Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 07:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe
-
Size
455KB
-
MD5
1ca2e57352ce2fe08752aef1c385fe90
-
SHA1
d859e8f286e1fedf72435dc5d3c7a31dbb6b8835
-
SHA256
d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356
-
SHA512
06450a42f851b3a0e6510d79e4e0b3682ef267c2edb8a041bfe5a3f08922dc16b6d2964da2489105deef78c61cbd9f4550929e06ca5076c70520a93149d3a4c5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeL:q7Tc2NYHUrAwfMp3CDL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4044-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2556-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3468-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-523-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-956-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-1070-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-1230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-1352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2844-1611-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2452 hbhbhh.exe 4532 jpvpp.exe 2844 hbbtbb.exe 2828 hnnhbb.exe 376 jjjjp.exe 5108 xrxlflf.exe 448 btnhhb.exe 4688 flllffr.exe 3124 jvpjv.exe 1020 vpvpj.exe 4836 5thhbb.exe 3552 vpvvj.exe 3540 hhnhtn.exe 1824 xxlfxrl.exe 1148 bnnhbb.exe 3376 dvdvv.exe 544 xxxllxx.exe 1500 7bttnn.exe 1904 jvdvp.exe 5048 thnhtn.exe 948 hthbnn.exe 3112 rffxlrf.exe 3488 tbtnhb.exe 1516 xrlfrrl.exe 1912 ffllxxx.exe 3988 5bthbt.exe 2556 7ddvv.exe 1368 7rlfrrl.exe 2996 nhhbhh.exe 4060 jpdpd.exe 400 rflfxlf.exe 1084 pvvvp.exe 3504 htbtnh.exe 1676 7pjdv.exe 4276 dppjj.exe 1580 lxrfxrx.exe 3244 fxxlfxr.exe 4180 bntnnn.exe 2324 dvdpv.exe 4648 rrrfrlf.exe 4960 fxrlxxr.exe 1548 3tbnhn.exe 4272 vppjv.exe 4028 fxxxrrl.exe 4044 hntnhn.exe 2288 hhhbbt.exe 2748 jpppj.exe 1372 dddvp.exe 4632 xrfrrfl.exe 1732 bntbnn.exe 3212 jppjv.exe 3680 jppdj.exe 3692 lllfxxf.exe 1996 1llfxxl.exe 764 5hhtnh.exe 3416 vdjdd.exe 4688 lflxxrr.exe 2972 nhhthb.exe 3272 bbbbtt.exe 3820 ppdpj.exe 4040 lfxrxrr.exe 4004 ntnhbn.exe 752 dvdvv.exe 3552 pjpjd.exe -
resource yara_rule behavioral2/memory/4044-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4060-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2824-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-523-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-757-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-788-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-834-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrflfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxlxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhhb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rrfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddp.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4044 wrote to memory of 2452 4044 d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe 84 PID 4044 wrote to memory of 2452 4044 d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe 84 PID 4044 wrote to memory of 2452 4044 d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe 84 PID 2452 wrote to memory of 4532 2452 hbhbhh.exe 85 PID 2452 wrote to memory of 4532 2452 hbhbhh.exe 85 PID 2452 wrote to memory of 4532 2452 hbhbhh.exe 85 PID 4532 wrote to memory of 2844 4532 jpvpp.exe 86 PID 4532 wrote to memory of 2844 4532 jpvpp.exe 86 PID 4532 wrote to memory of 2844 4532 jpvpp.exe 86 PID 2844 wrote to memory of 2828 2844 hbbtbb.exe 87 PID 2844 wrote to memory of 2828 2844 hbbtbb.exe 87 PID 2844 wrote to memory of 2828 2844 hbbtbb.exe 87 PID 2828 wrote to memory of 376 2828 hnnhbb.exe 88 PID 2828 wrote to memory of 376 2828 hnnhbb.exe 88 PID 2828 wrote to memory of 376 2828 hnnhbb.exe 88 PID 376 wrote to memory of 5108 376 jjjjp.exe 89 PID 376 wrote to memory of 5108 376 jjjjp.exe 89 PID 376 wrote to memory of 5108 376 jjjjp.exe 89 PID 5108 wrote to memory of 448 5108 xrxlflf.exe 90 PID 5108 wrote to memory of 448 5108 xrxlflf.exe 90 PID 5108 wrote to memory of 448 5108 xrxlflf.exe 90 PID 448 wrote to memory of 4688 448 btnhhb.exe 91 PID 448 wrote to memory of 4688 448 btnhhb.exe 91 PID 448 wrote to memory of 4688 448 btnhhb.exe 91 PID 4688 wrote to memory of 3124 4688 flllffr.exe 92 PID 4688 wrote to memory of 3124 4688 flllffr.exe 92 PID 4688 wrote to memory of 3124 4688 flllffr.exe 92 PID 3124 wrote to memory of 1020 3124 jvpjv.exe 93 PID 3124 wrote to memory of 1020 3124 jvpjv.exe 93 PID 3124 wrote to memory of 1020 3124 jvpjv.exe 93 PID 1020 wrote to memory of 4836 1020 vpvpj.exe 94 PID 1020 wrote to memory of 4836 1020 vpvpj.exe 94 PID 1020 wrote to memory of 4836 1020 vpvpj.exe 94 PID 4836 wrote to memory of 3552 4836 5thhbb.exe 95 PID 4836 wrote to memory of 3552 4836 
5thhbb.exe 95 PID 4836 wrote to memory of 3552 4836 5thhbb.exe 95 PID 3552 wrote to memory of 3540 3552 vpvvj.exe 96 PID 3552 wrote to memory of 3540 3552 vpvvj.exe 96 PID 3552 wrote to memory of 3540 3552 vpvvj.exe 96 PID 3540 wrote to memory of 1824 3540 hhnhtn.exe 97 PID 3540 wrote to memory of 1824 3540 hhnhtn.exe 97 PID 3540 wrote to memory of 1824 3540 hhnhtn.exe 97 PID 1824 wrote to memory of 1148 1824 xxlfxrl.exe 98 PID 1824 wrote to memory of 1148 1824 xxlfxrl.exe 98 PID 1824 wrote to memory of 1148 1824 xxlfxrl.exe 98 PID 1148 wrote to memory of 3376 1148 bnnhbb.exe 99 PID 1148 wrote to memory of 3376 1148 bnnhbb.exe 99 PID 1148 wrote to memory of 3376 1148 bnnhbb.exe 99 PID 3376 wrote to memory of 544 3376 dvdvv.exe 100 PID 3376 wrote to memory of 544 3376 dvdvv.exe 100 PID 3376 wrote to memory of 544 3376 dvdvv.exe 100 PID 544 wrote to memory of 1500 544 xxxllxx.exe 101 PID 544 wrote to memory of 1500 544 xxxllxx.exe 101 PID 544 wrote to memory of 1500 544 xxxllxx.exe 101 PID 1500 wrote to memory of 1904 1500 7bttnn.exe 102 PID 1500 wrote to memory of 1904 1500 7bttnn.exe 102 PID 1500 wrote to memory of 1904 1500 7bttnn.exe 102 PID 1904 wrote to memory of 5048 1904 jvdvp.exe 103 PID 1904 wrote to memory of 5048 1904 jvdvp.exe 103 PID 1904 wrote to memory of 5048 1904 jvdvp.exe 103 PID 5048 wrote to memory of 948 5048 thnhtn.exe 104 PID 5048 wrote to memory of 948 5048 thnhtn.exe 104 PID 5048 wrote to memory of 948 5048 thnhtn.exe 104 PID 948 wrote to memory of 3112 948 hthbnn.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe"C:\Users\Admin\AppData\Local\Temp\d4a90286412d0844a4b32336020d64da4680ec07e335e67c2e5dcfb8f7c34356N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\hbhbhh.exec:\hbhbhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
\??\c:\jpvpp.exec:\jpvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
\??\c:\hbbtbb.exec:\hbbtbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\hnnhbb.exec:\hnnhbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\jjjjp.exec:\jjjjp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\xrxlflf.exec:\xrxlflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108 -
\??\c:\btnhhb.exec:\btnhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\flllffr.exec:\flllffr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\jvpjv.exec:\jvpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\vpvpj.exec:\vpvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\5thhbb.exec:\5thhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\vpvvj.exec:\vpvvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\hhnhtn.exec:\hhnhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540 -
\??\c:\xxlfxrl.exec:\xxlfxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1824 -
\??\c:\bnnhbb.exec:\bnnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\dvdvv.exec:\dvdvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\xxxllxx.exec:\xxxllxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\7bttnn.exec:\7bttnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\jvdvp.exec:\jvdvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\thnhtn.exec:\thnhtn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\hthbnn.exec:\hthbnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\rffxlrf.exec:\rffxlrf.exe23⤵
- Executes dropped EXE
PID:3112 -
\??\c:\tbtnhb.exec:\tbtnhb.exe24⤵
- Executes dropped EXE
PID:3488 -
\??\c:\xrlfrrl.exec:\xrlfrrl.exe25⤵
- Executes dropped EXE
PID:1516 -
\??\c:\ffllxxx.exec:\ffllxxx.exe26⤵
- Executes dropped EXE
PID:1912 -
\??\c:\5bthbt.exec:\5bthbt.exe27⤵
- Executes dropped EXE
PID:3988 -
\??\c:\7ddvv.exec:\7ddvv.exe28⤵
- Executes dropped EXE
PID:2556 -
\??\c:\7rlfrrl.exec:\7rlfrrl.exe29⤵
- Executes dropped EXE
PID:1368 -
\??\c:\nhhbhh.exec:\nhhbhh.exe30⤵
- Executes dropped EXE
PID:2996 -
\??\c:\jpdpd.exec:\jpdpd.exe31⤵
- Executes dropped EXE
PID:4060 -
\??\c:\rflfxlf.exec:\rflfxlf.exe32⤵
- Executes dropped EXE
PID:400 -
\??\c:\pvvvp.exec:\pvvvp.exe33⤵
- Executes dropped EXE
PID:1084 -
\??\c:\htbtnh.exec:\htbtnh.exe34⤵
- Executes dropped EXE
PID:3504 -
\??\c:\7pjdv.exec:\7pjdv.exe35⤵
- Executes dropped EXE
PID:1676 -
\??\c:\dppjj.exec:\dppjj.exe36⤵
- Executes dropped EXE
PID:4276 -
\??\c:\lxrfxrx.exec:\lxrfxrx.exe37⤵
- Executes dropped EXE
PID:1580 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe38⤵
- Executes dropped EXE
PID:3244 -
\??\c:\bntnnn.exec:\bntnnn.exe39⤵
- Executes dropped EXE
PID:4180 -
\??\c:\dvdpv.exec:\dvdpv.exe40⤵
- Executes dropped EXE
PID:2324 -
\??\c:\rrrfrlf.exec:\rrrfrlf.exe41⤵
- Executes dropped EXE
PID:4648 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe42⤵
- Executes dropped EXE
PID:4960 -
\??\c:\3tbnhn.exec:\3tbnhn.exe43⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vppjv.exec:\vppjv.exe44⤵
- Executes dropped EXE
PID:4272 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe45⤵
- Executes dropped EXE
PID:4028 -
\??\c:\hntnhn.exec:\hntnhn.exe46⤵
- Executes dropped EXE
PID:4044 -
\??\c:\hhhbbt.exec:\hhhbbt.exe47⤵
- Executes dropped EXE
PID:2288 -
\??\c:\jpppj.exec:\jpppj.exe48⤵
- Executes dropped EXE
PID:2748 -
\??\c:\dddvp.exec:\dddvp.exe49⤵
- Executes dropped EXE
PID:1372 -
\??\c:\xrfrrfl.exec:\xrfrrfl.exe50⤵
- Executes dropped EXE
PID:4632 -
\??\c:\bntbnn.exec:\bntbnn.exe51⤵
- Executes dropped EXE
PID:1732 -
\??\c:\jppjv.exec:\jppjv.exe52⤵
- Executes dropped EXE
PID:3212 -
\??\c:\jppdj.exec:\jppdj.exe53⤵
- Executes dropped EXE
PID:3680 -
\??\c:\lllfxxf.exec:\lllfxxf.exe54⤵
- Executes dropped EXE
PID:3692 -
\??\c:\1llfxxl.exec:\1llfxxl.exe55⤵
- Executes dropped EXE
PID:1996 -
\??\c:\5hhtnh.exec:\5hhtnh.exe56⤵
- Executes dropped EXE
PID:764 -
\??\c:\vdjdd.exec:\vdjdd.exe57⤵
- Executes dropped EXE
PID:3416 -
\??\c:\lflxxrr.exec:\lflxxrr.exe58⤵
- Executes dropped EXE
PID:4688 -
\??\c:\nhhthb.exec:\nhhthb.exe59⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bbbbtt.exec:\bbbbtt.exe60⤵
- Executes dropped EXE
PID:3272 -
\??\c:\ppdpj.exec:\ppdpj.exe61⤵
- Executes dropped EXE
PID:3820 -
\??\c:\lfxrxrr.exec:\lfxrxrr.exe62⤵
- Executes dropped EXE
PID:4040 -
\??\c:\ntnhbn.exec:\ntnhbn.exe63⤵
- Executes dropped EXE
PID:4004 -
\??\c:\dvdvv.exec:\dvdvv.exe64⤵
- Executes dropped EXE
PID:752 -
\??\c:\pjpjd.exec:\pjpjd.exe65⤵
- Executes dropped EXE
PID:3552 -
\??\c:\9rrlxxx.exec:\9rrlxxx.exe66⤵PID:4988
-
\??\c:\llfxllx.exec:\llfxllx.exe67⤵PID:1036
-
\??\c:\tnnnnn.exec:\tnnnnn.exe68⤵PID:2784
-
\??\c:\jjjvj.exec:\jjjvj.exe69⤵PID:2384
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe70⤵PID:1148
-
\??\c:\1rfxxxf.exec:\1rfxxxf.exe71⤵PID:4464
-
\??\c:\hnnhhb.exec:\hnnhhb.exe72⤵PID:4760
-
\??\c:\dvpdp.exec:\dvpdp.exe73⤵
- System Location Discovery: System Language Discovery
PID:1992 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe74⤵PID:628
-
\??\c:\frrfxxr.exec:\frrfxxr.exe75⤵PID:4728
-
\??\c:\bhhtnb.exec:\bhhtnb.exe76⤵PID:1668
-
\??\c:\djdpp.exec:\djdpp.exe77⤵PID:3952
-
\??\c:\rffrfxr.exec:\rffrfxr.exe78⤵PID:2492
-
\??\c:\9bbthh.exec:\9bbthh.exe79⤵PID:3980
-
\??\c:\btnhtn.exec:\btnhtn.exe80⤵PID:4940
-
\??\c:\dppdp.exec:\dppdp.exe81⤵PID:3488
-
\??\c:\rffrlfx.exec:\rffrlfx.exe82⤵PID:1552
-
\??\c:\7lllfff.exec:\7lllfff.exe83⤵PID:5080
-
\??\c:\nhbtnn.exec:\nhbtnn.exe84⤵PID:1388
-
\??\c:\vpddp.exec:\vpddp.exe85⤵PID:2068
-
\??\c:\rlxrffr.exec:\rlxrffr.exe86⤵PID:4304
-
\??\c:\hbttnh.exec:\hbttnh.exe87⤵PID:3468
-
\??\c:\dvvjv.exec:\dvvjv.exe88⤵PID:2444
-
\??\c:\flllxrr.exec:\flllxrr.exe89⤵PID:2824
-
\??\c:\hhthhb.exec:\hhthhb.exe90⤵PID:3876
-
\??\c:\3vjvd.exec:\3vjvd.exe91⤵PID:3652
-
\??\c:\dvdvj.exec:\dvdvj.exe92⤵PID:1564
-
\??\c:\lxxrfxx.exec:\lxxrfxx.exe93⤵PID:4160
-
\??\c:\tbbtnh.exec:\tbbtnh.exe94⤵PID:2272
-
\??\c:\bnnbnh.exec:\bnnbnh.exe95⤵PID:3080
-
\??\c:\pjjdp.exec:\pjjdp.exe96⤵PID:1880
-
\??\c:\xffrfxr.exec:\xffrfxr.exe97⤵PID:2568
-
\??\c:\tnnbth.exec:\tnnbth.exe98⤵PID:2380
-
\??\c:\bnthhb.exec:\bnthhb.exe99⤵PID:320
-
\??\c:\pjjdv.exec:\pjjdv.exe100⤵PID:1924
-
\??\c:\lxfrllf.exec:\lxfrllf.exe101⤵PID:3600
-
\??\c:\5hhbbt.exec:\5hhbbt.exe102⤵PID:4648
-
\??\c:\djpjj.exec:\djpjj.exe103⤵PID:4000
-
\??\c:\dvvpd.exec:\dvvpd.exe104⤵PID:2744
-
\??\c:\rfrllll.exec:\rfrllll.exe105⤵PID:2852
-
\??\c:\nbtnhh.exec:\nbtnhh.exe106⤵PID:4028
-
\??\c:\7pjdj.exec:\7pjdj.exe107⤵PID:1684
-
\??\c:\lxrlxxl.exec:\lxrlxxl.exe108⤵PID:2288
-
\??\c:\rrxxrrl.exec:\rrxxrrl.exe109⤵PID:3872
-
\??\c:\hthhbn.exec:\hthhbn.exe110⤵PID:3748
-
\??\c:\jvdvj.exec:\jvdvj.exe111⤵PID:2052
-
\??\c:\9fxrlfx.exec:\9fxrlfx.exe112⤵PID:2608
-
\??\c:\7lfxrlf.exec:\7lfxrlf.exe113⤵PID:2072
-
\??\c:\nhtnbt.exec:\nhtnbt.exe114⤵PID:1620
-
\??\c:\vjjvj.exec:\vjjvj.exe115⤵PID:4900
-
\??\c:\llrflfx.exec:\llrflfx.exe116⤵PID:1996
-
\??\c:\3nbbtt.exec:\3nbbtt.exe117⤵PID:1352
-
\??\c:\hhbtbt.exec:\hhbtbt.exe118⤵PID:1844
-
\??\c:\1jjvj.exec:\1jjvj.exe119⤵PID:4744
-
\??\c:\xxfrxrf.exec:\xxfrxrf.exe120⤵PID:1092
-
\??\c:\fxlllxx.exec:\fxlllxx.exe121⤵PID:228
-
\??\c:\nttnbt.exec:\nttnbt.exe122⤵PID:4340