Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 04:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469.exe
-
Size
453KB
-
MD5
fd9320ad7a7ef069db62e0456cc60269
-
SHA1
b91ad8acb65e10995b79257b2d4117b839403a32
-
SHA256
ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469
-
SHA512
8a6f29c75f3043a24bd75e1748c2cbabf5a014345ba99df5ad60fb12134b430ccdb93f09a29d5e5d31be282504423ab81212b4416a16cfd1aec5f04632211c73
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe8:q7Tc2NYHUrAwfMp3CD8
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3844-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1780-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2300-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/984-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-1091-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-1176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3928 9vvvp.exe 4344 nntnhh.exe 4896 nnnhnn.exe 4876 tnbthh.exe 3888 tbnhbb.exe 2992 ttnhbb.exe 1064 bbhnnn.exe 2952 xxlfxfx.exe 536 vpvvp.exe 3360 llffxxr.exe 4452 tbhntb.exe 4160 jpjdv.exe 2588 jdddv.exe 4924 djvvd.exe 1172 ffxxxxr.exe 632 jvpjd.exe 3476 tbhbth.exe 868 vvdjv.exe 528 tnnnnb.exe 1768 1lllffx.exe 5020 rflfxxx.exe 1584 7jjjd.exe 3480 pjjpj.exe 1040 xffxxxx.exe 1356 nhnhhh.exe 4792 tbnhhh.exe 2264 jpppj.exe 4700 rrxlflf.exe 4724 hnnhbb.exe 3884 ppvpj.exe 2732 rrrrllf.exe 2616 7xxrrxr.exe 3508 btbbtt.exe 4556 hntnhb.exe 1560 dddvj.exe 1780 9xxxrrl.exe 640 xxllffl.exe 3880 nbbtnh.exe 3280 tnhtnb.exe 2724 jddvj.exe 2304 lrrfrfx.exe 2244 tbntbb.exe 920 bnhbnn.exe 1952 1dvpd.exe 2180 rrlxxll.exe 3228 nhhbbb.exe 4880 vdjdv.exe 3332 lfxrfxr.exe 820 httnhh.exe 4336 pjdvp.exe 3484 vvdvd.exe 1800 xrrfxxl.exe 4456 1jdpj.exe 3660 htnbnb.exe 216 vpjdp.exe 3400 3lffrxl.exe 4876 lllfrlx.exe 3856 djpjd.exe 4428 9pjdv.exe 1484 hhbbnh.exe 2592 vdpdp.exe 2952 nhhthb.exe 4820 nhhbnn.exe 1556 vpjdp.exe -
resource yara_rule behavioral2/memory/3844-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-204-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2724-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-332-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/592-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-1091-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3844 wrote to memory of 3928 3844 ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469.exe 83 PID 3844 wrote to memory of 3928 3844 ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469.exe 83 PID 3844 wrote to memory of 3928 3844 ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469.exe 83 PID 3928 wrote to memory of 4344 3928 9vvvp.exe 84 PID 3928 wrote to memory of 4344 3928 9vvvp.exe 84 PID 3928 wrote to memory of 4344 3928 9vvvp.exe 84 PID 4344 wrote to memory of 4896 4344 nntnhh.exe 85 PID 4344 wrote to memory of 4896 4344 nntnhh.exe 85 PID 4344 wrote to memory of 4896 4344 nntnhh.exe 85 PID 4896 wrote to memory of 4876 4896 nnnhnn.exe 86 PID 4896 wrote to memory of 4876 4896 nnnhnn.exe 86 PID 4896 wrote to memory of 4876 4896 nnnhnn.exe 86 PID 4876 wrote to memory of 3888 4876 tnbthh.exe 87 PID 4876 wrote to memory of 3888 4876 tnbthh.exe 87 PID 4876 wrote to memory of 3888 4876 tnbthh.exe 87 PID 3888 wrote to memory of 2992 3888 tbnhbb.exe 88 PID 3888 wrote to memory of 2992 3888 tbnhbb.exe 88 PID 3888 wrote to memory of 2992 3888 tbnhbb.exe 88 PID 2992 wrote to memory of 1064 2992 ttnhbb.exe 89 PID 2992 wrote to memory of 1064 2992 ttnhbb.exe 89 PID 2992 wrote to memory of 1064 2992 ttnhbb.exe 89 PID 1064 wrote to memory of 2952 1064 bbhnnn.exe 90 PID 1064 wrote to memory of 2952 1064 bbhnnn.exe 90 PID 1064 wrote to memory of 2952 1064 bbhnnn.exe 90 PID 2952 wrote to memory of 536 2952 xxlfxfx.exe 91 PID 2952 wrote to memory of 536 2952 xxlfxfx.exe 91 PID 2952 wrote to memory of 536 2952 xxlfxfx.exe 91 PID 536 wrote to memory of 3360 536 vpvvp.exe 92 PID 536 wrote to memory of 3360 536 vpvvp.exe 92 PID 536 wrote to memory of 3360 536 vpvvp.exe 92 PID 3360 wrote to memory of 4452 3360 llffxxr.exe 93 PID 3360 wrote to memory of 4452 3360 llffxxr.exe 93 PID 3360 wrote to memory of 4452 3360 llffxxr.exe 93 PID 4452 wrote to memory of 4160 4452 tbhntb.exe 94 PID 4452 wrote to memory of 
4160 4452 tbhntb.exe 94 PID 4452 wrote to memory of 4160 4452 tbhntb.exe 94 PID 4160 wrote to memory of 2588 4160 jpjdv.exe 95 PID 4160 wrote to memory of 2588 4160 jpjdv.exe 95 PID 4160 wrote to memory of 2588 4160 jpjdv.exe 95 PID 2588 wrote to memory of 4924 2588 jdddv.exe 96 PID 2588 wrote to memory of 4924 2588 jdddv.exe 96 PID 2588 wrote to memory of 4924 2588 jdddv.exe 96 PID 4924 wrote to memory of 1172 4924 djvvd.exe 97 PID 4924 wrote to memory of 1172 4924 djvvd.exe 97 PID 4924 wrote to memory of 1172 4924 djvvd.exe 97 PID 1172 wrote to memory of 632 1172 ffxxxxr.exe 98 PID 1172 wrote to memory of 632 1172 ffxxxxr.exe 98 PID 1172 wrote to memory of 632 1172 ffxxxxr.exe 98 PID 632 wrote to memory of 3476 632 jvpjd.exe 99 PID 632 wrote to memory of 3476 632 jvpjd.exe 99 PID 632 wrote to memory of 3476 632 jvpjd.exe 99 PID 3476 wrote to memory of 868 3476 tbhbth.exe 100 PID 3476 wrote to memory of 868 3476 tbhbth.exe 100 PID 3476 wrote to memory of 868 3476 tbhbth.exe 100 PID 868 wrote to memory of 528 868 vvdjv.exe 101 PID 868 wrote to memory of 528 868 vvdjv.exe 101 PID 868 wrote to memory of 528 868 vvdjv.exe 101 PID 528 wrote to memory of 1768 528 tnnnnb.exe 102 PID 528 wrote to memory of 1768 528 tnnnnb.exe 102 PID 528 wrote to memory of 1768 528 tnnnnb.exe 102 PID 1768 wrote to memory of 5020 1768 1lllffx.exe 103 PID 1768 wrote to memory of 5020 1768 1lllffx.exe 103 PID 1768 wrote to memory of 5020 1768 1lllffx.exe 103 PID 5020 wrote to memory of 1584 5020 rflfxxx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469.exe"C:\Users\Admin\AppData\Local\Temp\ea68216f15e150df7f2da475f8d4079411185e26ed154d3e2b59082ade589469.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\9vvvp.exec:\9vvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\nntnhh.exec:\nntnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\nnnhnn.exec:\nnnhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\tnbthh.exec:\tnbthh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\tbnhbb.exec:\tbnhbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\ttnhbb.exec:\ttnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\bbhnnn.exec:\bbhnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\xxlfxfx.exec:\xxlfxfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\vpvvp.exec:\vpvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\llffxxr.exec:\llffxxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\tbhntb.exec:\tbhntb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\jpjdv.exec:\jpjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\jdddv.exec:\jdddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\djvvd.exec:\djvvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\ffxxxxr.exec:\ffxxxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\jvpjd.exec:\jvpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\tbhbth.exec:\tbhbth.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\vvdjv.exec:\vvdjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\tnnnnb.exec:\tnnnnb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
\??\c:\1lllffx.exec:\1lllffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\rflfxxx.exec:\rflfxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\7jjjd.exec:\7jjjd.exe23⤵
- Executes dropped EXE
PID:1584 -
\??\c:\pjjpj.exec:\pjjpj.exe24⤵
- Executes dropped EXE
PID:3480 -
\??\c:\xffxxxx.exec:\xffxxxx.exe25⤵
- Executes dropped EXE
PID:1040 -
\??\c:\nhnhhh.exec:\nhnhhh.exe26⤵
- Executes dropped EXE
PID:1356 -
\??\c:\tbnhhh.exec:\tbnhhh.exe27⤵
- Executes dropped EXE
PID:4792 -
\??\c:\jpppj.exec:\jpppj.exe28⤵
- Executes dropped EXE
PID:2264 -
\??\c:\rrxlflf.exec:\rrxlflf.exe29⤵
- Executes dropped EXE
PID:4700 -
\??\c:\hnnhbb.exec:\hnnhbb.exe30⤵
- Executes dropped EXE
PID:4724 -
\??\c:\ppvpj.exec:\ppvpj.exe31⤵
- Executes dropped EXE
PID:3884 -
\??\c:\rrrrllf.exec:\rrrrllf.exe32⤵
- Executes dropped EXE
PID:2732 -
\??\c:\7xxrrxr.exec:\7xxrrxr.exe33⤵
- Executes dropped EXE
PID:2616 -
\??\c:\btbbtt.exec:\btbbtt.exe34⤵
- Executes dropped EXE
PID:3508 -
\??\c:\hntnhb.exec:\hntnhb.exe35⤵
- Executes dropped EXE
PID:4556 -
\??\c:\dddvj.exec:\dddvj.exe36⤵
- Executes dropped EXE
PID:1560 -
\??\c:\9xxxrrl.exec:\9xxxrrl.exe37⤵
- Executes dropped EXE
PID:1780 -
\??\c:\xxllffl.exec:\xxllffl.exe38⤵
- Executes dropped EXE
PID:640 -
\??\c:\nbbtnh.exec:\nbbtnh.exe39⤵
- Executes dropped EXE
PID:3880 -
\??\c:\tnhtnb.exec:\tnhtnb.exe40⤵
- Executes dropped EXE
PID:3280 -
\??\c:\jddvj.exec:\jddvj.exe41⤵
- Executes dropped EXE
PID:2724 -
\??\c:\lrrfrfx.exec:\lrrfrfx.exe42⤵
- Executes dropped EXE
PID:2304 -
\??\c:\tbntbb.exec:\tbntbb.exe43⤵
- Executes dropped EXE
PID:2244 -
\??\c:\bnhbnn.exec:\bnhbnn.exe44⤵
- Executes dropped EXE
PID:920 -
\??\c:\1dvpd.exec:\1dvpd.exe45⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rrlxxll.exec:\rrlxxll.exe46⤵
- Executes dropped EXE
PID:2180 -
\??\c:\nhhbbb.exec:\nhhbbb.exe47⤵
- Executes dropped EXE
PID:3228 -
\??\c:\vdjdv.exec:\vdjdv.exe48⤵
- Executes dropped EXE
PID:4880 -
\??\c:\lfxrfxr.exec:\lfxrfxr.exe49⤵
- Executes dropped EXE
PID:3332 -
\??\c:\httnhh.exec:\httnhh.exe50⤵
- Executes dropped EXE
PID:820 -
\??\c:\pjdvp.exec:\pjdvp.exe51⤵
- Executes dropped EXE
PID:4336 -
\??\c:\vvdvd.exec:\vvdvd.exe52⤵
- Executes dropped EXE
PID:3484 -
\??\c:\xrrfxxl.exec:\xrrfxxl.exe53⤵
- Executes dropped EXE
PID:1800 -
\??\c:\1jdpj.exec:\1jdpj.exe54⤵
- Executes dropped EXE
PID:4456 -
\??\c:\htnbnb.exec:\htnbnb.exe55⤵
- Executes dropped EXE
PID:3660 -
\??\c:\vpjdp.exec:\vpjdp.exe56⤵
- Executes dropped EXE
PID:216 -
\??\c:\3lffrxl.exec:\3lffrxl.exe57⤵
- Executes dropped EXE
PID:3400 -
\??\c:\lllfrlx.exec:\lllfrlx.exe58⤵
- Executes dropped EXE
PID:4876 -
\??\c:\djpjd.exec:\djpjd.exe59⤵
- Executes dropped EXE
PID:3856 -
\??\c:\9pjdv.exec:\9pjdv.exe60⤵
- Executes dropped EXE
PID:4428 -
\??\c:\hhbbnh.exec:\hhbbnh.exe61⤵
- Executes dropped EXE
PID:1484 -
\??\c:\vdpdp.exec:\vdpdp.exe62⤵
- Executes dropped EXE
PID:2592 -
\??\c:\nhhthb.exec:\nhhthb.exe63⤵
- Executes dropped EXE
PID:2952 -
\??\c:\nhhbnn.exec:\nhhbnn.exe64⤵
- Executes dropped EXE
PID:4820 -
\??\c:\vpjdp.exec:\vpjdp.exe65⤵
- Executes dropped EXE
PID:1556 -
\??\c:\ffxlfxr.exec:\ffxlfxr.exe66⤵PID:4488
-
\??\c:\5dpjj.exec:\5dpjj.exe67⤵PID:4104
-
\??\c:\lflffff.exec:\lflffff.exe68⤵PID:844
-
\??\c:\tbbnbb.exec:\tbbnbb.exe69⤵PID:1220
-
\??\c:\bthhhb.exec:\bthhhb.exe70⤵PID:2300
-
\??\c:\dvpjj.exec:\dvpjj.exe71⤵PID:1228
-
\??\c:\1bbthh.exec:\1bbthh.exe72⤵PID:3448
-
\??\c:\jjdvj.exec:\jjdvj.exe73⤵PID:3240
-
\??\c:\3ffffff.exec:\3ffffff.exe74⤵PID:912
-
\??\c:\hbtnbt.exec:\hbtnbt.exe75⤵PID:4808
-
\??\c:\pvjdv.exec:\pvjdv.exe76⤵PID:4044
-
\??\c:\9ppdv.exec:\9ppdv.exe77⤵PID:592
-
\??\c:\fflfrrf.exec:\fflfrrf.exe78⤵PID:2860
-
\??\c:\nnnbbt.exec:\nnnbbt.exe79⤵PID:2160
-
\??\c:\dvpdv.exec:\dvpdv.exe80⤵PID:1624
-
\??\c:\ppvjp.exec:\ppvjp.exe81⤵PID:984
-
\??\c:\llllxxr.exec:\llllxxr.exe82⤵PID:1600
-
\??\c:\5tbttt.exec:\5tbttt.exe83⤵PID:1704
-
\??\c:\pjjvp.exec:\pjjvp.exe84⤵PID:1040
-
\??\c:\xxfrrlr.exec:\xxfrrlr.exe85⤵PID:1456
-
\??\c:\rffxrlf.exec:\rffxrlf.exe86⤵PID:2340
-
\??\c:\1nttnn.exec:\1nttnn.exe87⤵PID:2512
-
\??\c:\vvpjd.exec:\vvpjd.exe88⤵PID:5064
-
\??\c:\pdddp.exec:\pdddp.exe89⤵PID:1972
-
\??\c:\7hbtnn.exec:\7hbtnn.exe90⤵PID:5116
-
\??\c:\nnthtt.exec:\nnthtt.exe91⤵PID:2320
-
\??\c:\dddpp.exec:\dddpp.exe92⤵PID:888
-
\??\c:\flrlxrl.exec:\flrlxrl.exe93⤵PID:1824
-
\??\c:\xfrfrrl.exec:\xfrfrrl.exe94⤵PID:2776
-
\??\c:\nnbtnh.exec:\nnbtnh.exe95⤵PID:3180
-
\??\c:\htbthb.exec:\htbthb.exe96⤵PID:3132
-
\??\c:\jdpjd.exec:\jdpjd.exe97⤵PID:3004
-
\??\c:\frrfrlf.exec:\frrfrlf.exe98⤵PID:5024
-
\??\c:\bnttnb.exec:\bnttnb.exe99⤵
- System Location Discovery: System Language Discovery
PID:4848 -
\??\c:\btnthb.exec:\btnthb.exe100⤵PID:780
-
\??\c:\pjdvp.exec:\pjdvp.exe101⤵PID:2584
-
\??\c:\llfxrlf.exec:\llfxrlf.exe102⤵PID:4912
-
\??\c:\hhbnhh.exec:\hhbnhh.exe103⤵PID:3104
-
\??\c:\dvjvp.exec:\dvjvp.exe104⤵PID:1300
-
\??\c:\vpvpd.exec:\vpvpd.exe105⤵PID:1892
-
\??\c:\7rlrffx.exec:\7rlrffx.exe106⤵PID:4524
-
\??\c:\nnbbnn.exec:\nnbbnn.exe107⤵PID:2844
-
\??\c:\vjjjd.exec:\vjjjd.exe108⤵PID:396
-
\??\c:\lffrfxr.exec:\lffrfxr.exe109⤵PID:4880
-
\??\c:\rxlrlll.exec:\rxlrlll.exe110⤵PID:1464
-
\??\c:\1ththh.exec:\1ththh.exe111⤵PID:1632
-
\??\c:\pppjv.exec:\pppjv.exe112⤵PID:2888
-
\??\c:\9ppjd.exec:\9ppjd.exe113⤵PID:2232
-
\??\c:\xrlxllx.exec:\xrlxllx.exe114⤵PID:2428
-
\??\c:\ttnbtn.exec:\ttnbtn.exe115⤵PID:232
-
\??\c:\hhthtn.exec:\hhthtn.exe116⤵PID:4952
-
\??\c:\dpvjd.exec:\dpvjd.exe117⤵PID:4520
-
\??\c:\7ppdp.exec:\7ppdp.exe118⤵PID:5112
-
\??\c:\frrlxlf.exec:\frrlxlf.exe119⤵PID:1372
-
\??\c:\hbbtnh.exec:\hbbtnh.exe120⤵PID:1332
-
\??\c:\tbhbbb.exec:\tbhbbb.exe121⤵PID:3756
-
\??\c:\1ddvp.exec:\1ddvp.exe122⤵PID:1732