Analysis
-
max time kernel
120s -
max time network
117s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58N.exe
-
Size
453KB
-
MD5
60f8f55ab89f2f9571ccebb27a8cf810
-
SHA1
8740a87159cd27eb92f0438fbe0a7612964afcd7
-
SHA256
8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58
-
SHA512
0dfde2c88d36f86e6b93a8e8c83b00bb93a42fb4c3667700517a43baddb2a727ec25c4f5b62fb39c0c9e84b66dbe9f6ecbf5cc67012c5f9490581b20f712a7ee
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3240-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1164-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1756-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-698-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3240-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-721-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-770-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/756-1048-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4552-1825-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1236 1jpdv.exe 3224 nhtbht.exe 3496 hhthbb.exe 2340 tntnhb.exe 2712 9tbthb.exe 808 lxxlxfr.exe 4304 jjvpd.exe 3536 xllfrlx.exe 4036 rlfxxrl.exe 1528 bnthhb.exe 2004 3vvpd.exe 4812 rffrllf.exe 3044 9bbnhh.exe 2380 jdjvp.exe 2972 jvvvp.exe 4840 9lxllll.exe 3916 bnnhbn.exe 2160 vjpdv.exe 4784 rlxrxxl.exe 4356 httnhb.exe 3704 thhbtn.exe 4552 dpvjd.exe 2660 lxfrfxr.exe 5044 flrfxrl.exe 3216 bnnhbt.exe 4780 jdpjd.exe 3388 jpdvp.exe 1928 lxxlfrf.exe 996 hbbnhh.exe 2428 jddjp.exe 2896 vpvpp.exe 2228 1fxlrlx.exe 4056 bhnhtt.exe 4476 hbbthn.exe 3264 dvjjj.exe 4300 rllfrlf.exe 1164 flrlxxr.exe 4400 5nbtnt.exe 2336 ppvpd.exe 3696 flrrfxr.exe 4480 xlrlfxf.exe 1492 bnnhhb.exe 4352 hbhtnn.exe 2596 pjdpj.exe 4256 9rrlrlx.exe 2700 1hhbtb.exe 2012 ntthnb.exe 3036 dvjjp.exe 3580 5xxxlrl.exe 3588 9bthbb.exe 2432 nnhbnh.exe 3660 vdpdv.exe 3428 flrflfr.exe 2976 tbttnn.exe 1900 btbtnn.exe 1360 vpvvj.exe 1192 xrfxllf.exe 4284 9lxrxlr.exe 2468 tnnhtt.exe 3724 vvpvv.exe 1236 lrllrrf.exe 2800 djjvp.exe 3944 5llfrxr.exe 1992 5ffrffr.exe -
resource yara_rule behavioral2/memory/3240-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-200-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4056-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-416-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3336-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-698-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3240-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-721-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-770-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-783-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3240 wrote to memory of 1236 3240 8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58N.exe 82 PID 3240 wrote to memory of 1236 3240 8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58N.exe 82 PID 3240 wrote to memory of 1236 3240 8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58N.exe 82 PID 1236 wrote to memory of 3224 1236 1jpdv.exe 83 PID 1236 wrote to memory of 3224 1236 1jpdv.exe 83 PID 1236 wrote to memory of 3224 1236 1jpdv.exe 83 PID 3224 wrote to memory of 3496 3224 nhtbht.exe 84 PID 3224 wrote to memory of 3496 3224 nhtbht.exe 84 PID 3224 wrote to memory of 3496 3224 nhtbht.exe 84 PID 3496 wrote to memory of 2340 3496 hhthbb.exe 85 PID 3496 wrote to memory of 2340 3496 hhthbb.exe 85 PID 3496 wrote to memory of 2340 3496 hhthbb.exe 85 PID 2340 wrote to memory of 2712 2340 tntnhb.exe 86 PID 2340 wrote to memory of 2712 2340 tntnhb.exe 86 PID 2340 wrote to memory of 2712 2340 tntnhb.exe 86 PID 2712 wrote to memory of 808 2712 9tbthb.exe 87 PID 2712 wrote to memory of 808 2712 9tbthb.exe 87 PID 2712 wrote to memory of 808 2712 9tbthb.exe 87 PID 808 wrote to memory of 4304 808 lxxlxfr.exe 88 PID 808 wrote to memory of 4304 808 lxxlxfr.exe 88 PID 808 wrote to memory of 4304 808 lxxlxfr.exe 88 PID 4304 wrote to memory of 3536 4304 jjvpd.exe 89 PID 4304 wrote to memory of 3536 4304 jjvpd.exe 89 PID 4304 wrote to memory of 3536 4304 jjvpd.exe 89 PID 3536 wrote to memory of 4036 3536 xllfrlx.exe 90 PID 3536 wrote to memory of 4036 3536 xllfrlx.exe 90 PID 3536 wrote to memory of 4036 3536 xllfrlx.exe 90 PID 4036 wrote to memory of 1528 4036 rlfxxrl.exe 91 PID 4036 wrote to memory of 1528 4036 rlfxxrl.exe 91 PID 4036 wrote to memory of 1528 4036 rlfxxrl.exe 91 PID 1528 wrote to memory of 2004 1528 bnthhb.exe 92 PID 1528 wrote to memory of 2004 1528 bnthhb.exe 92 PID 1528 wrote to memory of 2004 1528 bnthhb.exe 92 PID 2004 wrote to memory of 4812 2004 3vvpd.exe 93 PID 2004 wrote to 
memory of 4812 2004 3vvpd.exe 93 PID 2004 wrote to memory of 4812 2004 3vvpd.exe 93 PID 4812 wrote to memory of 3044 4812 rffrllf.exe 94 PID 4812 wrote to memory of 3044 4812 rffrllf.exe 94 PID 4812 wrote to memory of 3044 4812 rffrllf.exe 94 PID 3044 wrote to memory of 2380 3044 9bbnhh.exe 95 PID 3044 wrote to memory of 2380 3044 9bbnhh.exe 95 PID 3044 wrote to memory of 2380 3044 9bbnhh.exe 95 PID 2380 wrote to memory of 2972 2380 jdjvp.exe 96 PID 2380 wrote to memory of 2972 2380 jdjvp.exe 96 PID 2380 wrote to memory of 2972 2380 jdjvp.exe 96 PID 2972 wrote to memory of 4840 2972 jvvvp.exe 97 PID 2972 wrote to memory of 4840 2972 jvvvp.exe 97 PID 2972 wrote to memory of 4840 2972 jvvvp.exe 97 PID 4840 wrote to memory of 3916 4840 9lxllll.exe 98 PID 4840 wrote to memory of 3916 4840 9lxllll.exe 98 PID 4840 wrote to memory of 3916 4840 9lxllll.exe 98 PID 3916 wrote to memory of 2160 3916 bnnhbn.exe 99 PID 3916 wrote to memory of 2160 3916 bnnhbn.exe 99 PID 3916 wrote to memory of 2160 3916 bnnhbn.exe 99 PID 2160 wrote to memory of 4784 2160 vjpdv.exe 100 PID 2160 wrote to memory of 4784 2160 vjpdv.exe 100 PID 2160 wrote to memory of 4784 2160 vjpdv.exe 100 PID 4784 wrote to memory of 4356 4784 rlxrxxl.exe 101 PID 4784 wrote to memory of 4356 4784 rlxrxxl.exe 101 PID 4784 wrote to memory of 4356 4784 rlxrxxl.exe 101 PID 4356 wrote to memory of 3704 4356 httnhb.exe 102 PID 4356 wrote to memory of 3704 4356 httnhb.exe 102 PID 4356 wrote to memory of 3704 4356 httnhb.exe 102 PID 3704 wrote to memory of 4552 3704 thhbtn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58N.exe"C:\Users\Admin\AppData\Local\Temp\8ce1aa62891fc99859da2a3cbee16509dd8b1d9fee1dc0cb2fd8a9f29f025d58N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\1jpdv.exec:\1jpdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\nhtbht.exec:\nhtbht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\hhthbb.exec:\hhthbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\tntnhb.exec:\tntnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\9tbthb.exec:\9tbthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\lxxlxfr.exec:\lxxlxfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\jjvpd.exec:\jjvpd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\xllfrlx.exec:\xllfrlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\rlfxxrl.exec:\rlfxxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\bnthhb.exec:\bnthhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\3vvpd.exec:\3vvpd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\rffrllf.exec:\rffrllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\9bbnhh.exec:\9bbnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\jdjvp.exec:\jdjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\jvvvp.exec:\jvvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\9lxllll.exec:\9lxllll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\bnnhbn.exec:\bnnhbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\vjpdv.exec:\vjpdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\rlxrxxl.exec:\rlxrxxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\httnhb.exec:\httnhb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\thhbtn.exec:\thhbtn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\dpvjd.exec:\dpvjd.exe23⤵
- Executes dropped EXE
PID:4552 -
\??\c:\lxfrfxr.exec:\lxfrfxr.exe24⤵
- Executes dropped EXE
PID:2660 -
\??\c:\flrfxrl.exec:\flrfxrl.exe25⤵
- Executes dropped EXE
PID:5044 -
\??\c:\bnnhbt.exec:\bnnhbt.exe26⤵
- Executes dropped EXE
PID:3216 -
\??\c:\jdpjd.exec:\jdpjd.exe27⤵
- Executes dropped EXE
PID:4780 -
\??\c:\jpdvp.exec:\jpdvp.exe28⤵
- Executes dropped EXE
PID:3388 -
\??\c:\lxxlfrf.exec:\lxxlfrf.exe29⤵
- Executes dropped EXE
PID:1928 -
\??\c:\hbbnhh.exec:\hbbnhh.exe30⤵
- Executes dropped EXE
PID:996 -
\??\c:\jddjp.exec:\jddjp.exe31⤵
- Executes dropped EXE
PID:2428 -
\??\c:\vpvpp.exec:\vpvpp.exe32⤵
- Executes dropped EXE
PID:2896 -
\??\c:\1fxlrlx.exec:\1fxlrlx.exe33⤵
- Executes dropped EXE
PID:2228 -
\??\c:\bhnhtt.exec:\bhnhtt.exe34⤵
- Executes dropped EXE
PID:4056 -
\??\c:\hbbthn.exec:\hbbthn.exe35⤵
- Executes dropped EXE
PID:4476 -
\??\c:\dvjjj.exec:\dvjjj.exe36⤵
- Executes dropped EXE
PID:3264 -
\??\c:\rllfrlf.exec:\rllfrlf.exe37⤵
- Executes dropped EXE
PID:4300 -
\??\c:\flrlxxr.exec:\flrlxxr.exe38⤵
- Executes dropped EXE
PID:1164 -
\??\c:\5nbtnt.exec:\5nbtnt.exe39⤵
- Executes dropped EXE
PID:4400 -
\??\c:\ppvpd.exec:\ppvpd.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
\??\c:\flrrfxr.exec:\flrrfxr.exe41⤵
- Executes dropped EXE
PID:3696 -
\??\c:\xlrlfxf.exec:\xlrlfxf.exe42⤵
- Executes dropped EXE
PID:4480 -
\??\c:\bnnhhb.exec:\bnnhhb.exe43⤵
- Executes dropped EXE
PID:1492 -
\??\c:\hbhtnn.exec:\hbhtnn.exe44⤵
- Executes dropped EXE
PID:4352 -
\??\c:\pjdpj.exec:\pjdpj.exe45⤵
- Executes dropped EXE
PID:2596 -
\??\c:\9rrlrlx.exec:\9rrlrlx.exe46⤵
- Executes dropped EXE
PID:4256 -
\??\c:\1hhbtb.exec:\1hhbtb.exe47⤵
- Executes dropped EXE
PID:2700 -
\??\c:\ntthnb.exec:\ntthnb.exe48⤵
- Executes dropped EXE
PID:2012 -
\??\c:\dvjjp.exec:\dvjjp.exe49⤵
- Executes dropped EXE
PID:3036 -
\??\c:\5xxxlrl.exec:\5xxxlrl.exe50⤵
- Executes dropped EXE
PID:3580 -
\??\c:\9bthbb.exec:\9bthbb.exe51⤵
- Executes dropped EXE
PID:3588 -
\??\c:\nnhbnh.exec:\nnhbnh.exe52⤵
- Executes dropped EXE
PID:2432 -
\??\c:\vdpdv.exec:\vdpdv.exe53⤵
- Executes dropped EXE
PID:3660 -
\??\c:\flrflfr.exec:\flrflfr.exe54⤵
- Executes dropped EXE
PID:3428 -
\??\c:\tbttnn.exec:\tbttnn.exe55⤵
- Executes dropped EXE
PID:2976 -
\??\c:\btbtnn.exec:\btbtnn.exe56⤵
- Executes dropped EXE
PID:1900 -
\??\c:\vpvvj.exec:\vpvvj.exe57⤵
- Executes dropped EXE
PID:1360 -
\??\c:\xrfxllf.exec:\xrfxllf.exe58⤵
- Executes dropped EXE
PID:1192 -
\??\c:\9lxrxlr.exec:\9lxrxlr.exe59⤵
- Executes dropped EXE
PID:4284 -
\??\c:\tnnhtt.exec:\tnnhtt.exe60⤵
- Executes dropped EXE
PID:2468 -
\??\c:\vvpvv.exec:\vvpvv.exe61⤵
- Executes dropped EXE
PID:3724 -
\??\c:\lrllrrf.exec:\lrllrrf.exe62⤵
- Executes dropped EXE
PID:1236 -
\??\c:\djjvp.exec:\djjvp.exe63⤵
- Executes dropped EXE
PID:2800 -
\??\c:\5llfrxr.exec:\5llfrxr.exe64⤵
- Executes dropped EXE
PID:3944 -
\??\c:\5ffrffr.exec:\5ffrffr.exe65⤵
- Executes dropped EXE
PID:1992 -
\??\c:\hbhbnn.exec:\hbhbnn.exe66⤵PID:4900
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe67⤵PID:908
-
\??\c:\thnhbh.exec:\thnhbh.exe68⤵PID:2712
-
\??\c:\djpvd.exec:\djpvd.exe69⤵PID:4928
-
\??\c:\vpddd.exec:\vpddd.exe70⤵PID:2680
-
\??\c:\lxxrffx.exec:\lxxrffx.exe71⤵PID:3924
-
\??\c:\nnbbtt.exec:\nnbbtt.exe72⤵PID:4580
-
\??\c:\djjvp.exec:\djjvp.exe73⤵PID:1380
-
\??\c:\rlrfrxl.exec:\rlrfrxl.exe74⤵PID:1600
-
\??\c:\frrllll.exec:\frrllll.exe75⤵PID:2524
-
\??\c:\1hhhbb.exec:\1hhhbb.exe76⤵PID:992
-
\??\c:\ppppj.exec:\ppppj.exe77⤵PID:2752
-
\??\c:\rllfrrl.exec:\rllfrrl.exe78⤵PID:2576
-
\??\c:\9tbhnn.exec:\9tbhnn.exe79⤵PID:1820
-
\??\c:\dpddp.exec:\dpddp.exe80⤵PID:2052
-
\??\c:\dvvpj.exec:\dvvpj.exe81⤵PID:3424
-
\??\c:\xrlllfx.exec:\xrlllfx.exe82⤵PID:1756
-
\??\c:\bhnnnb.exec:\bhnnnb.exe83⤵PID:3916
-
\??\c:\bbnntt.exec:\bbnntt.exe84⤵PID:2628
-
\??\c:\jpjjd.exec:\jpjjd.exe85⤵PID:4784
-
\??\c:\llllrxr.exec:\llllrxr.exe86⤵PID:3468
-
\??\c:\5hhtnb.exec:\5hhtnb.exe87⤵PID:5036
-
\??\c:\hhhhhn.exec:\hhhhhn.exe88⤵PID:880
-
\??\c:\djpjd.exec:\djpjd.exe89⤵PID:4028
-
\??\c:\rflfrlf.exec:\rflfrlf.exe90⤵PID:3300
-
\??\c:\btbtbb.exec:\btbtbb.exe91⤵PID:4136
-
\??\c:\nhntnt.exec:\nhntnt.exe92⤵PID:4684
-
\??\c:\5vpjv.exec:\5vpjv.exe93⤵PID:4824
-
\??\c:\lrxrxxf.exec:\lrxrxxf.exe94⤵PID:4872
-
\??\c:\5ntnhh.exec:\5ntnhh.exe95⤵PID:996
-
\??\c:\pvvvv.exec:\pvvvv.exe96⤵PID:4440
-
\??\c:\pdjpp.exec:\pdjpp.exe97⤵PID:1524
-
\??\c:\5rrffff.exec:\5rrffff.exe98⤵PID:4308
-
\??\c:\tnbbbh.exec:\tnbbbh.exe99⤵PID:3596
-
\??\c:\hhnhhh.exec:\hhnhhh.exe100⤵PID:756
-
\??\c:\jddvj.exec:\jddvj.exe101⤵PID:632
-
\??\c:\xrxlllf.exec:\xrxlllf.exe102⤵PID:1712
-
\??\c:\thnbtn.exec:\thnbtn.exe103⤵PID:4364
-
\??\c:\jjjdp.exec:\jjjdp.exe104⤵PID:4192
-
\??\c:\lrxlxxl.exec:\lrxlxxl.exe105⤵PID:1624
-
\??\c:\7hnhtn.exec:\7hnhtn.exe106⤵PID:4428
-
\??\c:\bbhbtt.exec:\bbhbtt.exe107⤵PID:3744
-
\??\c:\vjjjv.exec:\vjjjv.exe108⤵
- System Location Discovery: System Language Discovery
PID:3180 -
\??\c:\lfrllfx.exec:\lfrllfx.exe109⤵PID:3336
-
\??\c:\tnhbbb.exec:\tnhbbb.exe110⤵PID:5028
-
\??\c:\pdpjj.exec:\pdpjj.exe111⤵PID:3828
-
\??\c:\jdvjj.exec:\jdvjj.exe112⤵PID:2012
-
\??\c:\frfxrxx.exec:\frfxrxx.exe113⤵PID:2912
-
\??\c:\1hbthh.exec:\1hbthh.exe114⤵PID:4196
-
\??\c:\btttnn.exec:\btttnn.exe115⤵PID:1072
-
\??\c:\lxlfffx.exec:\lxlfffx.exe116⤵PID:3804
-
\??\c:\bntnhb.exec:\bntnhb.exe117⤵PID:2432
-
\??\c:\hnntbn.exec:\hnntbn.exe118⤵PID:2176
-
\??\c:\3vvvp.exec:\3vvvp.exe119⤵PID:3016
-
\??\c:\3rlfxxx.exec:\3rlfxxx.exe120⤵PID:3476
-
\??\c:\hbbtnh.exec:\hbbtnh.exe121⤵PID:5108
-
\??\c:\1ppjv.exec:\1ppjv.exe122⤵PID:3616