Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 08:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe
-
Size
456KB
-
MD5
879edf229a3ad8d1bd495ee5144949c4
-
SHA1
c016fedda18e1a7bd17e50beecb3e16447901e72
-
SHA256
858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397
-
SHA512
b46534caf4c14742000ecef02f7a14f574a060d3a2cbaa4455df966080a51450c684322814de035afa7d1a7af8d231e56efc9bd0d055cada9e511ffc6276497d
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRM:q7Tc2NYHUrAwfMp3CDRM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4748-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3000-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/920-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-1094-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1728 tbhttn.exe 2960 ddddv.exe 3236 pdpjj.exe 5044 9tbtnh.exe 1524 fxxrrrl.exe 2304 djddp.exe 1296 hthhbb.exe 2064 fxfxflr.exe 3456 jpppj.exe 4652 bnnhhb.exe 3928 ppjvj.exe 3864 5xffxfx.exe 920 jjvvd.exe 1920 tttnhh.exe 5116 vvjjv.exe 4816 vppjd.exe 4476 fxxrllf.exe 4640 rflfxxr.exe 1448 xrxrrlf.exe 4916 rfrllll.exe 3192 dpddv.exe 924 hthnnb.exe 4016 3xfrxxr.exe 1340 bbbtbb.exe 1780 pdjdd.exe 1536 ddvpp.exe 3000 hhtnnt.exe 3068 rrrlxxf.exe 2972 dpdvj.exe 3516 vpdpv.exe 5100 tnhbtt.exe 2396 rlxlffx.exe 544 9nhbtn.exe 3064 3pvpj.exe 1672 tntnnn.exe 3972 jpvvp.exe 1848 xxfrfrx.exe 1948 xxrrrrr.exe 4568 btbbhh.exe 2360 jpjjd.exe 3768 lxfrffx.exe 1052 bttnhh.exe 3136 5djdv.exe 1960 vjdvv.exe 2148 1rxlfxf.exe 1180 hbhbhh.exe 3808 hnbtnh.exe 4884 7jpdv.exe 4344 lrxrrrl.exe 1952 bnnhbn.exe 3680 dvdvv.exe 4932 ppjjd.exe 3248 fxfrllf.exe 2324 thnnnh.exe 3804 vdddd.exe 5044 xxlfffl.exe 1868 tbbtnn.exe 4968 7jpjd.exe 4876 llxrrlf.exe 3604 bnttnn.exe 4796 pvddd.exe 2244 lrrrlfx.exe 3928 3hhhhn.exe 1316 9djvp.exe -
resource yara_rule behavioral2/memory/4748-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3000-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-339-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2708-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-624-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4748 wrote to memory of 1728 4748 858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe 83 PID 4748 wrote to memory of 1728 4748 858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe 83 PID 4748 wrote to memory of 1728 4748 858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe 83 PID 1728 wrote to memory of 2960 1728 tbhttn.exe 84 PID 1728 wrote to memory of 2960 1728 tbhttn.exe 84 PID 1728 wrote to memory of 2960 1728 tbhttn.exe 84 PID 2960 wrote to memory of 3236 2960 ddddv.exe 85 PID 2960 wrote to memory of 3236 2960 ddddv.exe 85 PID 2960 wrote to memory of 3236 2960 ddddv.exe 85 PID 3236 wrote to memory of 5044 3236 pdpjj.exe 86 PID 3236 wrote to memory of 5044 3236 pdpjj.exe 86 PID 3236 wrote to memory of 5044 3236 pdpjj.exe 86 PID 5044 wrote to memory of 1524 5044 9tbtnh.exe 87 PID 5044 wrote to memory of 1524 5044 9tbtnh.exe 87 PID 5044 wrote to memory of 1524 5044 9tbtnh.exe 87 PID 1524 wrote to memory of 2304 1524 fxxrrrl.exe 88 PID 1524 wrote to memory of 2304 1524 fxxrrrl.exe 88 PID 1524 wrote to memory of 2304 1524 fxxrrrl.exe 88 PID 2304 wrote to memory of 1296 2304 djddp.exe 89 PID 2304 wrote to memory of 1296 2304 djddp.exe 89 PID 2304 wrote to memory of 1296 2304 djddp.exe 89 PID 1296 wrote to memory of 2064 1296 hthhbb.exe 90 PID 1296 wrote to memory of 2064 1296 hthhbb.exe 90 PID 1296 wrote to memory of 2064 1296 hthhbb.exe 90 PID 2064 wrote to memory of 3456 2064 fxfxflr.exe 91 PID 2064 wrote to memory of 3456 2064 fxfxflr.exe 91 PID 2064 wrote to memory of 3456 2064 fxfxflr.exe 91 PID 3456 wrote to memory of 4652 3456 jpppj.exe 92 PID 3456 wrote to memory of 4652 3456 jpppj.exe 92 PID 3456 wrote to memory of 4652 3456 jpppj.exe 92 PID 4652 wrote to memory of 3928 4652 bnnhhb.exe 93 PID 4652 wrote to memory of 3928 4652 bnnhhb.exe 93 PID 4652 wrote to memory of 3928 4652 bnnhhb.exe 93 PID 3928 wrote to memory of 3864 3928 ppjvj.exe 94 PID 3928 wrote to memory 
of 3864 3928 ppjvj.exe 94 PID 3928 wrote to memory of 3864 3928 ppjvj.exe 94 PID 3864 wrote to memory of 920 3864 5xffxfx.exe 95 PID 3864 wrote to memory of 920 3864 5xffxfx.exe 95 PID 3864 wrote to memory of 920 3864 5xffxfx.exe 95 PID 920 wrote to memory of 1920 920 jjvvd.exe 96 PID 920 wrote to memory of 1920 920 jjvvd.exe 96 PID 920 wrote to memory of 1920 920 jjvvd.exe 96 PID 1920 wrote to memory of 5116 1920 tttnhh.exe 97 PID 1920 wrote to memory of 5116 1920 tttnhh.exe 97 PID 1920 wrote to memory of 5116 1920 tttnhh.exe 97 PID 5116 wrote to memory of 4816 5116 vvjjv.exe 98 PID 5116 wrote to memory of 4816 5116 vvjjv.exe 98 PID 5116 wrote to memory of 4816 5116 vvjjv.exe 98 PID 4816 wrote to memory of 4476 4816 vppjd.exe 99 PID 4816 wrote to memory of 4476 4816 vppjd.exe 99 PID 4816 wrote to memory of 4476 4816 vppjd.exe 99 PID 4476 wrote to memory of 4640 4476 fxxrllf.exe 100 PID 4476 wrote to memory of 4640 4476 fxxrllf.exe 100 PID 4476 wrote to memory of 4640 4476 fxxrllf.exe 100 PID 4640 wrote to memory of 1448 4640 rflfxxr.exe 101 PID 4640 wrote to memory of 1448 4640 rflfxxr.exe 101 PID 4640 wrote to memory of 1448 4640 rflfxxr.exe 101 PID 1448 wrote to memory of 4916 1448 xrxrrlf.exe 102 PID 1448 wrote to memory of 4916 1448 xrxrrlf.exe 102 PID 1448 wrote to memory of 4916 1448 xrxrrlf.exe 102 PID 4916 wrote to memory of 3192 4916 rfrllll.exe 103 PID 4916 wrote to memory of 3192 4916 rfrllll.exe 103 PID 4916 wrote to memory of 3192 4916 rfrllll.exe 103 PID 3192 wrote to memory of 924 3192 dpddv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe"C:\Users\Admin\AppData\Local\Temp\858522ade56ef8346756e95f4ffc9ce5db17b6f4b7070cf92abc1d1854b78397.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\tbhttn.exec:\tbhttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\ddddv.exec:\ddddv.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\pdpjj.exec:\pdpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\9tbtnh.exec:\9tbtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\djddp.exec:\djddp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\hthhbb.exec:\hthhbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\fxfxflr.exec:\fxfxflr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\jpppj.exec:\jpppj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\bnnhhb.exec:\bnnhhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\ppjvj.exec:\ppjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\5xffxfx.exec:\5xffxfx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\jjvvd.exec:\jjvvd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\tttnhh.exec:\tttnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\vvjjv.exec:\vvjjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\vppjd.exec:\vppjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\fxxrllf.exec:\fxxrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\rflfxxr.exec:\rflfxxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\xrxrrlf.exec:\xrxrrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\rfrllll.exec:\rfrllll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\dpddv.exec:\dpddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\hthnnb.exec:\hthnnb.exe23⤵
- Executes dropped EXE
PID:924 -
\??\c:\3xfrxxr.exec:\3xfrxxr.exe24⤵
- Executes dropped EXE
PID:4016 -
\??\c:\bbbtbb.exec:\bbbtbb.exe25⤵
- Executes dropped EXE
PID:1340 -
\??\c:\pdjdd.exec:\pdjdd.exe26⤵
- Executes dropped EXE
PID:1780 -
\??\c:\ddvpp.exec:\ddvpp.exe27⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hhtnnt.exec:\hhtnnt.exe28⤵
- Executes dropped EXE
PID:3000 -
\??\c:\rrrlxxf.exec:\rrrlxxf.exe29⤵
- Executes dropped EXE
PID:3068 -
\??\c:\dpdvj.exec:\dpdvj.exe30⤵
- Executes dropped EXE
PID:2972 -
\??\c:\vpdpv.exec:\vpdpv.exe31⤵
- Executes dropped EXE
PID:3516 -
\??\c:\tnhbtt.exec:\tnhbtt.exe32⤵
- Executes dropped EXE
PID:5100 -
\??\c:\rlxlffx.exec:\rlxlffx.exe33⤵
- Executes dropped EXE
PID:2396 -
\??\c:\9nhbtn.exec:\9nhbtn.exe34⤵
- Executes dropped EXE
PID:544 -
\??\c:\3pvpj.exec:\3pvpj.exe35⤵
- Executes dropped EXE
PID:3064 -
\??\c:\tntnnn.exec:\tntnnn.exe36⤵
- Executes dropped EXE
PID:1672 -
\??\c:\jpvvp.exec:\jpvvp.exe37⤵
- Executes dropped EXE
PID:3972 -
\??\c:\xxfrfrx.exec:\xxfrfrx.exe38⤵
- Executes dropped EXE
PID:1848 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe39⤵
- Executes dropped EXE
PID:1948 -
\??\c:\btbbhh.exec:\btbbhh.exe40⤵
- Executes dropped EXE
PID:4568 -
\??\c:\jpjjd.exec:\jpjjd.exe41⤵
- Executes dropped EXE
PID:2360 -
\??\c:\lxfrffx.exec:\lxfrffx.exe42⤵
- Executes dropped EXE
PID:3768 -
\??\c:\bttnhh.exec:\bttnhh.exe43⤵
- Executes dropped EXE
PID:1052 -
\??\c:\5djdv.exec:\5djdv.exe44⤵
- Executes dropped EXE
PID:3136 -
\??\c:\vjdvv.exec:\vjdvv.exe45⤵
- Executes dropped EXE
PID:1960 -
\??\c:\1rxlfxf.exec:\1rxlfxf.exe46⤵
- Executes dropped EXE
PID:2148 -
\??\c:\hbhbhh.exec:\hbhbhh.exe47⤵
- Executes dropped EXE
PID:1180 -
\??\c:\hnbtnh.exec:\hnbtnh.exe48⤵
- Executes dropped EXE
PID:3808 -
\??\c:\7jpdv.exec:\7jpdv.exe49⤵
- Executes dropped EXE
PID:4884 -
\??\c:\lrxrrrl.exec:\lrxrrrl.exe50⤵
- Executes dropped EXE
PID:4344 -
\??\c:\bnnhbn.exec:\bnnhbn.exe51⤵
- Executes dropped EXE
PID:1952 -
\??\c:\dvdvv.exec:\dvdvv.exe52⤵
- Executes dropped EXE
PID:3680 -
\??\c:\ppjjd.exec:\ppjjd.exe53⤵
- Executes dropped EXE
PID:4932 -
\??\c:\fxfrllf.exec:\fxfrllf.exe54⤵
- Executes dropped EXE
PID:3248 -
\??\c:\thnnnh.exec:\thnnnh.exe55⤵
- Executes dropped EXE
PID:2324 -
\??\c:\vdddd.exec:\vdddd.exe56⤵
- Executes dropped EXE
PID:3804 -
\??\c:\xxlfffl.exec:\xxlfffl.exe57⤵
- Executes dropped EXE
PID:5044 -
\??\c:\tbbtnn.exec:\tbbtnn.exe58⤵
- Executes dropped EXE
PID:1868 -
\??\c:\7jpjd.exec:\7jpjd.exe59⤵
- Executes dropped EXE
PID:4968 -
\??\c:\llxrrlf.exec:\llxrrlf.exe60⤵
- Executes dropped EXE
PID:4876 -
\??\c:\bnttnn.exec:\bnttnn.exe61⤵
- Executes dropped EXE
PID:3604 -
\??\c:\pvddd.exec:\pvddd.exe62⤵
- Executes dropped EXE
PID:4796 -
\??\c:\lrrrlfx.exec:\lrrrlfx.exe63⤵
- Executes dropped EXE
PID:2244 -
\??\c:\3hhhhn.exec:\3hhhhn.exe64⤵
- Executes dropped EXE
PID:3928 -
\??\c:\9djvp.exec:\9djvp.exe65⤵
- Executes dropped EXE
PID:1316 -
\??\c:\9frllfl.exec:\9frllfl.exe66⤵PID:768
-
\??\c:\hhnhbb.exec:\hhnhbb.exe67⤵PID:2632
-
\??\c:\3ppjp.exec:\3ppjp.exe68⤵
- System Location Discovery: System Language Discovery
PID:920 -
\??\c:\5dppj.exec:\5dppj.exe69⤵PID:3296
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe70⤵PID:2112
-
\??\c:\bbhbbb.exec:\bbhbbb.exe71⤵PID:4700
-
\??\c:\3vdvd.exec:\3vdvd.exe72⤵PID:5116
-
\??\c:\dvdvp.exec:\dvdvp.exe73⤵PID:2268
-
\??\c:\xrfxffl.exec:\xrfxffl.exe74⤵PID:2620
-
\??\c:\7hhbtn.exec:\7hhbtn.exe75⤵PID:3552
-
\??\c:\dvpjd.exec:\dvpjd.exe76⤵PID:4428
-
\??\c:\jppjv.exec:\jppjv.exe77⤵PID:1444
-
\??\c:\rfrlflf.exec:\rfrlflf.exe78⤵PID:1448
-
\??\c:\9nnhbb.exec:\9nnhbb.exe79⤵PID:2708
-
\??\c:\pjppp.exec:\pjppp.exe80⤵PID:1368
-
\??\c:\xlxrxrx.exec:\xlxrxrx.exe81⤵PID:3496
-
\??\c:\rlxrxxr.exec:\rlxrxxr.exe82⤵PID:4292
-
\??\c:\bbhnbh.exec:\bbhnbh.exe83⤵PID:460
-
\??\c:\7jdvv.exec:\7jdvv.exe84⤵PID:1284
-
\??\c:\vpvpv.exec:\vpvpv.exe85⤵PID:224
-
\??\c:\frrfrlf.exec:\frrfrlf.exe86⤵PID:228
-
\??\c:\bbtnhh.exec:\bbtnhh.exe87⤵PID:4348
-
\??\c:\hhnbtt.exec:\hhnbtt.exe88⤵PID:1860
-
\??\c:\jddpv.exec:\jddpv.exe89⤵PID:1116
-
\??\c:\ffrffff.exec:\ffrffff.exe90⤵PID:4296
-
\??\c:\9frxrrl.exec:\9frxrrl.exe91⤵PID:1204
-
\??\c:\btnhtt.exec:\btnhtt.exe92⤵PID:3516
-
\??\c:\vjjdv.exec:\vjjdv.exe93⤵PID:4780
-
\??\c:\rxfrrlf.exec:\rxfrrlf.exe94⤵PID:4028
-
\??\c:\9nthtt.exec:\9nthtt.exe95⤵PID:3448
-
\??\c:\thhnhh.exec:\thhnhh.exe96⤵PID:3508
-
\??\c:\dvpjp.exec:\dvpjp.exe97⤵PID:1404
-
\??\c:\fxlfrrx.exec:\fxlfrrx.exe98⤵PID:1796
-
\??\c:\hhbtnn.exec:\hhbtnn.exe99⤵PID:3972
-
\??\c:\nnnhbt.exec:\nnnhbt.exe100⤵PID:3720
-
\??\c:\ddjdd.exec:\ddjdd.exe101⤵PID:4864
-
\??\c:\hbtnhh.exec:\hbtnhh.exe102⤵PID:2020
-
\??\c:\thbbtb.exec:\thbbtb.exe103⤵PID:2032
-
\??\c:\vvdpd.exec:\vvdpd.exe104⤵PID:3620
-
\??\c:\ffrrffl.exec:\ffrrffl.exe105⤵PID:1052
-
\??\c:\thnnhn.exec:\thnnhn.exe106⤵
- System Location Discovery: System Language Discovery
PID:1644 -
\??\c:\pjpvp.exec:\pjpvp.exe107⤵PID:1180
-
\??\c:\5rxrlll.exec:\5rxrlll.exe108⤵PID:2508
-
\??\c:\lxllfff.exec:\lxllfff.exe109⤵PID:4784
-
\??\c:\hhthtt.exec:\hhthtt.exe110⤵PID:4340
-
\??\c:\vjpjj.exec:\vjpjj.exe111⤵PID:964
-
\??\c:\fxffxxx.exec:\fxffxxx.exe112⤵PID:3652
-
\??\c:\ttttnn.exec:\ttttnn.exe113⤵
- System Location Discovery: System Language Discovery
PID:3680 -
\??\c:\5jvvd.exec:\5jvvd.exe114⤵PID:5096
-
\??\c:\7lxxxfx.exec:\7lxxxfx.exe115⤵PID:4756
-
\??\c:\tnnnnn.exec:\tnnnnn.exe116⤵PID:3128
-
\??\c:\jdjdd.exec:\jdjdd.exe117⤵PID:552
-
\??\c:\dvjdp.exec:\dvjdp.exe118⤵PID:4776
-
\??\c:\fxfxrfr.exec:\fxfxrfr.exe119⤵PID:3540
-
\??\c:\hhnthn.exec:\hhnthn.exe120⤵PID:1868
-
\??\c:\dvdvp.exec:\dvdvp.exe121⤵PID:3352
-
\??\c:\ppvpj.exec:\ppvpj.exe122⤵PID:4956