Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 · arch:x86 · image:win10v2004-20241007-en · locale:en-us · os:windows10-2004-x64 · system
submitted
21-12-2024 00:48
Static task
static1
Behavioral task
behavioral1
Sample
634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801.exe
Resource
win7-20241010-en (listed for behavioral1; the signatures, YARA hits and process tree shown on this page are tagged behavioral2 and come from the win10v2004-20241007-en run named under platform/resource above)
General
-
Target
634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801.exe
-
Size
335KB
-
MD5
c5affacc3abd7f0e7a61a42962a0c358
-
SHA1
89394f8e3963170550295998bab8289361246d1a
-
SHA256
634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801
-
SHA512
70e9d77ee62698644c9c9a38e7c9a846bdac1b36405841c5cff5ca7c79324759976c0298e35f7476e4d90161b8eca655a0562661aa68ad5b1949dc2b5173365f
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPh3:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTH
Malware Config (no configuration was extracted for this run; the section is empty in the report)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs shown (the report lists at most 64 per signature, so this is a truncated view). Every hit is a YARA match on a memory dump of the same mapped image range, 0x0000000000400000–0x000000000042A000, one per spawned copy; the same ranges are also tagged `upx` below, so the family rule is matching the unpacked in-memory image rather than the packed file on disk.
resource yara_rule behavioral2/memory/4400-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4304-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3216-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-606-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-658-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-772-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-935-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2860-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs shown (truncated; the process tree below runs at least 122 levels deep). Each dropped binary is written to the drive root (`\??\c:\…`) under a short random consonant-string name and is launched by the previously dropped copy, producing a linear self-replicating chain from the submitted sample.
pid Process 3792 hhhhth.exe 876 3pjvj.exe 4812 nhhbtn.exe 1624 jvpdv.exe 2136 lxxlxrf.exe 4324 frlxfxl.exe 4612 thbthb.exe 2212 3pjvj.exe 808 7vdpd.exe 4100 3xlfxrf.exe 1416 xxrlffl.exe 2192 btnthb.exe 1556 pdjvp.exe 2948 rflxrlf.exe 976 5tbthb.exe 212 3jjvp.exe 4688 vdpjp.exe 2760 ppdjv.exe 3396 flxlfxr.exe 4896 3hnhbb.exe 3608 hnnbhn.exe 3936 nhhbnh.exe 2252 9nhnbt.exe 3268 frfxrff.exe 4260 nhbbtb.exe 4708 djdpd.exe 3132 1flfrll.exe 4304 nbhtbt.exe 2876 7dpjv.exe 2892 dpvpj.exe 3164 rrxrrlr.exe 1928 nhnnhh.exe 3556 3ppjv.exe 3244 hnhhnt.exe 3832 9jjdp.exe 3368 thbntn.exe 1948 bhbhbt.exe 1636 3pjpj.exe 3224 rrrrrrr.exe 3060 thnhbb.exe 4208 vppjp.exe 4196 jpjvp.exe 920 rllxlxl.exe 2748 9nhbtt.exe 3256 jjdvd.exe 3996 9jjdp.exe 2112 xlrfxxr.exe 2300 rllfxxr.exe 2248 3nnbtn.exe 1256 dvjdp.exe 1232 dppdv.exe 4532 ffxrfxx.exe 2260 1bbbhh.exe 628 7frfrfx.exe 4692 rlllxxx.exe 2336 9tbbbb.exe 1340 7jdpv.exe 5000 djdvj.exe 2292 rrlxlxl.exe 2532 hthbhh.exe 4488 nbhthn.exe 3216 pdjpd.exe 2220 3rxlfrr.exe 116 ffrflfr.exe -
resource yara_rule behavioral2/memory/4400-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3268-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-294-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3216-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-606-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs shown
Attempts to gather information about the system language of the victim host (here by opening `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`) in order to infer its geographical location. Entries marked "Process not Found" are events whose originating PID the sandbox could not resolve at the time it recorded them — plausibly a short-lived process in the chain that had already exited — so they should not be read as activity by an unrelated process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfffxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs shown (truncated). In every entry the target PID is the child the parent has just spawned (4400→3792, 3792→876, 876→4812, …, matching the process tree below), and each pair is logged three times; these hits therefore reflect the spawn chain itself rather than injection into pre-existing or unrelated processes.
description pid Process procid_target PID 4400 wrote to memory of 3792 4400 634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801.exe 82 PID 4400 wrote to memory of 3792 4400 634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801.exe 82 PID 4400 wrote to memory of 3792 4400 634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801.exe 82 PID 3792 wrote to memory of 876 3792 hhhhth.exe 83 PID 3792 wrote to memory of 876 3792 hhhhth.exe 83 PID 3792 wrote to memory of 876 3792 hhhhth.exe 83 PID 876 wrote to memory of 4812 876 3pjvj.exe 84 PID 876 wrote to memory of 4812 876 3pjvj.exe 84 PID 876 wrote to memory of 4812 876 3pjvj.exe 84 PID 4812 wrote to memory of 1624 4812 nhhbtn.exe 85 PID 4812 wrote to memory of 1624 4812 nhhbtn.exe 85 PID 4812 wrote to memory of 1624 4812 nhhbtn.exe 85 PID 1624 wrote to memory of 2136 1624 jvpdv.exe 86 PID 1624 wrote to memory of 2136 1624 jvpdv.exe 86 PID 1624 wrote to memory of 2136 1624 jvpdv.exe 86 PID 2136 wrote to memory of 4324 2136 lxxlxrf.exe 87 PID 2136 wrote to memory of 4324 2136 lxxlxrf.exe 87 PID 2136 wrote to memory of 4324 2136 lxxlxrf.exe 87 PID 4324 wrote to memory of 4612 4324 frlxfxl.exe 88 PID 4324 wrote to memory of 4612 4324 frlxfxl.exe 88 PID 4324 wrote to memory of 4612 4324 frlxfxl.exe 88 PID 4612 wrote to memory of 2212 4612 thbthb.exe 89 PID 4612 wrote to memory of 2212 4612 thbthb.exe 89 PID 4612 wrote to memory of 2212 4612 thbthb.exe 89 PID 2212 wrote to memory of 808 2212 3pjvj.exe 90 PID 2212 wrote to memory of 808 2212 3pjvj.exe 90 PID 2212 wrote to memory of 808 2212 3pjvj.exe 90 PID 808 wrote to memory of 4100 808 7vdpd.exe 91 PID 808 wrote to memory of 4100 808 7vdpd.exe 91 PID 808 wrote to memory of 4100 808 7vdpd.exe 91 PID 4100 wrote to memory of 1416 4100 3xlfxrf.exe 92 PID 4100 wrote to memory of 1416 4100 3xlfxrf.exe 92 PID 4100 wrote to memory of 1416 4100 3xlfxrf.exe 92 PID 1416 wrote to memory of 2192 1416 xxrlffl.exe 93 PID 1416 wrote to memory of 2192 1416 
xxrlffl.exe 93 PID 1416 wrote to memory of 2192 1416 xxrlffl.exe 93 PID 2192 wrote to memory of 1556 2192 btnthb.exe 94 PID 2192 wrote to memory of 1556 2192 btnthb.exe 94 PID 2192 wrote to memory of 1556 2192 btnthb.exe 94 PID 1556 wrote to memory of 2948 1556 pdjvp.exe 95 PID 1556 wrote to memory of 2948 1556 pdjvp.exe 95 PID 1556 wrote to memory of 2948 1556 pdjvp.exe 95 PID 2948 wrote to memory of 976 2948 rflxrlf.exe 96 PID 2948 wrote to memory of 976 2948 rflxrlf.exe 96 PID 2948 wrote to memory of 976 2948 rflxrlf.exe 96 PID 976 wrote to memory of 212 976 5tbthb.exe 97 PID 976 wrote to memory of 212 976 5tbthb.exe 97 PID 976 wrote to memory of 212 976 5tbthb.exe 97 PID 212 wrote to memory of 4688 212 3jjvp.exe 98 PID 212 wrote to memory of 4688 212 3jjvp.exe 98 PID 212 wrote to memory of 4688 212 3jjvp.exe 98 PID 4688 wrote to memory of 2760 4688 vdpjp.exe 99 PID 4688 wrote to memory of 2760 4688 vdpjp.exe 99 PID 4688 wrote to memory of 2760 4688 vdpjp.exe 99 PID 2760 wrote to memory of 3396 2760 ppdjv.exe 100 PID 2760 wrote to memory of 3396 2760 ppdjv.exe 100 PID 2760 wrote to memory of 3396 2760 ppdjv.exe 100 PID 3396 wrote to memory of 4896 3396 flxlfxr.exe 101 PID 3396 wrote to memory of 4896 3396 flxlfxr.exe 101 PID 3396 wrote to memory of 4896 3396 flxlfxr.exe 101 PID 4896 wrote to memory of 3608 4896 3hnhbb.exe 102 PID 4896 wrote to memory of 3608 4896 3hnhbb.exe 102 PID 4896 wrote to memory of 3608 4896 3hnhbb.exe 102 PID 3608 wrote to memory of 3936 3608 hnnbhn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801.exe"C:\Users\Admin\AppData\Local\Temp\634968eed6d2b8a93dbef3df2ed88b0799fa4b21b404b0c8ab1f0cef74790801.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\hhhhth.exec:\hhhhth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\3pjvj.exec:\3pjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\nhhbtn.exec:\nhhbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\jvpdv.exec:\jvpdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\frlxfxl.exec:\frlxfxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\thbthb.exec:\thbthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\3pjvj.exec:\3pjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\7vdpd.exec:\7vdpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\3xlfxrf.exec:\3xlfxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\xxrlffl.exec:\xxrlffl.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\btnthb.exec:\btnthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\pdjvp.exec:\pdjvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\rflxrlf.exec:\rflxrlf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\5tbthb.exec:\5tbthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:976 -
\??\c:\3jjvp.exec:\3jjvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\vdpjp.exec:\vdpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\ppdjv.exec:\ppdjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
\??\c:\flxlfxr.exec:\flxlfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\3hnhbb.exec:\3hnhbb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\hnnbhn.exec:\hnnbhn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\nhhbnh.exec:\nhhbnh.exe23⤵
- Executes dropped EXE
PID:3936 -
\??\c:\9nhnbt.exec:\9nhnbt.exe24⤵
- Executes dropped EXE
PID:2252 -
\??\c:\frfxrff.exec:\frfxrff.exe25⤵
- Executes dropped EXE
PID:3268 -
\??\c:\nhbbtb.exec:\nhbbtb.exe26⤵
- Executes dropped EXE
PID:4260 -
\??\c:\djdpd.exec:\djdpd.exe27⤵
- Executes dropped EXE
PID:4708 -
\??\c:\1flfrll.exec:\1flfrll.exe28⤵
- Executes dropped EXE
PID:3132 -
\??\c:\nbhtbt.exec:\nbhtbt.exe29⤵
- Executes dropped EXE
PID:4304 -
\??\c:\7dpjv.exec:\7dpjv.exe30⤵
- Executes dropped EXE
PID:2876 -
\??\c:\dpvpj.exec:\dpvpj.exe31⤵
- Executes dropped EXE
PID:2892 -
\??\c:\rrxrrlr.exec:\rrxrrlr.exe32⤵
- Executes dropped EXE
PID:3164 -
\??\c:\nhnnhh.exec:\nhnnhh.exe33⤵
- Executes dropped EXE
PID:1928 -
\??\c:\3ppjv.exec:\3ppjv.exe34⤵
- Executes dropped EXE
PID:3556 -
\??\c:\hnhhnt.exec:\hnhhnt.exe35⤵
- Executes dropped EXE
PID:3244 -
\??\c:\9jjdp.exec:\9jjdp.exe36⤵
- Executes dropped EXE
PID:3832 -
\??\c:\thbntn.exec:\thbntn.exe37⤵
- Executes dropped EXE
PID:3368 -
\??\c:\bhbhbt.exec:\bhbhbt.exe38⤵
- Executes dropped EXE
PID:1948 -
\??\c:\3pjpj.exec:\3pjpj.exe39⤵
- Executes dropped EXE
PID:1636 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe40⤵
- Executes dropped EXE
PID:3224 -
\??\c:\thnhbb.exec:\thnhbb.exe41⤵
- Executes dropped EXE
PID:3060 -
\??\c:\vppjp.exec:\vppjp.exe42⤵
- Executes dropped EXE
PID:4208 -
\??\c:\jpjvp.exec:\jpjvp.exe43⤵
- Executes dropped EXE
PID:4196 -
\??\c:\rllxlxl.exec:\rllxlxl.exe44⤵
- Executes dropped EXE
PID:920 -
\??\c:\9nhbtt.exec:\9nhbtt.exe45⤵
- Executes dropped EXE
PID:2748 -
\??\c:\jjdvd.exec:\jjdvd.exe46⤵
- Executes dropped EXE
PID:3256 -
\??\c:\9jjdp.exec:\9jjdp.exe47⤵
- Executes dropped EXE
PID:3996 -
\??\c:\xlrfxxr.exec:\xlrfxxr.exe48⤵
- Executes dropped EXE
PID:2112 -
\??\c:\rllfxxr.exec:\rllfxxr.exe49⤵
- Executes dropped EXE
PID:2300 -
\??\c:\3nnbtn.exec:\3nnbtn.exe50⤵
- Executes dropped EXE
PID:2248 -
\??\c:\dvjdp.exec:\dvjdp.exe51⤵
- Executes dropped EXE
PID:1256 -
\??\c:\dppdv.exec:\dppdv.exe52⤵
- Executes dropped EXE
PID:1232 -
\??\c:\ffxrfxx.exec:\ffxrfxx.exe53⤵
- Executes dropped EXE
PID:4532 -
\??\c:\1bbbhh.exec:\1bbbhh.exe54⤵
- Executes dropped EXE
PID:2260 -
\??\c:\7frfrfx.exec:\7frfrfx.exe55⤵
- Executes dropped EXE
PID:628 -
\??\c:\rlllxxx.exec:\rlllxxx.exe56⤵
- Executes dropped EXE
PID:4692 -
\??\c:\9tbbbb.exec:\9tbbbb.exe57⤵
- Executes dropped EXE
PID:2336 -
\??\c:\7jdpv.exec:\7jdpv.exe58⤵
- Executes dropped EXE
PID:1340 -
\??\c:\djdvj.exec:\djdvj.exe59⤵
- Executes dropped EXE
PID:5000 -
\??\c:\rrlxlxl.exec:\rrlxlxl.exe60⤵
- Executes dropped EXE
PID:2292 -
\??\c:\hthbhh.exec:\hthbhh.exe61⤵
- Executes dropped EXE
PID:2532 -
\??\c:\nbhthn.exec:\nbhthn.exe62⤵
- Executes dropped EXE
PID:4488 -
\??\c:\pdjpd.exec:\pdjpd.exe63⤵
- Executes dropped EXE
PID:3216 -
\??\c:\3rxlfrr.exec:\3rxlfrr.exe64⤵
- Executes dropped EXE
PID:2220 -
\??\c:\ffrflfr.exec:\ffrflfr.exe65⤵
- Executes dropped EXE
PID:116 -
\??\c:\pvdpd.exec:\pvdpd.exe66⤵PID:2384
-
\??\c:\3xxflxx.exec:\3xxflxx.exe67⤵PID:1500
-
\??\c:\fxxfrll.exec:\fxxfrll.exe68⤵PID:1840
-
\??\c:\1nntth.exec:\1nntth.exe69⤵PID:4976
-
\??\c:\1ddpj.exec:\1ddpj.exe70⤵PID:5064
-
\??\c:\5jdvv.exec:\5jdvv.exe71⤵PID:2192
-
\??\c:\3xlxxrl.exec:\3xlxxrl.exe72⤵PID:4952
-
\??\c:\tbbhtn.exec:\tbbhtn.exe73⤵PID:2360
-
\??\c:\pdpdp.exec:\pdpdp.exe74⤵PID:2956
-
\??\c:\dvjdv.exec:\dvjdv.exe75⤵PID:2704
-
\??\c:\1lrlxxr.exec:\1lrlxxr.exe76⤵PID:4296
-
\??\c:\9bnhbb.exec:\9bnhbb.exe77⤵PID:4940
-
\??\c:\1hthth.exec:\1hthth.exe78⤵PID:4044
-
\??\c:\3jpvj.exec:\3jpvj.exe79⤵PID:4828
-
\??\c:\7xfxllf.exec:\7xfxllf.exe80⤵PID:1096
-
\??\c:\1bnbhb.exec:\1bnbhb.exe81⤵PID:4484
-
\??\c:\7jdpd.exec:\7jdpd.exe82⤵PID:3768
-
\??\c:\7vpdp.exec:\7vpdp.exe83⤵PID:468
-
\??\c:\xrrxlrr.exec:\xrrxlrr.exe84⤵PID:2104
-
\??\c:\hbbtnh.exec:\hbbtnh.exe85⤵PID:3528
-
\??\c:\7dddj.exec:\7dddj.exe86⤵PID:2788
-
\??\c:\jjdvj.exec:\jjdvj.exe87⤵PID:4228
-
\??\c:\3lrlrrr.exec:\3lrlrrr.exe88⤵PID:4912
-
\??\c:\xflfxrl.exec:\xflfxrl.exe89⤵PID:4260
-
\??\c:\bnbnhb.exec:\bnbnhb.exe90⤵
- System Location Discovery: System Language Discovery
PID:3788 -
\??\c:\dppjv.exec:\dppjv.exe91⤵PID:2472
-
\??\c:\9lrllrr.exec:\9lrllrr.exe92⤵PID:856
-
\??\c:\5xxrlff.exec:\5xxrlff.exe93⤵PID:536
-
\??\c:\tttnhh.exec:\tttnhh.exe94⤵PID:4440
-
\??\c:\tnnhhh.exec:\tnnhhh.exe95⤵PID:3384
-
\??\c:\9ppjv.exec:\9ppjv.exe96⤵PID:2888
-
\??\c:\3xxlffr.exec:\3xxlffr.exe97⤵PID:2728
-
\??\c:\thbnbt.exec:\thbnbt.exe98⤵PID:744
-
\??\c:\vdjvd.exec:\vdjvd.exe99⤵PID:2988
-
\??\c:\vvjvp.exec:\vvjvp.exe100⤵PID:1068
-
\??\c:\fxlxfrf.exec:\fxlxfrf.exe101⤵PID:4240
-
\??\c:\bnhbnb.exec:\bnhbnb.exe102⤵PID:3380
-
\??\c:\tbbthh.exec:\tbbthh.exe103⤵PID:4936
-
\??\c:\ddddp.exec:\ddddp.exe104⤵PID:1948
-
\??\c:\7ffxrlx.exec:\7ffxrlx.exe105⤵PID:1636
-
\??\c:\3xflxrf.exec:\3xflxrf.exe106⤵PID:1648
-
\??\c:\hthhbt.exec:\hthhbt.exe107⤵PID:208
-
\??\c:\vdpdp.exec:\vdpdp.exe108⤵PID:2620
-
\??\c:\3jvpv.exec:\3jvpv.exe109⤵PID:4656
-
\??\c:\3rlfxxr.exec:\3rlfxxr.exe110⤵PID:4908
-
\??\c:\1ttthh.exec:\1ttthh.exe111⤵PID:4340
-
\??\c:\ntthnh.exec:\ntthnh.exe112⤵PID:2556
-
\??\c:\dpvpj.exec:\dpvpj.exe113⤵PID:4944
-
\??\c:\pjddv.exec:\pjddv.exe114⤵PID:2244
-
\??\c:\nhhbnh.exec:\nhhbnh.exe115⤵PID:1592
-
\??\c:\nhhbbt.exec:\nhhbbt.exe116⤵PID:1112
-
\??\c:\dvpdj.exec:\dvpdj.exe117⤵PID:1828
-
\??\c:\fxxlfll.exec:\fxxlfll.exe118⤵PID:4540
-
\??\c:\llllffx.exec:\llllffx.exe119⤵PID:1232
-
\??\c:\hnbtbb.exec:\hnbtbb.exe120⤵PID:4532
-
\??\c:\9tbthb.exec:\9tbthb.exe121⤵PID:3108
-
\??\c:\vvpvj.exec:\vvpvj.exe122⤵PID:3172