Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 22:32
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe
-
Size
455KB
-
MD5
e0d00ed264faec5d76d903c971c763e0
-
SHA1
ad09bd392b05e1e7363977bb402f5fb82ff0e1b7
-
SHA256
bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2
-
SHA512
92da5a8971317a490735ef7fbce0ff19a513c585adb5f279e4e015d39fef09cadd399e67311eb4b03c8ea9644b3332db6363b262714ad2b1a9e3bdd6cc3f0a81
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeQ:q7Tc2NYHUrAwfMp3CDQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2888-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2220-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1576-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/364-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4656-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-565-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-1748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4812 thnbbt.exe 1404 3pjdv.exe 4140 xxffxlf.exe 2416 nnhtnh.exe 1400 fflrfrf.exe 3824 hhhnth.exe 4200 xrrfxrl.exe 364 jddpp.exe 1508 frrlfxr.exe 2208 rxfxlfr.exe 1500 1hhthh.exe 2752 tttnbt.exe 436 3lfxllf.exe 2636 thbthb.exe 1320 5lfrffr.exe 2952 bnbthb.exe 4928 lxrfxrf.exe 3932 frxrlff.exe 3444 hnbttt.exe 3428 bhhthh.exe 3660 vjppv.exe 3484 lrxxrfx.exe 2268 fxxxrxl.exe 4760 nhnnnh.exe 2220 vjdpp.exe 1576 rllxrlf.exe 2304 rlxrrlr.exe 4684 bnbthb.exe 3136 ddjdv.exe 2988 fxfrllf.exe 2588 5tnhbb.exe 3384 1vvpd.exe 4936 lfrllfl.exe 3496 xxfrfrf.exe 868 jvddv.exe 2840 rxrlxrf.exe 1768 thnhnh.exe 2272 vvjdj.exe 1640 3fxlxrf.exe 4516 hnhbtb.exe 3168 pdpjj.exe 2432 rffrrlf.exe 3132 thnhhb.exe 2492 dppdp.exe 2812 xrrlfxl.exe 4540 thbnbt.exe 2456 5vppd.exe 1484 rfxrlff.exe 4468 rflxrlf.exe 1448 tbhbtt.exe 5040 pjdpj.exe 3816 xllflfx.exe 4448 tnhbtn.exe 220 5ddvj.exe 1224 lxfrrll.exe 1400 llrllll.exe 1372 jjppj.exe 2320 vvvdv.exe 3292 rrxrlfx.exe 364 nhnbhb.exe 2192 djppd.exe 3004 vpjdj.exe 2016 lrxlrlf.exe 4500 tnnbtn.exe -
resource yara_rule behavioral2/memory/2888-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-165-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2304-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2812-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/364-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4856-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-565-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-627-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-691-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that most of the registry reads listed below could not be attributed to a specific process ("Process not Found"), so treat this signature as a low-confidence indicator on its own.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rflrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 4812 2888 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 82 PID 2888 wrote to memory of 4812 2888 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 82 PID 2888 wrote to memory of 4812 2888 bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe 82 PID 4812 wrote to memory of 1404 4812 thnbbt.exe 83 PID 4812 wrote to memory of 1404 4812 thnbbt.exe 83 PID 4812 wrote to memory of 1404 4812 thnbbt.exe 83 PID 1404 wrote to memory of 4140 1404 3pjdv.exe 84 PID 1404 wrote to memory of 4140 1404 3pjdv.exe 84 PID 1404 wrote to memory of 4140 1404 3pjdv.exe 84 PID 4140 wrote to memory of 2416 4140 xxffxlf.exe 85 PID 4140 wrote to memory of 2416 4140 xxffxlf.exe 85 PID 4140 wrote to memory of 2416 4140 xxffxlf.exe 85 PID 2416 wrote to memory of 1400 2416 nnhtnh.exe 86 PID 2416 wrote to memory of 1400 2416 nnhtnh.exe 86 PID 2416 wrote to memory of 1400 2416 nnhtnh.exe 86 PID 1400 wrote to memory of 3824 1400 fflrfrf.exe 87 PID 1400 wrote to memory of 3824 1400 fflrfrf.exe 87 PID 1400 wrote to memory of 3824 1400 fflrfrf.exe 87 PID 3824 wrote to memory of 4200 3824 hhhnth.exe 88 PID 3824 wrote to memory of 4200 3824 hhhnth.exe 88 PID 3824 wrote to memory of 4200 3824 hhhnth.exe 88 PID 4200 wrote to memory of 364 4200 xrrfxrl.exe 89 PID 4200 wrote to memory of 364 4200 xrrfxrl.exe 89 PID 4200 wrote to memory of 364 4200 xrrfxrl.exe 89 PID 364 wrote to memory of 1508 364 jddpp.exe 90 PID 364 wrote to memory of 1508 364 jddpp.exe 90 PID 364 wrote to memory of 1508 364 jddpp.exe 90 PID 1508 wrote to memory of 2208 1508 frrlfxr.exe 91 PID 1508 wrote to memory of 2208 1508 frrlfxr.exe 91 PID 1508 wrote to memory of 2208 1508 frrlfxr.exe 91 PID 2208 wrote to memory of 1500 2208 rxfxlfr.exe 92 PID 2208 wrote to memory of 1500 2208 rxfxlfr.exe 92 PID 2208 wrote to memory of 1500 2208 rxfxlfr.exe 92 PID 1500 wrote to memory of 2752 1500 1hhthh.exe 93 PID 1500 wrote to 
memory of 2752 1500 1hhthh.exe 93 PID 1500 wrote to memory of 2752 1500 1hhthh.exe 93 PID 2752 wrote to memory of 436 2752 tttnbt.exe 94 PID 2752 wrote to memory of 436 2752 tttnbt.exe 94 PID 2752 wrote to memory of 436 2752 tttnbt.exe 94 PID 436 wrote to memory of 2636 436 3lfxllf.exe 95 PID 436 wrote to memory of 2636 436 3lfxllf.exe 95 PID 436 wrote to memory of 2636 436 3lfxllf.exe 95 PID 2636 wrote to memory of 1320 2636 thbthb.exe 96 PID 2636 wrote to memory of 1320 2636 thbthb.exe 96 PID 2636 wrote to memory of 1320 2636 thbthb.exe 96 PID 1320 wrote to memory of 2952 1320 5lfrffr.exe 97 PID 1320 wrote to memory of 2952 1320 5lfrffr.exe 97 PID 1320 wrote to memory of 2952 1320 5lfrffr.exe 97 PID 2952 wrote to memory of 4928 2952 bnbthb.exe 98 PID 2952 wrote to memory of 4928 2952 bnbthb.exe 98 PID 2952 wrote to memory of 4928 2952 bnbthb.exe 98 PID 4928 wrote to memory of 3932 4928 lxrfxrf.exe 99 PID 4928 wrote to memory of 3932 4928 lxrfxrf.exe 99 PID 4928 wrote to memory of 3932 4928 lxrfxrf.exe 99 PID 3932 wrote to memory of 3444 3932 frxrlff.exe 100 PID 3932 wrote to memory of 3444 3932 frxrlff.exe 100 PID 3932 wrote to memory of 3444 3932 frxrlff.exe 100 PID 3444 wrote to memory of 3428 3444 hnbttt.exe 101 PID 3444 wrote to memory of 3428 3444 hnbttt.exe 101 PID 3444 wrote to memory of 3428 3444 hnbttt.exe 101 PID 3428 wrote to memory of 3660 3428 bhhthh.exe 102 PID 3428 wrote to memory of 3660 3428 bhhthh.exe 102 PID 3428 wrote to memory of 3660 3428 bhhthh.exe 102 PID 3660 wrote to memory of 3484 3660 vjppv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe"C:\Users\Admin\AppData\Local\Temp\bc410a0881a2573adb750f0b11c677097b3945666e78084eec82b9489dd7efc2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\thnbbt.exec:\thnbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\3pjdv.exec:\3pjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\xxffxlf.exec:\xxffxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\nnhtnh.exec:\nnhtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\fflrfrf.exec:\fflrfrf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\hhhnth.exec:\hhhnth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\xrrfxrl.exec:\xrrfxrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
\??\c:\jddpp.exec:\jddpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:364 -
\??\c:\frrlfxr.exec:\frrlfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\rxfxlfr.exec:\rxfxlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\1hhthh.exec:\1hhthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\tttnbt.exec:\tttnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\3lfxllf.exec:\3lfxllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\thbthb.exec:\thbthb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\5lfrffr.exec:\5lfrffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\bnbthb.exec:\bnbthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2952 -
\??\c:\lxrfxrf.exec:\lxrfxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\frxrlff.exec:\frxrlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\hnbttt.exec:\hnbttt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\bhhthh.exec:\bhhthh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\vjppv.exec:\vjppv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\lrxxrfx.exec:\lrxxrfx.exe23⤵
- Executes dropped EXE
PID:3484 -
\??\c:\fxxxrxl.exec:\fxxxrxl.exe24⤵
- Executes dropped EXE
PID:2268 -
\??\c:\nhnnnh.exec:\nhnnnh.exe25⤵
- Executes dropped EXE
PID:4760 -
\??\c:\vjdpp.exec:\vjdpp.exe26⤵
- Executes dropped EXE
PID:2220 -
\??\c:\rllxrlf.exec:\rllxrlf.exe27⤵
- Executes dropped EXE
PID:1576 -
\??\c:\rlxrrlr.exec:\rlxrrlr.exe28⤵
- Executes dropped EXE
PID:2304 -
\??\c:\bnbthb.exec:\bnbthb.exe29⤵
- Executes dropped EXE
PID:4684 -
\??\c:\ddjdv.exec:\ddjdv.exe30⤵
- Executes dropped EXE
PID:3136 -
\??\c:\fxfrllf.exec:\fxfrllf.exe31⤵
- Executes dropped EXE
PID:2988 -
\??\c:\5tnhbb.exec:\5tnhbb.exe32⤵
- Executes dropped EXE
PID:2588 -
\??\c:\1vvpd.exec:\1vvpd.exe33⤵
- Executes dropped EXE
PID:3384 -
\??\c:\lfrllfl.exec:\lfrllfl.exe34⤵
- Executes dropped EXE
PID:4936 -
\??\c:\xxfrfrf.exec:\xxfrfrf.exe35⤵
- Executes dropped EXE
PID:3496 -
\??\c:\jvddv.exec:\jvddv.exe36⤵
- Executes dropped EXE
PID:868 -
\??\c:\rxrlxrf.exec:\rxrlxrf.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
\??\c:\thnhnh.exec:\thnhnh.exe38⤵
- Executes dropped EXE
PID:1768 -
\??\c:\vvjdj.exec:\vvjdj.exe39⤵
- Executes dropped EXE
PID:2272 -
\??\c:\3fxlxrf.exec:\3fxlxrf.exe40⤵
- Executes dropped EXE
PID:1640 -
\??\c:\hnhbtb.exec:\hnhbtb.exe41⤵
- Executes dropped EXE
PID:4516 -
\??\c:\pdpjj.exec:\pdpjj.exe42⤵
- Executes dropped EXE
PID:3168 -
\??\c:\rffrrlf.exec:\rffrrlf.exe43⤵
- Executes dropped EXE
PID:2432 -
\??\c:\thnhhb.exec:\thnhhb.exe44⤵
- Executes dropped EXE
PID:3132 -
\??\c:\dppdp.exec:\dppdp.exe45⤵
- Executes dropped EXE
PID:2492 -
\??\c:\xrrlfxl.exec:\xrrlfxl.exe46⤵
- Executes dropped EXE
PID:2812 -
\??\c:\thbnbt.exec:\thbnbt.exe47⤵
- Executes dropped EXE
PID:4540 -
\??\c:\5vppd.exec:\5vppd.exe48⤵
- Executes dropped EXE
PID:2456 -
\??\c:\rfxrlff.exec:\rfxrlff.exe49⤵
- Executes dropped EXE
PID:1484 -
\??\c:\rflxrlf.exec:\rflxrlf.exe50⤵
- Executes dropped EXE
PID:4468 -
\??\c:\tbhbtt.exec:\tbhbtt.exe51⤵
- Executes dropped EXE
PID:1448 -
\??\c:\pjdpj.exec:\pjdpj.exe52⤵
- Executes dropped EXE
PID:5040 -
\??\c:\xllflfx.exec:\xllflfx.exe53⤵
- Executes dropped EXE
PID:3816 -
\??\c:\tnhbtn.exec:\tnhbtn.exe54⤵
- Executes dropped EXE
PID:4448 -
\??\c:\5ddvj.exec:\5ddvj.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:220 -
\??\c:\lxfrrll.exec:\lxfrrll.exe56⤵
- Executes dropped EXE
PID:1224 -
\??\c:\llrllll.exec:\llrllll.exe57⤵
- Executes dropped EXE
PID:1400 -
\??\c:\jjppj.exec:\jjppj.exe58⤵
- Executes dropped EXE
PID:1372 -
\??\c:\vvvdv.exec:\vvvdv.exe59⤵
- Executes dropped EXE
PID:2320 -
\??\c:\rrxrlfx.exec:\rrxrlfx.exe60⤵
- Executes dropped EXE
PID:3292 -
\??\c:\nhnbhb.exec:\nhnbhb.exe61⤵
- Executes dropped EXE
PID:364 -
\??\c:\djppd.exec:\djppd.exe62⤵
- Executes dropped EXE
PID:2192 -
\??\c:\vpjdj.exec:\vpjdj.exe63⤵
- Executes dropped EXE
PID:3004 -
\??\c:\lrxlrlf.exec:\lrxlrlf.exe64⤵
- Executes dropped EXE
PID:2016 -
\??\c:\tnnbtn.exec:\tnnbtn.exe65⤵
- Executes dropped EXE
PID:4500 -
\??\c:\jjdvv.exec:\jjdvv.exe66⤵PID:1588
-
\??\c:\5rlxfxl.exec:\5rlxfxl.exe67⤵PID:2180
-
\??\c:\5nhthb.exec:\5nhthb.exe68⤵PID:2424
-
\??\c:\vjdpv.exec:\vjdpv.exe69⤵PID:3300
-
\??\c:\jjpjj.exec:\jjpjj.exe70⤵PID:1648
-
\??\c:\rxfxfxr.exec:\rxfxfxr.exe71⤵PID:2612
-
\??\c:\3tbtbb.exec:\3tbtbb.exe72⤵PID:992
-
\??\c:\vvvpv.exec:\vvvpv.exe73⤵PID:2952
-
\??\c:\xflxlfl.exec:\xflxlfl.exe74⤵PID:4012
-
\??\c:\rrxxllf.exec:\rrxxllf.exe75⤵PID:1188
-
\??\c:\tttnhb.exec:\tttnhb.exe76⤵PID:1184
-
\??\c:\1jdvj.exec:\1jdvj.exe77⤵PID:624
-
\??\c:\rfxlfxf.exec:\rfxlfxf.exe78⤵PID:4256
-
\??\c:\nhhbtt.exec:\nhhbtt.exe79⤵PID:4656
-
\??\c:\pppvp.exec:\pppvp.exe80⤵PID:3212
-
\??\c:\xllxlxl.exec:\xllxlxl.exe81⤵PID:3696
-
\??\c:\bbhbnn.exec:\bbhbnn.exe82⤵PID:5064
-
\??\c:\bhnnhh.exec:\bhnnhh.exe83⤵PID:3700
-
\??\c:\1ddpp.exec:\1ddpp.exe84⤵PID:4264
-
\??\c:\lllxfxr.exec:\lllxfxr.exe85⤵PID:4760
-
\??\c:\hbbbtt.exec:\hbbbtt.exe86⤵PID:2740
-
\??\c:\vvjvv.exec:\vvjvv.exe87⤵PID:536
-
\??\c:\rlrfrrl.exec:\rlrfrrl.exe88⤵PID:1884
-
\??\c:\frlxrlf.exec:\frlxrlf.exe89⤵PID:756
-
\??\c:\nbhhhh.exec:\nbhhhh.exe90⤵PID:2656
-
\??\c:\vdjdp.exec:\vdjdp.exe91⤵PID:4856
-
\??\c:\rffxfxr.exec:\rffxfxr.exe92⤵PID:2908
-
\??\c:\hnttnt.exec:\hnttnt.exe93⤵PID:1776
-
\??\c:\dpvdj.exec:\dpvdj.exe94⤵PID:3180
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe95⤵PID:3384
-
\??\c:\nhbbnb.exec:\nhbbnb.exe96⤵PID:2360
-
\??\c:\pvpdd.exec:\pvpdd.exe97⤵PID:2532
-
\??\c:\xllfllx.exec:\xllfllx.exe98⤵PID:5072
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe99⤵PID:1244
-
\??\c:\hbbtnn.exec:\hbbtnn.exe100⤵PID:1972
-
\??\c:\pddpd.exec:\pddpd.exe101⤵PID:4940
-
\??\c:\jddjd.exec:\jddjd.exe102⤵PID:1640
-
\??\c:\frlfxrl.exec:\frlfxrl.exe103⤵PID:8
-
\??\c:\btthhb.exec:\btthhb.exe104⤵PID:3596
-
\??\c:\ppjdj.exec:\ppjdj.exe105⤵PID:4044
-
\??\c:\5rrfrfr.exec:\5rrfrfr.exe106⤵PID:3624
-
\??\c:\fxxxrxr.exec:\fxxxrxr.exe107⤵PID:2868
-
\??\c:\9bbthb.exec:\9bbthb.exe108⤵PID:4932
-
\??\c:\vppvp.exec:\vppvp.exe109⤵PID:3024
-
\??\c:\lxrfrlx.exec:\lxrfrlx.exe110⤵PID:4352
-
\??\c:\hthbtn.exec:\hthbtn.exe111⤵PID:4580
-
\??\c:\vpddd.exec:\vpddd.exe112⤵PID:4812
-
\??\c:\dpvpp.exec:\dpvpp.exe113⤵PID:232
-
\??\c:\flrflff.exec:\flrflff.exe114⤵PID:4524
-
\??\c:\1nhthb.exec:\1nhthb.exe115⤵PID:216
-
\??\c:\vvdpd.exec:\vvdpd.exe116⤵PID:4880
-
\??\c:\ddjdv.exec:\ddjdv.exe117⤵PID:2416
-
\??\c:\1ffrfxl.exec:\1ffrfxl.exe118⤵PID:5076
-
\??\c:\hbtnnh.exec:\hbtnnh.exe119⤵PID:3824
-
\??\c:\jddvj.exec:\jddvj.exe120⤵PID:3424
-
\??\c:\xlrfrlx.exec:\xlrfrlx.exe121⤵PID:3404
-
\??\c:\lrfxrll.exec:\lrfxrll.exe122⤵PID:1064