Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
29/12/2024, 03:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad.exe
-
Size
455KB
-
MD5
e1f5421a7824f8a21213a42eb6906b73
-
SHA1
3d523fbea75e02325fdfab4963f54e85d0d834f1
-
SHA256
b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad
-
SHA512
b2f25feed71382b8ebd53e52083fd8af653debbf925a3d71894f479b192d1a13fff2a4906041e7a7095f0f23434c8246ae00f14985eb7defa95a0711eb075c10
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeJ:q7Tc2NYHUrAwfMp3CDJ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2988-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3228-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2248-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-1058-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-1074-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-1301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-1347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3208-1436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4188 htnbnh.exe 4736 fxrllrl.exe 316 htnbbn.exe 4932 fllfffx.exe 4604 3nnhhb.exe 3980 tbbthh.exe 724 vppjj.exe 3696 fflfxrl.exe 4368 thhhbb.exe 1496 hbbtnh.exe 2632 lxxxllf.exe 3268 htnhhn.exe 4156 xlfxrlx.exe 3120 jppjp.exe 4040 xlrfxrx.exe 1904 tnnnnt.exe 1684 ddjdd.exe 4676 7fxrlrl.exe 2740 bntnhh.exe 1156 xxxrlff.exe 4376 thnbtn.exe 3148 1bhbbt.exe 3752 dvdvv.exe 3236 nttnnt.exe 4956 3fxrlfx.exe 3228 ttthnn.exe 4816 pddpj.exe 1560 vddvv.exe 4716 xffflfx.exe 5064 pjpdv.exe 2568 dvjjd.exe 4004 3lrlxlf.exe 2936 ppdjp.exe 8 3flfrll.exe 2596 thhtnh.exe 4596 bhtnbb.exe 3020 7vpjv.exe 1220 ttbttt.exe 2172 jppjd.exe 2636 rffrffr.exe 4092 nttnnn.exe 776 jdjjp.exe 1568 frxrffx.exe 4432 1lllfff.exe 988 bbnhhh.exe 3948 jdjdp.exe 832 rlfxlfx.exe 4212 fffxrlf.exe 3968 9ppjd.exe 4932 jdjdj.exe 3232 1xrlfxr.exe 4204 tntthh.exe 3540 9vdvd.exe 1612 ffxxrff.exe 2584 nhtntt.exe 3060 jjjdp.exe 4312 7rxlrlr.exe 1340 httthb.exe 1704 dpvjp.exe 5068 djpdv.exe 4844 xrrrlll.exe 384 tbnhtt.exe 2644 tnthhb.exe 4156 dvdpp.exe -
resource yara_rule behavioral2/memory/2988-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4716-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3348-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-778-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-784-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2988 wrote to memory of 4188 2988 b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad.exe 82 PID 2988 wrote to memory of 4188 2988 b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad.exe 82 PID 2988 wrote to memory of 4188 2988 b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad.exe 82 PID 4188 wrote to memory of 4736 4188 htnbnh.exe 83 PID 4188 wrote to memory of 4736 4188 htnbnh.exe 83 PID 4188 wrote to memory of 4736 4188 htnbnh.exe 83 PID 4736 wrote to memory of 316 4736 fxrllrl.exe 84 PID 4736 wrote to memory of 316 4736 fxrllrl.exe 84 PID 4736 wrote to memory of 316 4736 fxrllrl.exe 84 PID 316 wrote to memory of 4932 316 htnbbn.exe 85 PID 316 wrote to memory of 4932 316 htnbbn.exe 85 PID 316 wrote to memory of 4932 316 htnbbn.exe 85 PID 4932 wrote to memory of 4604 4932 fllfffx.exe 86 PID 4932 wrote to memory of 4604 4932 fllfffx.exe 86 PID 4932 wrote to memory of 4604 4932 fllfffx.exe 86 PID 4604 wrote to memory of 3980 4604 3nnhhb.exe 87 PID 4604 wrote to memory of 3980 4604 3nnhhb.exe 87 PID 4604 wrote to memory of 3980 4604 3nnhhb.exe 87 PID 3980 wrote to memory of 724 3980 tbbthh.exe 88 PID 3980 wrote to memory of 724 3980 tbbthh.exe 88 PID 3980 wrote to memory of 724 3980 tbbthh.exe 88 PID 724 wrote to memory of 3696 724 vppjj.exe 89 PID 724 wrote to memory of 3696 724 vppjj.exe 89 PID 724 wrote to memory of 3696 724 vppjj.exe 89 PID 3696 wrote to memory of 4368 3696 fflfxrl.exe 90 PID 3696 wrote to memory of 4368 3696 fflfxrl.exe 90 PID 3696 wrote to memory of 4368 3696 fflfxrl.exe 90 PID 4368 wrote to memory of 1496 4368 thhhbb.exe 91 PID 4368 wrote to memory of 1496 4368 thhhbb.exe 91 PID 4368 wrote to memory of 1496 4368 thhhbb.exe 91 PID 1496 wrote to memory of 2632 1496 hbbtnh.exe 92 PID 1496 wrote to memory of 2632 1496 hbbtnh.exe 92 PID 1496 wrote to memory of 2632 1496 hbbtnh.exe 92 PID 2632 wrote to memory of 3268 2632 lxxxllf.exe 93 PID 2632 wrote to memory of 
3268 2632 lxxxllf.exe 93 PID 2632 wrote to memory of 3268 2632 lxxxllf.exe 93 PID 3268 wrote to memory of 4156 3268 htnhhn.exe 94 PID 3268 wrote to memory of 4156 3268 htnhhn.exe 94 PID 3268 wrote to memory of 4156 3268 htnhhn.exe 94 PID 4156 wrote to memory of 3120 4156 xlfxrlx.exe 95 PID 4156 wrote to memory of 3120 4156 xlfxrlx.exe 95 PID 4156 wrote to memory of 3120 4156 xlfxrlx.exe 95 PID 3120 wrote to memory of 4040 3120 jppjp.exe 96 PID 3120 wrote to memory of 4040 3120 jppjp.exe 96 PID 3120 wrote to memory of 4040 3120 jppjp.exe 96 PID 4040 wrote to memory of 1904 4040 xlrfxrx.exe 97 PID 4040 wrote to memory of 1904 4040 xlrfxrx.exe 97 PID 4040 wrote to memory of 1904 4040 xlrfxrx.exe 97 PID 1904 wrote to memory of 1684 1904 tnnnnt.exe 98 PID 1904 wrote to memory of 1684 1904 tnnnnt.exe 98 PID 1904 wrote to memory of 1684 1904 tnnnnt.exe 98 PID 1684 wrote to memory of 4676 1684 ddjdd.exe 99 PID 1684 wrote to memory of 4676 1684 ddjdd.exe 99 PID 1684 wrote to memory of 4676 1684 ddjdd.exe 99 PID 4676 wrote to memory of 2740 4676 7fxrlrl.exe 100 PID 4676 wrote to memory of 2740 4676 7fxrlrl.exe 100 PID 4676 wrote to memory of 2740 4676 7fxrlrl.exe 100 PID 2740 wrote to memory of 1156 2740 bntnhh.exe 101 PID 2740 wrote to memory of 1156 2740 bntnhh.exe 101 PID 2740 wrote to memory of 1156 2740 bntnhh.exe 101 PID 1156 wrote to memory of 4376 1156 xxxrlff.exe 102 PID 1156 wrote to memory of 4376 1156 xxxrlff.exe 102 PID 1156 wrote to memory of 4376 1156 xxxrlff.exe 102 PID 4376 wrote to memory of 3148 4376 thnbtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad.exe"C:\Users\Admin\AppData\Local\Temp\b4ccb52eb1660f7883a2501894ab81a58eacc702506c5917e52f9d9f183aadad.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\htnbnh.exec:\htnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\fxrllrl.exec:\fxrllrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\htnbbn.exec:\htnbbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\fllfffx.exec:\fllfffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\3nnhhb.exec:\3nnhhb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\tbbthh.exec:\tbbthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\vppjj.exec:\vppjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
\??\c:\fflfxrl.exec:\fflfxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\thhhbb.exec:\thhhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\hbbtnh.exec:\hbbtnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\lxxxllf.exec:\lxxxllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\htnhhn.exec:\htnhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\xlfxrlx.exec:\xlfxrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4156 -
\??\c:\jppjp.exec:\jppjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\xlrfxrx.exec:\xlrfxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\tnnnnt.exec:\tnnnnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904 -
\??\c:\ddjdd.exec:\ddjdd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684 -
\??\c:\7fxrlrl.exec:\7fxrlrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4676 -
\??\c:\bntnhh.exec:\bntnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\xxxrlff.exec:\xxxrlff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\thnbtn.exec:\thnbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\1bhbbt.exec:\1bhbbt.exe23⤵
- Executes dropped EXE
PID:3148 -
\??\c:\dvdvv.exec:\dvdvv.exe24⤵
- Executes dropped EXE
PID:3752 -
\??\c:\nttnnt.exec:\nttnnt.exe25⤵
- Executes dropped EXE
PID:3236 -
\??\c:\3fxrlfx.exec:\3fxrlfx.exe26⤵
- Executes dropped EXE
PID:4956 -
\??\c:\ttthnn.exec:\ttthnn.exe27⤵
- Executes dropped EXE
PID:3228 -
\??\c:\pddpj.exec:\pddpj.exe28⤵
- Executes dropped EXE
PID:4816 -
\??\c:\vddvv.exec:\vddvv.exe29⤵
- Executes dropped EXE
PID:1560 -
\??\c:\xffflfx.exec:\xffflfx.exe30⤵
- Executes dropped EXE
PID:4716 -
\??\c:\pjpdv.exec:\pjpdv.exe31⤵
- Executes dropped EXE
PID:5064 -
\??\c:\dvjjd.exec:\dvjjd.exe32⤵
- Executes dropped EXE
PID:2568 -
\??\c:\3lrlxlf.exec:\3lrlxlf.exe33⤵
- Executes dropped EXE
PID:4004 -
\??\c:\ppdjp.exec:\ppdjp.exe34⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3flfrll.exec:\3flfrll.exe35⤵
- Executes dropped EXE
PID:8 -
\??\c:\thhtnh.exec:\thhtnh.exe36⤵
- Executes dropped EXE
PID:2596 -
\??\c:\bhtnbb.exec:\bhtnbb.exe37⤵
- Executes dropped EXE
PID:4596 -
\??\c:\7vpjv.exec:\7vpjv.exe38⤵
- Executes dropped EXE
PID:3020 -
\??\c:\ttbttt.exec:\ttbttt.exe39⤵
- Executes dropped EXE
PID:1220 -
\??\c:\jppjd.exec:\jppjd.exe40⤵
- Executes dropped EXE
PID:2172 -
\??\c:\rffrffr.exec:\rffrffr.exe41⤵
- Executes dropped EXE
PID:2636 -
\??\c:\nttnnn.exec:\nttnnn.exe42⤵
- Executes dropped EXE
PID:4092 -
\??\c:\jdjjp.exec:\jdjjp.exe43⤵
- Executes dropped EXE
PID:776 -
\??\c:\frxrffx.exec:\frxrffx.exe44⤵
- Executes dropped EXE
PID:1568 -
\??\c:\1lllfff.exec:\1lllfff.exe45⤵
- Executes dropped EXE
PID:4432 -
\??\c:\bbnhhh.exec:\bbnhhh.exe46⤵
- Executes dropped EXE
PID:988 -
\??\c:\jdjdp.exec:\jdjdp.exe47⤵
- Executes dropped EXE
PID:3948 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe48⤵
- Executes dropped EXE
PID:832 -
\??\c:\fffxrlf.exec:\fffxrlf.exe49⤵
- Executes dropped EXE
PID:4212 -
\??\c:\9ppjd.exec:\9ppjd.exe50⤵
- Executes dropped EXE
PID:3968 -
\??\c:\jdjdj.exec:\jdjdj.exe51⤵
- Executes dropped EXE
PID:4932 -
\??\c:\1xrlfxr.exec:\1xrlfxr.exe52⤵
- Executes dropped EXE
PID:3232 -
\??\c:\tntthh.exec:\tntthh.exe53⤵
- Executes dropped EXE
PID:4204 -
\??\c:\9vdvd.exec:\9vdvd.exe54⤵
- Executes dropped EXE
PID:3540 -
\??\c:\ffxxrff.exec:\ffxxrff.exe55⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nhtntt.exec:\nhtntt.exe56⤵
- Executes dropped EXE
PID:2584 -
\??\c:\jjjdp.exec:\jjjdp.exe57⤵
- Executes dropped EXE
PID:3060 -
\??\c:\7rxlrlr.exec:\7rxlrlr.exe58⤵
- Executes dropped EXE
PID:4312 -
\??\c:\httthb.exec:\httthb.exe59⤵
- Executes dropped EXE
PID:1340 -
\??\c:\dpvjp.exec:\dpvjp.exe60⤵
- Executes dropped EXE
PID:1704 -
\??\c:\djpdv.exec:\djpdv.exe61⤵
- Executes dropped EXE
PID:5068 -
\??\c:\xrrrlll.exec:\xrrrlll.exe62⤵
- Executes dropped EXE
PID:4844 -
\??\c:\tbnhtt.exec:\tbnhtt.exe63⤵
- Executes dropped EXE
PID:384 -
\??\c:\tnthhb.exec:\tnthhb.exe64⤵
- Executes dropped EXE
PID:2644 -
\??\c:\dvdpp.exec:\dvdpp.exe65⤵
- Executes dropped EXE
PID:4156 -
\??\c:\3lfxllf.exec:\3lfxllf.exe66⤵PID:1616
-
\??\c:\ntbthh.exec:\ntbthh.exe67⤵PID:2620
-
\??\c:\nnnnbb.exec:\nnnnbb.exe68⤵PID:228
-
\??\c:\ppppd.exec:\ppppd.exe69⤵PID:808
-
\??\c:\rxrrffx.exec:\rxrrffx.exe70⤵PID:1844
-
\??\c:\nhtnhb.exec:\nhtnhb.exe71⤵PID:1068
-
\??\c:\ddppj.exec:\ddppj.exe72⤵PID:2820
-
\??\c:\9jjdp.exec:\9jjdp.exe73⤵PID:1428
-
\??\c:\bhtnhh.exec:\bhtnhh.exe74⤵PID:1156
-
\??\c:\dvpjp.exec:\dvpjp.exe75⤵PID:2248
-
\??\c:\1pjdp.exec:\1pjdp.exe76⤵PID:2240
-
\??\c:\lxrxlff.exec:\lxrxlff.exe77⤵PID:3584
-
\??\c:\nbhbtt.exec:\nbhbtt.exe78⤵PID:4888
-
\??\c:\pvvjv.exec:\pvvjv.exe79⤵PID:1364
-
\??\c:\rllxlfx.exec:\rllxlfx.exe80⤵PID:2932
-
\??\c:\xlrfxrf.exec:\xlrfxrf.exe81⤵PID:2964
-
\??\c:\bhnhhh.exec:\bhnhhh.exe82⤵PID:2024
-
\??\c:\dvvvv.exec:\dvvvv.exe83⤵PID:4500
-
\??\c:\ddjvp.exec:\ddjvp.exe84⤵PID:4080
-
\??\c:\xlxfxlf.exec:\xlxfxlf.exe85⤵PID:2216
-
\??\c:\thhbnn.exec:\thhbnn.exe86⤵PID:4672
-
\??\c:\pvdjd.exec:\pvdjd.exe87⤵PID:884
-
\??\c:\3ffxffx.exec:\3ffxffx.exe88⤵PID:3348
-
\??\c:\nnbttt.exec:\nnbttt.exe89⤵PID:2648
-
\??\c:\pjjdp.exec:\pjjdp.exe90⤵PID:1960
-
\??\c:\fxfxllf.exec:\fxfxllf.exe91⤵PID:4088
-
\??\c:\5tnhtn.exec:\5tnhtn.exe92⤵PID:392
-
\??\c:\1jjvp.exec:\1jjvp.exe93⤵PID:916
-
\??\c:\jdvpp.exec:\jdvpp.exe94⤵PID:1500
-
\??\c:\rxllrxf.exec:\rxllrxf.exe95⤵PID:4596
-
\??\c:\tnhhbb.exec:\tnhhbb.exe96⤵PID:3020
-
\??\c:\djpdp.exec:\djpdp.exe97⤵
- System Location Discovery: System Language Discovery
PID:2912 -
\??\c:\lfrlfxl.exec:\lfrlfxl.exe98⤵PID:820
-
\??\c:\fllxrll.exec:\fllxrll.exe99⤵PID:4560
-
\??\c:\hnhhbb.exec:\hnhhbb.exe100⤵PID:2520
-
\??\c:\5dvpd.exec:\5dvpd.exe101⤵PID:532
-
\??\c:\frxlxxr.exec:\frxlxxr.exe102⤵PID:4436
-
\??\c:\bbhtnh.exec:\bbhtnh.exe103⤵PID:4528
-
\??\c:\jvvjp.exec:\jvvjp.exe104⤵PID:2988
-
\??\c:\5flffxf.exec:\5flffxf.exe105⤵PID:112
-
\??\c:\bntnhh.exec:\bntnhh.exe106⤵PID:3556
-
\??\c:\pjppj.exec:\pjppj.exe107⤵PID:1604
-
\??\c:\xxffrll.exec:\xxffrll.exe108⤵PID:2368
-
\??\c:\tbttbh.exec:\tbttbh.exe109⤵PID:3968
-
\??\c:\1nbbnh.exec:\1nbbnh.exe110⤵PID:1116
-
\??\c:\9djvp.exec:\9djvp.exe111⤵PID:3232
-
\??\c:\lfffrxl.exec:\lfffrxl.exe112⤵PID:4296
-
\??\c:\lffrlfx.exec:\lffrlfx.exe113⤵PID:740
-
\??\c:\hhhbtt.exec:\hhhbtt.exe114⤵PID:1320
-
\??\c:\dvdvj.exec:\dvdvj.exe115⤵PID:2948
-
\??\c:\rllfrlf.exec:\rllfrlf.exe116⤵PID:1692
-
\??\c:\xrrlffx.exec:\xrrlffx.exe117⤵PID:1744
-
\??\c:\bbhhbb.exec:\bbhhbb.exe118⤵PID:3060
-
\??\c:\pdjdv.exec:\pdjdv.exe119⤵PID:2180
-
\??\c:\xrllxrl.exec:\xrllxrl.exe120⤵PID:1340
-
\??\c:\nntnbt.exec:\nntnbt.exe121⤵PID:3248
-
\??\c:\9bnhnh.exec:\9bnhnh.exe122⤵
- System Location Discovery: System Language Discovery
PID:4960