Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe
-
Size
455KB
-
MD5
132ae24eab364be096189d52cbf94680
-
SHA1
8d2d80b8a8e707cd10663c54a075b4fd077c1e62
-
SHA256
d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77
-
SHA512
aa0d99d8bf4a9ab8261ec9d885502f98abd5fde05f7d27cb94a34826a08487409858886ead19bdd804d6ba7c8ce129a65db8eccc25fd927e86fb75bf7fb5b1c5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4328-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1848-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5048-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/264-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-702-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-1028-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-1128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1452 thhhtt.exe 2360 tththh.exe 1956 jpvpj.exe 844 xrrfxrl.exe 4208 7nnhtt.exe 3560 lxxlxrf.exe 2268 nnnhtn.exe 1080 dvvpd.exe 1104 hbbthb.exe 460 htnhbb.exe 2140 7ffxffr.exe 3904 htnhhb.exe 5032 5ddjd.exe 3416 rlxrxxf.exe 752 xlrllfx.exe 5028 hbhttt.exe 836 pdpjp.exe 548 1llfxxx.exe 3608 pdjdv.exe 2292 lrxfrxf.exe 880 htbbtn.exe 1604 thnhhh.exe 2008 vvddj.exe 3620 rrllffx.exe 3008 fffxrrl.exe 1848 jdjjj.exe 2332 xxfxrrr.exe 2432 ppvpp.exe 2356 rlxxlfr.exe 2616 hhhtnt.exe 3244 xlrxxff.exe 3460 hthntn.exe 2972 9jddv.exe 4344 bnbhbt.exe 436 5ttnbb.exe 1556 dvjpd.exe 3556 fxlrxxf.exe 2500 bbnnhn.exe 4264 pdvvp.exe 5072 frlxfxr.exe 232 xxlxrxr.exe 408 pdjvv.exe 1312 xxrfrxf.exe 2460 tnntnt.exe 2032 hbbbtb.exe 4936 7vvvv.exe 4220 9lxxxfl.exe 2804 htbnhh.exe 3324 tnhbbn.exe 3684 xxlllrx.exe 4524 xrffxfx.exe 1856 bnbbbt.exe 4436 pjpvv.exe 4372 5xflxfx.exe 2040 flxxrrr.exe 3068 btttnt.exe 3776 vvddj.exe 2892 xxfxrrr.exe 1528 rlfrflx.exe 2144 nhtnhh.exe 3908 vjdvj.exe 2328 1llfrlf.exe 3588 hhnbtt.exe 2556 dppjj.exe -
resource yara_rule behavioral2/memory/4328-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1848-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-347-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4160-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/264-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-702-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-739-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4328 wrote to memory of 1452 4328 d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe 82 PID 4328 wrote to memory of 1452 4328 d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe 82 PID 4328 wrote to memory of 1452 4328 d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe 82 PID 1452 wrote to memory of 2360 1452 thhhtt.exe 83 PID 1452 wrote to memory of 2360 1452 thhhtt.exe 83 PID 1452 wrote to memory of 2360 1452 thhhtt.exe 83 PID 2360 wrote to memory of 1956 2360 tththh.exe 84 PID 2360 wrote to memory of 1956 2360 tththh.exe 84 PID 2360 wrote to memory of 1956 2360 tththh.exe 84 PID 1956 wrote to memory of 844 1956 jpvpj.exe 85 PID 1956 wrote to memory of 844 1956 jpvpj.exe 85 PID 1956 wrote to memory of 844 1956 jpvpj.exe 85 PID 844 wrote to memory of 4208 844 xrrfxrl.exe 86 PID 844 wrote to memory of 4208 844 xrrfxrl.exe 86 PID 844 wrote to memory of 4208 844 xrrfxrl.exe 86 PID 4208 wrote to memory of 3560 4208 7nnhtt.exe 87 PID 4208 wrote to memory of 3560 4208 7nnhtt.exe 87 PID 4208 wrote to memory of 3560 4208 7nnhtt.exe 87 PID 3560 wrote to memory of 2268 3560 lxxlxrf.exe 88 PID 3560 wrote to memory of 2268 3560 lxxlxrf.exe 88 PID 3560 wrote to memory of 2268 3560 lxxlxrf.exe 88 PID 2268 wrote to memory of 1080 2268 nnnhtn.exe 89 PID 2268 wrote to memory of 1080 2268 nnnhtn.exe 89 PID 2268 wrote to memory of 1080 2268 nnnhtn.exe 89 PID 1080 wrote to memory of 1104 1080 dvvpd.exe 90 PID 1080 wrote to memory of 1104 1080 dvvpd.exe 90 PID 1080 wrote to memory of 1104 1080 dvvpd.exe 90 PID 1104 wrote to memory of 460 1104 hbbthb.exe 91 PID 1104 wrote to memory of 460 1104 hbbthb.exe 91 PID 1104 wrote to memory of 460 1104 hbbthb.exe 91 PID 460 wrote to memory of 2140 460 htnhbb.exe 92 PID 460 wrote to memory of 2140 460 htnhbb.exe 92 PID 460 wrote to memory of 2140 460 htnhbb.exe 92 PID 2140 wrote to memory of 3904 2140 7ffxffr.exe 93 PID 2140 wrote to memory of 3904 
2140 7ffxffr.exe 93 PID 2140 wrote to memory of 3904 2140 7ffxffr.exe 93 PID 3904 wrote to memory of 5032 3904 htnhhb.exe 94 PID 3904 wrote to memory of 5032 3904 htnhhb.exe 94 PID 3904 wrote to memory of 5032 3904 htnhhb.exe 94 PID 5032 wrote to memory of 3416 5032 5ddjd.exe 95 PID 5032 wrote to memory of 3416 5032 5ddjd.exe 95 PID 5032 wrote to memory of 3416 5032 5ddjd.exe 95 PID 3416 wrote to memory of 752 3416 rlxrxxf.exe 96 PID 3416 wrote to memory of 752 3416 rlxrxxf.exe 96 PID 3416 wrote to memory of 752 3416 rlxrxxf.exe 96 PID 752 wrote to memory of 5028 752 xlrllfx.exe 97 PID 752 wrote to memory of 5028 752 xlrllfx.exe 97 PID 752 wrote to memory of 5028 752 xlrllfx.exe 97 PID 5028 wrote to memory of 836 5028 hbhttt.exe 98 PID 5028 wrote to memory of 836 5028 hbhttt.exe 98 PID 5028 wrote to memory of 836 5028 hbhttt.exe 98 PID 836 wrote to memory of 548 836 pdpjp.exe 99 PID 836 wrote to memory of 548 836 pdpjp.exe 99 PID 836 wrote to memory of 548 836 pdpjp.exe 99 PID 548 wrote to memory of 3608 548 1llfxxx.exe 100 PID 548 wrote to memory of 3608 548 1llfxxx.exe 100 PID 548 wrote to memory of 3608 548 1llfxxx.exe 100 PID 3608 wrote to memory of 2292 3608 pdjdv.exe 101 PID 3608 wrote to memory of 2292 3608 pdjdv.exe 101 PID 3608 wrote to memory of 2292 3608 pdjdv.exe 101 PID 2292 wrote to memory of 880 2292 lrxfrxf.exe 102 PID 2292 wrote to memory of 880 2292 lrxfrxf.exe 102 PID 2292 wrote to memory of 880 2292 lrxfrxf.exe 102 PID 880 wrote to memory of 1604 880 htbbtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe"C:\Users\Admin\AppData\Local\Temp\d2555ec7a258692e0722b42a44972b790f974dbe8ba9df39d40cee4624042d77N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\thhhtt.exec:\thhhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\tththh.exec:\tththh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\jpvpj.exec:\jpvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\7nnhtt.exec:\7nnhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\nnnhtn.exec:\nnnhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\dvvpd.exec:\dvvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\hbbthb.exec:\hbbthb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\htnhbb.exec:\htnhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\7ffxffr.exec:\7ffxffr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\htnhhb.exec:\htnhhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\5ddjd.exec:\5ddjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
\??\c:\xlrllfx.exec:\xlrllfx.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\hbhttt.exec:\hbhttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\pdpjp.exec:\pdpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\1llfxxx.exec:\1llfxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\pdjdv.exec:\pdjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\lrxfrxf.exec:\lrxfrxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\htbbtn.exec:\htbbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\thnhhh.exec:\thnhhh.exe23⤵
- Executes dropped EXE
PID:1604 -
\??\c:\vvddj.exec:\vvddj.exe24⤵
- Executes dropped EXE
PID:2008 -
\??\c:\rrllffx.exec:\rrllffx.exe25⤵
- Executes dropped EXE
PID:3620 -
\??\c:\fffxrrl.exec:\fffxrrl.exe26⤵
- Executes dropped EXE
PID:3008 -
\??\c:\jdjjj.exec:\jdjjj.exe27⤵
- Executes dropped EXE
PID:1848 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe28⤵
- Executes dropped EXE
PID:2332 -
\??\c:\ppvpp.exec:\ppvpp.exe29⤵
- Executes dropped EXE
PID:2432 -
\??\c:\rlxxlfr.exec:\rlxxlfr.exe30⤵
- Executes dropped EXE
PID:2356 -
\??\c:\hhhtnt.exec:\hhhtnt.exe31⤵
- Executes dropped EXE
PID:2616 -
\??\c:\xlrxxff.exec:\xlrxxff.exe32⤵
- Executes dropped EXE
PID:3244 -
\??\c:\hthntn.exec:\hthntn.exe33⤵
- Executes dropped EXE
PID:3460 -
\??\c:\9jddv.exec:\9jddv.exe34⤵
- Executes dropped EXE
PID:2972 -
\??\c:\bnbhbt.exec:\bnbhbt.exe35⤵
- Executes dropped EXE
PID:4344 -
\??\c:\5ttnbb.exec:\5ttnbb.exe36⤵
- Executes dropped EXE
PID:436 -
\??\c:\dvjpd.exec:\dvjpd.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556 -
\??\c:\fxlrxxf.exec:\fxlrxxf.exe38⤵
- Executes dropped EXE
PID:3556 -
\??\c:\bbnnhn.exec:\bbnnhn.exe39⤵
- Executes dropped EXE
PID:2500 -
\??\c:\pdvvp.exec:\pdvvp.exe40⤵
- Executes dropped EXE
PID:4264 -
\??\c:\frlxfxr.exec:\frlxfxr.exe41⤵
- Executes dropped EXE
PID:5072 -
\??\c:\xxlxrxr.exec:\xxlxrxr.exe42⤵
- Executes dropped EXE
PID:232 -
\??\c:\pdjvv.exec:\pdjvv.exe43⤵
- Executes dropped EXE
PID:408 -
\??\c:\xxrfrxf.exec:\xxrfrxf.exe44⤵
- Executes dropped EXE
PID:1312 -
\??\c:\tnntnt.exec:\tnntnt.exe45⤵
- Executes dropped EXE
PID:2460 -
\??\c:\hbbbtb.exec:\hbbbtb.exe46⤵
- Executes dropped EXE
PID:2032 -
\??\c:\7vvvv.exec:\7vvvv.exe47⤵
- Executes dropped EXE
PID:4936 -
\??\c:\9lxxxfl.exec:\9lxxxfl.exe48⤵
- Executes dropped EXE
PID:4220 -
\??\c:\htbnhh.exec:\htbnhh.exe49⤵
- Executes dropped EXE
PID:2804 -
\??\c:\tnhbbn.exec:\tnhbbn.exe50⤵
- Executes dropped EXE
PID:3324 -
\??\c:\xxlllrx.exec:\xxlllrx.exe51⤵
- Executes dropped EXE
PID:3684 -
\??\c:\xrffxfx.exec:\xrffxfx.exe52⤵
- Executes dropped EXE
PID:4524 -
\??\c:\bnbbbt.exec:\bnbbbt.exe53⤵
- Executes dropped EXE
PID:1856 -
\??\c:\pjpvv.exec:\pjpvv.exe54⤵
- Executes dropped EXE
PID:4436 -
\??\c:\5xflxfx.exec:\5xflxfx.exe55⤵
- Executes dropped EXE
PID:4372 -
\??\c:\flxxrrr.exec:\flxxrrr.exe56⤵
- Executes dropped EXE
PID:2040 -
\??\c:\btttnt.exec:\btttnt.exe57⤵
- Executes dropped EXE
PID:3068 -
\??\c:\vvddj.exec:\vvddj.exe58⤵
- Executes dropped EXE
PID:3776 -
\??\c:\xxfxrrr.exec:\xxfxrrr.exe59⤵
- Executes dropped EXE
PID:2892 -
\??\c:\rlfrflx.exec:\rlfrflx.exe60⤵
- Executes dropped EXE
PID:1528 -
\??\c:\nhtnhh.exec:\nhtnhh.exe61⤵
- Executes dropped EXE
PID:2144 -
\??\c:\vjdvj.exec:\vjdvj.exe62⤵
- Executes dropped EXE
PID:3908 -
\??\c:\1llfrlf.exec:\1llfrlf.exe63⤵
- Executes dropped EXE
PID:2328 -
\??\c:\hhnbtt.exec:\hhnbtt.exe64⤵
- Executes dropped EXE
PID:3588 -
\??\c:\dppjj.exec:\dppjj.exe65⤵
- Executes dropped EXE
PID:2556 -
\??\c:\jjvjv.exec:\jjvjv.exe66⤵PID:2268
-
\??\c:\1xfxllf.exec:\1xfxllf.exe67⤵PID:4408
-
\??\c:\5hnnbb.exec:\5hnnbb.exe68⤵PID:1080
-
\??\c:\9jdpd.exec:\9jdpd.exe69⤵PID:2608
-
\??\c:\rfrflfx.exec:\rfrflfx.exe70⤵PID:3132
-
\??\c:\hhtntt.exec:\hhtntt.exe71⤵PID:5068
-
\??\c:\djpjd.exec:\djpjd.exe72⤵PID:5048
-
\??\c:\djpdj.exec:\djpdj.exe73⤵PID:4652
-
\??\c:\rrlxrlf.exec:\rrlxrlf.exe74⤵PID:4828
-
\??\c:\tnnhtt.exec:\tnnhtt.exe75⤵PID:3416
-
\??\c:\vpvpj.exec:\vpvpj.exe76⤵PID:3344
-
\??\c:\jjdpd.exec:\jjdpd.exe77⤵PID:4644
-
\??\c:\xxxrfxl.exec:\xxxrfxl.exe78⤵PID:4604
-
\??\c:\ttbnht.exec:\ttbnht.exe79⤵PID:1840
-
\??\c:\vvpvd.exec:\vvpvd.exe80⤵PID:4204
-
\??\c:\7lrxfxf.exec:\7lrxfxf.exe81⤵PID:1420
-
\??\c:\hbhhnh.exec:\hbhhnh.exe82⤵PID:4636
-
\??\c:\1nhthh.exec:\1nhthh.exe83⤵PID:2280
-
\??\c:\dpppj.exec:\dpppj.exe84⤵PID:4848
-
\??\c:\xlrffff.exec:\xlrffff.exe85⤵PID:4744
-
\??\c:\pdvpd.exec:\pdvpd.exe86⤵PID:880
-
\??\c:\rrxrxxx.exec:\rrxrxxx.exe87⤵PID:2744
-
\??\c:\nhhbtb.exec:\nhhbtb.exe88⤵PID:4772
-
\??\c:\dvdpp.exec:\dvdpp.exe89⤵PID:2420
-
\??\c:\lrrrfxr.exec:\lrrrfxr.exe90⤵PID:3296
-
\??\c:\nttnhb.exec:\nttnhb.exe91⤵PID:5104
-
\??\c:\ddppj.exec:\ddppj.exe92⤵PID:4832
-
\??\c:\dvpdp.exec:\dvpdp.exe93⤵PID:1848
-
\??\c:\xxfxlfl.exec:\xxfxlfl.exe94⤵PID:2876
-
\??\c:\7tnhhh.exec:\7tnhhh.exe95⤵PID:1316
-
\??\c:\5thhtn.exec:\5thhtn.exe96⤵PID:4912
-
\??\c:\jvdpd.exec:\jvdpd.exe97⤵PID:4160
-
\??\c:\frrxfrx.exec:\frrxfrx.exe98⤵PID:264
-
\??\c:\ntthbt.exec:\ntthbt.exe99⤵PID:3352
-
\??\c:\vjpjj.exec:\vjpjj.exe100⤵PID:5088
-
\??\c:\frxrflf.exec:\frxrflf.exe101⤵PID:4428
-
\??\c:\thtnhh.exec:\thtnhh.exe102⤵PID:552
-
\??\c:\nhhbtt.exec:\nhhbtt.exe103⤵PID:1888
-
\??\c:\vjjdj.exec:\vjjdj.exe104⤵PID:1148
-
\??\c:\5rfxfxx.exec:\5rfxfxx.exe105⤵PID:3316
-
\??\c:\nbhhbb.exec:\nbhhbb.exe106⤵PID:2276
-
\??\c:\jdpdj.exec:\jdpdj.exe107⤵PID:3368
-
\??\c:\ddjpj.exec:\ddjpj.exe108⤵PID:4396
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe109⤵PID:3500
-
\??\c:\htnhnn.exec:\htnhnn.exe110⤵PID:232
-
\??\c:\pjddj.exec:\pjddj.exe111⤵PID:408
-
\??\c:\lflxlff.exec:\lflxlff.exe112⤵PID:964
-
\??\c:\rrfxlfr.exec:\rrfxlfr.exe113⤵PID:2352
-
\??\c:\7bthtt.exec:\7bthtt.exe114⤵PID:1300
-
\??\c:\9vjjv.exec:\9vjjv.exe115⤵PID:4936
-
\??\c:\7ffxlfr.exec:\7ffxlfr.exe116⤵PID:4220
-
\??\c:\ntbtbh.exec:\ntbtbh.exe117⤵PID:2804
-
\??\c:\hthbhh.exec:\hthbhh.exe118⤵PID:3884
-
\??\c:\vvdjp.exec:\vvdjp.exe119⤵PID:3684
-
\??\c:\flflxfr.exec:\flflxfr.exe120⤵PID:4524
-
\??\c:\hhhtbt.exec:\hhhtbt.exe121⤵PID:1176
-
\??\c:\pvdpj.exec:\pvdpj.exe122⤵PID:4328