Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe
-
Size
454KB
-
MD5
4b53e0855029216735975fdd3800c7f7
-
SHA1
333ed94a86789ef97220a5663c2fa798fafa7001
-
SHA256
4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7
-
SHA512
def9518627bd69ebacd9caaba5a5d0eea1d302e3d627beeaa9cc77bad20bd787d8a724a3fb52011840a35fd8484fbfd418be1fb44ac35041a2512b9d8ca90253
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTT:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4436-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2600-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2656-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-1831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1528 tnnnhh.exe 64 nnnhtn.exe 824 htbnhh.exe 864 pjjvp.exe 4512 xxllrrl.exe 4024 dppjv.exe 1144 rxfxflr.exe 2444 llxrffr.exe 2316 lrxxlfr.exe 4636 pppdv.exe 3660 thtnhh.exe 208 jvvpd.exe 4920 bttnhh.exe 224 9ppjj.exe 3320 xflrffl.exe 4268 llxxllf.exe 4300 hbbbbh.exe 4468 dvpdv.exe 3744 vppjp.exe 3704 frxxrll.exe 3928 ntbbbb.exe 4620 bhttnn.exe 2708 9vddd.exe 828 bhnhhh.exe 4428 tnhbbt.exe 4756 xfrlffx.exe 2456 xfrrrxx.exe 2600 nnbtbb.exe 2452 xrllrxx.exe 5020 jvdpj.exe 4992 tntnnt.exe 4732 1jppj.exe 1748 jpddv.exe 892 lfllllr.exe 1324 nbtbbb.exe 3876 3djjp.exe 1988 vpvpj.exe 1140 lrlxrxr.exe 2128 nhtntt.exe 1672 djppp.exe 5024 xlxrlll.exe 960 bthhhb.exe 4700 nhnhbb.exe 1644 jjppj.exe 3024 rlrllxr.exe 4180 1rrrfrf.exe 4308 tbnntt.exe 460 vvjjd.exe 4008 fffxrxx.exe 2172 9bbbbh.exe 2076 tnbbtb.exe 2240 dpvpj.exe 3468 rlrlflf.exe 3908 thbtnh.exe 1320 7tbbbb.exe 2516 jdpjd.exe 3560 3flfxxx.exe 3464 nhttnn.exe 1716 djvvv.exe 532 ppvjv.exe 4512 lrlflrf.exe 2056 bthhhh.exe 3228 tbhbnt.exe 4676 jdpvv.exe -
resource yara_rule behavioral2/memory/4436-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2600-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2432-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-635-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nnhbt.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xlfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fllrxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4436 wrote to memory of 1528 4436 4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe 82 PID 4436 wrote to memory of 1528 4436 4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe 82 PID 4436 wrote to memory of 1528 4436 4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe 82 PID 1528 wrote to memory of 64 1528 tnnnhh.exe 83 PID 1528 wrote to memory of 64 1528 tnnnhh.exe 83 PID 1528 wrote to memory of 64 1528 tnnnhh.exe 83 PID 64 wrote to memory of 824 64 nnnhtn.exe 84 PID 64 wrote to memory of 824 64 nnnhtn.exe 84 PID 64 wrote to memory of 824 64 nnnhtn.exe 84 PID 824 wrote to memory of 864 824 htbnhh.exe 85 PID 824 wrote to memory of 864 824 htbnhh.exe 85 PID 824 wrote to memory of 864 824 htbnhh.exe 85 PID 864 wrote to memory of 4512 864 pjjvp.exe 86 PID 864 wrote to memory of 4512 864 pjjvp.exe 86 PID 864 wrote to memory of 4512 864 pjjvp.exe 86 PID 4512 wrote to memory of 4024 4512 xxllrrl.exe 87 PID 4512 wrote to memory of 4024 4512 xxllrrl.exe 87 PID 4512 wrote to memory of 4024 4512 xxllrrl.exe 87 PID 4024 wrote to memory of 1144 4024 dppjv.exe 88 PID 4024 wrote to memory of 1144 4024 dppjv.exe 88 PID 4024 wrote to memory of 1144 4024 dppjv.exe 88 PID 1144 wrote to memory of 2444 1144 rxfxflr.exe 89 PID 1144 wrote to memory of 2444 1144 rxfxflr.exe 89 PID 1144 wrote to memory of 2444 1144 rxfxflr.exe 89 PID 2444 wrote to memory of 2316 2444 llxrffr.exe 90 PID 2444 wrote to memory of 2316 2444 llxrffr.exe 90 PID 2444 wrote to memory of 2316 2444 llxrffr.exe 90 PID 2316 wrote to memory of 4636 2316 lrxxlfr.exe 91 PID 2316 wrote to memory of 4636 2316 lrxxlfr.exe 91 PID 2316 wrote to memory of 4636 2316 lrxxlfr.exe 91 PID 4636 wrote to memory of 3660 4636 pppdv.exe 92 PID 4636 wrote to memory of 3660 4636 pppdv.exe 92 PID 4636 wrote to memory of 3660 4636 pppdv.exe 92 PID 3660 wrote to memory of 208 3660 thtnhh.exe 93 PID 3660 wrote to memory of 208 3660 thtnhh.exe 93 
PID 3660 wrote to memory of 208 3660 thtnhh.exe 93 PID 208 wrote to memory of 4920 208 jvvpd.exe 94 PID 208 wrote to memory of 4920 208 jvvpd.exe 94 PID 208 wrote to memory of 4920 208 jvvpd.exe 94 PID 4920 wrote to memory of 224 4920 bttnhh.exe 95 PID 4920 wrote to memory of 224 4920 bttnhh.exe 95 PID 4920 wrote to memory of 224 4920 bttnhh.exe 95 PID 224 wrote to memory of 3320 224 9ppjj.exe 96 PID 224 wrote to memory of 3320 224 9ppjj.exe 96 PID 224 wrote to memory of 3320 224 9ppjj.exe 96 PID 3320 wrote to memory of 4268 3320 xflrffl.exe 97 PID 3320 wrote to memory of 4268 3320 xflrffl.exe 97 PID 3320 wrote to memory of 4268 3320 xflrffl.exe 97 PID 4268 wrote to memory of 4300 4268 llxxllf.exe 98 PID 4268 wrote to memory of 4300 4268 llxxllf.exe 98 PID 4268 wrote to memory of 4300 4268 llxxllf.exe 98 PID 4300 wrote to memory of 4468 4300 hbbbbh.exe 99 PID 4300 wrote to memory of 4468 4300 hbbbbh.exe 99 PID 4300 wrote to memory of 4468 4300 hbbbbh.exe 99 PID 4468 wrote to memory of 3744 4468 dvpdv.exe 100 PID 4468 wrote to memory of 3744 4468 dvpdv.exe 100 PID 4468 wrote to memory of 3744 4468 dvpdv.exe 100 PID 3744 wrote to memory of 3704 3744 vppjp.exe 101 PID 3744 wrote to memory of 3704 3744 vppjp.exe 101 PID 3744 wrote to memory of 3704 3744 vppjp.exe 101 PID 3704 wrote to memory of 3928 3704 frxxrll.exe 102 PID 3704 wrote to memory of 3928 3704 frxxrll.exe 102 PID 3704 wrote to memory of 3928 3704 frxxrll.exe 102 PID 3928 wrote to memory of 4620 3928 ntbbbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe"C:\Users\Admin\AppData\Local\Temp\4b6277b564dcbf284b4a50fdce6460fb0658f7891f09a1ef5c5b46887a269fb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\tnnnhh.exec:\tnnnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\nnnhtn.exec:\nnnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\htbnhh.exec:\htbnhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
\??\c:\pjjvp.exec:\pjjvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:864 -
\??\c:\xxllrrl.exec:\xxllrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\dppjv.exec:\dppjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\rxfxflr.exec:\rxfxflr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\llxrffr.exec:\llxrffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\lrxxlfr.exec:\lrxxlfr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\pppdv.exec:\pppdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\thtnhh.exec:\thtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\jvvpd.exec:\jvvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\bttnhh.exec:\bttnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920 -
\??\c:\9ppjj.exec:\9ppjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\xflrffl.exec:\xflrffl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\llxxllf.exec:\llxxllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\hbbbbh.exec:\hbbbbh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\dvpdv.exec:\dvpdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\vppjp.exec:\vppjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\frxxrll.exec:\frxxrll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\ntbbbb.exec:\ntbbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\bhttnn.exec:\bhttnn.exe23⤵
- Executes dropped EXE
PID:4620 -
\??\c:\9vddd.exec:\9vddd.exe24⤵
- Executes dropped EXE
PID:2708 -
\??\c:\bhnhhh.exec:\bhnhhh.exe25⤵
- Executes dropped EXE
PID:828 -
\??\c:\tnhbbt.exec:\tnhbbt.exe26⤵
- Executes dropped EXE
PID:4428 -
\??\c:\xfrlffx.exec:\xfrlffx.exe27⤵
- Executes dropped EXE
PID:4756 -
\??\c:\xfrrrxx.exec:\xfrrrxx.exe28⤵
- Executes dropped EXE
PID:2456 -
\??\c:\nnbtbb.exec:\nnbtbb.exe29⤵
- Executes dropped EXE
PID:2600 -
\??\c:\xrllrxx.exec:\xrllrxx.exe30⤵
- Executes dropped EXE
PID:2452 -
\??\c:\jvdpj.exec:\jvdpj.exe31⤵
- Executes dropped EXE
PID:5020 -
\??\c:\tntnnt.exec:\tntnnt.exe32⤵
- Executes dropped EXE
PID:4992 -
\??\c:\1jppj.exec:\1jppj.exe33⤵
- Executes dropped EXE
PID:4732 -
\??\c:\jpddv.exec:\jpddv.exe34⤵
- Executes dropped EXE
PID:1748 -
\??\c:\lfllllr.exec:\lfllllr.exe35⤵
- Executes dropped EXE
PID:892 -
\??\c:\nbtbbb.exec:\nbtbbb.exe36⤵
- Executes dropped EXE
PID:1324 -
\??\c:\3djjp.exec:\3djjp.exe37⤵
- Executes dropped EXE
PID:3876 -
\??\c:\vpvpj.exec:\vpvpj.exe38⤵
- Executes dropped EXE
PID:1988 -
\??\c:\lrlxrxr.exec:\lrlxrxr.exe39⤵
- Executes dropped EXE
PID:1140 -
\??\c:\nhtntt.exec:\nhtntt.exe40⤵
- Executes dropped EXE
PID:2128 -
\??\c:\djppp.exec:\djppp.exe41⤵
- Executes dropped EXE
PID:1672 -
\??\c:\xlxrlll.exec:\xlxrlll.exe42⤵
- Executes dropped EXE
PID:5024 -
\??\c:\bthhhb.exec:\bthhhb.exe43⤵
- Executes dropped EXE
PID:960 -
\??\c:\nhnhbb.exec:\nhnhbb.exe44⤵
- Executes dropped EXE
PID:4700 -
\??\c:\jjppj.exec:\jjppj.exe45⤵
- Executes dropped EXE
PID:1644 -
\??\c:\rlrllxr.exec:\rlrllxr.exe46⤵
- Executes dropped EXE
PID:3024 -
\??\c:\1rrrfrf.exec:\1rrrfrf.exe47⤵
- Executes dropped EXE
PID:4180 -
\??\c:\tbnntt.exec:\tbnntt.exe48⤵
- Executes dropped EXE
PID:4308 -
\??\c:\vvjjd.exec:\vvjjd.exe49⤵
- Executes dropped EXE
PID:460 -
\??\c:\fffxrxx.exec:\fffxrxx.exe50⤵
- Executes dropped EXE
PID:4008 -
\??\c:\9bbbbh.exec:\9bbbbh.exe51⤵
- Executes dropped EXE
PID:2172 -
\??\c:\tnbbtb.exec:\tnbbtb.exe52⤵
- Executes dropped EXE
PID:2076 -
\??\c:\dpvpj.exec:\dpvpj.exe53⤵
- Executes dropped EXE
PID:2240 -
\??\c:\rlrlflf.exec:\rlrlflf.exe54⤵
- Executes dropped EXE
PID:3468 -
\??\c:\thbtnh.exec:\thbtnh.exe55⤵
- Executes dropped EXE
PID:3908 -
\??\c:\7tbbbb.exec:\7tbbbb.exe56⤵
- Executes dropped EXE
PID:1320 -
\??\c:\jdpjd.exec:\jdpjd.exe57⤵
- Executes dropped EXE
PID:2516 -
\??\c:\3flfxxx.exec:\3flfxxx.exe58⤵
- Executes dropped EXE
PID:3560 -
\??\c:\nhttnn.exec:\nhttnn.exe59⤵
- Executes dropped EXE
PID:3464 -
\??\c:\djvvv.exec:\djvvv.exe60⤵
- Executes dropped EXE
PID:1716 -
\??\c:\ppvjv.exec:\ppvjv.exe61⤵
- Executes dropped EXE
PID:532 -
\??\c:\lrlflrf.exec:\lrlflrf.exe62⤵
- Executes dropped EXE
PID:4512 -
\??\c:\bthhhh.exec:\bthhhh.exe63⤵
- Executes dropped EXE
PID:2056 -
\??\c:\tbhbnt.exec:\tbhbnt.exe64⤵
- Executes dropped EXE
PID:3228 -
\??\c:\jdpvv.exec:\jdpvv.exe65⤵
- Executes dropped EXE
PID:4676 -
\??\c:\llxxllx.exec:\llxxllx.exe66⤵PID:3400
-
\??\c:\frffxff.exec:\frffxff.exe67⤵PID:1532
-
\??\c:\hbhbth.exec:\hbhbth.exe68⤵PID:3940
-
\??\c:\5ppjd.exec:\5ppjd.exe69⤵PID:3932
-
\??\c:\hhhbbb.exec:\hhhbbb.exe70⤵PID:2628
-
\??\c:\htnhtt.exec:\htnhtt.exe71⤵PID:680
-
\??\c:\pjpjv.exec:\pjpjv.exe72⤵PID:2416
-
\??\c:\llxrxxr.exec:\llxrxxr.exe73⤵PID:1944
-
\??\c:\nnbbtb.exec:\nnbbtb.exe74⤵PID:1984
-
\??\c:\vpdvv.exec:\vpdvv.exe75⤵PID:1720
-
\??\c:\fxllffx.exec:\fxllffx.exe76⤵PID:2816
-
\??\c:\rfxxrrl.exec:\rfxxrrl.exe77⤵PID:2656
-
\??\c:\bbtbhn.exec:\bbtbhn.exe78⤵PID:4884
-
\??\c:\jdpdd.exec:\jdpdd.exe79⤵PID:3204
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe80⤵PID:2432
-
\??\c:\bhttnn.exec:\bhttnn.exe81⤵PID:1408
-
\??\c:\bbtbtb.exec:\bbtbtb.exe82⤵PID:1128
-
\??\c:\pjvpd.exec:\pjvpd.exe83⤵PID:1596
-
\??\c:\7lllfff.exec:\7lllfff.exe84⤵PID:968
-
\??\c:\nhbbhh.exec:\nhbbhh.exe85⤵PID:1648
-
\??\c:\hhhbhh.exec:\hhhbhh.exe86⤵PID:4972
-
\??\c:\jjppv.exec:\jjppv.exe87⤵PID:4628
-
\??\c:\frxxrrl.exec:\frxxrrl.exe88⤵PID:3632
-
\??\c:\lllffff.exec:\lllffff.exe89⤵PID:1344
-
\??\c:\nhnhtt.exec:\nhnhtt.exe90⤵PID:2496
-
\??\c:\3djjd.exec:\3djjd.exe91⤵PID:4896
-
\??\c:\lfrrrxf.exec:\lfrrrxf.exe92⤵PID:4480
-
\??\c:\ffffrxl.exec:\ffffrxl.exe93⤵PID:2828
-
\??\c:\tnttnn.exec:\tnttnn.exe94⤵PID:3356
-
\??\c:\vpddv.exec:\vpddv.exe95⤵PID:1816
-
\??\c:\9frrlfl.exec:\9frrlfl.exe96⤵PID:4988
-
\??\c:\ffrxrfx.exec:\ffrxrfx.exe97⤵PID:2300
-
\??\c:\nbbttt.exec:\nbbttt.exe98⤵PID:3056
-
\??\c:\ppvdd.exec:\ppvdd.exe99⤵PID:3380
-
\??\c:\jpvvj.exec:\jpvvj.exe100⤵PID:4352
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe101⤵PID:892
-
\??\c:\9bbttt.exec:\9bbttt.exe102⤵PID:1324
-
\??\c:\3pvvp.exec:\3pvvp.exe103⤵PID:3876
-
\??\c:\jjddd.exec:\jjddd.exe104⤵PID:3436
-
\??\c:\btbbtt.exec:\btbbtt.exe105⤵PID:1140
-
\??\c:\hnttth.exec:\hnttth.exe106⤵PID:3384
-
\??\c:\jpvvp.exec:\jpvvp.exe107⤵PID:1672
-
\??\c:\flrllll.exec:\flrllll.exe108⤵PID:5024
-
\??\c:\ttbbbb.exec:\ttbbbb.exe109⤵PID:1356
-
\??\c:\jjpjv.exec:\jjpjv.exe110⤵PID:2504
-
\??\c:\jdjjv.exec:\jdjjv.exe111⤵PID:4256
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe112⤵PID:2028
-
\??\c:\nbnnnn.exec:\nbnnnn.exe113⤵PID:5064
-
\??\c:\pdpjp.exec:\pdpjp.exe114⤵PID:3580
-
\??\c:\ppvvd.exec:\ppvvd.exe115⤵PID:3152
-
\??\c:\rxxxxfl.exec:\rxxxxfl.exe116⤵PID:1492
-
\??\c:\nhtbtb.exec:\nhtbtb.exe117⤵PID:2172
-
\??\c:\dpddd.exec:\dpddd.exe118⤵PID:3344
-
\??\c:\xrllfll.exec:\xrllfll.exe119⤵PID:4752
-
\??\c:\fffxxxr.exec:\fffxxxr.exe120⤵
- System Location Discovery: System Language Discovery
PID:4748 -
\??\c:\hthbbb.exec:\hthbbb.exe121⤵PID:3908
-
\??\c:\vvjdv.exec:\vvjdv.exe122⤵PID:824