Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26/12/2024, 04:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1.exe
-
Size
456KB
-
MD5
9fa14e964c3b6a4992d5f4b80a178191
-
SHA1
aa93eac8e562c1e57182c69997f426b21f0e7f6a
-
SHA256
8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1
-
SHA512
6a6cea25820611121e83632fc43dc95db6b422feffc1ed2a92418aa0a9fc8c0f1c80d8da398445668f2982f842bc3b531ed021607bf7a5214464e20f15a20ded
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRn:q7Tc2NYHUrAwfMp3CDRn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/876-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1664-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/376-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-749-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4340-962-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3900 thbnht.exe 2208 pjjjj.exe 1844 frrlxxr.exe 1340 lxfxrlr.exe 4804 1nnhtt.exe 3744 1hnhtn.exe 3780 rlfxlfr.exe 916 5lfxrlf.exe 2560 jvpdd.exe 4868 jppjp.exe 2992 7rfxxxr.exe 1416 5ddvp.exe 4760 vdpdd.exe 3776 xxfxllf.exe 4072 9nnhbb.exe 4716 jvvjd.exe 3572 hhtbtn.exe 4264 frxrffx.exe 1072 9hnbht.exe 2356 djjvp.exe 3016 pjjdv.exe 1664 dppjv.exe 1780 rxfxrrl.exe 1676 1btthn.exe 3596 jdvjv.exe 976 vdjdj.exe 4732 1rxrffl.exe 4700 dvddv.exe 1120 7lfrlfx.exe 2608 1ddvp.exe 2784 bhntnh.exe 3788 jvdpv.exe 4544 btnhbt.exe 3584 7ppjd.exe 3704 frrfrlx.exe 3288 tbhbnh.exe 2352 djpjv.exe 2288 frxrrll.exe 1848 5xrlrrx.exe 2228 nnbbbb.exe 2988 ddpvp.exe 708 1xrlxrl.exe 2196 nhhtnh.exe 1052 5thbnn.exe 3012 1pddp.exe 2084 9xxlxxr.exe 3908 nbhbtt.exe 4896 pdjdj.exe 1324 xxlfffl.exe 4428 5llfxxr.exe 4736 3hbthb.exe 5012 jvvjd.exe 2208 5ddvp.exe 1844 rflxxrr.exe 3220 hnnhbt.exe 3544 9dvjd.exe 3536 djjjv.exe 3744 rxffrlr.exe 4728 btbtbt.exe 1564 dpvvp.exe 376 lfffxxx.exe 3112 btnbhb.exe 3696 jvpdp.exe 1232 lxflfff.exe -
resource yara_rule behavioral2/memory/3900-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3596-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-325-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1808-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2288-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-749-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-801-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7htnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3frllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 876 wrote to memory of 3900 876 8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1.exe 83 PID 876 wrote to memory of 3900 876 8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1.exe 83 PID 876 wrote to memory of 3900 876 8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1.exe 83 PID 3900 wrote to memory of 2208 3900 thbnht.exe 84 PID 3900 wrote to memory of 2208 3900 thbnht.exe 84 PID 3900 wrote to memory of 2208 3900 thbnht.exe 84 PID 2208 wrote to memory of 1844 2208 pjjjj.exe 85 PID 2208 wrote to memory of 1844 2208 pjjjj.exe 85 PID 2208 wrote to memory of 1844 2208 pjjjj.exe 85 PID 1844 wrote to memory of 1340 1844 frrlxxr.exe 86 PID 1844 wrote to memory of 1340 1844 frrlxxr.exe 86 PID 1844 wrote to memory of 1340 1844 frrlxxr.exe 86 PID 1340 wrote to memory of 4804 1340 lxfxrlr.exe 87 PID 1340 wrote to memory of 4804 1340 lxfxrlr.exe 87 PID 1340 wrote to memory of 4804 1340 lxfxrlr.exe 87 PID 4804 wrote to memory of 3744 4804 1nnhtt.exe 88 PID 4804 wrote to memory of 3744 4804 1nnhtt.exe 88 PID 4804 wrote to memory of 3744 4804 1nnhtt.exe 88 PID 3744 wrote to memory of 3780 3744 1hnhtn.exe 89 PID 3744 wrote to memory of 3780 3744 1hnhtn.exe 89 PID 3744 wrote to memory of 3780 3744 1hnhtn.exe 89 PID 3780 wrote to memory of 916 3780 rlfxlfr.exe 90 PID 3780 wrote to memory of 916 3780 rlfxlfr.exe 90 PID 3780 wrote to memory of 916 3780 rlfxlfr.exe 90 PID 916 wrote to memory of 2560 916 5lfxrlf.exe 91 PID 916 wrote to memory of 2560 916 5lfxrlf.exe 91 PID 916 wrote to memory of 2560 916 5lfxrlf.exe 91 PID 2560 wrote to memory of 4868 2560 jvpdd.exe 92 PID 2560 wrote to memory of 4868 2560 jvpdd.exe 92 PID 2560 wrote to memory of 4868 2560 jvpdd.exe 92 PID 4868 wrote to memory of 2992 4868 jppjp.exe 93 PID 4868 wrote to memory of 2992 4868 jppjp.exe 93 PID 4868 wrote to memory of 2992 4868 jppjp.exe 93 PID 2992 wrote to memory of 1416 2992 7rfxxxr.exe 94 PID 2992 wrote to memory of 
1416 2992 7rfxxxr.exe 94 PID 2992 wrote to memory of 1416 2992 7rfxxxr.exe 94 PID 1416 wrote to memory of 4760 1416 5ddvp.exe 95 PID 1416 wrote to memory of 4760 1416 5ddvp.exe 95 PID 1416 wrote to memory of 4760 1416 5ddvp.exe 95 PID 4760 wrote to memory of 3776 4760 vdpdd.exe 96 PID 4760 wrote to memory of 3776 4760 vdpdd.exe 96 PID 4760 wrote to memory of 3776 4760 vdpdd.exe 96 PID 3776 wrote to memory of 4072 3776 xxfxllf.exe 97 PID 3776 wrote to memory of 4072 3776 xxfxllf.exe 97 PID 3776 wrote to memory of 4072 3776 xxfxllf.exe 97 PID 4072 wrote to memory of 4716 4072 9nnhbb.exe 98 PID 4072 wrote to memory of 4716 4072 9nnhbb.exe 98 PID 4072 wrote to memory of 4716 4072 9nnhbb.exe 98 PID 4716 wrote to memory of 3572 4716 jvvjd.exe 99 PID 4716 wrote to memory of 3572 4716 jvvjd.exe 99 PID 4716 wrote to memory of 3572 4716 jvvjd.exe 99 PID 3572 wrote to memory of 4264 3572 hhtbtn.exe 100 PID 3572 wrote to memory of 4264 3572 hhtbtn.exe 100 PID 3572 wrote to memory of 4264 3572 hhtbtn.exe 100 PID 4264 wrote to memory of 1072 4264 frxrffx.exe 101 PID 4264 wrote to memory of 1072 4264 frxrffx.exe 101 PID 4264 wrote to memory of 1072 4264 frxrffx.exe 101 PID 1072 wrote to memory of 2356 1072 9hnbht.exe 102 PID 1072 wrote to memory of 2356 1072 9hnbht.exe 102 PID 1072 wrote to memory of 2356 1072 9hnbht.exe 102 PID 2356 wrote to memory of 3016 2356 djjvp.exe 103 PID 2356 wrote to memory of 3016 2356 djjvp.exe 103 PID 2356 wrote to memory of 3016 2356 djjvp.exe 103 PID 3016 wrote to memory of 1664 3016 pjjdv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1.exe"C:\Users\Admin\AppData\Local\Temp\8dda96d9d077081b72322a1bebd1d1fc1fd9cb46906d0839300ddb519e4cc5f1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\thbnht.exec:\thbnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\pjjjj.exec:\pjjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\frrlxxr.exec:\frrlxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\lxfxrlr.exec:\lxfxrlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340 -
\??\c:\1nnhtt.exec:\1nnhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\1hnhtn.exec:\1hnhtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\rlfxlfr.exec:\rlfxlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\5lfxrlf.exec:\5lfxrlf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\jvpdd.exec:\jvpdd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\jppjp.exec:\jppjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\7rfxxxr.exec:\7rfxxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\5ddvp.exec:\5ddvp.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\vdpdd.exec:\vdpdd.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\xxfxllf.exec:\xxfxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3776 -
\??\c:\9nnhbb.exec:\9nnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\jvvjd.exec:\jvvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\hhtbtn.exec:\hhtbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\frxrffx.exec:\frxrffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\9hnbht.exec:\9hnbht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\djjvp.exec:\djjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\pjjdv.exec:\pjjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\dppjv.exec:\dppjv.exe23⤵
- Executes dropped EXE
PID:1664 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe24⤵
- Executes dropped EXE
PID:1780 -
\??\c:\1btthn.exec:\1btthn.exe25⤵
- Executes dropped EXE
PID:1676 -
\??\c:\jdvjv.exec:\jdvjv.exe26⤵
- Executes dropped EXE
PID:3596 -
\??\c:\vdjdj.exec:\vdjdj.exe27⤵
- Executes dropped EXE
PID:976 -
\??\c:\1rxrffl.exec:\1rxrffl.exe28⤵
- Executes dropped EXE
PID:4732 -
\??\c:\dvddv.exec:\dvddv.exe29⤵
- Executes dropped EXE
PID:4700 -
\??\c:\7lfrlfx.exec:\7lfrlfx.exe30⤵
- Executes dropped EXE
PID:1120 -
\??\c:\1ddvp.exec:\1ddvp.exe31⤵
- Executes dropped EXE
PID:2608 -
\??\c:\bhntnh.exec:\bhntnh.exe32⤵
- Executes dropped EXE
PID:2784 -
\??\c:\jvdpv.exec:\jvdpv.exe33⤵
- Executes dropped EXE
PID:3788 -
\??\c:\btnhbt.exec:\btnhbt.exe34⤵
- Executes dropped EXE
PID:4544 -
\??\c:\7ppjd.exec:\7ppjd.exe35⤵
- Executes dropped EXE
PID:3584 -
\??\c:\frrfrlx.exec:\frrfrlx.exe36⤵
- Executes dropped EXE
PID:3704 -
\??\c:\tbhbnh.exec:\tbhbnh.exe37⤵
- Executes dropped EXE
PID:3288 -
\??\c:\djpjv.exec:\djpjv.exe38⤵
- Executes dropped EXE
PID:2352 -
\??\c:\frxrrll.exec:\frxrrll.exe39⤵
- Executes dropped EXE
PID:2288 -
\??\c:\5xrlrrx.exec:\5xrlrrx.exe40⤵
- Executes dropped EXE
PID:1848 -
\??\c:\nnbbbb.exec:\nnbbbb.exe41⤵
- Executes dropped EXE
PID:2228 -
\??\c:\ddpvp.exec:\ddpvp.exe42⤵
- Executes dropped EXE
PID:2988 -
\??\c:\1xrlxrl.exec:\1xrlxrl.exe43⤵
- Executes dropped EXE
PID:708 -
\??\c:\nhhtnh.exec:\nhhtnh.exe44⤵
- Executes dropped EXE
PID:2196 -
\??\c:\5thbnn.exec:\5thbnn.exe45⤵
- Executes dropped EXE
PID:1052 -
\??\c:\1pddp.exec:\1pddp.exe46⤵
- Executes dropped EXE
PID:3012 -
\??\c:\9xxlxxr.exec:\9xxlxxr.exe47⤵
- Executes dropped EXE
PID:2084 -
\??\c:\nbhbtt.exec:\nbhbtt.exe48⤵
- Executes dropped EXE
PID:3908 -
\??\c:\pdjdj.exec:\pdjdj.exe49⤵
- Executes dropped EXE
PID:4896 -
\??\c:\xxlfffl.exec:\xxlfffl.exe50⤵
- Executes dropped EXE
PID:1324 -
\??\c:\5llfxxr.exec:\5llfxxr.exe51⤵
- Executes dropped EXE
PID:4428 -
\??\c:\3hbthb.exec:\3hbthb.exe52⤵
- Executes dropped EXE
PID:4736 -
\??\c:\jvvjd.exec:\jvvjd.exe53⤵
- Executes dropped EXE
PID:5012 -
\??\c:\5ddvp.exec:\5ddvp.exe54⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rflxxrr.exec:\rflxxrr.exe55⤵
- Executes dropped EXE
PID:1844 -
\??\c:\hnnhbt.exec:\hnnhbt.exe56⤵
- Executes dropped EXE
PID:3220 -
\??\c:\9dvjd.exec:\9dvjd.exe57⤵
- Executes dropped EXE
PID:3544 -
\??\c:\djjjv.exec:\djjjv.exe58⤵
- Executes dropped EXE
PID:3536 -
\??\c:\rxffrlr.exec:\rxffrlr.exe59⤵
- Executes dropped EXE
PID:3744 -
\??\c:\btbtbt.exec:\btbtbt.exe60⤵
- Executes dropped EXE
PID:4728 -
\??\c:\dpvvp.exec:\dpvvp.exe61⤵
- Executes dropped EXE
PID:1564 -
\??\c:\lfffxxx.exec:\lfffxxx.exe62⤵
- Executes dropped EXE
PID:376 -
\??\c:\btnbhb.exec:\btnbhb.exe63⤵
- Executes dropped EXE
PID:3112 -
\??\c:\jvpdp.exec:\jvpdp.exe64⤵
- Executes dropped EXE
PID:3696 -
\??\c:\lxflfff.exec:\lxflfff.exe65⤵
- Executes dropped EXE
PID:1232 -
\??\c:\hbnnhh.exec:\hbnnhh.exe66⤵PID:2000
-
\??\c:\9nthth.exec:\9nthth.exe67⤵PID:2136
-
\??\c:\vdpdp.exec:\vdpdp.exe68⤵PID:3664
-
\??\c:\rfrxrfx.exec:\rfrxrfx.exe69⤵PID:2448
-
\??\c:\httnbb.exec:\httnbb.exe70⤵PID:4652
-
\??\c:\vdjdd.exec:\vdjdd.exe71⤵PID:4612
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe72⤵PID:4860
-
\??\c:\5ttthb.exec:\5ttthb.exe73⤵PID:1628
-
\??\c:\hbhbbb.exec:\hbhbbb.exe74⤵PID:4824
-
\??\c:\dpdvv.exec:\dpdvv.exe75⤵PID:1808
-
\??\c:\fffxlfx.exec:\fffxlfx.exe76⤵PID:1164
-
\??\c:\hhhhht.exec:\hhhhht.exe77⤵PID:1492
-
\??\c:\djpjv.exec:\djpjv.exe78⤵PID:4904
-
\??\c:\lfxrffx.exec:\lfxrffx.exe79⤵PID:440
-
\??\c:\lxfffxf.exec:\lxfffxf.exe80⤵PID:468
-
\??\c:\bttttt.exec:\bttttt.exe81⤵PID:552
-
\??\c:\jpdvj.exec:\jpdvj.exe82⤵PID:748
-
\??\c:\fflfxrf.exec:\fflfxrf.exe83⤵PID:3712
-
\??\c:\tntnbt.exec:\tntnbt.exe84⤵PID:3276
-
\??\c:\djvpd.exec:\djvpd.exe85⤵PID:3100
-
\??\c:\lxfxffx.exec:\lxfxffx.exe86⤵PID:796
-
\??\c:\1xlxrlf.exec:\1xlxrlf.exe87⤵PID:1716
-
\??\c:\bhbbnn.exec:\bhbbnn.exe88⤵PID:2712
-
\??\c:\dpvdp.exec:\dpvdp.exe89⤵PID:1328
-
\??\c:\5rrlxxr.exec:\5rrlxxr.exe90⤵PID:4116
-
\??\c:\3lffxfx.exec:\3lffxfx.exe91⤵PID:3204
-
\??\c:\bhnhbt.exec:\bhnhbt.exe92⤵PID:1720
-
\??\c:\5pjdv.exec:\5pjdv.exe93⤵PID:2548
-
\??\c:\xffxrxr.exec:\xffxrxr.exe94⤵PID:1596
-
\??\c:\9bbtnn.exec:\9bbtnn.exe95⤵PID:1580
-
\??\c:\vvjjj.exec:\vvjjj.exe96⤵PID:1828
-
\??\c:\9rlfrrr.exec:\9rlfrrr.exe97⤵PID:1880
-
\??\c:\bhnnhh.exec:\bhnnhh.exe98⤵PID:3704
-
\??\c:\bnthbt.exec:\bnthbt.exe99⤵PID:3288
-
\??\c:\vjdjp.exec:\vjdjp.exe100⤵PID:392
-
\??\c:\5fffxrl.exec:\5fffxrl.exe101⤵PID:3372
-
\??\c:\bttnbb.exec:\bttnbb.exe102⤵PID:756
-
\??\c:\ddjdd.exec:\ddjdd.exe103⤵PID:3860
-
\??\c:\ppvpd.exec:\ppvpd.exe104⤵PID:4176
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe105⤵PID:1812
-
\??\c:\nhhnhh.exec:\nhhnhh.exe106⤵PID:372
-
\??\c:\9dpjj.exec:\9dpjj.exe107⤵PID:3740
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe108⤵PID:2276
-
\??\c:\nntnnt.exec:\nntnnt.exe109⤵PID:4416
-
\??\c:\1nhthb.exec:\1nhthb.exe110⤵PID:4404
-
\??\c:\3vdpd.exec:\3vdpd.exe111⤵PID:2216
-
\??\c:\lffrfxr.exec:\lffrfxr.exe112⤵PID:1100
-
\??\c:\hntnhh.exec:\hntnhh.exe113⤵PID:4324
-
\??\c:\pdpjv.exec:\pdpjv.exe114⤵PID:4916
-
\??\c:\5fxrffx.exec:\5fxrffx.exe115⤵PID:1376
-
\??\c:\bhhbbb.exec:\bhhbbb.exe116⤵
- System Location Discovery: System Language Discovery
PID:1048 -
\??\c:\hbhbnh.exec:\hbhbnh.exe117⤵PID:2208
-
\??\c:\7vvpd.exec:\7vvpd.exe118⤵PID:264
-
\??\c:\xrxlxxr.exec:\xrxlxxr.exe119⤵PID:3076
-
\??\c:\bnhthb.exec:\bnhthb.exe120⤵PID:3544
-
\??\c:\vpvjj.exec:\vpvjj.exe121⤵PID:4456
-
\??\c:\9vpdp.exec:\9vpdp.exe122⤵PID:3744