Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 18:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe
-
Size
456KB
-
MD5
797ccb05a37c20b190b39708b77b904b
-
SHA1
c94e55e875df32b7f3a82e3668fb8967cecba7ad
-
SHA256
e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46
-
SHA512
2e14e14dfc1674080f9cdbfe8b5cd2f96801e0598d1fd34d26486d1bd808ad4317559c8cf991e5cbb93a69e90f0e341b0123e25eb04ee431a86486b44512fa21
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRT:q7Tc2NYHUrAwfMp3CDRT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3508-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3424-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2672-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-754-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-1240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4644-1437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 688 thhbtt.exe 5040 3jdvj.exe 4296 9lrffff.exe 4984 jpjdv.exe 3668 frfxrlx.exe 1924 7jpjp.exe 4056 xlxrllf.exe 816 dvvpj.exe 4576 nnthnh.exe 1128 jjddd.exe 3652 ddvdv.exe 1860 vdjvp.exe 4660 rfffxxr.exe 1152 lffxlrr.exe 1892 3hntnb.exe 752 pjvjd.exe 1292 nhnhhh.exe 4108 1tnnbb.exe 4592 3vpjd.exe 3376 lffxflr.exe 1564 tttnht.exe 4068 jvvvp.exe 2036 pppjp.exe 2540 rxfxrlx.exe 4288 7vddd.exe 2436 dvppd.exe 3424 frfxfxx.exe 3620 fxrxlrl.exe 3840 3bnbhn.exe 3436 xrfxxff.exe 3552 bhnhbh.exe 5088 pdjvd.exe 1540 7rxrlrr.exe 3152 vvdvd.exe 4900 llfxrrr.exe 2168 xrlllll.exe 3884 7bbtnh.exe 2360 vpjpd.exe 3328 fffrffx.exe 3156 bhbtnh.exe 4608 5ddvp.exe 3556 vppvj.exe 1592 lfxrrlf.exe 3200 hnthbb.exe 736 3ddvp.exe 4356 flrlffx.exe 3268 xlllllf.exe 3956 bbtnhn.exe 2704 vppjj.exe 5040 rfxlxxx.exe 5064 7btnbb.exe 3360 bttthh.exe 4072 ppvdv.exe 1944 xlxxllf.exe 1924 hbbbtt.exe 3996 nhnhbb.exe 2028 vpvvp.exe 4816 llxfxrr.exe 1388 tnbbnn.exe 1552 nbbtnh.exe 2816 9ddpj.exe 4968 3jvpv.exe 1792 xxfxrlr.exe 812 tnnhtt.exe -
resource yara_rule behavioral2/memory/3508-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3840-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3268-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1076-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-698-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dvpj.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3508 wrote to memory of 688 3508 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 82 PID 3508 wrote to memory of 688 3508 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 82 PID 3508 wrote to memory of 688 3508 e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe 82 PID 688 wrote to memory of 5040 688 thhbtt.exe 83 PID 688 wrote to memory of 5040 688 thhbtt.exe 83 PID 688 wrote to memory of 5040 688 thhbtt.exe 83 PID 5040 wrote to memory of 4296 5040 3jdvj.exe 84 PID 5040 wrote to memory of 4296 5040 3jdvj.exe 84 PID 5040 wrote to memory of 4296 5040 3jdvj.exe 84 PID 4296 wrote to memory of 4984 4296 9lrffff.exe 85 PID 4296 wrote to memory of 4984 4296 9lrffff.exe 85 PID 4296 wrote to memory of 4984 4296 9lrffff.exe 85 PID 4984 wrote to memory of 3668 4984 jpjdv.exe 86 PID 4984 wrote to memory of 3668 4984 jpjdv.exe 86 PID 4984 wrote to memory of 3668 4984 jpjdv.exe 86 PID 3668 wrote to memory of 1924 3668 frfxrlx.exe 87 PID 3668 wrote to memory of 1924 3668 frfxrlx.exe 87 PID 3668 wrote to memory of 1924 3668 frfxrlx.exe 87 PID 1924 wrote to memory of 4056 1924 7jpjp.exe 88 PID 1924 wrote to memory of 4056 1924 7jpjp.exe 88 PID 1924 wrote to memory of 4056 1924 7jpjp.exe 88 PID 4056 wrote to memory of 816 4056 xlxrllf.exe 89 PID 4056 wrote to memory of 816 4056 xlxrllf.exe 89 PID 4056 wrote to memory of 816 4056 xlxrllf.exe 89 PID 816 wrote to memory of 4576 816 dvvpj.exe 90 PID 816 wrote to memory of 4576 816 dvvpj.exe 90 PID 816 wrote to memory of 4576 816 dvvpj.exe 90 PID 4576 wrote to memory of 1128 4576 nnthnh.exe 91 PID 4576 wrote to memory of 1128 4576 nnthnh.exe 91 PID 4576 wrote to memory of 1128 4576 nnthnh.exe 91 PID 1128 wrote to memory of 3652 1128 jjddd.exe 92 PID 1128 wrote to memory of 3652 1128 jjddd.exe 92 PID 1128 wrote to memory of 3652 1128 jjddd.exe 92 PID 3652 wrote to memory of 1860 3652 ddvdv.exe 93 PID 3652 wrote to memory of 1860 3652 
ddvdv.exe 93 PID 3652 wrote to memory of 1860 3652 ddvdv.exe 93 PID 1860 wrote to memory of 4660 1860 vdjvp.exe 94 PID 1860 wrote to memory of 4660 1860 vdjvp.exe 94 PID 1860 wrote to memory of 4660 1860 vdjvp.exe 94 PID 4660 wrote to memory of 1152 4660 rfffxxr.exe 95 PID 4660 wrote to memory of 1152 4660 rfffxxr.exe 95 PID 4660 wrote to memory of 1152 4660 rfffxxr.exe 95 PID 1152 wrote to memory of 1892 1152 lffxlrr.exe 96 PID 1152 wrote to memory of 1892 1152 lffxlrr.exe 96 PID 1152 wrote to memory of 1892 1152 lffxlrr.exe 96 PID 1892 wrote to memory of 752 1892 3hntnb.exe 97 PID 1892 wrote to memory of 752 1892 3hntnb.exe 97 PID 1892 wrote to memory of 752 1892 3hntnb.exe 97 PID 752 wrote to memory of 1292 752 pjvjd.exe 98 PID 752 wrote to memory of 1292 752 pjvjd.exe 98 PID 752 wrote to memory of 1292 752 pjvjd.exe 98 PID 1292 wrote to memory of 4108 1292 nhnhhh.exe 99 PID 1292 wrote to memory of 4108 1292 nhnhhh.exe 99 PID 1292 wrote to memory of 4108 1292 nhnhhh.exe 99 PID 4108 wrote to memory of 4592 4108 1tnnbb.exe 100 PID 4108 wrote to memory of 4592 4108 1tnnbb.exe 100 PID 4108 wrote to memory of 4592 4108 1tnnbb.exe 100 PID 4592 wrote to memory of 3376 4592 3vpjd.exe 101 PID 4592 wrote to memory of 3376 4592 3vpjd.exe 101 PID 4592 wrote to memory of 3376 4592 3vpjd.exe 101 PID 3376 wrote to memory of 1564 3376 lffxflr.exe 102 PID 3376 wrote to memory of 1564 3376 lffxflr.exe 102 PID 3376 wrote to memory of 1564 3376 lffxflr.exe 102 PID 1564 wrote to memory of 4068 1564 tttnht.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe"C:\Users\Admin\AppData\Local\Temp\e0a0e747be20e2bc32d7b078c72199d5b884672d3abaa91746b08aa7bf418b46.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3508 -
\??\c:\thhbtt.exec:\thhbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\3jdvj.exec:\3jdvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\9lrffff.exec:\9lrffff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\jpjdv.exec:\jpjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\frfxrlx.exec:\frfxrlx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\7jpjp.exec:\7jpjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\xlxrllf.exec:\xlxrllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056 -
\??\c:\dvvpj.exec:\dvvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\nnthnh.exec:\nnthnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\jjddd.exec:\jjddd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1128 -
\??\c:\ddvdv.exec:\ddvdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\vdjvp.exec:\vdjvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\rfffxxr.exec:\rfffxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\lffxlrr.exec:\lffxlrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152 -
\??\c:\3hntnb.exec:\3hntnb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\pjvjd.exec:\pjvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\nhnhhh.exec:\nhnhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\1tnnbb.exec:\1tnnbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\3vpjd.exec:\3vpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\lffxflr.exec:\lffxflr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\tttnht.exec:\tttnht.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564 -
\??\c:\jvvvp.exec:\jvvvp.exe23⤵
- Executes dropped EXE
PID:4068 -
\??\c:\pppjp.exec:\pppjp.exe24⤵
- Executes dropped EXE
PID:2036 -
\??\c:\rxfxrlx.exec:\rxfxrlx.exe25⤵
- Executes dropped EXE
PID:2540 -
\??\c:\7vddd.exec:\7vddd.exe26⤵
- Executes dropped EXE
PID:4288 -
\??\c:\dvppd.exec:\dvppd.exe27⤵
- Executes dropped EXE
PID:2436 -
\??\c:\frfxfxx.exec:\frfxfxx.exe28⤵
- Executes dropped EXE
PID:3424 -
\??\c:\fxrxlrl.exec:\fxrxlrl.exe29⤵
- Executes dropped EXE
PID:3620 -
\??\c:\3bnbhn.exec:\3bnbhn.exe30⤵
- Executes dropped EXE
PID:3840 -
\??\c:\xrfxxff.exec:\xrfxxff.exe31⤵
- Executes dropped EXE
PID:3436 -
\??\c:\bhnhbh.exec:\bhnhbh.exe32⤵
- Executes dropped EXE
PID:3552 -
\??\c:\pdjvd.exec:\pdjvd.exe33⤵
- Executes dropped EXE
PID:5088 -
\??\c:\7rxrlrr.exec:\7rxrlrr.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\vvdvd.exec:\vvdvd.exe35⤵
- Executes dropped EXE
PID:3152 -
\??\c:\llfxrrr.exec:\llfxrrr.exe36⤵
- Executes dropped EXE
PID:4900 -
\??\c:\xrlllll.exec:\xrlllll.exe37⤵
- Executes dropped EXE
PID:2168 -
\??\c:\7bbtnh.exec:\7bbtnh.exe38⤵
- Executes dropped EXE
PID:3884 -
\??\c:\vpjpd.exec:\vpjpd.exe39⤵
- Executes dropped EXE
PID:2360 -
\??\c:\fffrffx.exec:\fffrffx.exe40⤵
- Executes dropped EXE
PID:3328 -
\??\c:\bhbtnh.exec:\bhbtnh.exe41⤵
- Executes dropped EXE
PID:3156 -
\??\c:\5ddvp.exec:\5ddvp.exe42⤵
- Executes dropped EXE
PID:4608 -
\??\c:\vppvj.exec:\vppvj.exe43⤵
- Executes dropped EXE
PID:3556 -
\??\c:\lfxrrlf.exec:\lfxrrlf.exe44⤵
- Executes dropped EXE
PID:1592 -
\??\c:\hnthbb.exec:\hnthbb.exe45⤵
- Executes dropped EXE
PID:3200 -
\??\c:\3ddvp.exec:\3ddvp.exe46⤵
- Executes dropped EXE
PID:736 -
\??\c:\flrlffx.exec:\flrlffx.exe47⤵
- Executes dropped EXE
PID:4356 -
\??\c:\xlllllf.exec:\xlllllf.exe48⤵
- Executes dropped EXE
PID:3268 -
\??\c:\bbtnhn.exec:\bbtnhn.exe49⤵
- Executes dropped EXE
PID:3956 -
\??\c:\vppjj.exec:\vppjj.exe50⤵
- Executes dropped EXE
PID:2704 -
\??\c:\rfxlxxx.exec:\rfxlxxx.exe51⤵
- Executes dropped EXE
PID:5040 -
\??\c:\7btnbb.exec:\7btnbb.exe52⤵
- Executes dropped EXE
PID:5064 -
\??\c:\bttthh.exec:\bttthh.exe53⤵
- Executes dropped EXE
PID:3360 -
\??\c:\ppvdv.exec:\ppvdv.exe54⤵
- Executes dropped EXE
PID:4072 -
\??\c:\xlxxllf.exec:\xlxxllf.exe55⤵
- Executes dropped EXE
PID:1944 -
\??\c:\hbbbtt.exec:\hbbbtt.exe56⤵
- Executes dropped EXE
PID:1924 -
\??\c:\nhnhbb.exec:\nhnhbb.exe57⤵
- Executes dropped EXE
PID:3996 -
\??\c:\vpvvp.exec:\vpvvp.exe58⤵
- Executes dropped EXE
PID:2028 -
\??\c:\llxfxrr.exec:\llxfxrr.exe59⤵
- Executes dropped EXE
PID:4816 -
\??\c:\tnbbnn.exec:\tnbbnn.exe60⤵
- Executes dropped EXE
PID:1388 -
\??\c:\nbbtnh.exec:\nbbtnh.exe61⤵
- Executes dropped EXE
PID:1552 -
\??\c:\9ddpj.exec:\9ddpj.exe62⤵
- Executes dropped EXE
PID:2816 -
\??\c:\3jvpv.exec:\3jvpv.exe63⤵
- Executes dropped EXE
PID:4968 -
\??\c:\xxfxrlr.exec:\xxfxrlr.exe64⤵
- Executes dropped EXE
PID:1792 -
\??\c:\tnnhtt.exec:\tnnhtt.exe65⤵
- Executes dropped EXE
PID:812 -
\??\c:\dvdvj.exec:\dvdvj.exe66⤵PID:2860
-
\??\c:\pjjdv.exec:\pjjdv.exe67⤵PID:1636
-
\??\c:\3fxrllf.exec:\3fxrllf.exe68⤵PID:2156
-
\??\c:\nntnhh.exec:\nntnhh.exe69⤵PID:3476
-
\??\c:\ddjjp.exec:\ddjjp.exe70⤵PID:3336
-
\??\c:\frxrfrl.exec:\frxrfrl.exe71⤵PID:228
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe72⤵PID:232
-
\??\c:\7hnntn.exec:\7hnntn.exe73⤵PID:4852
-
\??\c:\vdddp.exec:\vdddp.exe74⤵PID:2912
-
\??\c:\1vdvd.exec:\1vdvd.exe75⤵PID:3532
-
\??\c:\1nhhbh.exec:\1nhhbh.exe76⤵PID:4068
-
\??\c:\nntnhb.exec:\nntnhb.exe77⤵PID:2732
-
\??\c:\djjjd.exec:\djjjd.exe78⤵PID:1300
-
\??\c:\xlrlffx.exec:\xlrlffx.exe79⤵PID:1816
-
\??\c:\htbtnn.exec:\htbtnn.exe80⤵PID:4596
-
\??\c:\hbbhtn.exec:\hbbhtn.exe81⤵PID:3068
-
\??\c:\jdddp.exec:\jdddp.exe82⤵PID:4936
-
\??\c:\fffxrrf.exec:\fffxrrf.exe83⤵
- System Location Discovery: System Language Discovery
PID:1472 -
\??\c:\ffrfxxr.exec:\ffrfxxr.exe84⤵PID:1252
-
\??\c:\9bbbnn.exec:\9bbbnn.exe85⤵PID:3024
-
\??\c:\jjpjj.exec:\jjpjj.exe86⤵PID:2012
-
\??\c:\9dvpv.exec:\9dvpv.exe87⤵PID:2952
-
\??\c:\lflxrrl.exec:\lflxrrl.exe88⤵PID:2852
-
\??\c:\btbttt.exec:\btbttt.exe89⤵PID:2812
-
\??\c:\9vdvp.exec:\9vdvp.exe90⤵PID:3976
-
\??\c:\dvjdp.exec:\dvjdp.exe91⤵PID:1380
-
\??\c:\lxfxlff.exec:\lxfxlff.exe92⤵PID:4416
-
\??\c:\nhnbtn.exec:\nhnbtn.exe93⤵PID:2672
-
\??\c:\tnnhtt.exec:\tnnhtt.exe94⤵PID:4468
-
\??\c:\5pvpd.exec:\5pvpd.exe95⤵PID:1076
-
\??\c:\7rrlxrl.exec:\7rrlxrl.exe96⤵PID:4428
-
\??\c:\hhhbtn.exec:\hhhbtn.exe97⤵PID:4808
-
\??\c:\jjppj.exec:\jjppj.exe98⤵PID:968
-
\??\c:\vvppv.exec:\vvppv.exe99⤵
- System Location Discovery: System Language Discovery
PID:4944 -
\??\c:\lffxxxr.exec:\lffxxxr.exe100⤵PID:4784
-
\??\c:\9bttnn.exec:\9bttnn.exe101⤵PID:2712
-
\??\c:\vjjdp.exec:\vjjdp.exe102⤵PID:4252
-
\??\c:\pddvp.exec:\pddvp.exe103⤵PID:3768
-
\??\c:\rflfxrl.exec:\rflfxrl.exe104⤵PID:4480
-
\??\c:\1bhbhb.exec:\1bhbhb.exe105⤵PID:1760
-
\??\c:\1ppjv.exec:\1ppjv.exe106⤵PID:212
-
\??\c:\xlrfrrl.exec:\xlrfrrl.exe107⤵PID:2396
-
\??\c:\fllffxx.exec:\fllffxx.exe108⤵PID:208
-
\??\c:\7ntnhh.exec:\7ntnhh.exe109⤵PID:1012
-
\??\c:\vjpdv.exec:\vjpdv.exe110⤵PID:4984
-
\??\c:\lfrlfff.exec:\lfrlfff.exe111⤵PID:5096
-
\??\c:\3tnnhb.exec:\3tnnhb.exe112⤵PID:3360
-
\??\c:\hhtnhb.exec:\hhtnhb.exe113⤵PID:1420
-
\??\c:\5ppjv.exec:\5ppjv.exe114⤵PID:1944
-
\??\c:\fflfxrl.exec:\fflfxrl.exe115⤵PID:1924
-
\??\c:\lrxxrrl.exec:\lrxxrrl.exe116⤵PID:3996
-
\??\c:\1htnbb.exec:\1htnbb.exe117⤵PID:3856
-
\??\c:\vdjdd.exec:\vdjdd.exe118⤵PID:4292
-
\??\c:\lfrrflr.exec:\lfrrflr.exe119⤵PID:2380
-
\??\c:\3xfxxxr.exec:\3xfxxxr.exe120⤵PID:1128
-
\??\c:\thhbtn.exec:\thhbtn.exe121⤵PID:1684
-
\??\c:\hnbhbb.exec:\hnbhbb.exe122⤵PID:2080