Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 05:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6.exe
-
Size
455KB
-
MD5
ae32847caa2e411deacdd7bea00b9b20
-
SHA1
0b4ae70bd9a7d8d1e1675979e2c296c585a96ac6
-
SHA256
c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6
-
SHA512
32d4c0b4a28601847bea7fb296830a2983991fc3bfa02074404e7a43aa86e7e41c3e93be25b94279c580654a8c4b7891d19f43c033dce3a2d13168bccce28b3e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbee:q7Tc2NYHUrAwfMp3CDe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2368-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2368-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-582-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-935-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-1014-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-1210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-1548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2676 nhnbtb.exe 816 jvpjv.exe 1620 rffxlfx.exe 4436 nbbtth.exe 4460 5hbthh.exe 2400 7jvpd.exe 4648 hnhhnn.exe 1060 lxrlxxl.exe 4584 bnhbnh.exe 2184 vpjvj.exe 1464 1hthtn.exe 2016 9vjvp.exe 2868 nbbbbt.exe 4984 vjdvp.exe 2860 hnnbnn.exe 2760 vjvjv.exe 3528 lrrfxrl.exe 1424 lfxlfrl.exe 2408 tbntbb.exe 3116 jpdpj.exe 2336 bnbnnn.exe 3968 xlxlfxx.exe 564 hnnhht.exe 2608 lxxlxfr.exe 5036 hbnbhh.exe 2368 djjpd.exe 3684 rllfxxr.exe 1788 pjddd.exe 60 rllfxxx.exe 4556 thhhbh.exe 1432 djjpj.exe 1152 lllrrrr.exe 4588 dvpdv.exe 1508 rrxrllf.exe 428 hhnhbb.exe 1428 ppvdd.exe 1928 vpjdp.exe 4288 xfrlxll.exe 4432 7bnhbh.exe 2524 vjjjd.exe 4868 jjjdv.exe 1624 lrfxlrl.exe 436 ntbhnn.exe 412 hbbtnn.exe 3812 ddpdv.exe 3972 llllxff.exe 2816 3lrlxxl.exe 4664 hbbbtt.exe 4744 dvdvp.exe 452 rlffffr.exe 2884 1xxrlll.exe 4704 bhhbhh.exe 2412 jjpvd.exe 228 1rxrlrl.exe 3632 1nttnn.exe 2016 nbhhhn.exe 5092 ddjvv.exe 3764 xrxrllf.exe 3980 9htntt.exe 3044 vddvv.exe 2364 pjjdv.exe 3528 flrffff.exe 1424 5nnnhh.exe 3204 7rrxllf.exe -
resource yara_rule behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1788-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1520-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-701-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-799-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5htthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrfffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 2676 1520 c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6.exe 83 PID 1520 wrote to memory of 2676 1520 c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6.exe 83 PID 1520 wrote to memory of 2676 1520 c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6.exe 83 PID 2676 wrote to memory of 816 2676 nhnbtb.exe 84 PID 2676 wrote to memory of 816 2676 nhnbtb.exe 84 PID 2676 wrote to memory of 816 2676 nhnbtb.exe 84 PID 816 wrote to memory of 1620 816 jvpjv.exe 85 PID 816 wrote to memory of 1620 816 jvpjv.exe 85 PID 816 wrote to memory of 1620 816 jvpjv.exe 85 PID 1620 wrote to memory of 4436 1620 rffxlfx.exe 86 PID 1620 wrote to memory of 4436 1620 rffxlfx.exe 86 PID 1620 wrote to memory of 4436 1620 rffxlfx.exe 86 PID 4436 wrote to memory of 4460 4436 nbbtth.exe 87 PID 4436 wrote to memory of 4460 4436 nbbtth.exe 87 PID 4436 wrote to memory of 4460 4436 nbbtth.exe 87 PID 4460 wrote to memory of 2400 4460 5hbthh.exe 89 PID 4460 wrote to memory of 2400 4460 5hbthh.exe 89 PID 4460 wrote to memory of 2400 4460 5hbthh.exe 89 PID 2400 wrote to memory of 4648 2400 7jvpd.exe 90 PID 2400 wrote to memory of 4648 2400 7jvpd.exe 90 PID 2400 wrote to memory of 4648 2400 7jvpd.exe 90 PID 4648 wrote to memory of 1060 4648 hnhhnn.exe 91 PID 4648 wrote to memory of 1060 4648 hnhhnn.exe 91 PID 4648 wrote to memory of 1060 4648 hnhhnn.exe 91 PID 1060 wrote to memory of 4584 1060 lxrlxxl.exe 92 PID 1060 wrote to memory of 4584 1060 lxrlxxl.exe 92 PID 1060 wrote to memory of 4584 1060 lxrlxxl.exe 92 PID 4584 wrote to memory of 2184 4584 bnhbnh.exe 93 PID 4584 wrote to memory of 2184 4584 bnhbnh.exe 93 PID 4584 wrote to memory of 2184 4584 bnhbnh.exe 93 PID 2184 wrote to memory of 1464 2184 vpjvj.exe 95 PID 2184 wrote to memory of 1464 2184 vpjvj.exe 95 PID 2184 wrote to memory of 1464 2184 vpjvj.exe 95 PID 1464 wrote to memory of 2016 1464 1hthtn.exe 96 PID 1464 wrote to memory of 
2016 1464 1hthtn.exe 96 PID 1464 wrote to memory of 2016 1464 1hthtn.exe 96 PID 2016 wrote to memory of 2868 2016 9vjvp.exe 97 PID 2016 wrote to memory of 2868 2016 9vjvp.exe 97 PID 2016 wrote to memory of 2868 2016 9vjvp.exe 97 PID 2868 wrote to memory of 4984 2868 nbbbbt.exe 98 PID 2868 wrote to memory of 4984 2868 nbbbbt.exe 98 PID 2868 wrote to memory of 4984 2868 nbbbbt.exe 98 PID 4984 wrote to memory of 2860 4984 vjdvp.exe 99 PID 4984 wrote to memory of 2860 4984 vjdvp.exe 99 PID 4984 wrote to memory of 2860 4984 vjdvp.exe 99 PID 2860 wrote to memory of 2760 2860 hnnbnn.exe 100 PID 2860 wrote to memory of 2760 2860 hnnbnn.exe 100 PID 2860 wrote to memory of 2760 2860 hnnbnn.exe 100 PID 2760 wrote to memory of 3528 2760 vjvjv.exe 101 PID 2760 wrote to memory of 3528 2760 vjvjv.exe 101 PID 2760 wrote to memory of 3528 2760 vjvjv.exe 101 PID 3528 wrote to memory of 1424 3528 lrrfxrl.exe 102 PID 3528 wrote to memory of 1424 3528 lrrfxrl.exe 102 PID 3528 wrote to memory of 1424 3528 lrrfxrl.exe 102 PID 1424 wrote to memory of 2408 1424 lfxlfrl.exe 103 PID 1424 wrote to memory of 2408 1424 lfxlfrl.exe 103 PID 1424 wrote to memory of 2408 1424 lfxlfrl.exe 103 PID 2408 wrote to memory of 3116 2408 tbntbb.exe 104 PID 2408 wrote to memory of 3116 2408 tbntbb.exe 104 PID 2408 wrote to memory of 3116 2408 tbntbb.exe 104 PID 3116 wrote to memory of 2336 3116 jpdpj.exe 105 PID 3116 wrote to memory of 2336 3116 jpdpj.exe 105 PID 3116 wrote to memory of 2336 3116 jpdpj.exe 105 PID 2336 wrote to memory of 3968 2336 bnbnnn.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6.exe"C:\Users\Admin\AppData\Local\Temp\c38a27008c92591524336dac0424b2044914e432b0230c127280f4a1e2591bd6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\nhnbtb.exec:\nhnbtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\jvpjv.exec:\jvpjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\rffxlfx.exec:\rffxlfx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\nbbtth.exec:\nbbtth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\5hbthh.exec:\5hbthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\7jvpd.exec:\7jvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\hnhhnn.exec:\hnhhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\lxrlxxl.exec:\lxrlxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060 -
\??\c:\bnhbnh.exec:\bnhbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\vpjvj.exec:\vpjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\1hthtn.exec:\1hthtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\9vjvp.exec:\9vjvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\nbbbbt.exec:\nbbbbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\vjdvp.exec:\vjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\hnnbnn.exec:\hnnbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2860 -
\??\c:\vjvjv.exec:\vjvjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\lrrfxrl.exec:\lrrfxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\lfxlfrl.exec:\lfxlfrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\tbntbb.exec:\tbntbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\jpdpj.exec:\jpdpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\bnbnnn.exec:\bnbnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\xlxlfxx.exec:\xlxlfxx.exe23⤵
- Executes dropped EXE
PID:3968 -
\??\c:\hnnhht.exec:\hnnhht.exe24⤵
- Executes dropped EXE
PID:564 -
\??\c:\lxxlxfr.exec:\lxxlxfr.exe25⤵
- Executes dropped EXE
PID:2608 -
\??\c:\hbnbhh.exec:\hbnbhh.exe26⤵
- Executes dropped EXE
PID:5036 -
\??\c:\djjpd.exec:\djjpd.exe27⤵
- Executes dropped EXE
PID:2368 -
\??\c:\rllfxxr.exec:\rllfxxr.exe28⤵
- Executes dropped EXE
PID:3684 -
\??\c:\pjddd.exec:\pjddd.exe29⤵
- Executes dropped EXE
PID:1788 -
\??\c:\rllfxxx.exec:\rllfxxx.exe30⤵
- Executes dropped EXE
PID:60 -
\??\c:\thhhbh.exec:\thhhbh.exe31⤵
- Executes dropped EXE
PID:4556 -
\??\c:\djjpj.exec:\djjpj.exe32⤵
- Executes dropped EXE
PID:1432 -
\??\c:\lllrrrr.exec:\lllrrrr.exe33⤵
- Executes dropped EXE
PID:1152 -
\??\c:\dvpdv.exec:\dvpdv.exe34⤵
- Executes dropped EXE
PID:4588 -
\??\c:\rrxrllf.exec:\rrxrllf.exe35⤵
- Executes dropped EXE
PID:1508 -
\??\c:\hhnhbb.exec:\hhnhbb.exe36⤵
- Executes dropped EXE
PID:428 -
\??\c:\ppvdd.exec:\ppvdd.exe37⤵
- Executes dropped EXE
PID:1428 -
\??\c:\vpjdp.exec:\vpjdp.exe38⤵
- Executes dropped EXE
PID:1928 -
\??\c:\xfrlxll.exec:\xfrlxll.exe39⤵
- Executes dropped EXE
PID:4288 -
\??\c:\7bnhbh.exec:\7bnhbh.exe40⤵
- Executes dropped EXE
PID:4432 -
\??\c:\vjjjd.exec:\vjjjd.exe41⤵
- Executes dropped EXE
PID:2524 -
\??\c:\jjjdv.exec:\jjjdv.exe42⤵
- Executes dropped EXE
PID:4868 -
\??\c:\lrfxlrl.exec:\lrfxlrl.exe43⤵
- Executes dropped EXE
PID:1624 -
\??\c:\ntbhnn.exec:\ntbhnn.exe44⤵
- Executes dropped EXE
PID:436 -
\??\c:\hbbtnn.exec:\hbbtnn.exe45⤵
- Executes dropped EXE
PID:412 -
\??\c:\ddpdv.exec:\ddpdv.exe46⤵
- Executes dropped EXE
PID:3812 -
\??\c:\llllxff.exec:\llllxff.exe47⤵
- Executes dropped EXE
PID:3972 -
\??\c:\3lrlxxl.exec:\3lrlxxl.exe48⤵
- Executes dropped EXE
PID:2816 -
\??\c:\hbbbtt.exec:\hbbbtt.exe49⤵
- Executes dropped EXE
PID:4664 -
\??\c:\dvdvp.exec:\dvdvp.exe50⤵
- Executes dropped EXE
PID:4744 -
\??\c:\rlffffr.exec:\rlffffr.exe51⤵
- Executes dropped EXE
PID:452 -
\??\c:\1xxrlll.exec:\1xxrlll.exe52⤵
- Executes dropped EXE
PID:2884 -
\??\c:\bhhbhh.exec:\bhhbhh.exe53⤵
- Executes dropped EXE
PID:4704 -
\??\c:\jjpvd.exec:\jjpvd.exe54⤵
- Executes dropped EXE
PID:2412 -
\??\c:\1rxrlrl.exec:\1rxrlrl.exe55⤵
- Executes dropped EXE
PID:228 -
\??\c:\1nttnn.exec:\1nttnn.exe56⤵
- Executes dropped EXE
PID:3632 -
\??\c:\nbhhhn.exec:\nbhhhn.exe57⤵
- Executes dropped EXE
PID:2016 -
\??\c:\ddjvv.exec:\ddjvv.exe58⤵
- Executes dropped EXE
PID:5092 -
\??\c:\xrxrllf.exec:\xrxrllf.exe59⤵
- Executes dropped EXE
PID:3764 -
\??\c:\9htntt.exec:\9htntt.exe60⤵
- Executes dropped EXE
PID:3980 -
\??\c:\vddvv.exec:\vddvv.exe61⤵
- Executes dropped EXE
PID:3044 -
\??\c:\pjjdv.exec:\pjjdv.exe62⤵
- Executes dropped EXE
PID:2364 -
\??\c:\flrffff.exec:\flrffff.exe63⤵
- Executes dropped EXE
PID:3528 -
\??\c:\5nnnhh.exec:\5nnnhh.exe64⤵
- Executes dropped EXE
PID:1424 -
\??\c:\7rrxllf.exec:\7rrxllf.exe65⤵
- Executes dropped EXE
PID:3204 -
\??\c:\xxxffff.exec:\xxxffff.exe66⤵PID:532
-
\??\c:\tbbtnn.exec:\tbbtnn.exe67⤵PID:3652
-
\??\c:\vvvjv.exec:\vvvjv.exe68⤵PID:2660
-
\??\c:\ffrlrrx.exec:\ffrlrrx.exe69⤵PID:688
-
\??\c:\nnbthh.exec:\nnbthh.exe70⤵PID:3968
-
\??\c:\vdjjd.exec:\vdjjd.exe71⤵PID:2916
-
\??\c:\5ddvv.exec:\5ddvv.exe72⤵PID:3644
-
\??\c:\xrffxll.exec:\xrffxll.exe73⤵PID:4072
-
\??\c:\7bhhbb.exec:\7bhhbb.exe74⤵PID:2368
-
\??\c:\nhntnn.exec:\nhntnn.exe75⤵PID:4692
-
\??\c:\vpjdd.exec:\vpjdd.exe76⤵PID:1056
-
\??\c:\7flxrlf.exec:\7flxrlf.exe77⤵PID:4364
-
\??\c:\xrrlflf.exec:\xrrlflf.exe78⤵PID:60
-
\??\c:\7bthbb.exec:\7bthbb.exe79⤵PID:2928
-
\??\c:\pjvpj.exec:\pjvpj.exe80⤵PID:1064
-
\??\c:\ppdpv.exec:\ppdpv.exe81⤵PID:4936
-
\??\c:\fxxrxxx.exec:\fxxrxxx.exe82⤵PID:1152
-
\??\c:\hhtnhb.exec:\hhtnhb.exe83⤵PID:4392
-
\??\c:\pjjvp.exec:\pjjvp.exe84⤵PID:448
-
\??\c:\vvvjd.exec:\vvvjd.exe85⤵PID:2320
-
\??\c:\lfxxxxr.exec:\lfxxxxr.exe86⤵PID:4220
-
\??\c:\jvdjd.exec:\jvdjd.exe87⤵PID:3180
-
\??\c:\3ddpv.exec:\3ddpv.exe88⤵PID:3924
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe89⤵PID:4028
-
\??\c:\xlfrlfx.exec:\xlfrlfx.exe90⤵PID:1520
-
\??\c:\9bbnbt.exec:\9bbnbt.exe91⤵PID:1380
-
\??\c:\jvvpd.exec:\jvvpd.exe92⤵PID:4120
-
\??\c:\rrxrxrf.exec:\rrxrxrf.exe93⤵
- System Location Discovery: System Language Discovery
PID:2396 -
\??\c:\5ffxrll.exec:\5ffxrll.exe94⤵PID:784
-
\??\c:\nbtbtn.exec:\nbtbtn.exe95⤵PID:2416
-
\??\c:\3vvjv.exec:\3vvjv.exe96⤵PID:4848
-
\??\c:\1ddpv.exec:\1ddpv.exe97⤵PID:2228
-
\??\c:\rffrlfx.exec:\rffrlfx.exe98⤵PID:2400
-
\??\c:\nhhhtn.exec:\nhhhtn.exe99⤵PID:4860
-
\??\c:\9jjvj.exec:\9jjvj.exe100⤵PID:1672
-
\??\c:\jvdpp.exec:\jvdpp.exe101⤵PID:3972
-
\??\c:\7lxlxrf.exec:\7lxlxrf.exe102⤵PID:516
-
\??\c:\hbhbbt.exec:\hbhbbt.exe103⤵PID:4664
-
\??\c:\9hhhtn.exec:\9hhhtn.exe104⤵PID:1876
-
\??\c:\dddpj.exec:\dddpj.exe105⤵PID:1484
-
\??\c:\frllrll.exec:\frllrll.exe106⤵PID:3876
-
\??\c:\rflxrlr.exec:\rflxrlr.exe107⤵PID:3828
-
\??\c:\3btthb.exec:\3btthb.exe108⤵PID:1048
-
\??\c:\ddjvp.exec:\ddjvp.exe109⤵PID:228
-
\??\c:\5rlxllx.exec:\5rlxllx.exe110⤵PID:2776
-
\??\c:\3xrfrlx.exec:\3xrfrlx.exe111⤵PID:756
-
\??\c:\tbnbnt.exec:\tbnbnt.exe112⤵PID:3468
-
\??\c:\7vdjv.exec:\7vdjv.exe113⤵PID:1196
-
\??\c:\frlxfxl.exec:\frlxfxl.exe114⤵PID:624
-
\??\c:\7lrxlfr.exec:\7lrxlfr.exe115⤵PID:3980
-
\??\c:\ntthtn.exec:\ntthtn.exe116⤵PID:1976
-
\??\c:\vjppv.exec:\vjppv.exe117⤵PID:208
-
\??\c:\5llxfxr.exec:\5llxfxr.exe118⤵PID:2264
-
\??\c:\ntnhbt.exec:\ntnhbt.exe119⤵PID:3528
-
\??\c:\5vpdp.exec:\5vpdp.exe120⤵PID:2408
-
\??\c:\jpjvj.exec:\jpjvj.exe121⤵PID:3936
-
\??\c:\frlxlfr.exec:\frlxlfr.exe122⤵PID:3204
-