Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 04:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe
-
Size
454KB
-
MD5
0162ba193f4475d9b9a1a039efc11ef7
-
SHA1
33f480b203f23096feb996097c1033589ebbf8b7
-
SHA256
d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06
-
SHA512
0a9885636a38f43c5f93935fd18ac6e8a4be1c2f9b100086a269dfbb678effe4b8fa0df4183e0585e52f7325ec293316cf53e5c3551aab749033ab52541ab4c8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbez:q7Tc2NYHUrAwfMp3CDz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4576-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4516-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4308-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/560-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/908-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-569-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-1179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-1344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-1545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4664 bhthbn.exe 4220 vdjvj.exe 2764 nhnbbn.exe 3236 xfrfllr.exe 3784 jdvjd.exe 904 lrrfxrl.exe 3500 lxxllfx.exe 3788 thnhtn.exe 4708 5tnbnh.exe 408 llrrrrx.exe 1548 htbnhh.exe 2000 5jjpd.exe 1744 lrfrfxr.exe 2384 fxllffl.exe 1120 vdvjv.exe 1328 lfxlxrf.exe 4916 frrxlfr.exe 4528 ddjjp.exe 3524 5hhthh.exe 3548 vvvjp.exe 216 1ffrfxl.exe 4992 tnbhth.exe 2216 9tbntn.exe 2068 jjjvj.exe 1828 nhnnnh.exe 1764 rrrlfrl.exe 4516 bttnhh.exe 2348 vvpdp.exe 872 nbthnb.exe 4144 vjdjp.exe 1620 llxrfxr.exe 2904 nhbhtt.exe 3280 pppvj.exe 4952 3llfrxr.exe 2324 3nbnhb.exe 4716 9pjvd.exe 3992 jpvjp.exe 1160 xffrfrl.exe 4276 htttbb.exe 3912 7pvjp.exe 5040 vvvjv.exe 824 frrlxrl.exe 2776 5ttnbb.exe 3532 bbnbtn.exe 1136 dppjd.exe 3220 fxxrlll.exe 3388 1nhthb.exe 5012 9jdvp.exe 3180 5jdpv.exe 4332 xllxlfx.exe 3472 nbhbtt.exe 3560 dddpj.exe 3744 fxlffxx.exe 3892 3xrlxfx.exe 1324 hbbttt.exe 3540 ddjdj.exe 3236 5llxlfr.exe 2544 1hbnbb.exe 904 htnbnh.exe 316 dpjpd.exe 5008 1ffxrrl.exe 4460 3ttthh.exe 1532 jpvdp.exe 3348 rrlfrrf.exe -
resource yara_rule behavioral2/memory/4576-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-160-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1764-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1672-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/560-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/908-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-569-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-1179-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7frfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4576 wrote to memory of 4664 4576 d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe 82 PID 4576 wrote to memory of 4664 4576 d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe 82 PID 4576 wrote to memory of 4664 4576 d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe 82 PID 4664 wrote to memory of 4220 4664 bhthbn.exe 83 PID 4664 wrote to memory of 4220 4664 bhthbn.exe 83 PID 4664 wrote to memory of 4220 4664 bhthbn.exe 83 PID 4220 wrote to memory of 2764 4220 vdjvj.exe 84 PID 4220 wrote to memory of 2764 4220 vdjvj.exe 84 PID 4220 wrote to memory of 2764 4220 vdjvj.exe 84 PID 2764 wrote to memory of 3236 2764 nhnbbn.exe 85 PID 2764 wrote to memory of 3236 2764 nhnbbn.exe 85 PID 2764 wrote to memory of 3236 2764 nhnbbn.exe 85 PID 3236 wrote to memory of 3784 3236 xfrfllr.exe 86 PID 3236 wrote to memory of 3784 3236 xfrfllr.exe 86 PID 3236 wrote to memory of 3784 3236 xfrfllr.exe 86 PID 3784 wrote to memory of 904 3784 jdvjd.exe 87 PID 3784 wrote to memory of 904 3784 jdvjd.exe 87 PID 3784 wrote to memory of 904 3784 jdvjd.exe 87 PID 904 wrote to memory of 3500 904 lrrfxrl.exe 88 PID 904 wrote to memory of 3500 904 lrrfxrl.exe 88 PID 904 wrote to memory of 3500 904 lrrfxrl.exe 88 PID 3500 wrote to memory of 3788 3500 lxxllfx.exe 89 PID 3500 wrote to memory of 3788 3500 lxxllfx.exe 89 PID 3500 wrote to memory of 3788 3500 lxxllfx.exe 89 PID 3788 wrote to memory of 4708 3788 thnhtn.exe 90 PID 3788 wrote to memory of 4708 3788 thnhtn.exe 90 PID 3788 wrote to memory of 4708 3788 thnhtn.exe 90 PID 4708 wrote to memory of 408 4708 5tnbnh.exe 91 PID 4708 wrote to memory of 408 4708 5tnbnh.exe 91 PID 4708 wrote to memory of 408 4708 5tnbnh.exe 91 PID 408 wrote to memory of 1548 408 llrrrrx.exe 92 PID 408 wrote to memory of 1548 408 llrrrrx.exe 92 PID 408 wrote to memory of 1548 408 llrrrrx.exe 92 PID 1548 wrote to memory of 2000 1548 htbnhh.exe 93 PID 1548 wrote to memory of 
2000 1548 htbnhh.exe 93 PID 1548 wrote to memory of 2000 1548 htbnhh.exe 93 PID 2000 wrote to memory of 1744 2000 5jjpd.exe 94 PID 2000 wrote to memory of 1744 2000 5jjpd.exe 94 PID 2000 wrote to memory of 1744 2000 5jjpd.exe 94 PID 1744 wrote to memory of 2384 1744 lrfrfxr.exe 95 PID 1744 wrote to memory of 2384 1744 lrfrfxr.exe 95 PID 1744 wrote to memory of 2384 1744 lrfrfxr.exe 95 PID 2384 wrote to memory of 1120 2384 fxllffl.exe 96 PID 2384 wrote to memory of 1120 2384 fxllffl.exe 96 PID 2384 wrote to memory of 1120 2384 fxllffl.exe 96 PID 1120 wrote to memory of 1328 1120 vdvjv.exe 97 PID 1120 wrote to memory of 1328 1120 vdvjv.exe 97 PID 1120 wrote to memory of 1328 1120 vdvjv.exe 97 PID 1328 wrote to memory of 4916 1328 lfxlxrf.exe 98 PID 1328 wrote to memory of 4916 1328 lfxlxrf.exe 98 PID 1328 wrote to memory of 4916 1328 lfxlxrf.exe 98 PID 4916 wrote to memory of 4528 4916 frrxlfr.exe 99 PID 4916 wrote to memory of 4528 4916 frrxlfr.exe 99 PID 4916 wrote to memory of 4528 4916 frrxlfr.exe 99 PID 4528 wrote to memory of 3524 4528 ddjjp.exe 100 PID 4528 wrote to memory of 3524 4528 ddjjp.exe 100 PID 4528 wrote to memory of 3524 4528 ddjjp.exe 100 PID 3524 wrote to memory of 3548 3524 5hhthh.exe 101 PID 3524 wrote to memory of 3548 3524 5hhthh.exe 101 PID 3524 wrote to memory of 3548 3524 5hhthh.exe 101 PID 3548 wrote to memory of 216 3548 vvvjp.exe 102 PID 3548 wrote to memory of 216 3548 vvvjp.exe 102 PID 3548 wrote to memory of 216 3548 vvvjp.exe 102 PID 216 wrote to memory of 4992 216 1ffrfxl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe"C:\Users\Admin\AppData\Local\Temp\d209fbe4bb040e7677634a5daaf4c32c8294811ccfae1ae6ed73ee88c9937f06.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\bhthbn.exec:\bhthbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\vdjvj.exec:\vdjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\nhnbbn.exec:\nhnbbn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\xfrfllr.exec:\xfrfllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\jdvjd.exec:\jdvjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3784 -
\??\c:\lrrfxrl.exec:\lrrfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\lxxllfx.exec:\lxxllfx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\thnhtn.exec:\thnhtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\5tnbnh.exec:\5tnbnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708 -
\??\c:\llrrrrx.exec:\llrrrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\htbnhh.exec:\htbnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\5jjpd.exec:\5jjpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000 -
\??\c:\lrfrfxr.exec:\lrfrfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\fxllffl.exec:\fxllffl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\vdvjv.exec:\vdvjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\frrxlfr.exec:\frrxlfr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\ddjjp.exec:\ddjjp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\5hhthh.exec:\5hhthh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3524 -
\??\c:\vvvjp.exec:\vvvjp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\1ffrfxl.exec:\1ffrfxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\tnbhth.exec:\tnbhth.exe23⤵
- Executes dropped EXE
PID:4992 -
\??\c:\9tbntn.exec:\9tbntn.exe24⤵
- Executes dropped EXE
PID:2216 -
\??\c:\jjjvj.exec:\jjjvj.exe25⤵
- Executes dropped EXE
PID:2068 -
\??\c:\nhnnnh.exec:\nhnnnh.exe26⤵
- Executes dropped EXE
PID:1828 -
\??\c:\rrrlfrl.exec:\rrrlfrl.exe27⤵
- Executes dropped EXE
PID:1764 -
\??\c:\bttnhh.exec:\bttnhh.exe28⤵
- Executes dropped EXE
PID:4516 -
\??\c:\vvpdp.exec:\vvpdp.exe29⤵
- Executes dropped EXE
PID:2348 -
\??\c:\nbthnb.exec:\nbthnb.exe30⤵
- Executes dropped EXE
PID:872 -
\??\c:\vjdjp.exec:\vjdjp.exe31⤵
- Executes dropped EXE
PID:4144 -
\??\c:\llxrfxr.exec:\llxrfxr.exe32⤵
- Executes dropped EXE
PID:1620 -
\??\c:\nhbhtt.exec:\nhbhtt.exe33⤵
- Executes dropped EXE
PID:2904 -
\??\c:\pppvj.exec:\pppvj.exe34⤵
- Executes dropped EXE
PID:3280 -
\??\c:\3llfrxr.exec:\3llfrxr.exe35⤵
- Executes dropped EXE
PID:4952 -
\??\c:\3nbnhb.exec:\3nbnhb.exe36⤵
- Executes dropped EXE
PID:2324 -
\??\c:\9pjvd.exec:\9pjvd.exe37⤵
- Executes dropped EXE
PID:4716 -
\??\c:\jpvjp.exec:\jpvjp.exe38⤵
- Executes dropped EXE
PID:3992 -
\??\c:\xffrfrl.exec:\xffrfrl.exe39⤵
- Executes dropped EXE
PID:1160 -
\??\c:\htttbb.exec:\htttbb.exe40⤵
- Executes dropped EXE
PID:4276 -
\??\c:\7pvjp.exec:\7pvjp.exe41⤵
- Executes dropped EXE
PID:3912 -
\??\c:\vvvjv.exec:\vvvjv.exe42⤵
- Executes dropped EXE
PID:5040 -
\??\c:\frrlxrl.exec:\frrlxrl.exe43⤵
- Executes dropped EXE
PID:824 -
\??\c:\5ttnbb.exec:\5ttnbb.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\bbnbtn.exec:\bbnbtn.exe45⤵
- Executes dropped EXE
PID:3532 -
\??\c:\dppjd.exec:\dppjd.exe46⤵
- Executes dropped EXE
PID:1136 -
\??\c:\fxxrlll.exec:\fxxrlll.exe47⤵
- Executes dropped EXE
PID:3220 -
\??\c:\1nhthb.exec:\1nhthb.exe48⤵
- Executes dropped EXE
PID:3388 -
\??\c:\9jdvp.exec:\9jdvp.exe49⤵
- Executes dropped EXE
PID:5012 -
\??\c:\5jdpv.exec:\5jdpv.exe50⤵
- Executes dropped EXE
PID:3180 -
\??\c:\xllxlfx.exec:\xllxlfx.exe51⤵
- Executes dropped EXE
PID:4332 -
\??\c:\nbhbtt.exec:\nbhbtt.exe52⤵
- Executes dropped EXE
PID:3472 -
\??\c:\dddpj.exec:\dddpj.exe53⤵
- Executes dropped EXE
PID:3560 -
\??\c:\fxlffxx.exec:\fxlffxx.exe54⤵
- Executes dropped EXE
PID:3744 -
\??\c:\3xrlxfx.exec:\3xrlxfx.exe55⤵
- Executes dropped EXE
PID:3892 -
\??\c:\hbbttt.exec:\hbbttt.exe56⤵
- Executes dropped EXE
PID:1324 -
\??\c:\ddjdj.exec:\ddjdj.exe57⤵
- Executes dropped EXE
PID:3540 -
\??\c:\5llxlfr.exec:\5llxlfr.exe58⤵
- Executes dropped EXE
PID:3236 -
\??\c:\1hbnbb.exec:\1hbnbb.exe59⤵
- Executes dropped EXE
PID:2544 -
\??\c:\htnbnh.exec:\htnbnh.exe60⤵
- Executes dropped EXE
PID:904 -
\??\c:\dpjpd.exec:\dpjpd.exe61⤵
- Executes dropped EXE
PID:316 -
\??\c:\1ffxrrl.exec:\1ffxrrl.exe62⤵
- Executes dropped EXE
PID:5008 -
\??\c:\3ttthh.exec:\3ttthh.exe63⤵
- Executes dropped EXE
PID:4460 -
\??\c:\jpvdp.exec:\jpvdp.exe64⤵
- Executes dropped EXE
PID:1532 -
\??\c:\rrlfrrf.exec:\rrlfrrf.exe65⤵
- Executes dropped EXE
PID:3348 -
\??\c:\1ffxxrl.exec:\1ffxxrl.exe66⤵PID:3052
-
\??\c:\nnnhtn.exec:\nnnhtn.exe67⤵PID:3408
-
\??\c:\vjjvj.exec:\vjjvj.exe68⤵PID:408
-
\??\c:\jjjjd.exec:\jjjjd.exe69⤵PID:1548
-
\??\c:\rrrrlll.exec:\rrrrlll.exe70⤵PID:4496
-
\??\c:\nbhbtn.exec:\nbhbtn.exe71⤵PID:2000
-
\??\c:\jjvpd.exec:\jjvpd.exe72⤵PID:2972
-
\??\c:\rxrlxrx.exec:\rxrlxrx.exe73⤵PID:1488
-
\??\c:\3tnntt.exec:\3tnntt.exe74⤵PID:1780
-
\??\c:\pjpjd.exec:\pjpjd.exe75⤵PID:4076
-
\??\c:\1pdjv.exec:\1pdjv.exe76⤵PID:4308
-
\??\c:\5rlxrfr.exec:\5rlxrfr.exe77⤵PID:2600
-
\??\c:\5tttnt.exec:\5tttnt.exe78⤵PID:4860
-
\??\c:\jjpvp.exec:\jjpvp.exe79⤵PID:5036
-
\??\c:\pvjdp.exec:\pvjdp.exe80⤵PID:4800
-
\??\c:\lxfxrrr.exec:\lxfxrrr.exe81⤵PID:5000
-
\??\c:\hbthbn.exec:\hbthbn.exe82⤵PID:216
-
\??\c:\dpvpd.exec:\dpvpd.exe83⤵PID:988
-
\??\c:\5lxrxrf.exec:\5lxrxrf.exe84⤵PID:1400
-
\??\c:\1rfrfxl.exec:\1rfrfxl.exe85⤵PID:1672
-
\??\c:\btttnn.exec:\btttnn.exe86⤵PID:4968
-
\??\c:\9jpjp.exec:\9jpjp.exe87⤵PID:4684
-
\??\c:\lfrlfff.exec:\lfrlfff.exe88⤵PID:1828
-
\??\c:\5nnhbb.exec:\5nnhbb.exe89⤵PID:1764
-
\??\c:\ddjvj.exec:\ddjvj.exe90⤵PID:1816
-
\??\c:\5pdvd.exec:\5pdvd.exe91⤵PID:4456
-
\??\c:\rrrffxr.exec:\rrrffxr.exe92⤵PID:1920
-
\??\c:\5tnbnt.exec:\5tnbnt.exe93⤵PID:1220
-
\??\c:\djjdv.exec:\djjdv.exe94⤵PID:2784
-
\??\c:\rfrxlxx.exec:\rfrxlxx.exe95⤵PID:1456
-
\??\c:\llffffl.exec:\llffffl.exe96⤵PID:1620
-
\??\c:\5bbnbt.exec:\5bbnbt.exe97⤵PID:552
-
\??\c:\vdpdp.exec:\vdpdp.exe98⤵PID:4592
-
\??\c:\dvvpv.exec:\dvvpv.exe99⤵PID:2332
-
\??\c:\fllxlxr.exec:\fllxlxr.exe100⤵PID:4752
-
\??\c:\3bhnbh.exec:\3bhnbh.exe101⤵PID:3580
-
\??\c:\jdjdv.exec:\jdjdv.exe102⤵PID:4716
-
\??\c:\rrxffrr.exec:\rrxffrr.exe103⤵PID:1656
-
\??\c:\fllfxrf.exec:\fllfxrf.exe104⤵PID:3692
-
\??\c:\btbnhb.exec:\btbnhb.exe105⤵PID:3176
-
\??\c:\jvpjd.exec:\jvpjd.exe106⤵PID:1716
-
\??\c:\9pjjv.exec:\9pjjv.exe107⤵PID:1264
-
\??\c:\rxxlrlf.exec:\rxxlrlf.exe108⤵PID:420
-
\??\c:\hbtnbn.exec:\hbtnbn.exe109⤵PID:1944
-
\??\c:\9nhbtt.exec:\9nhbtt.exe110⤵PID:388
-
\??\c:\ppvjd.exec:\ppvjd.exe111⤵PID:4248
-
\??\c:\fxlfflf.exec:\fxlfflf.exe112⤵PID:2956
-
\??\c:\htbthb.exec:\htbthb.exe113⤵PID:4396
-
\??\c:\3pjdv.exec:\3pjdv.exe114⤵PID:2032
-
\??\c:\vdvjv.exec:\vdvjv.exe115⤵PID:4400
-
\??\c:\fxxflrx.exec:\fxxflrx.exe116⤵PID:4332
-
\??\c:\btnnnn.exec:\btnnnn.exe117⤵PID:3840
-
\??\c:\pvdpv.exec:\pvdpv.exe118⤵PID:1536
-
\??\c:\pjjdv.exec:\pjjdv.exe119⤵PID:3584
-
\??\c:\rxfxrrx.exec:\rxfxrrx.exe120⤵PID:3288
-
\??\c:\thhbnh.exec:\thhbnh.exe121⤵PID:1172
-
\??\c:\ddjvj.exec:\ddjvj.exe122⤵PID:3136