Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 12:04
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe
-
Size
453KB
-
MD5
f4aa05e3d665e90e07ccb953d0548ab2
-
SHA1
95a037523541999335985290daf1cdfc10a00777
-
SHA256
ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc
-
SHA512
76fff6aa6d8c542a3464f1b53e9ac7d19eae0de39aefdb4389fe960344c4214185939074015b1a4427e9ba8a553de5465a5ec396c233cd7537a591514c4de029
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4032-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1164-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2716-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2656-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-1128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-1298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-1490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1496-1620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4924 hnhtth.exe 4156 5vjvj.exe 3648 xxrlxxx.exe 2060 bbbtht.exe 1308 5pddv.exe 2348 pppdv.exe 2216 3ttnbt.exe 4892 5hhbbb.exe 868 xfxrfrl.exe 4624 9tnhtn.exe 3588 3xxlffx.exe 2032 tthtnh.exe 3160 lflfxxl.exe 4248 tthbtt.exe 1280 dpjdd.exe 3900 httthb.exe 2716 dvdvj.exe 748 dpjvd.exe 1672 nhhbhb.exe 3744 3tnbhb.exe 3088 5rllxxx.exe 4888 lxrflfr.exe 1364 dddvp.exe 4644 1flfrlx.exe 4340 vdvdd.exe 1164 thhnbt.exe 2412 vppdj.exe 1528 9vpdv.exe 2852 xflllrx.exe 4428 1btnhb.exe 4848 pjvpj.exe 2592 nttnbt.exe 4364 jvpjd.exe 732 5bbnhh.exe 4052 vjdpd.exe 372 5lfxfxr.exe 2508 xxxxxxf.exe 2968 nttbth.exe 2920 dvvjv.exe 224 jpvjv.exe 1872 lrfxrll.exe 2452 htntbn.exe 5068 dddvp.exe 4160 jdvjj.exe 3996 lrxlxrl.exe 4324 bhtnbt.exe 3504 jpvjv.exe 4636 dddjv.exe 1756 xlrlfxl.exe 3300 bnntbh.exe 3348 dpppj.exe 3416 lxfffff.exe 4424 frfxxll.exe 1308 nhthth.exe 996 pdddv.exe 1796 fflxlxr.exe 2216 ffxlfxf.exe 4748 3nnhbt.exe 2100 vpppd.exe 1604 xxfrfxr.exe 3848 7ffxxxl.exe 3592 bhhbnh.exe 1804 9vpdj.exe 4684 xfrfrlx.exe -
resource yara_rule behavioral2/memory/4032-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2412-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-340-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/876-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2656-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-793-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-806-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnntbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfflxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4032 wrote to memory of 4924 4032 ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe 85 PID 4032 wrote to memory of 4924 4032 ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe 85 PID 4032 wrote to memory of 4924 4032 ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe 85 PID 4924 wrote to memory of 4156 4924 hnhtth.exe 86 PID 4924 wrote to memory of 4156 4924 hnhtth.exe 86 PID 4924 wrote to memory of 4156 4924 hnhtth.exe 86 PID 4156 wrote to memory of 3648 4156 5vjvj.exe 87 PID 4156 wrote to memory of 3648 4156 5vjvj.exe 87 PID 4156 wrote to memory of 3648 4156 5vjvj.exe 87 PID 3648 wrote to memory of 2060 3648 xxrlxxx.exe 88 PID 3648 wrote to memory of 2060 3648 xxrlxxx.exe 88 PID 3648 wrote to memory of 2060 3648 xxrlxxx.exe 88 PID 2060 wrote to memory of 1308 2060 bbbtht.exe 89 PID 2060 wrote to memory of 1308 2060 bbbtht.exe 89 PID 2060 wrote to memory of 1308 2060 bbbtht.exe 89 PID 1308 wrote to memory of 2348 1308 5pddv.exe 90 PID 1308 wrote to memory of 2348 1308 5pddv.exe 90 PID 1308 wrote to memory of 2348 1308 5pddv.exe 90 PID 2348 wrote to memory of 2216 2348 pppdv.exe 91 PID 2348 wrote to memory of 2216 2348 pppdv.exe 91 PID 2348 wrote to memory of 2216 2348 pppdv.exe 91 PID 2216 wrote to memory of 4892 2216 3ttnbt.exe 92 PID 2216 wrote to memory of 4892 2216 3ttnbt.exe 92 PID 2216 wrote to memory of 4892 2216 3ttnbt.exe 92 PID 4892 wrote to memory of 868 4892 5hhbbb.exe 93 PID 4892 wrote to memory of 868 4892 5hhbbb.exe 93 PID 4892 wrote to memory of 868 4892 5hhbbb.exe 93 PID 868 wrote to memory of 4624 868 xfxrfrl.exe 94 PID 868 wrote to memory of 4624 868 xfxrfrl.exe 94 PID 868 wrote to memory of 4624 868 xfxrfrl.exe 94 PID 4624 wrote to memory of 3588 4624 9tnhtn.exe 95 PID 4624 wrote to memory of 3588 4624 9tnhtn.exe 95 PID 4624 wrote to memory of 3588 4624 9tnhtn.exe 95 PID 3588 wrote to memory of 2032 3588 3xxlffx.exe 96 PID 3588 wrote to memory of 
2032 3588 3xxlffx.exe 96 PID 3588 wrote to memory of 2032 3588 3xxlffx.exe 96 PID 2032 wrote to memory of 3160 2032 tthtnh.exe 97 PID 2032 wrote to memory of 3160 2032 tthtnh.exe 97 PID 2032 wrote to memory of 3160 2032 tthtnh.exe 97 PID 3160 wrote to memory of 4248 3160 lflfxxl.exe 98 PID 3160 wrote to memory of 4248 3160 lflfxxl.exe 98 PID 3160 wrote to memory of 4248 3160 lflfxxl.exe 98 PID 4248 wrote to memory of 1280 4248 tthbtt.exe 99 PID 4248 wrote to memory of 1280 4248 tthbtt.exe 99 PID 4248 wrote to memory of 1280 4248 tthbtt.exe 99 PID 1280 wrote to memory of 3900 1280 dpjdd.exe 100 PID 1280 wrote to memory of 3900 1280 dpjdd.exe 100 PID 1280 wrote to memory of 3900 1280 dpjdd.exe 100 PID 3900 wrote to memory of 2716 3900 httthb.exe 101 PID 3900 wrote to memory of 2716 3900 httthb.exe 101 PID 3900 wrote to memory of 2716 3900 httthb.exe 101 PID 2716 wrote to memory of 748 2716 dvdvj.exe 102 PID 2716 wrote to memory of 748 2716 dvdvj.exe 102 PID 2716 wrote to memory of 748 2716 dvdvj.exe 102 PID 748 wrote to memory of 1672 748 dpjvd.exe 103 PID 748 wrote to memory of 1672 748 dpjvd.exe 103 PID 748 wrote to memory of 1672 748 dpjvd.exe 103 PID 1672 wrote to memory of 3744 1672 nhhbhb.exe 104 PID 1672 wrote to memory of 3744 1672 nhhbhb.exe 104 PID 1672 wrote to memory of 3744 1672 nhhbhb.exe 104 PID 3744 wrote to memory of 3088 3744 3tnbhb.exe 105 PID 3744 wrote to memory of 3088 3744 3tnbhb.exe 105 PID 3744 wrote to memory of 3088 3744 3tnbhb.exe 105 PID 3088 wrote to memory of 4888 3088 5rllxxx.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe"C:\Users\Admin\AppData\Local\Temp\ea4f5635b2196ace8fc1f7dec8223c717591eb0854e98cd4c1b5149c6ea92cbc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\hnhtth.exec:\hnhtth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\5vjvj.exec:\5vjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\xxrlxxx.exec:\xxrlxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\bbbtht.exec:\bbbtht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\5pddv.exec:\5pddv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\pppdv.exec:\pppdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\3ttnbt.exec:\3ttnbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2216 -
\??\c:\5hhbbb.exec:\5hhbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\xfxrfrl.exec:\xfxrfrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\9tnhtn.exec:\9tnhtn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\3xxlffx.exec:\3xxlffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\tthtnh.exec:\tthtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\lflfxxl.exec:\lflfxxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\tthbtt.exec:\tthbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\dpjdd.exec:\dpjdd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\httthb.exec:\httthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\dvdvj.exec:\dvdvj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\dpjvd.exec:\dpjvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\nhhbhb.exec:\nhhbhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\3tnbhb.exec:\3tnbhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\5rllxxx.exec:\5rllxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\lxrflfr.exec:\lxrflfr.exe23⤵
- Executes dropped EXE
PID:4888 -
\??\c:\dddvp.exec:\dddvp.exe24⤵
- Executes dropped EXE
PID:1364 -
\??\c:\1flfrlx.exec:\1flfrlx.exe25⤵
- Executes dropped EXE
PID:4644 -
\??\c:\vdvdd.exec:\vdvdd.exe26⤵
- Executes dropped EXE
PID:4340 -
\??\c:\thhnbt.exec:\thhnbt.exe27⤵
- Executes dropped EXE
PID:1164 -
\??\c:\vppdj.exec:\vppdj.exe28⤵
- Executes dropped EXE
PID:2412 -
\??\c:\9vpdv.exec:\9vpdv.exe29⤵
- Executes dropped EXE
PID:1528 -
\??\c:\xflllrx.exec:\xflllrx.exe30⤵
- Executes dropped EXE
PID:2852 -
\??\c:\1btnhb.exec:\1btnhb.exe31⤵
- Executes dropped EXE
PID:4428 -
\??\c:\pjvpj.exec:\pjvpj.exe32⤵
- Executes dropped EXE
PID:4848 -
\??\c:\nttnbt.exec:\nttnbt.exe33⤵
- Executes dropped EXE
PID:2592 -
\??\c:\jvpjd.exec:\jvpjd.exe34⤵
- Executes dropped EXE
PID:4364 -
\??\c:\5bbnhh.exec:\5bbnhh.exe35⤵
- Executes dropped EXE
PID:732 -
\??\c:\vjdpd.exec:\vjdpd.exe36⤵
- Executes dropped EXE
PID:4052 -
\??\c:\5lfxfxr.exec:\5lfxfxr.exe37⤵
- Executes dropped EXE
PID:372 -
\??\c:\xxxxxxf.exec:\xxxxxxf.exe38⤵
- Executes dropped EXE
PID:2508 -
\??\c:\nttbth.exec:\nttbth.exe39⤵
- Executes dropped EXE
PID:2968 -
\??\c:\dvvjv.exec:\dvvjv.exe40⤵
- Executes dropped EXE
PID:2920 -
\??\c:\jpvjv.exec:\jpvjv.exe41⤵
- Executes dropped EXE
PID:224 -
\??\c:\lrfxrll.exec:\lrfxrll.exe42⤵
- Executes dropped EXE
PID:1872 -
\??\c:\htntbn.exec:\htntbn.exe43⤵
- Executes dropped EXE
PID:2452 -
\??\c:\dddvp.exec:\dddvp.exe44⤵
- Executes dropped EXE
PID:5068 -
\??\c:\jdvjj.exec:\jdvjj.exe45⤵
- Executes dropped EXE
PID:4160 -
\??\c:\lrxlxrl.exec:\lrxlxrl.exe46⤵
- Executes dropped EXE
PID:3996 -
\??\c:\bhtnbt.exec:\bhtnbt.exe47⤵
- Executes dropped EXE
PID:4324 -
\??\c:\jpvjv.exec:\jpvjv.exe48⤵
- Executes dropped EXE
PID:3504 -
\??\c:\dddjv.exec:\dddjv.exe49⤵
- Executes dropped EXE
PID:4636 -
\??\c:\xlrlfxl.exec:\xlrlfxl.exe50⤵
- Executes dropped EXE
PID:1756 -
\??\c:\bnntbh.exec:\bnntbh.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3300 -
\??\c:\dpppj.exec:\dpppj.exe52⤵
- Executes dropped EXE
PID:3348 -
\??\c:\lxfffff.exec:\lxfffff.exe53⤵
- Executes dropped EXE
PID:3416 -
\??\c:\frfxxll.exec:\frfxxll.exe54⤵
- Executes dropped EXE
PID:4424 -
\??\c:\nhthth.exec:\nhthth.exe55⤵
- Executes dropped EXE
PID:1308 -
\??\c:\pdddv.exec:\pdddv.exe56⤵
- Executes dropped EXE
PID:996 -
\??\c:\fflxlxr.exec:\fflxlxr.exe57⤵
- Executes dropped EXE
PID:1796 -
\??\c:\ffxlfxf.exec:\ffxlfxf.exe58⤵
- Executes dropped EXE
PID:2216 -
\??\c:\3nnhbt.exec:\3nnhbt.exe59⤵
- Executes dropped EXE
PID:4748 -
\??\c:\vpppd.exec:\vpppd.exe60⤵
- Executes dropped EXE
PID:2100 -
\??\c:\xxfrfxr.exec:\xxfrfxr.exe61⤵
- Executes dropped EXE
PID:1604 -
\??\c:\7ffxxxl.exec:\7ffxxxl.exe62⤵
- Executes dropped EXE
PID:3848 -
\??\c:\bhhbnh.exec:\bhhbnh.exe63⤵
- Executes dropped EXE
PID:3592 -
\??\c:\9vpdj.exec:\9vpdj.exe64⤵
- Executes dropped EXE
PID:1804 -
\??\c:\xfrfrlx.exec:\xfrfrlx.exe65⤵
- Executes dropped EXE
PID:4684 -
\??\c:\lfffxxr.exec:\lfffxxr.exe66⤵PID:4416
-
\??\c:\9hnhtn.exec:\9hnhtn.exe67⤵PID:3840
-
\??\c:\vpdpd.exec:\vpdpd.exe68⤵PID:4272
-
\??\c:\jppdd.exec:\jppdd.exe69⤵PID:60
-
\??\c:\frrrlll.exec:\frrrlll.exe70⤵PID:3136
-
\??\c:\nbbnbt.exec:\nbbnbt.exe71⤵PID:2716
-
\??\c:\3hhhtn.exec:\3hhhtn.exe72⤵PID:1800
-
\??\c:\5pjdp.exec:\5pjdp.exe73⤵PID:1784
-
\??\c:\fxxlxxr.exec:\fxxlxxr.exe74⤵
- System Location Discovery: System Language Discovery
PID:1028 -
\??\c:\xxfxrll.exec:\xxfxrll.exe75⤵PID:4492
-
\??\c:\hbtnbt.exec:\hbtnbt.exe76⤵PID:808
-
\??\c:\jddpd.exec:\jddpd.exe77⤵PID:4432
-
\??\c:\fffrfrf.exec:\fffrfrf.exe78⤵PID:2368
-
\??\c:\llrfxrf.exec:\llrfxrf.exe79⤵PID:3972
-
\??\c:\1tnhtn.exec:\1tnhtn.exe80⤵PID:876
-
\??\c:\jvjjv.exec:\jvjjv.exe81⤵PID:4644
-
\??\c:\lxrflrl.exec:\lxrflrl.exe82⤵PID:3960
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe83⤵PID:4392
-
\??\c:\bbtnbb.exec:\bbtnbb.exe84⤵PID:888
-
\??\c:\1tbnbn.exec:\1tbnbn.exe85⤵PID:4012
-
\??\c:\lfrllfl.exec:\lfrllfl.exe86⤵PID:4572
-
\??\c:\rlrfrlx.exec:\rlrfrlx.exe87⤵PID:1568
-
\??\c:\thnbth.exec:\thnbth.exe88⤵
- System Location Discovery: System Language Discovery
PID:1792 -
\??\c:\9vdvj.exec:\9vdvj.exe89⤵PID:624
-
\??\c:\jvvpp.exec:\jvvpp.exe90⤵PID:2460
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe91⤵PID:5108
-
\??\c:\bttnhh.exec:\bttnhh.exe92⤵PID:4868
-
\??\c:\dpdvj.exec:\dpdvj.exe93⤵PID:3920
-
\??\c:\pjpdp.exec:\pjpdp.exe94⤵PID:444
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe95⤵PID:3144
-
\??\c:\nbhnbb.exec:\nbhnbb.exe96⤵PID:4828
-
\??\c:\dvdpd.exec:\dvdpd.exe97⤵PID:1940
-
\??\c:\jjjvj.exec:\jjjvj.exe98⤵PID:4220
-
\??\c:\rrffllf.exec:\rrffllf.exe99⤵PID:2320
-
\??\c:\htbttt.exec:\htbttt.exe100⤵PID:4180
-
\??\c:\bbbthh.exec:\bbbthh.exe101⤵PID:1872
-
\??\c:\dpvpv.exec:\dpvpv.exe102⤵PID:1844
-
\??\c:\lllfflf.exec:\lllfflf.exe103⤵PID:2464
-
\??\c:\flfrllf.exec:\flfrllf.exe104⤵PID:4328
-
\??\c:\nthbtt.exec:\nthbtt.exe105⤵PID:4568
-
\??\c:\pvdvp.exec:\pvdvp.exe106⤵PID:4324
-
\??\c:\vvpjj.exec:\vvpjj.exe107⤵PID:4216
-
\??\c:\1xlllll.exec:\1xlllll.exe108⤵PID:3520
-
\??\c:\3tbtbt.exec:\3tbtbt.exe109⤵PID:5080
-
\??\c:\dvvpd.exec:\dvvpd.exe110⤵PID:2060
-
\??\c:\xrfxxxr.exec:\xrfxxxr.exe111⤵PID:3660
-
\??\c:\rlrfxrf.exec:\rlrfxrf.exe112⤵PID:3416
-
\??\c:\nhhbtt.exec:\nhhbtt.exe113⤵PID:2392
-
\??\c:\pjdvj.exec:\pjdvj.exe114⤵PID:1308
-
\??\c:\lrrrfrl.exec:\lrrrfrl.exe115⤵PID:996
-
\??\c:\1lrlffx.exec:\1lrlffx.exe116⤵PID:1796
-
\??\c:\3nnhth.exec:\3nnhth.exe117⤵PID:1884
-
\??\c:\jjjjd.exec:\jjjjd.exe118⤵PID:868
-
\??\c:\rxxlfrl.exec:\rxxlfrl.exe119⤵PID:5024
-
\??\c:\9thbbt.exec:\9thbbt.exe120⤵PID:5012
-
\??\c:\nntbnt.exec:\nntbnt.exe121⤵PID:212
-
\??\c:\vpddd.exec:\vpddd.exe122⤵PID:3940