Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe
-
Size
454KB
-
MD5
3d0c3ede265f4941fe4e5f167541b992
-
SHA1
d26ace4e53a45ea92ba1155d2b01c67ffa19c327
-
SHA256
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7
-
SHA512
b3c52103b699c67c26432baf4b84dbb5aab6e7bf6d28bfbea438aa629cd1b4272ead9243f8e0392dca9ef9529731299e93900aa873040758595154b7c922411f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4804-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3196-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3524-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4188-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4444-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4352 tbnbtn.exe 4460 pjdvd.exe 2508 frrlfxl.exe 3068 jjpjp.exe 2344 djpdp.exe 3004 vpjpd.exe 392 htbtnh.exe 2052 7nhtnh.exe 516 pjpdp.exe 2616 7rrlxrf.exe 2264 3hnbnh.exe 1488 lrxlfrl.exe 4420 fllxlxl.exe 2332 5bthbn.exe 4860 pddpp.exe 2940 bnbbhb.exe 3340 xllfxrl.exe 468 xxfxlfx.exe 4664 9hhttn.exe 1292 dppdp.exe 3164 9dvjd.exe 344 thhbtt.exe 4532 rflfxrl.exe 4152 xfxrlfx.exe 3612 ttbnbt.exe 2336 dpddp.exe 3196 7hhbtn.exe 4080 7fxlxrf.exe 2480 jvvjv.exe 3492 7lxrxxl.exe 1548 bhnbtt.exe 916 frlxrff.exe 3344 5tnbnh.exe 1552 vjvjv.exe 4332 hhhbnh.exe 1624 htbnhb.exe 4924 xrfxfxr.exe 1876 lffxrlx.exe 2028 hnbnhb.exe 3524 vppdv.exe 4900 lxfxlxx.exe 4804 nhnhbb.exe 4460 9nthbb.exe 3116 jjjdd.exe 4028 rrxlfrl.exe 4780 nnhnhb.exe 3520 5pjdv.exe 3256 3frfffl.exe 2660 thnhbn.exe 3496 3vvjd.exe 392 pvjvp.exe 1928 7llfrrl.exe 2696 nnbbtb.exe 1420 tbhtnh.exe 5092 1jdvj.exe 3964 fllllll.exe 2500 5bthbt.exe 4272 ppvpd.exe 4420 5xfffxl.exe 2652 1nnhbb.exe 3992 ppdvp.exe 2684 frxrllx.exe 3244 ttbttt.exe 2940 nnnnhb.exe -
resource yara_rule behavioral2/memory/4804-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-162-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3492-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3524-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4724-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-712-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4804 wrote to memory of 4352 4804 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 83 PID 4804 wrote to memory of 4352 4804 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 83 PID 4804 wrote to memory of 4352 4804 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 83 PID 4352 wrote to memory of 4460 4352 tbnbtn.exe 84 PID 4352 wrote to memory of 4460 4352 tbnbtn.exe 84 PID 4352 wrote to memory of 4460 4352 tbnbtn.exe 84 PID 4460 wrote to memory of 2508 4460 pjdvd.exe 85 PID 4460 wrote to memory of 2508 4460 pjdvd.exe 85 PID 4460 wrote to memory of 2508 4460 pjdvd.exe 85 PID 2508 wrote to memory of 3068 2508 frrlfxl.exe 86 PID 2508 wrote to memory of 3068 2508 frrlfxl.exe 86 PID 2508 wrote to memory of 3068 2508 frrlfxl.exe 86 PID 3068 wrote to memory of 2344 3068 jjpjp.exe 87 PID 3068 wrote to memory of 2344 3068 jjpjp.exe 87 PID 3068 wrote to memory of 2344 3068 jjpjp.exe 87 PID 2344 wrote to memory of 3004 2344 djpdp.exe 88 PID 2344 wrote to memory of 3004 2344 djpdp.exe 88 PID 2344 wrote to memory of 3004 2344 djpdp.exe 88 PID 3004 wrote to memory of 392 3004 vpjpd.exe 89 PID 3004 wrote to memory of 392 3004 vpjpd.exe 89 PID 3004 wrote to memory of 392 3004 vpjpd.exe 89 PID 392 wrote to memory of 2052 392 htbtnh.exe 90 PID 392 wrote to memory of 2052 392 htbtnh.exe 90 PID 392 wrote to memory of 2052 392 htbtnh.exe 90 PID 2052 wrote to memory of 516 2052 7nhtnh.exe 91 PID 2052 wrote to memory of 516 2052 7nhtnh.exe 91 PID 2052 wrote to memory of 516 2052 7nhtnh.exe 91 PID 516 wrote to memory of 2616 516 pjpdp.exe 92 PID 516 wrote to memory of 2616 516 pjpdp.exe 92 PID 516 wrote to memory of 2616 516 pjpdp.exe 92 PID 2616 wrote to memory of 2264 2616 7rrlxrf.exe 93 PID 2616 wrote to memory of 2264 2616 7rrlxrf.exe 93 PID 2616 wrote to memory of 2264 2616 7rrlxrf.exe 93 PID 2264 wrote to memory of 1488 2264 3hnbnh.exe 94 PID 2264 wrote to memory of 1488 2264 
3hnbnh.exe 94 PID 2264 wrote to memory of 1488 2264 3hnbnh.exe 94 PID 1488 wrote to memory of 4420 1488 lrxlfrl.exe 95 PID 1488 wrote to memory of 4420 1488 lrxlfrl.exe 95 PID 1488 wrote to memory of 4420 1488 lrxlfrl.exe 95 PID 4420 wrote to memory of 2332 4420 fllxlxl.exe 96 PID 4420 wrote to memory of 2332 4420 fllxlxl.exe 96 PID 4420 wrote to memory of 2332 4420 fllxlxl.exe 96 PID 2332 wrote to memory of 4860 2332 5bthbn.exe 97 PID 2332 wrote to memory of 4860 2332 5bthbn.exe 97 PID 2332 wrote to memory of 4860 2332 5bthbn.exe 97 PID 4860 wrote to memory of 2940 4860 pddpp.exe 98 PID 4860 wrote to memory of 2940 4860 pddpp.exe 98 PID 4860 wrote to memory of 2940 4860 pddpp.exe 98 PID 2940 wrote to memory of 3340 2940 bnbbhb.exe 99 PID 2940 wrote to memory of 3340 2940 bnbbhb.exe 99 PID 2940 wrote to memory of 3340 2940 bnbbhb.exe 99 PID 3340 wrote to memory of 468 3340 xllfxrl.exe 100 PID 3340 wrote to memory of 468 3340 xllfxrl.exe 100 PID 3340 wrote to memory of 468 3340 xllfxrl.exe 100 PID 468 wrote to memory of 4664 468 xxfxlfx.exe 101 PID 468 wrote to memory of 4664 468 xxfxlfx.exe 101 PID 468 wrote to memory of 4664 468 xxfxlfx.exe 101 PID 4664 wrote to memory of 1292 4664 9hhttn.exe 102 PID 4664 wrote to memory of 1292 4664 9hhttn.exe 102 PID 4664 wrote to memory of 1292 4664 9hhttn.exe 102 PID 1292 wrote to memory of 3164 1292 dppdp.exe 103 PID 1292 wrote to memory of 3164 1292 dppdp.exe 103 PID 1292 wrote to memory of 3164 1292 dppdp.exe 103 PID 3164 wrote to memory of 344 3164 9dvjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe"C:\Users\Admin\AppData\Local\Temp\00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\tbnbtn.exec:\tbnbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\pjdvd.exec:\pjdvd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\frrlfxl.exec:\frrlfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\jjpjp.exec:\jjpjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\djpdp.exec:\djpdp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\vpjpd.exec:\vpjpd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\htbtnh.exec:\htbtnh.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\7nhtnh.exec:\7nhtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\pjpdp.exec:\pjpdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\7rrlxrf.exec:\7rrlxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\3hnbnh.exec:\3hnbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\lrxlfrl.exec:\lrxlfrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\fllxlxl.exec:\fllxlxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\5bthbn.exec:\5bthbn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\pddpp.exec:\pddpp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\bnbbhb.exec:\bnbbhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\xllfxrl.exec:\xllfxrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3340 -
\??\c:\xxfxlfx.exec:\xxfxlfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\9hhttn.exec:\9hhttn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\dppdp.exec:\dppdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\9dvjd.exec:\9dvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\thhbtt.exec:\thhbtt.exe23⤵
- Executes dropped EXE
PID:344 -
\??\c:\rflfxrl.exec:\rflfxrl.exe24⤵
- Executes dropped EXE
PID:4532 -
\??\c:\xfxrlfx.exec:\xfxrlfx.exe25⤵
- Executes dropped EXE
PID:4152 -
\??\c:\ttbnbt.exec:\ttbnbt.exe26⤵
- Executes dropped EXE
PID:3612 -
\??\c:\dpddp.exec:\dpddp.exe27⤵
- Executes dropped EXE
PID:2336 -
\??\c:\7hhbtn.exec:\7hhbtn.exe28⤵
- Executes dropped EXE
PID:3196 -
\??\c:\7fxlxrf.exec:\7fxlxrf.exe29⤵
- Executes dropped EXE
PID:4080 -
\??\c:\jvvjv.exec:\jvvjv.exe30⤵
- Executes dropped EXE
PID:2480 -
\??\c:\7lxrxxl.exec:\7lxrxxl.exe31⤵
- Executes dropped EXE
PID:3492 -
\??\c:\bhnbtt.exec:\bhnbtt.exe32⤵
- Executes dropped EXE
PID:1548 -
\??\c:\frlxrff.exec:\frlxrff.exe33⤵
- Executes dropped EXE
PID:916 -
\??\c:\5tnbnh.exec:\5tnbnh.exe34⤵
- Executes dropped EXE
PID:3344 -
\??\c:\vjvjv.exec:\vjvjv.exe35⤵
- Executes dropped EXE
PID:1552 -
\??\c:\hhhbnh.exec:\hhhbnh.exe36⤵
- Executes dropped EXE
PID:4332 -
\??\c:\htbnhb.exec:\htbnhb.exe37⤵
- Executes dropped EXE
PID:1624 -
\??\c:\xrfxfxr.exec:\xrfxfxr.exe38⤵
- Executes dropped EXE
PID:4924 -
\??\c:\lffxrlx.exec:\lffxrlx.exe39⤵
- Executes dropped EXE
PID:1876 -
\??\c:\hnbnhb.exec:\hnbnhb.exe40⤵
- Executes dropped EXE
PID:2028 -
\??\c:\vppdv.exec:\vppdv.exe41⤵
- Executes dropped EXE
PID:3524 -
\??\c:\lxfxlxx.exec:\lxfxlxx.exe42⤵
- Executes dropped EXE
PID:4900 -
\??\c:\nhnhbb.exec:\nhnhbb.exe43⤵
- Executes dropped EXE
PID:4804 -
\??\c:\9nthbb.exec:\9nthbb.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460 -
\??\c:\jjjdd.exec:\jjjdd.exe45⤵
- Executes dropped EXE
PID:3116 -
\??\c:\rrxlfrl.exec:\rrxlfrl.exe46⤵
- Executes dropped EXE
PID:4028 -
\??\c:\nnhnhb.exec:\nnhnhb.exe47⤵
- Executes dropped EXE
PID:4780 -
\??\c:\5pjdv.exec:\5pjdv.exe48⤵
- Executes dropped EXE
PID:3520 -
\??\c:\3frfffl.exec:\3frfffl.exe49⤵
- Executes dropped EXE
PID:3256 -
\??\c:\thnhbn.exec:\thnhbn.exe50⤵
- Executes dropped EXE
PID:2660 -
\??\c:\3vvjd.exec:\3vvjd.exe51⤵
- Executes dropped EXE
PID:3496 -
\??\c:\pvjvp.exec:\pvjvp.exe52⤵
- Executes dropped EXE
PID:392 -
\??\c:\7llfrrl.exec:\7llfrrl.exe53⤵
- Executes dropped EXE
PID:1928 -
\??\c:\nnbbtb.exec:\nnbbtb.exe54⤵
- Executes dropped EXE
PID:2696 -
\??\c:\tbhtnh.exec:\tbhtnh.exe55⤵
- Executes dropped EXE
PID:1420 -
\??\c:\1jdvj.exec:\1jdvj.exe56⤵
- Executes dropped EXE
PID:5092 -
\??\c:\fllllll.exec:\fllllll.exe57⤵
- Executes dropped EXE
PID:3964 -
\??\c:\5bthbt.exec:\5bthbt.exe58⤵
- Executes dropped EXE
PID:2500 -
\??\c:\ppvpd.exec:\ppvpd.exe59⤵
- Executes dropped EXE
PID:4272 -
\??\c:\5xfffxl.exec:\5xfffxl.exe60⤵
- Executes dropped EXE
PID:4420 -
\??\c:\1nnhbb.exec:\1nnhbb.exe61⤵
- Executes dropped EXE
PID:2652 -
\??\c:\ppdvp.exec:\ppdvp.exe62⤵
- Executes dropped EXE
PID:3992 -
\??\c:\frxrllx.exec:\frxrllx.exe63⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ttbttt.exec:\ttbttt.exe64⤵
- Executes dropped EXE
PID:3244 -
\??\c:\nnnnhb.exec:\nnnnhb.exe65⤵
- Executes dropped EXE
PID:2940 -
\??\c:\vdjdd.exec:\vdjdd.exe66⤵PID:4936
-
\??\c:\1ppjd.exec:\1ppjd.exe67⤵PID:4728
-
\??\c:\rrrxrff.exec:\rrrxrff.exe68⤵PID:4984
-
\??\c:\tnnntt.exec:\tnnntt.exe69⤵PID:3212
-
\??\c:\dvdvp.exec:\dvdvp.exe70⤵PID:1576
-
\??\c:\lrfxxxr.exec:\lrfxxxr.exe71⤵PID:4920
-
\??\c:\ffrrlll.exec:\ffrrlll.exe72⤵PID:4032
-
\??\c:\hhthht.exec:\hhthht.exe73⤵PID:688
-
\??\c:\5vpjv.exec:\5vpjv.exe74⤵PID:4188
-
\??\c:\3lrfxxr.exec:\3lrfxxr.exe75⤵PID:5072
-
\??\c:\ntbtnn.exec:\ntbtnn.exe76⤵PID:3760
-
\??\c:\7vvvj.exec:\7vvvj.exe77⤵PID:4156
-
\??\c:\ppdvj.exec:\ppdvj.exe78⤵
- System Location Discovery: System Language Discovery
PID:3176 -
\??\c:\llxxrrx.exec:\llxxrrx.exe79⤵PID:1996
-
\??\c:\btttnh.exec:\btttnh.exe80⤵PID:3156
-
\??\c:\ppdvp.exec:\ppdvp.exe81⤵PID:2872
-
\??\c:\pppjj.exec:\pppjj.exe82⤵PID:2836
-
\??\c:\tttnhh.exec:\tttnhh.exe83⤵PID:1120
-
\??\c:\3tttnt.exec:\3tttnt.exe84⤵PID:2144
-
\??\c:\5vdvp.exec:\5vdvp.exe85⤵PID:5112
-
\??\c:\lxfxxxr.exec:\lxfxxxr.exe86⤵PID:4392
-
\??\c:\hhnnhb.exec:\hhnnhb.exe87⤵PID:4868
-
\??\c:\5pvpp.exec:\5pvpp.exe88⤵PID:4724
-
\??\c:\vjpvp.exec:\vjpvp.exe89⤵PID:1168
-
\??\c:\1lxlfff.exec:\1lxlfff.exe90⤵PID:4764
-
\??\c:\thnhhh.exec:\thnhhh.exe91⤵PID:3772
-
\??\c:\jjpjd.exec:\jjpjd.exe92⤵PID:212
-
\??\c:\ddpjp.exec:\ddpjp.exe93⤵PID:1552
-
\??\c:\lxrffff.exec:\lxrffff.exe94⤵PID:4332
-
\??\c:\lfffxxr.exec:\lfffxxr.exe95⤵PID:224
-
\??\c:\btbtnh.exec:\btbtnh.exe96⤵
- System Location Discovery: System Language Discovery
PID:4924 -
\??\c:\dvjdp.exec:\dvjdp.exe97⤵PID:1876
-
\??\c:\lxrlffx.exec:\lxrlffx.exe98⤵PID:4316
-
\??\c:\tntttt.exec:\tntttt.exe99⤵PID:1648
-
\??\c:\jpjdd.exec:\jpjdd.exe100⤵PID:2528
-
\??\c:\pjpjj.exec:\pjpjj.exe101⤵PID:4164
-
\??\c:\lfllfxr.exec:\lfllfxr.exe102⤵PID:3152
-
\??\c:\hbnhhh.exec:\hbnhhh.exe103⤵PID:3808
-
\??\c:\nhhbbb.exec:\nhhbbb.exe104⤵PID:4064
-
\??\c:\5dvpj.exec:\5dvpj.exe105⤵PID:4932
-
\??\c:\7lrrlrl.exec:\7lrrlrl.exe106⤵PID:2200
-
\??\c:\hbnbhn.exec:\hbnbhn.exe107⤵PID:3068
-
\??\c:\1pvpj.exec:\1pvpj.exe108⤵PID:1276
-
\??\c:\1flfxxr.exec:\1flfxxr.exe109⤵PID:828
-
\??\c:\xlfffrx.exec:\xlfffrx.exe110⤵PID:3004
-
\??\c:\hthbbb.exec:\hthbbb.exe111⤵PID:1036
-
\??\c:\3vvpp.exec:\3vvpp.exe112⤵
- System Location Discovery: System Language Discovery
PID:3824 -
\??\c:\fffffff.exec:\fffffff.exe113⤵PID:4748
-
\??\c:\nbnhtn.exec:\nbnhtn.exe114⤵PID:952
-
\??\c:\vvddv.exec:\vvddv.exe115⤵PID:2696
-
\??\c:\7pvpj.exec:\7pvpj.exe116⤵
- System Location Discovery: System Language Discovery
PID:1412 -
\??\c:\rfllllf.exec:\rfllllf.exe117⤵PID:2328
-
\??\c:\bbtnhh.exec:\bbtnhh.exe118⤵PID:1936
-
\??\c:\1vdvv.exec:\1vdvv.exe119⤵PID:2568
-
\??\c:\7jjdj.exec:\7jjdj.exe120⤵PID:1784
-
\??\c:\9xfxlll.exec:\9xfxlll.exe121⤵PID:4144
-
\??\c:\bttnnh.exec:\bttnnh.exe122⤵PID:4220