frflrrl.exe56⤵
- Executes dropped EXE
PID:2148 -
\??\c:\nnhbhb.exec:\nnhbhb.exe57⤵
- Executes dropped EXE
PID:4120 -
\??\c:\vpdvd.exec:\vpdvd.exe58⤵
- Executes dropped EXE
PID:4280 -
\??\c:\djpjd.exec:\djpjd.exe59⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xflrflr.exec:\xflrflr.exe60⤵
- Executes dropped EXE
PID:216 -
\??\c:\5hhbbb.exec:\5hhbbb.exe61⤵
- Executes dropped EXE
PID:4712 -
\??\c:\vvpjd.exec:\vvpjd.exe62⤵
- Executes dropped EXE
PID:2648 -
\??\c:\rlfffrl.exec:\rlfffrl.exe63⤵
- Executes dropped EXE
PID:3396 -
\??\c:\frxfffx.exec:\frxfffx.exe64⤵
- Executes dropped EXE
PID:1808 -
\??\c:\btttnn.exec:\btttnn.exe65⤵
- Executes dropped EXE
PID:2924 -
\??\c:\3vvdd.exec:\3vvdd.exe66⤵
- Executes dropped EXE
PID:5000 -
\??\c:\xrlfxxr.exec:\xrlfxxr.exe67⤵PID:1088
-
\??\c:\llfffll.exec:\llfffll.exe68⤵PID:4844
-
\??\c:\hntnnh.exec:\hntnnh.exe69⤵PID:5088
-
\??\c:\jpjjv.exec:\jpjjv.exe70⤵PID:4768
-
\??\c:\fxxrlff.exec:\fxxrlff.exe71⤵PID:3560
-
\??\c:\bnnnhh.exec:\bnnnhh.exe72⤵PID:4832
-
\??\c:\pdddv.exec:\pdddv.exe73⤵PID:3652
-
\??\c:\3dvvp.exec:\3dvvp.exe74⤵PID:4512
-
\??\c:\xlfxxrr.exec:\xlfxxrr.exe75⤵PID:4348
-
\??\c:\nnhbbt.exec:\nnhbbt.exe76⤵PID:2280
-
\??\c:\vvvpj.exec:\vvvpj.exe77⤵PID:3556
-
\??\c:\7flxrlf.exec:\7flxrlf.exe78⤵PID:2260
-
\??\c:\rllflff.exec:\rllflff.exe79⤵PID:4548
-
\??\c:\tntbhh.exec:\tntbhh.exe80⤵PID:4948
-
\??\c:\1ppjd.exec:\1ppjd.exe81⤵PID:2940
-
\??\c:\xxrfxrr.exec:\xxrfxrr.exe82⤵PID:1460
-
\??\c:\rlxrlll.exec:\rlxrlll.exe83⤵PID:4172
-
\??\c:\nnhhnn.exec:\nnhhnn.exe84⤵PID:2516
-
\??\c:\5hbtnn.exec:\5hbtnn.exe85⤵PID:3084
-
\??\c:\5jvpp.exec:\5jvpp.exe86⤵PID:4596
-
\??\c:\lfxxxff.exec:\lfxxxff.exe87⤵PID:1708
-
\??\c:\bbhbhh.exec:\bbhbhh.exe88⤵PID:1784
-
\??\c:\9nnntt.exec:\9nnntt.exe89⤵PID:4332
-
\??\c:\5jddv.exec:\5jddv.exe90⤵PID:3628
-
\??\c:\vpjjd.exec:\vpjjd.exe91⤵PID:2944
-
\??\c:\xrfxllf.exec:\xrfxllf.exe92⤵PID:3308
-
\??\c:\nntnhh.exec:\nntnhh.exe93⤵PID:864
-
\??\c:\vdjdp.exec:\vdjdp.exe94⤵PID:3316
-
\??\c:\3ddvj.exec:\3ddvj.exe95⤵PID:4396
-
\??\c:\3lrxlll.exec:\3lrxlll.exe96⤵PID:3728
-
\??\c:\bbntnn.exec:\bbntnn.exe97⤵PID:3824
-
\??\c:\bttttb.exec:\bttttb.exe98⤵PID:3884
-
\??\c:\vdjdv.exec:\vdjdv.exe99⤵PID:3336
-
\??\c:\vpvvp.exec:\vpvvp.exe100⤵PID:1716
-
\??\c:\llrlrrx.exec:\llrlrrx.exe101⤵PID:2524
-
\??\c:\hbbtnn.exec:\hbbtnn.exe102⤵PID:2152
-
\??\c:\nbbhhh.exec:\nbbhhh.exe103⤵PID:4356
-
\??\c:\5ppjv.exec:\5ppjv.exe104⤵PID:2112
-
\??\c:\fllfxxr.exec:\fllfxxr.exe105⤵PID:2884
-
\??\c:\9frlffx.exec:\9frlffx.exe106⤵PID:1660
-
\??\c:\tnhbtb.exec:\tnhbtb.exe107⤵PID:1392
-
\??\c:\1vdvp.exec:\1vdvp.exe108⤵PID:1860
-
\??\c:\lrxxxxf.exec:\lrxxxxf.exe109⤵PID:4952
-
\??\c:\xrfxffl.exec:\xrfxffl.exe110⤵PID:184
-
\??\c:\hhnnhh.exec:\hhnnhh.exe111⤵PID:4656
-
\??\c:\7pvpv.exec:\7pvpv.exe112⤵PID:3868
-
\??\c:\flxxrlr.exec:\flxxrlr.exe113⤵PID:3504
-
\??\c:\9rrrllf.exec:\9rrrllf.exe114⤵PID:2608
-
\??\c:\bbnhbt.exec:\bbnhbt.exe115⤵PID:2240
-
\??\c:\jjppj.exec:\jjppj.exe116⤵PID:4480
-
\??\c:\lfrlrlx.exec:\lfrlrlx.exe117⤵PID:3544
-
\??\c:\tttttb.exec:\tttttb.exe118⤵PID:764
-
\??\c:\5bhhhh.exec:\5bhhhh.exe119⤵PID:4088
-
\??\c:\3jjdv.exec:\3jjdv.exe120⤵PID:3596
-
\??\c:\xxrlflf.exec:\xxrlflf.exe121⤵PID:1152
-
\??\c:\nhnnnt.exec:\nhnnnt.exe122⤵PID:4896
-