Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8N.exe
-
Size
346KB
-
MD5
2a122b8b62b136679869ec3600067c80
-
SHA1
640270824e9956d9369e23dc8d1b85cb9d478875
-
SHA256
b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8
-
SHA512
ca9130936d1a4c7d524a2c1d38e0c753b6a3aaf2d17a820267b72f60b845e13db40c36fdb2dece400a614ca950bb112b01da05e7e988d6242a6999bb29dd12a4
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAu:l7TcbWXZshJX2VGdu
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2096-7-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2284-13-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4540-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1844-25-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4568-21-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4256-42-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3840-49-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3168-54-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3168-58-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4048-64-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4824-77-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4676-70-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2616-87-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2444-100-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3580-93-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1856-81-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3628-115-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2512-131-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1140-142-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4340-158-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3384-165-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3056-174-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5080-185-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3616-182-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/868-191-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3320-198-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4936-202-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1652-206-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/392-210-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4616-214-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5016-218-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4908-225-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3608-229-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4864-236-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1796-243-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3908-247-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4100-254-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4692-264-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2780-268-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4256-276-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2884-292-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/556-296-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3956-306-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2968-313-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2936-335-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2032-339-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4332-346-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3640-350-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2424-357-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5100-358-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/224-368-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4588-378-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2800-396-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2856-432-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1844-460-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4204-464-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1052-480-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1224-484-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4252-488-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4316-492-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3980-554-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2860-678-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4340-898-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/4356-1511-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2284 006048.exe 4568 hthhbt.exe 4540 2822040.exe 1844 o804006.exe 3356 2202080.exe 4256 pdjvp.exe 3840 2042608.exe 1052 606826.exe 3168 hnthbt.exe 4048 268204.exe 4676 04082.exe 4824 hbhtnh.exe 1856 bnnbnb.exe 2616 0488622.exe 3580 nnttth.exe 2412 nhbntn.exe 2444 vvpdp.exe 2300 hthhnt.exe 3628 frrxxrf.exe 4520 22820.exe 4332 m4426.exe 2512 xfrfrlx.exe 2108 dpvpd.exe 1140 k28226.exe 2268 6026222.exe 2380 fxflxrx.exe 4340 062042.exe 3384 llfrfrf.exe 3056 jvjvj.exe 768 4002084.exe 3616 600448.exe 5080 48800.exe 868 3thntn.exe 3280 vpvpv.exe 3320 26806.exe 4936 426060.exe 1652 3hhbtb.exe 392 vpjdj.exe 4616 xrflxlr.exe 5016 bbhhhh.exe 1520 thhbtt.exe 4908 666644.exe 3608 vpjdj.exe 4088 0404444.exe 4864 2684882.exe 4324 c020482.exe 1796 4060040.exe 3908 fxfxfxf.exe 748 jdjjp.exe 4100 82420.exe 3988 pjjjd.exe 3812 8620226.exe 4692 04484.exe 2780 xrfxxxf.exe 4696 w84488.exe 4256 jpvvj.exe 3752 8660482.exe 3972 20440.exe 2644 i882008.exe 2648 nhnhhh.exe 2884 i244888.exe 556 6288226.exe 4944 jpdvp.exe 4824 206662.exe -
resource yara_rule behavioral2/memory/2096-7-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2284-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2284-13-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4540-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1844-25-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4568-21-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4256-42-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3840-49-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3168-54-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3168-58-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4048-64-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1856-75-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4824-77-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4676-70-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2616-87-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2444-100-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3580-93-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1856-81-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3628-115-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2512-131-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1140-142-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4340-158-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3384-165-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3056-174-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/5080-185-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3616-182-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/868-191-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3320-198-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4936-202-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1652-206-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/392-210-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4616-214-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5016-218-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4908-225-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3608-229-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4864-236-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1796-243-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3908-247-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4100-254-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4692-264-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2780-268-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4696-269-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4256-276-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2884-292-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/556-296-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3956-306-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2968-313-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2936-335-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/2032-339-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4332-346-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3640-350-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2424-357-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5100-358-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/224-368-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4588-378-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2564-388-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2800-396-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2856-432-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1844-460-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4204-464-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1052-480-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1224-484-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4252-488-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4316-492-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e84260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8626826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6026222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8284226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k24266.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e04084.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 040644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2284 2096 b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8N.exe 83 PID 2096 wrote to memory of 2284 2096 b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8N.exe 83 PID 2096 wrote to memory of 2284 2096 b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8N.exe 83 PID 2284 wrote to memory of 4568 2284 006048.exe 84 PID 2284 wrote to memory of 4568 2284 006048.exe 84 PID 2284 wrote to memory of 4568 2284 006048.exe 84 PID 4568 wrote to memory of 4540 4568 hthhbt.exe 85 PID 4568 wrote to memory of 4540 4568 hthhbt.exe 85 PID 4568 wrote to memory of 4540 4568 hthhbt.exe 85 PID 4540 wrote to memory of 1844 4540 2822040.exe 86 PID 4540 wrote to memory of 1844 4540 2822040.exe 86 PID 4540 wrote to memory of 1844 4540 2822040.exe 86 PID 1844 wrote to memory of 3356 1844 o804006.exe 87 PID 1844 wrote to memory of 3356 1844 o804006.exe 87 PID 1844 wrote to memory of 3356 1844 o804006.exe 87 PID 3356 wrote to memory of 4256 3356 2202080.exe 88 PID 3356 wrote to memory of 4256 3356 2202080.exe 88 PID 3356 wrote to memory of 4256 3356 2202080.exe 88 PID 4256 wrote to memory of 3840 4256 pdjvp.exe 89 PID 4256 wrote to memory of 3840 4256 pdjvp.exe 89 PID 4256 wrote to memory of 3840 4256 pdjvp.exe 89 PID 3840 wrote to memory of 1052 3840 2042608.exe 90 PID 3840 wrote to memory of 1052 3840 2042608.exe 90 PID 3840 wrote to memory of 1052 3840 2042608.exe 90 PID 1052 wrote to memory of 3168 1052 606826.exe 91 PID 1052 wrote to memory of 3168 1052 606826.exe 91 PID 1052 wrote to memory of 3168 1052 606826.exe 91 PID 3168 wrote to memory of 4048 3168 hnthbt.exe 92 PID 3168 wrote to memory of 4048 3168 hnthbt.exe 92 PID 3168 wrote to memory of 4048 3168 hnthbt.exe 92 PID 4048 wrote to memory of 4676 4048 268204.exe 93 PID 4048 wrote to memory of 4676 4048 268204.exe 93 PID 4048 wrote to memory of 4676 4048 268204.exe 93 PID 4676 wrote to memory of 4824 4676 04082.exe 94 PID 4676 
wrote to memory of 4824 4676 04082.exe 94 PID 4676 wrote to memory of 4824 4676 04082.exe 94 PID 4824 wrote to memory of 1856 4824 hbhtnh.exe 95 PID 4824 wrote to memory of 1856 4824 hbhtnh.exe 95 PID 4824 wrote to memory of 1856 4824 hbhtnh.exe 95 PID 1856 wrote to memory of 2616 1856 bnnbnb.exe 96 PID 1856 wrote to memory of 2616 1856 bnnbnb.exe 96 PID 1856 wrote to memory of 2616 1856 bnnbnb.exe 96 PID 2616 wrote to memory of 3580 2616 0488622.exe 97 PID 2616 wrote to memory of 3580 2616 0488622.exe 97 PID 2616 wrote to memory of 3580 2616 0488622.exe 97 PID 3580 wrote to memory of 2412 3580 nnttth.exe 98 PID 3580 wrote to memory of 2412 3580 nnttth.exe 98 PID 3580 wrote to memory of 2412 3580 nnttth.exe 98 PID 2412 wrote to memory of 2444 2412 nhbntn.exe 99 PID 2412 wrote to memory of 2444 2412 nhbntn.exe 99 PID 2412 wrote to memory of 2444 2412 nhbntn.exe 99 PID 2444 wrote to memory of 2300 2444 vvpdp.exe 100 PID 2444 wrote to memory of 2300 2444 vvpdp.exe 100 PID 2444 wrote to memory of 2300 2444 vvpdp.exe 100 PID 2300 wrote to memory of 3628 2300 hthhnt.exe 101 PID 2300 wrote to memory of 3628 2300 hthhnt.exe 101 PID 2300 wrote to memory of 3628 2300 hthhnt.exe 101 PID 3628 wrote to memory of 4520 3628 frrxxrf.exe 102 PID 3628 wrote to memory of 4520 3628 frrxxrf.exe 102 PID 3628 wrote to memory of 4520 3628 frrxxrf.exe 102 PID 4520 wrote to memory of 4332 4520 22820.exe 103 PID 4520 wrote to memory of 4332 4520 22820.exe 103 PID 4520 wrote to memory of 4332 4520 22820.exe 103 PID 4332 wrote to memory of 2512 4332 m4426.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8N.exe"C:\Users\Admin\AppData\Local\Temp\b61459d8afacc8fb9a8f6c0fc5686f44baaed1ada0573bca616d3ed05f0b3ad8N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\006048.exec:\006048.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\hthhbt.exec:\hthhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\2822040.exec:\2822040.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
\??\c:\o804006.exec:\o804006.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\2202080.exec:\2202080.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3356 -
\??\c:\pdjvp.exec:\pdjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\2042608.exec:\2042608.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\606826.exec:\606826.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\hnthbt.exec:\hnthbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\268204.exec:\268204.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\04082.exec:\04082.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\hbhtnh.exec:\hbhtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\bnnbnb.exec:\bnnbnb.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\0488622.exec:\0488622.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\nnttth.exec:\nnttth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\nhbntn.exec:\nhbntn.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\vvpdp.exec:\vvpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\hthhnt.exec:\hthhnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\frrxxrf.exec:\frrxxrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\22820.exec:\22820.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\m4426.exec:\m4426.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\xfrfrlx.exec:\xfrfrlx.exe23⤵
- Executes dropped EXE
PID:2512 -
\??\c:\dpvpd.exec:\dpvpd.exe24⤵
- Executes dropped EXE
PID:2108 -
\??\c:\k28226.exec:\k28226.exe25⤵
- Executes dropped EXE
PID:1140 -
\??\c:\6026222.exec:\6026222.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
\??\c:\fxflxrx.exec:\fxflxrx.exe27⤵
- Executes dropped EXE
PID:2380 -
\??\c:\062042.exec:\062042.exe28⤵
- Executes dropped EXE
PID:4340 -
\??\c:\llfrfrf.exec:\llfrfrf.exe29⤵
- Executes dropped EXE
PID:3384 -
\??\c:\jvjvj.exec:\jvjvj.exe30⤵
- Executes dropped EXE
PID:3056 -
\??\c:\4002084.exec:\4002084.exe31⤵
- Executes dropped EXE
PID:768 -
\??\c:\600448.exec:\600448.exe32⤵
- Executes dropped EXE
PID:3616 -
\??\c:\48800.exec:\48800.exe33⤵
- Executes dropped EXE
PID:5080 -
\??\c:\3thntn.exec:\3thntn.exe34⤵
- Executes dropped EXE
PID:868 -
\??\c:\vpvpv.exec:\vpvpv.exe35⤵
- Executes dropped EXE
PID:3280 -
\??\c:\26806.exec:\26806.exe36⤵
- Executes dropped EXE
PID:3320 -
\??\c:\426060.exec:\426060.exe37⤵
- Executes dropped EXE
PID:4936 -
\??\c:\3hhbtb.exec:\3hhbtb.exe38⤵
- Executes dropped EXE
PID:1652 -
\??\c:\vpjdj.exec:\vpjdj.exe39⤵
- Executes dropped EXE
PID:392 -
\??\c:\xrflxlr.exec:\xrflxlr.exe40⤵
- Executes dropped EXE
PID:4616 -
\??\c:\bbhhhh.exec:\bbhhhh.exe41⤵
- Executes dropped EXE
PID:5016 -
\??\c:\thhbtt.exec:\thhbtt.exe42⤵
- Executes dropped EXE
PID:1520 -
\??\c:\666644.exec:\666644.exe43⤵
- Executes dropped EXE
PID:4908 -
\??\c:\vpjdj.exec:\vpjdj.exe44⤵
- Executes dropped EXE
PID:3608 -
\??\c:\0404444.exec:\0404444.exe45⤵
- Executes dropped EXE
PID:4088 -
\??\c:\2684882.exec:\2684882.exe46⤵
- Executes dropped EXE
PID:4864 -
\??\c:\c020482.exec:\c020482.exe47⤵
- Executes dropped EXE
PID:4324 -
\??\c:\4060040.exec:\4060040.exe48⤵
- Executes dropped EXE
PID:1796 -
\??\c:\fxfxfxf.exec:\fxfxfxf.exe49⤵
- Executes dropped EXE
PID:3908 -
\??\c:\jdjjp.exec:\jdjjp.exe50⤵
- Executes dropped EXE
PID:748 -
\??\c:\82420.exec:\82420.exe51⤵
- Executes dropped EXE
PID:4100 -
\??\c:\pjjjd.exec:\pjjjd.exe52⤵
- Executes dropped EXE
PID:3988 -
\??\c:\8620226.exec:\8620226.exe53⤵
- Executes dropped EXE
PID:3812 -
\??\c:\04484.exec:\04484.exe54⤵
- Executes dropped EXE
PID:4692 -
\??\c:\xrfxxxf.exec:\xrfxxxf.exe55⤵
- Executes dropped EXE
PID:2780 -
\??\c:\w84488.exec:\w84488.exe56⤵
- Executes dropped EXE
PID:4696 -
\??\c:\jpvvj.exec:\jpvvj.exe57⤵
- Executes dropped EXE
PID:4256 -
\??\c:\8660482.exec:\8660482.exe58⤵
- Executes dropped EXE
PID:3752 -
\??\c:\20440.exec:\20440.exe59⤵
- Executes dropped EXE
PID:3972 -
\??\c:\i882008.exec:\i882008.exe60⤵
- Executes dropped EXE
PID:2644 -
\??\c:\nhnhhh.exec:\nhnhhh.exe61⤵
- Executes dropped EXE
PID:2648 -
\??\c:\i244888.exec:\i244888.exe62⤵
- Executes dropped EXE
PID:2884 -
\??\c:\6288226.exec:\6288226.exe63⤵
- Executes dropped EXE
PID:556 -
\??\c:\jpdvp.exec:\jpdvp.exe64⤵
- Executes dropped EXE
PID:4944 -
\??\c:\206662.exec:\206662.exe65⤵
- Executes dropped EXE
PID:4824 -
\??\c:\rxfxxxr.exec:\rxfxxxr.exe66⤵PID:3956
-
\??\c:\464826.exec:\464826.exe67⤵PID:3128
-
\??\c:\thhhtb.exec:\thhhtb.exe68⤵PID:2968
-
\??\c:\llrxrlx.exec:\llrxrlx.exe69⤵PID:3088
-
\??\c:\c464260.exec:\c464260.exe70⤵PID:1636
-
\??\c:\frllffx.exec:\frllffx.exe71⤵PID:2444
-
\??\c:\8244886.exec:\8244886.exe72⤵PID:2372
-
\??\c:\84000.exec:\84000.exe73⤵PID:1952
-
\??\c:\5djdd.exec:\5djdd.exe74⤵PID:4604
-
\??\c:\ddjdp.exec:\ddjdp.exe75⤵PID:2936
-
\??\c:\84482.exec:\84482.exe76⤵PID:2032
-
\??\c:\5nhbnb.exec:\5nhbnb.exe77⤵PID:772
-
\??\c:\ffllfxr.exec:\ffllfxr.exe78⤵PID:4332
-
\??\c:\djjjd.exec:\djjjd.exe79⤵PID:3640
-
\??\c:\thnhbb.exec:\thnhbb.exe80⤵PID:4836
-
\??\c:\9pppd.exec:\9pppd.exe81⤵PID:2424
-
\??\c:\068828.exec:\068828.exe82⤵PID:5100
-
\??\c:\82884.exec:\82884.exe83⤵PID:4784
-
\??\c:\k24266.exec:\k24266.exe84⤵
- System Location Discovery: System Language Discovery
PID:224 -
\??\c:\4004882.exec:\4004882.exe85⤵PID:100
-
\??\c:\3bhbbb.exec:\3bhbbb.exe86⤵PID:4808
-
\??\c:\6088480.exec:\6088480.exe87⤵PID:4588
-
\??\c:\646000.exec:\646000.exe88⤵PID:644
-
\??\c:\ttbnhh.exec:\ttbnhh.exe89⤵PID:4012
-
\??\c:\24048.exec:\24048.exe90⤵PID:2084
-
\??\c:\5jddp.exec:\5jddp.exe91⤵PID:2564
-
\??\c:\64004.exec:\64004.exe92⤵PID:3684
-
\??\c:\hbbbth.exec:\hbbbth.exe93⤵PID:2800
-
\??\c:\llxfxlf.exec:\llxfxlf.exe94⤵PID:468
-
\??\c:\42882.exec:\42882.exe95⤵PID:4304
-
\??\c:\044488.exec:\044488.exe96⤵PID:3768
-
\??\c:\8464226.exec:\8464226.exe97⤵PID:3068
-
\??\c:\o226004.exec:\o226004.exe98⤵PID:4912
-
\??\c:\a6226.exec:\a6226.exe99⤵PID:1712
-
\??\c:\228260.exec:\228260.exe100⤵PID:3664
-
\??\c:\nhnbtt.exec:\nhnbtt.exe101⤵PID:4572
-
\??\c:\608848.exec:\608848.exe102⤵PID:4208
-
\??\c:\888824.exec:\888824.exe103⤵PID:3608
-
\??\c:\pdvpj.exec:\pdvpj.exe104⤵PID:2856
-
\??\c:\3dvvp.exec:\3dvvp.exe105⤵PID:2832
-
\??\c:\xxfxrrl.exec:\xxfxrrl.exe106⤵PID:448
-
\??\c:\nnhhtt.exec:\nnhhtt.exe107⤵PID:1996
-
\??\c:\tbhbhh.exec:\tbhbhh.exe108⤵PID:3976
-
\??\c:\488260.exec:\488260.exe109⤵PID:740
-
\??\c:\0622660.exec:\0622660.exe110⤵PID:4540
-
\??\c:\0666048.exec:\0666048.exe111⤵PID:1948
-
\??\c:\44466.exec:\44466.exe112⤵PID:4796
-
\??\c:\rxxlxrx.exec:\rxxlxrx.exe113⤵
- System Location Discovery: System Language Discovery
PID:1844 -
\??\c:\266604.exec:\266604.exe114⤵PID:4204
-
\??\c:\60040.exec:\60040.exe115⤵PID:412
-
\??\c:\0422626.exec:\0422626.exe116⤵PID:3624
-
\??\c:\jdjdv.exec:\jdjdv.exe117⤵PID:5056
-
\??\c:\5djjv.exec:\5djjv.exe118⤵PID:988
-
\??\c:\fxfllff.exec:\fxfllff.exe119⤵PID:1052
-
\??\c:\2684440.exec:\2684440.exe120⤵PID:1224
-
\??\c:\9flxrlf.exec:\9flxrlf.exe121⤵PID:4252
-
\??\c:\xlxrxxr.exec:\xlxrxxr.exe122⤵PID:4316