Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe
-
Size
454KB
-
MD5
7da8d92eb3239e2873cf55d9f78f7ddf
-
SHA1
b5c1e180310c363376c267f6a43782a692b5b605
-
SHA256
9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7
-
SHA512
6e7a6290916e0cace2e773c3ae5209117ef4bacc7cf9eb12a33ef4ae895af297fbf97df131e4caa707ddc4c17eafe3e4bcbfe4f5806f1c2a6562a02172d5e19f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbet7:q7Tc2NYHUrAwfMp3CDt7
Malware Config
Signatures
-
Blackmoon family (YARA match on the in-memory image at 0x400000-0x42A000 of the sample and of every dropped child process listed below; the identical region size across all processes is consistent with each stage being a copy of the same unpacked payload)
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4744-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4268-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2192-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-485-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-711-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-891-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-1357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each stage drops a new executable with a short pseudo-random name into the root of C:\ and launches it, producing the 120+-level process chain shown under Processes; the listing is capped at 64 entries)
pid Process 2184 1ddvp.exe 2340 nhnhth.exe 888 pjjdp.exe 1300 hhtnhh.exe 3064 pjpjj.exe 1548 ppvpd.exe 1388 5tthhh.exe 1028 7lfxlll.exe 2952 nntnhh.exe 1592 rlrxfrx.exe 4456 nhhhhb.exe 1756 pvvpj.exe 4960 llrlfxr.exe 5040 bbhbtn.exe 3732 bbhbbt.exe 2016 7rxxxxr.exe 4324 3bbtnn.exe 4520 bntnht.exe 680 fxxrrxx.exe 5092 rrxrlrl.exe 448 nththb.exe 3672 rrxrlll.exe 5044 fxxrllf.exe 4976 hhhbtt.exe 4256 jdvvj.exe 3556 dpvpj.exe 1784 7vdvp.exe 4268 lxrlxfx.exe 2292 pvpdp.exe 4652 bnhthb.exe 2384 jdddv.exe 3232 lrxrllf.exe 1108 nntntt.exe 4604 nbnhnn.exe 1232 frxlfxx.exe 3272 fffrfxl.exe 3132 nbnbhb.exe 968 djjpd.exe 100 7rlxfrf.exe 4552 3hnhnn.exe 3504 nhbnth.exe 3440 7vdpv.exe 4356 rllfrlf.exe 3544 5flffxr.exe 4940 3bbnth.exe 4980 vddpd.exe 556 fffxxrr.exe 888 fffrffr.exe 5032 pdjdv.exe 3904 9jjjp.exe 4780 3ttnbh.exe 2144 7ddvj.exe 2932 fllxlfr.exe 224 lxxrllf.exe 2504 ttbnhb.exe 1028 vppdv.exe 5084 xffrxrf.exe 2664 1bhbnb.exe 1292 bnnhbb.exe 4804 jppjj.exe 4516 7lfxfxf.exe 4456 bbhhhh.exe 3124 btbbbt.exe 4172 vpjvp.exe -
resource yara_rule behavioral2/memory/4744-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-155-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4268-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-395-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3128-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-485-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-711-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-753-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location; this check is commonly used by malware to decide whether to run on a given machine. Entries attributed to "Process not Found" are accesses whose originating process had already exited before the sandbox could resolve its name.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5frfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrrxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4744 wrote to memory of 2184 4744 9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe 82 PID 4744 wrote to memory of 2184 4744 9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe 82 PID 4744 wrote to memory of 2184 4744 9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe 82 PID 2184 wrote to memory of 2340 2184 1ddvp.exe 83 PID 2184 wrote to memory of 2340 2184 1ddvp.exe 83 PID 2184 wrote to memory of 2340 2184 1ddvp.exe 83 PID 2340 wrote to memory of 888 2340 nhnhth.exe 84 PID 2340 wrote to memory of 888 2340 nhnhth.exe 84 PID 2340 wrote to memory of 888 2340 nhnhth.exe 84 PID 888 wrote to memory of 1300 888 pjjdp.exe 85 PID 888 wrote to memory of 1300 888 pjjdp.exe 85 PID 888 wrote to memory of 1300 888 pjjdp.exe 85 PID 1300 wrote to memory of 3064 1300 hhtnhh.exe 86 PID 1300 wrote to memory of 3064 1300 hhtnhh.exe 86 PID 1300 wrote to memory of 3064 1300 hhtnhh.exe 86 PID 3064 wrote to memory of 1548 3064 pjpjj.exe 87 PID 3064 wrote to memory of 1548 3064 pjpjj.exe 87 PID 3064 wrote to memory of 1548 3064 pjpjj.exe 87 PID 1548 wrote to memory of 1388 1548 ppvpd.exe 88 PID 1548 wrote to memory of 1388 1548 ppvpd.exe 88 PID 1548 wrote to memory of 1388 1548 ppvpd.exe 88 PID 1388 wrote to memory of 1028 1388 5tthhh.exe 89 PID 1388 wrote to memory of 1028 1388 5tthhh.exe 89 PID 1388 wrote to memory of 1028 1388 5tthhh.exe 89 PID 1028 wrote to memory of 2952 1028 7lfxlll.exe 90 PID 1028 wrote to memory of 2952 1028 7lfxlll.exe 90 PID 1028 wrote to memory of 2952 1028 7lfxlll.exe 90 PID 2952 wrote to memory of 1592 2952 nntnhh.exe 91 PID 2952 wrote to memory of 1592 2952 nntnhh.exe 91 PID 2952 wrote to memory of 1592 2952 nntnhh.exe 91 PID 1592 wrote to memory of 4456 1592 rlrxfrx.exe 92 PID 1592 wrote to memory of 4456 1592 rlrxfrx.exe 92 PID 1592 wrote to memory of 4456 1592 rlrxfrx.exe 92 PID 4456 wrote to memory of 1756 4456 nhhhhb.exe 93 PID 4456 wrote to memory of 1756 
4456 nhhhhb.exe 93 PID 4456 wrote to memory of 1756 4456 nhhhhb.exe 93 PID 1756 wrote to memory of 4960 1756 pvvpj.exe 94 PID 1756 wrote to memory of 4960 1756 pvvpj.exe 94 PID 1756 wrote to memory of 4960 1756 pvvpj.exe 94 PID 4960 wrote to memory of 5040 4960 llrlfxr.exe 95 PID 4960 wrote to memory of 5040 4960 llrlfxr.exe 95 PID 4960 wrote to memory of 5040 4960 llrlfxr.exe 95 PID 5040 wrote to memory of 3732 5040 bbhbtn.exe 96 PID 5040 wrote to memory of 3732 5040 bbhbtn.exe 96 PID 5040 wrote to memory of 3732 5040 bbhbtn.exe 96 PID 3732 wrote to memory of 2016 3732 bbhbbt.exe 97 PID 3732 wrote to memory of 2016 3732 bbhbbt.exe 97 PID 3732 wrote to memory of 2016 3732 bbhbbt.exe 97 PID 2016 wrote to memory of 4324 2016 7rxxxxr.exe 98 PID 2016 wrote to memory of 4324 2016 7rxxxxr.exe 98 PID 2016 wrote to memory of 4324 2016 7rxxxxr.exe 98 PID 4324 wrote to memory of 4520 4324 3bbtnn.exe 99 PID 4324 wrote to memory of 4520 4324 3bbtnn.exe 99 PID 4324 wrote to memory of 4520 4324 3bbtnn.exe 99 PID 4520 wrote to memory of 680 4520 bntnht.exe 100 PID 4520 wrote to memory of 680 4520 bntnht.exe 100 PID 4520 wrote to memory of 680 4520 bntnht.exe 100 PID 680 wrote to memory of 5092 680 fxxrrxx.exe 101 PID 680 wrote to memory of 5092 680 fxxrrxx.exe 101 PID 680 wrote to memory of 5092 680 fxxrrxx.exe 101 PID 5092 wrote to memory of 448 5092 rrxrlrl.exe 102 PID 5092 wrote to memory of 448 5092 rrxrlrl.exe 102 PID 5092 wrote to memory of 448 5092 rrxrlrl.exe 102 PID 448 wrote to memory of 3672 448 nththb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe"C:\Users\Admin\AppData\Local\Temp\9f810998df6102e7d45fbac65130610cded309b6566c82dbff3508e8268c33f7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\1ddvp.exec:\1ddvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\nhnhth.exec:\nhnhth.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\pjjdp.exec:\pjjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
\??\c:\hhtnhh.exec:\hhtnhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
\??\c:\pjpjj.exec:\pjpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\ppvpd.exec:\ppvpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\5tthhh.exec:\5tthhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\7lfxlll.exec:\7lfxlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\nntnhh.exec:\nntnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\rlrxfrx.exec:\rlrxfrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\nhhhhb.exec:\nhhhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\pvvpj.exec:\pvvpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\llrlfxr.exec:\llrlfxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\bbhbtn.exec:\bbhbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\bbhbbt.exec:\bbhbbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\7rxxxxr.exec:\7rxxxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\3bbtnn.exec:\3bbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\bntnht.exec:\bntnht.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\fxxrrxx.exec:\fxxrrxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\rrxrlrl.exec:\rrxrlrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\nththb.exec:\nththb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\rrxrlll.exec:\rrxrlll.exe23⤵
- Executes dropped EXE
PID:3672 -
\??\c:\fxxrllf.exec:\fxxrllf.exe24⤵
- Executes dropped EXE
PID:5044 -
\??\c:\hhhbtt.exec:\hhhbtt.exe25⤵
- Executes dropped EXE
PID:4976 -
\??\c:\jdvvj.exec:\jdvvj.exe26⤵
- Executes dropped EXE
PID:4256 -
\??\c:\dpvpj.exec:\dpvpj.exe27⤵
- Executes dropped EXE
PID:3556 -
\??\c:\7vdvp.exec:\7vdvp.exe28⤵
- Executes dropped EXE
PID:1784 -
\??\c:\lxrlxfx.exec:\lxrlxfx.exe29⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pvpdp.exec:\pvpdp.exe30⤵
- Executes dropped EXE
PID:2292 -
\??\c:\bnhthb.exec:\bnhthb.exe31⤵
- Executes dropped EXE
PID:4652 -
\??\c:\jdddv.exec:\jdddv.exe32⤵
- Executes dropped EXE
PID:2384 -
\??\c:\lrxrllf.exec:\lrxrllf.exe33⤵
- Executes dropped EXE
PID:3232 -
\??\c:\nntntt.exec:\nntntt.exe34⤵
- Executes dropped EXE
PID:1108 -
\??\c:\nbnhnn.exec:\nbnhnn.exe35⤵
- Executes dropped EXE
PID:4604 -
\??\c:\frxlfxx.exec:\frxlfxx.exe36⤵
- Executes dropped EXE
PID:1232 -
\??\c:\fffrfxl.exec:\fffrfxl.exe37⤵
- Executes dropped EXE
PID:3272 -
\??\c:\nbnbhb.exec:\nbnbhb.exe38⤵
- Executes dropped EXE
PID:3132 -
\??\c:\djjpd.exec:\djjpd.exe39⤵
- Executes dropped EXE
PID:968 -
\??\c:\7rlxfrf.exec:\7rlxfrf.exe40⤵
- Executes dropped EXE
PID:100 -
\??\c:\3hnhnn.exec:\3hnhnn.exe41⤵
- Executes dropped EXE
PID:4552 -
\??\c:\nhbnth.exec:\nhbnth.exe42⤵
- Executes dropped EXE
PID:3504 -
\??\c:\7vdpv.exec:\7vdpv.exe43⤵
- Executes dropped EXE
PID:3440 -
\??\c:\rllfrlf.exec:\rllfrlf.exe44⤵
- Executes dropped EXE
PID:4356 -
\??\c:\5flffxr.exec:\5flffxr.exe45⤵
- Executes dropped EXE
PID:3544 -
\??\c:\3bbnth.exec:\3bbnth.exe46⤵
- Executes dropped EXE
PID:4940 -
\??\c:\vddpd.exec:\vddpd.exe47⤵
- Executes dropped EXE
PID:4980 -
\??\c:\fffxxrr.exec:\fffxxrr.exe48⤵
- Executes dropped EXE
PID:556 -
\??\c:\fffrffr.exec:\fffrffr.exe49⤵
- Executes dropped EXE
PID:888 -
\??\c:\pdjdv.exec:\pdjdv.exe50⤵
- Executes dropped EXE
PID:5032 -
\??\c:\9jjjp.exec:\9jjjp.exe51⤵
- Executes dropped EXE
PID:3904 -
\??\c:\3ttnbh.exec:\3ttnbh.exe52⤵
- Executes dropped EXE
PID:4780 -
\??\c:\7ddvj.exec:\7ddvj.exe53⤵
- Executes dropped EXE
PID:2144 -
\??\c:\fllxlfr.exec:\fllxlfr.exe54⤵
- Executes dropped EXE
PID:2932 -
\??\c:\lxxrllf.exec:\lxxrllf.exe55⤵
- Executes dropped EXE
PID:224 -
\??\c:\ttbnhb.exec:\ttbnhb.exe56⤵
- Executes dropped EXE
PID:2504 -
\??\c:\vppdv.exec:\vppdv.exe57⤵
- Executes dropped EXE
PID:1028 -
\??\c:\xffrxrf.exec:\xffrxrf.exe58⤵
- Executes dropped EXE
PID:5084 -
\??\c:\1bhbnb.exec:\1bhbnb.exe59⤵
- Executes dropped EXE
PID:2664 -
\??\c:\bnnhbb.exec:\bnnhbb.exe60⤵
- Executes dropped EXE
PID:1292 -
\??\c:\jppjj.exec:\jppjj.exe61⤵
- Executes dropped EXE
PID:4804 -
\??\c:\7lfxfxf.exec:\7lfxfxf.exe62⤵
- Executes dropped EXE
PID:4516 -
\??\c:\bbhhhh.exec:\bbhhhh.exe63⤵
- Executes dropped EXE
PID:4456 -
\??\c:\btbbbt.exec:\btbbbt.exe64⤵
- Executes dropped EXE
PID:3124 -
\??\c:\vpjvp.exec:\vpjvp.exe65⤵
- Executes dropped EXE
PID:4172 -
\??\c:\fxrflfx.exec:\fxrflfx.exe66⤵PID:2056
-
\??\c:\hhnhhh.exec:\hhnhhh.exe67⤵PID:3536
-
\??\c:\9jddd.exec:\9jddd.exe68⤵PID:2360
-
\??\c:\lflxfxf.exec:\lflxfxf.exe69⤵PID:3400
-
\??\c:\httnhh.exec:\httnhh.exe70⤵PID:660
-
\??\c:\pppvv.exec:\pppvv.exe71⤵PID:1340
-
\??\c:\pjdpv.exec:\pjdpv.exe72⤵PID:2372
-
\??\c:\rlxfrrr.exec:\rlxfrrr.exe73⤵PID:1892
-
\??\c:\rllfxxr.exec:\rllfxxr.exe74⤵PID:3680
-
\??\c:\btbtnt.exec:\btbtnt.exe75⤵PID:4324
-
\??\c:\1jjdv.exec:\1jjdv.exe76⤵PID:4080
-
\??\c:\1lxrfxr.exec:\1lxrfxr.exe77⤵PID:4284
-
\??\c:\lfllfxx.exec:\lfllfxx.exe78⤵PID:920
-
\??\c:\5bnbnh.exec:\5bnbnh.exe79⤵PID:5092
-
\??\c:\1ppjd.exec:\1ppjd.exe80⤵PID:4140
-
\??\c:\pjpdd.exec:\pjpdd.exe81⤵PID:3396
-
\??\c:\rrxlxrl.exec:\rrxlxrl.exe82⤵PID:3696
-
\??\c:\hbbtbb.exec:\hbbtbb.exe83⤵PID:2256
-
\??\c:\1vvjv.exec:\1vvjv.exe84⤵PID:440
-
\??\c:\vvpvj.exec:\vvpvj.exe85⤵PID:5052
-
\??\c:\lflfrrr.exec:\lflfrrr.exe86⤵PID:2344
-
\??\c:\bbhbtt.exec:\bbhbtt.exe87⤵PID:3468
-
\??\c:\9pvpj.exec:\9pvpj.exe88⤵PID:2936
-
\??\c:\ppvpp.exec:\ppvpp.exe89⤵PID:4708
-
\??\c:\1xxrffr.exec:\1xxrffr.exe90⤵PID:3100
-
\??\c:\bhnbnh.exec:\bhnbnh.exe91⤵PID:3540
-
\??\c:\dvdvp.exec:\dvdvp.exe92⤵PID:4484
-
\??\c:\pvjdp.exec:\pvjdp.exe93⤵PID:2192
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe94⤵PID:4752
-
\??\c:\bhnbnh.exec:\bhnbnh.exe95⤵PID:228
-
\??\c:\vjvvj.exec:\vjvvj.exe96⤵PID:3128
-
\??\c:\vvvpd.exec:\vvvpd.exe97⤵PID:1476
-
\??\c:\lxxrxxr.exec:\lxxrxxr.exe98⤵PID:2984
-
\??\c:\3bbttt.exec:\3bbttt.exe99⤵PID:3200
-
\??\c:\7ppdv.exec:\7ppdv.exe100⤵PID:3176
-
\??\c:\7xfxrrr.exec:\7xfxrrr.exe101⤵PID:4408
-
\??\c:\1rllflf.exec:\1rllflf.exe102⤵PID:3548
-
\??\c:\bntnnh.exec:\bntnnh.exe103⤵PID:372
-
\??\c:\5hbnbt.exec:\5hbnbt.exe104⤵PID:2804
-
\??\c:\jddvp.exec:\jddvp.exe105⤵PID:1048
-
\??\c:\lflrrfl.exec:\lflrrfl.exe106⤵PID:4496
-
\??\c:\hthbbb.exec:\hthbbb.exe107⤵PID:4368
-
\??\c:\pppjv.exec:\pppjv.exe108⤵PID:3976
-
\??\c:\1djjj.exec:\1djjj.exe109⤵PID:1320
-
\??\c:\5fllxxx.exec:\5fllxxx.exe110⤵PID:3248
-
\??\c:\1ffxrrl.exec:\1ffxrrl.exe111⤵PID:2756
-
\??\c:\3tnbtn.exec:\3tnbtn.exe112⤵PID:4272
-
\??\c:\5jjdp.exec:\5jjdp.exe113⤵PID:4132
-
\??\c:\llrlxrl.exec:\llrlxrl.exe114⤵PID:4044
-
\??\c:\nhnhbn.exec:\nhnhbn.exe115⤵PID:4816
-
\??\c:\3thbnt.exec:\3thbnt.exe116⤵PID:3388
-
\??\c:\jvjjv.exec:\jvjjv.exe117⤵PID:4200
-
\??\c:\jvjdj.exec:\jvjdj.exe118⤵PID:1460
-
\??\c:\llrfrfr.exec:\llrfrfr.exe119⤵PID:2616
-
\??\c:\httnhh.exec:\httnhh.exe120⤵PID:4888
-
\??\c:\nhhbhn.exec:\nhhbhn.exe121⤵PID:4800
-
\??\c:\dvvpv.exec:\dvvpv.exe122⤵PID:2196