Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 16:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe
-
Size
454KB
-
MD5
3d0c3ede265f4941fe4e5f167541b992
-
SHA1
d26ace4e53a45ea92ba1155d2b01c67ffa19c327
-
SHA256
00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7
-
SHA512
b3c52103b699c67c26432baf4b84dbb5aab6e7bf6d28bfbea438aa629cd1b4272ead9243f8e0392dca9ef9529731299e93900aa873040758595154b7c922411f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbej:q7Tc2NYHUrAwfMp3CDj
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1080-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2368-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-712-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4404 jvddv.exe 4204 tnhbbt.exe 1468 vvvvd.exe 3276 nhhtbb.exe 3208 ffxrrfl.exe 4192 3ppjj.exe 1156 llffxxx.exe 1220 djdjj.exe 2436 9flrfff.exe 4040 ddjdd.exe 3008 rrxxllx.exe 3492 9nttnn.exe 2092 fxfxrrr.exe 1336 btbtnh.exe 1776 djjjj.exe 2372 xlffxxx.exe 4084 3hnnhn.exe 4424 pddvp.exe 972 llllllf.exe 4080 ffrlrrx.exe 2940 xffxxxx.exe 4944 5ttnbb.exe 4752 ntbbbb.exe 4980 xlxlflf.exe 1764 tnbtnh.exe 1080 9vvjp.exe 2632 hntntn.exe 448 pjjdp.exe 816 xlrlrll.exe 1016 thhbnh.exe 3684 djppj.exe 3544 rffrffr.exe 2968 jvjvp.exe 3796 fllffxr.exe 2816 hthnnb.exe 556 1dppj.exe 2960 jdjvp.exe 3200 xxllxrl.exe 4612 hnthbt.exe 4276 nbtnbh.exe 4484 9ddpd.exe 2460 rxxlrlf.exe 3632 hbbnhb.exe 4064 3dvpd.exe 1208 xxrrxfl.exe 2032 hnthtn.exe 2308 7nbnbt.exe 2920 5jdpj.exe 4000 xflxfxr.exe 4840 1hnbhb.exe 4288 jjpdp.exe 4304 rrxrfrr.exe 4760 xrflffl.exe 3164 9hbthh.exe 2456 jjpjd.exe 1156 lffxlrl.exe 2608 bhnhtn.exe 4636 vdjvv.exe 4052 lflrlrl.exe 3500 nnnhnh.exe 4292 nhnbnn.exe 880 vdjvp.exe 4068 lrlflrf.exe 3492 hhhbnh.exe -
resource yara_rule behavioral2/memory/1520-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/816-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1540-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-581-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-689-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 4404 1520 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 82 PID 1520 wrote to memory of 4404 1520 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 82 PID 1520 wrote to memory of 4404 1520 00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe 82 PID 4404 wrote to memory of 4204 4404 jvddv.exe 83 PID 4404 wrote to memory of 4204 4404 jvddv.exe 83 PID 4404 wrote to memory of 4204 4404 jvddv.exe 83 PID 4204 wrote to memory of 1468 4204 tnhbbt.exe 84 PID 4204 wrote to memory of 1468 4204 tnhbbt.exe 84 PID 4204 wrote to memory of 1468 4204 tnhbbt.exe 84 PID 1468 wrote to memory of 3276 1468 vvvvd.exe 85 PID 1468 wrote to memory of 3276 1468 vvvvd.exe 85 PID 1468 wrote to memory of 3276 1468 vvvvd.exe 85 PID 3276 wrote to memory of 3208 3276 nhhtbb.exe 86 PID 3276 wrote to memory of 3208 3276 nhhtbb.exe 86 PID 3276 wrote to memory of 3208 3276 nhhtbb.exe 86 PID 3208 wrote to memory of 4192 3208 ffxrrfl.exe 87 PID 3208 wrote to memory of 4192 3208 ffxrrfl.exe 87 PID 3208 wrote to memory of 4192 3208 ffxrrfl.exe 87 PID 4192 wrote to memory of 1156 4192 3ppjj.exe 88 PID 4192 wrote to memory of 1156 4192 3ppjj.exe 88 PID 4192 wrote to memory of 1156 4192 3ppjj.exe 88 PID 1156 wrote to memory of 1220 1156 llffxxx.exe 89 PID 1156 wrote to memory of 1220 1156 llffxxx.exe 89 PID 1156 wrote to memory of 1220 1156 llffxxx.exe 89 PID 1220 wrote to memory of 2436 1220 djdjj.exe 90 PID 1220 wrote to memory of 2436 1220 djdjj.exe 90 PID 1220 wrote to memory of 2436 1220 djdjj.exe 90 PID 2436 wrote to memory of 4040 2436 9flrfff.exe 91 PID 2436 wrote to memory of 4040 2436 9flrfff.exe 91 PID 2436 wrote to memory of 4040 2436 9flrfff.exe 91 PID 4040 wrote to memory of 3008 4040 ddjdd.exe 92 PID 4040 wrote to memory of 3008 4040 ddjdd.exe 92 PID 4040 wrote to memory of 3008 4040 ddjdd.exe 92 PID 3008 wrote to memory of 3492 3008 rrxxllx.exe 93 PID 3008 wrote to memory 
of 3492 3008 rrxxllx.exe 93 PID 3008 wrote to memory of 3492 3008 rrxxllx.exe 93 PID 3492 wrote to memory of 2092 3492 9nttnn.exe 94 PID 3492 wrote to memory of 2092 3492 9nttnn.exe 94 PID 3492 wrote to memory of 2092 3492 9nttnn.exe 94 PID 2092 wrote to memory of 1336 2092 fxfxrrr.exe 95 PID 2092 wrote to memory of 1336 2092 fxfxrrr.exe 95 PID 2092 wrote to memory of 1336 2092 fxfxrrr.exe 95 PID 1336 wrote to memory of 1776 1336 btbtnh.exe 96 PID 1336 wrote to memory of 1776 1336 btbtnh.exe 96 PID 1336 wrote to memory of 1776 1336 btbtnh.exe 96 PID 1776 wrote to memory of 2372 1776 djjjj.exe 97 PID 1776 wrote to memory of 2372 1776 djjjj.exe 97 PID 1776 wrote to memory of 2372 1776 djjjj.exe 97 PID 2372 wrote to memory of 4084 2372 xlffxxx.exe 98 PID 2372 wrote to memory of 4084 2372 xlffxxx.exe 98 PID 2372 wrote to memory of 4084 2372 xlffxxx.exe 98 PID 4084 wrote to memory of 4424 4084 3hnnhn.exe 99 PID 4084 wrote to memory of 4424 4084 3hnnhn.exe 99 PID 4084 wrote to memory of 4424 4084 3hnnhn.exe 99 PID 4424 wrote to memory of 972 4424 pddvp.exe 100 PID 4424 wrote to memory of 972 4424 pddvp.exe 100 PID 4424 wrote to memory of 972 4424 pddvp.exe 100 PID 972 wrote to memory of 4080 972 llllllf.exe 101 PID 972 wrote to memory of 4080 972 llllllf.exe 101 PID 972 wrote to memory of 4080 972 llllllf.exe 101 PID 4080 wrote to memory of 2940 4080 ffrlrrx.exe 102 PID 4080 wrote to memory of 2940 4080 ffrlrrx.exe 102 PID 4080 wrote to memory of 2940 4080 ffrlrrx.exe 102 PID 2940 wrote to memory of 4944 2940 xffxxxx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe"C:\Users\Admin\AppData\Local\Temp\00849b86e66ff522ebd9894fe696469cbdbfc5af86604cbd037656055cdc48d7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\jvddv.exec:\jvddv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
\??\c:\tnhbbt.exec:\tnhbbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\vvvvd.exec:\vvvvd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\nhhtbb.exec:\nhhtbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\ffxrrfl.exec:\ffxrrfl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\3ppjj.exec:\3ppjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\llffxxx.exec:\llffxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\djdjj.exec:\djdjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\9flrfff.exec:\9flrfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\ddjdd.exec:\ddjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\rrxxllx.exec:\rrxxllx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\9nttnn.exec:\9nttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\btbtnh.exec:\btbtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\djjjj.exec:\djjjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1776 -
\??\c:\xlffxxx.exec:\xlffxxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\3hnnhn.exec:\3hnnhn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\pddvp.exec:\pddvp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\llllllf.exec:\llllllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\ffrlrrx.exec:\ffrlrrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\xffxxxx.exec:\xffxxxx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\5ttnbb.exec:\5ttnbb.exe23⤵
- Executes dropped EXE
PID:4944 -
\??\c:\ntbbbb.exec:\ntbbbb.exe24⤵
- Executes dropped EXE
PID:4752 -
\??\c:\xlxlflf.exec:\xlxlflf.exe25⤵
- Executes dropped EXE
PID:4980 -
\??\c:\tnbtnh.exec:\tnbtnh.exe26⤵
- Executes dropped EXE
PID:1764 -
\??\c:\9vvjp.exec:\9vvjp.exe27⤵
- Executes dropped EXE
PID:1080 -
\??\c:\hntntn.exec:\hntntn.exe28⤵
- Executes dropped EXE
PID:2632 -
\??\c:\pjjdp.exec:\pjjdp.exe29⤵
- Executes dropped EXE
PID:448 -
\??\c:\xlrlrll.exec:\xlrlrll.exe30⤵
- Executes dropped EXE
PID:816 -
\??\c:\thhbnh.exec:\thhbnh.exe31⤵
- Executes dropped EXE
PID:1016 -
\??\c:\djppj.exec:\djppj.exe32⤵
- Executes dropped EXE
PID:3684 -
\??\c:\rffrffr.exec:\rffrffr.exe33⤵
- Executes dropped EXE
PID:3544 -
\??\c:\jvjvp.exec:\jvjvp.exe34⤵
- Executes dropped EXE
PID:2968 -
\??\c:\fllffxr.exec:\fllffxr.exe35⤵
- Executes dropped EXE
PID:3796 -
\??\c:\hthnnb.exec:\hthnnb.exe36⤵
- Executes dropped EXE
PID:2816 -
\??\c:\1dppj.exec:\1dppj.exe37⤵
- Executes dropped EXE
PID:556 -
\??\c:\jdjvp.exec:\jdjvp.exe38⤵
- Executes dropped EXE
PID:2960 -
\??\c:\xxllxrl.exec:\xxllxrl.exe39⤵
- Executes dropped EXE
PID:3200 -
\??\c:\hnthbt.exec:\hnthbt.exe40⤵
- Executes dropped EXE
PID:4612 -
\??\c:\nbtnbh.exec:\nbtnbh.exe41⤵
- Executes dropped EXE
PID:4276 -
\??\c:\9ddpd.exec:\9ddpd.exe42⤵
- Executes dropped EXE
PID:4484 -
\??\c:\rxxlrlf.exec:\rxxlrlf.exe43⤵
- Executes dropped EXE
PID:2460 -
\??\c:\hbbnhb.exec:\hbbnhb.exe44⤵
- Executes dropped EXE
PID:3632 -
\??\c:\3dvpd.exec:\3dvpd.exe45⤵
- Executes dropped EXE
PID:4064 -
\??\c:\xxrrxfl.exec:\xxrrxfl.exe46⤵
- Executes dropped EXE
PID:1208 -
\??\c:\hnthtn.exec:\hnthtn.exe47⤵
- Executes dropped EXE
PID:2032 -
\??\c:\7nbnbt.exec:\7nbnbt.exe48⤵
- Executes dropped EXE
PID:2308 -
\??\c:\5jdpj.exec:\5jdpj.exe49⤵
- Executes dropped EXE
PID:2920 -
\??\c:\xflxfxr.exec:\xflxfxr.exe50⤵
- Executes dropped EXE
PID:4000 -
\??\c:\1hnbhb.exec:\1hnbhb.exe51⤵
- Executes dropped EXE
PID:4840 -
\??\c:\jjpdp.exec:\jjpdp.exe52⤵
- Executes dropped EXE
PID:4288 -
\??\c:\rrxrfrr.exec:\rrxrfrr.exe53⤵
- Executes dropped EXE
PID:4304 -
\??\c:\xrflffl.exec:\xrflffl.exe54⤵
- Executes dropped EXE
PID:4760 -
\??\c:\9hbthh.exec:\9hbthh.exe55⤵
- Executes dropped EXE
PID:3164 -
\??\c:\jjpjd.exec:\jjpjd.exe56⤵
- Executes dropped EXE
PID:2456 -
\??\c:\lffxlrl.exec:\lffxlrl.exe57⤵
- Executes dropped EXE
PID:1156 -
\??\c:\bhnhtn.exec:\bhnhtn.exe58⤵
- Executes dropped EXE
PID:2608 -
\??\c:\vdjvv.exec:\vdjvv.exe59⤵
- Executes dropped EXE
PID:4636 -
\??\c:\lflrlrl.exec:\lflrlrl.exe60⤵
- Executes dropped EXE
PID:4052 -
\??\c:\nnnhnh.exec:\nnnhnh.exe61⤵
- Executes dropped EXE
PID:3500 -
\??\c:\nhnbnn.exec:\nhnbnn.exe62⤵
- Executes dropped EXE
PID:4292 -
\??\c:\vdjvp.exec:\vdjvp.exe63⤵
- Executes dropped EXE
PID:880 -
\??\c:\lrlflrf.exec:\lrlflrf.exe64⤵
- Executes dropped EXE
PID:4068 -
\??\c:\hhhbnh.exec:\hhhbnh.exe65⤵
- Executes dropped EXE
PID:3492 -
\??\c:\9jdpv.exec:\9jdpv.exe66⤵PID:2820
-
\??\c:\jjdpj.exec:\jjdpj.exe67⤵PID:2552
-
\??\c:\3rlfxxr.exec:\3rlfxxr.exe68⤵PID:3304
-
\??\c:\bhnhhb.exec:\bhnhhb.exe69⤵PID:3892
-
\??\c:\5bnbhb.exec:\5bnbhb.exe70⤵PID:2348
-
\??\c:\jdvjj.exec:\jdvjj.exe71⤵PID:1988
-
\??\c:\5lrfllr.exec:\5lrfllr.exe72⤵PID:4136
-
\??\c:\7bbtnn.exec:\7bbtnn.exe73⤵PID:4424
-
\??\c:\jppvv.exec:\jppvv.exe74⤵PID:2368
-
\??\c:\9jvdd.exec:\9jvdd.exe75⤵PID:2556
-
\??\c:\lrrrlfx.exec:\lrrrlfx.exe76⤵PID:4044
-
\??\c:\ntthbn.exec:\ntthbn.exe77⤵PID:4392
-
\??\c:\9jjdp.exec:\9jjdp.exe78⤵PID:2496
-
\??\c:\5fxlxxl.exec:\5fxlxxl.exe79⤵PID:1140
-
\??\c:\nbbtnh.exec:\nbbtnh.exe80⤵PID:1872
-
\??\c:\jpvjv.exec:\jpvjv.exe81⤵PID:4980
-
\??\c:\xfrlxrl.exec:\xfrlxrl.exe82⤵PID:1760
-
\??\c:\5xxrrll.exec:\5xxrrll.exe83⤵PID:2880
-
\??\c:\nhhbnh.exec:\nhhbnh.exe84⤵PID:3012
-
\??\c:\3dvpd.exec:\3dvpd.exe85⤵PID:2700
-
\??\c:\9lrlxrf.exec:\9lrlxrf.exe86⤵PID:3596
-
\??\c:\nthbnh.exec:\nthbnh.exe87⤵PID:4300
-
\??\c:\nhthth.exec:\nhthth.exe88⤵PID:3240
-
\??\c:\3pdvd.exec:\3pdvd.exe89⤵PID:3756
-
\??\c:\rffrfxr.exec:\rffrfxr.exe90⤵PID:3824
-
\??\c:\3hbbth.exec:\3hbbth.exe91⤵PID:1068
-
\??\c:\dvjdv.exec:\dvjdv.exe92⤵PID:3140
-
\??\c:\jjpdv.exec:\jjpdv.exe93⤵PID:3556
-
\??\c:\ffrflff.exec:\ffrflff.exe94⤵PID:592
-
\??\c:\nnhbnt.exec:\nnhbnt.exe95⤵PID:3428
-
\??\c:\ddppj.exec:\ddppj.exe96⤵PID:4728
-
\??\c:\fflfxxf.exec:\fflfxxf.exe97⤵PID:1540
-
\??\c:\hbttnn.exec:\hbttnn.exe98⤵PID:1632
-
\??\c:\jjvjj.exec:\jjvjj.exe99⤵PID:4336
-
\??\c:\fllfrrl.exec:\fllfrrl.exe100⤵PID:3524
-
\??\c:\hnhhhh.exec:\hnhhhh.exe101⤵PID:1148
-
\??\c:\nhnhhb.exec:\nhnhhb.exe102⤵
- System Location Discovery: System Language Discovery
PID:3920 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe103⤵PID:3632
-
\??\c:\9lrfxff.exec:\9lrfxff.exe104⤵PID:4836
-
\??\c:\bbnnhh.exec:\bbnnhh.exe105⤵PID:1208
-
\??\c:\7jdvj.exec:\7jdvj.exe106⤵PID:640
-
\??\c:\vvppj.exec:\vvppj.exe107⤵PID:1116
-
\??\c:\rffrfxr.exec:\rffrfxr.exe108⤵PID:392
-
\??\c:\btbtnn.exec:\btbtnn.exe109⤵PID:4808
-
\??\c:\vdvpj.exec:\vdvpj.exe110⤵PID:784
-
\??\c:\pppdp.exec:\pppdp.exe111⤵PID:60
-
\??\c:\flfrfxr.exec:\flfrfxr.exe112⤵PID:4516
-
\??\c:\bbhhbt.exec:\bbhhbt.exe113⤵PID:4760
-
\??\c:\vvvvv.exec:\vvvvv.exe114⤵PID:4408
-
\??\c:\xrxlxrr.exec:\xrxlxrr.exe115⤵PID:2324
-
\??\c:\1bthbn.exec:\1bthbn.exe116⤵PID:4832
-
\??\c:\jvvjv.exec:\jvvjv.exe117⤵PID:4316
-
\??\c:\7jpdv.exec:\7jpdv.exe118⤵PID:3456
-
\??\c:\1lllfxx.exec:\1lllfxx.exe119⤵PID:4356
-
\??\c:\hbthbb.exec:\hbthbb.exe120⤵PID:3000
-
\??\c:\jppjv.exec:\jppjv.exe121⤵PID:4004
-
\??\c:\xflfxxx.exec:\xflfxxx.exe122⤵PID:880