Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cfN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cfN.exe
-
Size
453KB
-
MD5
92d4abcd36de51f48d961caae1306d20
-
SHA1
11d3e1cab60873f2d7ce35957d10338cb99e9c3c
-
SHA256
584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cf
-
SHA512
2fb0a3781d197cc14878eeff5bdf9145ebc1e3724aeb5a6bb61d0436d1d531696a4ad361d10fa45451e091212384d9051baf67afe19257181fa7801872213a56
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbef:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2156-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/404-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1068-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-483-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1936-1540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4852 jpvjd.exe 2400 tnthbt.exe 3380 hbbbnh.exe 3332 frxxxxx.exe 3740 ntbttt.exe 4872 rlrrrrr.exe 3016 5ttbtb.exe 3948 htbttt.exe 3916 1rlllll.exe 4356 vjppj.exe 3376 lxlffff.exe 924 3vddj.exe 836 lxlffxx.exe 3136 lxfxfxr.exe 3944 5pjdv.exe 2032 lflfxrr.exe 1572 9nnhhh.exe 772 7xxrllf.exe 5100 nttntt.exe 3256 vpddv.exe 404 frrlffx.exe 2252 rrxlllf.exe 680 nhhhbt.exe 1088 vpppj.exe 4764 dvddj.exe 2980 frffxfx.exe 2964 3hhnhh.exe 1016 xrrrlll.exe 1444 rlfxrrl.exe 4744 nhbttt.exe 3468 3ntntt.exe 2200 thnhhn.exe 1868 pjddv.exe 3472 ttbtbb.exe 1620 xrxrlfx.exe 2272 1ffxrrl.exe 5072 jvdvd.exe 1988 3djjp.exe 3664 9frlfrl.exe 776 nthbnn.exe 1660 ddddd.exe 4440 lxfxxxr.exe 5004 nhbbtt.exe 4160 bbbbtt.exe 4852 rlrlrrr.exe 2192 lrfrlll.exe 1752 nttttt.exe 5064 3pvpj.exe 4204 1tnnhn.exe 2540 pjvpp.exe 2580 frffxxr.exe 1416 tbthbb.exe 2500 hhnhhh.exe 372 pdjdp.exe 3456 xxfxrrl.exe 4448 nhhhhh.exe 4312 vjjdd.exe 4356 rrrrrrr.exe 3492 rfrlllf.exe 4724 hhbbbt.exe 3384 pvdvp.exe 2352 lffxxlf.exe 968 tnnhbb.exe 3308 nhhhhh.exe -
resource yara_rule behavioral2/memory/2156-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4744-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4532-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-483-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-701-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2156 wrote to memory of 4852 2156 584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cfN.exe 83 PID 2156 wrote to memory of 4852 2156 584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cfN.exe 83 PID 2156 wrote to memory of 4852 2156 584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cfN.exe 83 PID 4852 wrote to memory of 2400 4852 jpvjd.exe 84 PID 4852 wrote to memory of 2400 4852 jpvjd.exe 84 PID 4852 wrote to memory of 2400 4852 jpvjd.exe 84 PID 2400 wrote to memory of 3380 2400 tnthbt.exe 85 PID 2400 wrote to memory of 3380 2400 tnthbt.exe 85 PID 2400 wrote to memory of 3380 2400 tnthbt.exe 85 PID 3380 wrote to memory of 3332 3380 hbbbnh.exe 86 PID 3380 wrote to memory of 3332 3380 hbbbnh.exe 86 PID 3380 wrote to memory of 3332 3380 hbbbnh.exe 86 PID 3332 wrote to memory of 3740 3332 frxxxxx.exe 87 PID 3332 wrote to memory of 3740 3332 frxxxxx.exe 87 PID 3332 wrote to memory of 3740 3332 frxxxxx.exe 87 PID 3740 wrote to memory of 4872 3740 ntbttt.exe 88 PID 3740 wrote to memory of 4872 3740 ntbttt.exe 88 PID 3740 wrote to memory of 4872 3740 ntbttt.exe 88 PID 4872 wrote to memory of 3016 4872 rlrrrrr.exe 89 PID 4872 wrote to memory of 3016 4872 rlrrrrr.exe 89 PID 4872 wrote to memory of 3016 4872 rlrrrrr.exe 89 PID 3016 wrote to memory of 3948 3016 5ttbtb.exe 90 PID 3016 wrote to memory of 3948 3016 5ttbtb.exe 90 PID 3016 wrote to memory of 3948 3016 5ttbtb.exe 90 PID 3948 wrote to memory of 3916 3948 htbttt.exe 91 PID 3948 wrote to memory of 3916 3948 htbttt.exe 91 PID 3948 wrote to memory of 3916 3948 htbttt.exe 91 PID 3916 wrote to memory of 4356 3916 1rlllll.exe 92 PID 3916 wrote to memory of 4356 3916 1rlllll.exe 92 PID 3916 wrote to memory of 4356 3916 1rlllll.exe 92 PID 4356 wrote to memory of 3376 4356 vjppj.exe 93 PID 4356 wrote to memory of 3376 4356 vjppj.exe 93 PID 4356 wrote to memory of 3376 4356 vjppj.exe 93 PID 3376 wrote to memory of 924 3376 lxlffff.exe 94 PID 3376 
wrote to memory of 924 3376 lxlffff.exe 94 PID 3376 wrote to memory of 924 3376 lxlffff.exe 94 PID 924 wrote to memory of 836 924 3vddj.exe 95 PID 924 wrote to memory of 836 924 3vddj.exe 95 PID 924 wrote to memory of 836 924 3vddj.exe 95 PID 836 wrote to memory of 3136 836 lxlffxx.exe 96 PID 836 wrote to memory of 3136 836 lxlffxx.exe 96 PID 836 wrote to memory of 3136 836 lxlffxx.exe 96 PID 3136 wrote to memory of 3944 3136 lxfxfxr.exe 97 PID 3136 wrote to memory of 3944 3136 lxfxfxr.exe 97 PID 3136 wrote to memory of 3944 3136 lxfxfxr.exe 97 PID 3944 wrote to memory of 2032 3944 5pjdv.exe 98 PID 3944 wrote to memory of 2032 3944 5pjdv.exe 98 PID 3944 wrote to memory of 2032 3944 5pjdv.exe 98 PID 2032 wrote to memory of 1572 2032 lflfxrr.exe 99 PID 2032 wrote to memory of 1572 2032 lflfxrr.exe 99 PID 2032 wrote to memory of 1572 2032 lflfxrr.exe 99 PID 1572 wrote to memory of 772 1572 9nnhhh.exe 100 PID 1572 wrote to memory of 772 1572 9nnhhh.exe 100 PID 1572 wrote to memory of 772 1572 9nnhhh.exe 100 PID 772 wrote to memory of 5100 772 7xxrllf.exe 101 PID 772 wrote to memory of 5100 772 7xxrllf.exe 101 PID 772 wrote to memory of 5100 772 7xxrllf.exe 101 PID 5100 wrote to memory of 3256 5100 nttntt.exe 102 PID 5100 wrote to memory of 3256 5100 nttntt.exe 102 PID 5100 wrote to memory of 3256 5100 nttntt.exe 102 PID 3256 wrote to memory of 404 3256 vpddv.exe 103 PID 3256 wrote to memory of 404 3256 vpddv.exe 103 PID 3256 wrote to memory of 404 3256 vpddv.exe 103 PID 404 wrote to memory of 2252 404 frrlffx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cfN.exe"C:\Users\Admin\AppData\Local\Temp\584e704930b002073688bff1025442e759494609fcafb07ecf54254e142c64cfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\jpvjd.exec:\jpvjd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\tnthbt.exec:\tnthbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\hbbbnh.exec:\hbbbnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\frxxxxx.exec:\frxxxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\ntbttt.exec:\ntbttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\5ttbtb.exec:\5ttbtb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\htbttt.exec:\htbttt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\1rlllll.exec:\1rlllll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\vjppj.exec:\vjppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\lxlffff.exec:\lxlffff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\3vddj.exec:\3vddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\lxlffxx.exec:\lxlffxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\lxfxfxr.exec:\lxfxfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\5pjdv.exec:\5pjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\lflfxrr.exec:\lflfxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\9nnhhh.exec:\9nnhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\7xxrllf.exec:\7xxrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\nttntt.exec:\nttntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\vpddv.exec:\vpddv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
\??\c:\frrlffx.exec:\frrlffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\rrxlllf.exec:\rrxlllf.exe23⤵
- Executes dropped EXE
PID:2252 -
\??\c:\nhhhbt.exec:\nhhhbt.exe24⤵
- Executes dropped EXE
PID:680 -
\??\c:\vpppj.exec:\vpppj.exe25⤵
- Executes dropped EXE
PID:1088 -
\??\c:\dvddj.exec:\dvddj.exe26⤵
- Executes dropped EXE
PID:4764 -
\??\c:\frffxfx.exec:\frffxfx.exe27⤵
- Executes dropped EXE
PID:2980 -
\??\c:\3hhnhh.exec:\3hhnhh.exe28⤵
- Executes dropped EXE
PID:2964 -
\??\c:\xrrrlll.exec:\xrrrlll.exe29⤵
- Executes dropped EXE
PID:1016 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe30⤵
- Executes dropped EXE
PID:1444 -
\??\c:\nhbttt.exec:\nhbttt.exe31⤵
- Executes dropped EXE
PID:4744 -
\??\c:\3ntntt.exec:\3ntntt.exe32⤵
- Executes dropped EXE
PID:3468 -
\??\c:\thnhhn.exec:\thnhhn.exe33⤵
- Executes dropped EXE
PID:2200 -
\??\c:\pjddv.exec:\pjddv.exe34⤵
- Executes dropped EXE
PID:1868 -
\??\c:\ttbtbb.exec:\ttbtbb.exe35⤵
- Executes dropped EXE
PID:3472 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe36⤵
- Executes dropped EXE
PID:1620 -
\??\c:\1ffxrrl.exec:\1ffxrrl.exe37⤵
- Executes dropped EXE
PID:2272 -
\??\c:\jvdvd.exec:\jvdvd.exe38⤵
- Executes dropped EXE
PID:5072 -
\??\c:\3djjp.exec:\3djjp.exe39⤵
- Executes dropped EXE
PID:1988 -
\??\c:\9frlfrl.exec:\9frlfrl.exe40⤵
- Executes dropped EXE
PID:3664 -
\??\c:\nthbnn.exec:\nthbnn.exe41⤵
- Executes dropped EXE
PID:776 -
\??\c:\ddddd.exec:\ddddd.exe42⤵
- Executes dropped EXE
PID:1660 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe43⤵
- Executes dropped EXE
PID:4440 -
\??\c:\nhbbtt.exec:\nhbbtt.exe44⤵
- Executes dropped EXE
PID:5004 -
\??\c:\bbbbtt.exec:\bbbbtt.exe45⤵
- Executes dropped EXE
PID:4160 -
\??\c:\rlrlrrr.exec:\rlrlrrr.exe46⤵
- Executes dropped EXE
PID:4852 -
\??\c:\lrfrlll.exec:\lrfrlll.exe47⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nttttt.exec:\nttttt.exe48⤵
- Executes dropped EXE
PID:1752 -
\??\c:\3pvpj.exec:\3pvpj.exe49⤵
- Executes dropped EXE
PID:5064 -
\??\c:\1tnnhn.exec:\1tnnhn.exe50⤵
- Executes dropped EXE
PID:4204 -
\??\c:\pjvpp.exec:\pjvpp.exe51⤵
- Executes dropped EXE
PID:2540 -
\??\c:\frffxxr.exec:\frffxxr.exe52⤵
- Executes dropped EXE
PID:2580 -
\??\c:\tbthbb.exec:\tbthbb.exe53⤵
- Executes dropped EXE
PID:1416 -
\??\c:\hhnhhh.exec:\hhnhhh.exe54⤵
- Executes dropped EXE
PID:2500 -
\??\c:\pdjdp.exec:\pdjdp.exe55⤵
- Executes dropped EXE
PID:372 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe56⤵
- Executes dropped EXE
PID:3456 -
\??\c:\nhhhhh.exec:\nhhhhh.exe57⤵
- Executes dropped EXE
PID:4448 -
\??\c:\vjjdd.exec:\vjjdd.exe58⤵
- Executes dropped EXE
PID:4312 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe59⤵
- Executes dropped EXE
PID:4356 -
\??\c:\rfrlllf.exec:\rfrlllf.exe60⤵
- Executes dropped EXE
PID:3492 -
\??\c:\hhbbbt.exec:\hhbbbt.exe61⤵
- Executes dropped EXE
PID:4724 -
\??\c:\pvdvp.exec:\pvdvp.exe62⤵
- Executes dropped EXE
PID:3384 -
\??\c:\lffxxlf.exec:\lffxxlf.exe63⤵
- Executes dropped EXE
PID:2352 -
\??\c:\tnnhbb.exec:\tnnhbb.exe64⤵
- Executes dropped EXE
PID:968 -
\??\c:\nhhhhh.exec:\nhhhhh.exe65⤵
- Executes dropped EXE
PID:3308 -
\??\c:\vppjv.exec:\vppjv.exe66⤵PID:764
-
\??\c:\lffrffr.exec:\lffrffr.exe67⤵PID:1932
-
\??\c:\flrxrrl.exec:\flrxrrl.exe68⤵PID:4276
-
\??\c:\bthhnn.exec:\bthhnn.exe69⤵PID:2088
-
\??\c:\vdpjp.exec:\vdpjp.exe70⤵PID:448
-
\??\c:\rrxxrxr.exec:\rrxxrxr.exe71⤵PID:1068
-
\??\c:\htbhnt.exec:\htbhnt.exe72⤵PID:2720
-
\??\c:\tttnnh.exec:\tttnnh.exe73⤵PID:5092
-
\??\c:\pjjdv.exec:\pjjdv.exe74⤵PID:3276
-
\??\c:\ffxrxxf.exec:\ffxrxxf.exe75⤵PID:3112
-
\??\c:\bnnnnn.exec:\bnnnnn.exe76⤵PID:2588
-
\??\c:\dvvpj.exec:\dvvpj.exe77⤵PID:4912
-
\??\c:\jvjdv.exec:\jvjdv.exe78⤵PID:1568
-
\??\c:\xlrlfff.exec:\xlrlfff.exe79⤵PID:2872
-
\??\c:\tttttb.exec:\tttttb.exe80⤵PID:1360
-
\??\c:\pjvvp.exec:\pjvvp.exe81⤵PID:860
-
\??\c:\xrxlffx.exec:\xrxlffx.exe82⤵PID:1440
-
\??\c:\3rlfxxr.exec:\3rlfxxr.exe83⤵PID:964
-
\??\c:\nnbthh.exec:\nnbthh.exe84⤵PID:3756
-
\??\c:\dpvpd.exec:\dpvpd.exe85⤵PID:4532
-
\??\c:\1frrlll.exec:\1frrlll.exe86⤵PID:4468
-
\??\c:\1tbtnh.exec:\1tbtnh.exe87⤵PID:3864
-
\??\c:\nhnhbt.exec:\nhnhbt.exe88⤵PID:3988
-
\??\c:\xlxrxxf.exec:\xlxrxxf.exe89⤵PID:1816
-
\??\c:\fxxrxxr.exec:\fxxrxxr.exe90⤵PID:3220
-
\??\c:\tbhbtn.exec:\tbhbtn.exe91⤵PID:3636
-
\??\c:\pjpvp.exec:\pjpvp.exe92⤵PID:1412
-
\??\c:\vppjp.exec:\vppjp.exe93⤵PID:1140
-
\??\c:\3xrrrxx.exec:\3xrrrxx.exe94⤵PID:4592
-
\??\c:\hntnbb.exec:\hntnbb.exe95⤵PID:4876
-
\??\c:\pjjjd.exec:\pjjjd.exe96⤵PID:4908
-
\??\c:\9lxrllf.exec:\9lxrllf.exe97⤵PID:4236
-
\??\c:\llllfff.exec:\llllfff.exe98⤵PID:4300
-
\??\c:\bbnnbb.exec:\bbnnbb.exe99⤵PID:4440
-
\??\c:\djvvp.exec:\djvvp.exe100⤵PID:880
-
\??\c:\jjdpp.exec:\jjdpp.exe101⤵PID:2308
-
\??\c:\lfrlffx.exec:\lfrlffx.exe102⤵PID:4692
-
\??\c:\bbhbtn.exec:\bbhbtn.exe103⤵PID:1180
-
\??\c:\pjdjp.exec:\pjdjp.exe104⤵PID:432
-
\??\c:\lfrrlll.exec:\lfrrlll.exe105⤵PID:3332
-
\??\c:\7ffxflr.exec:\7ffxflr.exe106⤵PID:1004
-
\??\c:\bttnhh.exec:\bttnhh.exe107⤵PID:2224
-
\??\c:\jddvj.exec:\jddvj.exe108⤵PID:408
-
\??\c:\lfrrrrr.exec:\lfrrrrr.exe109⤵PID:3080
-
\??\c:\5lrrxrx.exec:\5lrrxrx.exe110⤵PID:4520
-
\??\c:\thhtnh.exec:\thhtnh.exe111⤵PID:4128
-
\??\c:\ddjvj.exec:\ddjvj.exe112⤵PID:4012
-
\??\c:\1fxlfxr.exec:\1fxlfxr.exe113⤵PID:3916
-
\??\c:\1hhbtt.exec:\1hhbtt.exe114⤵PID:2320
-
\??\c:\7pdvv.exec:\7pdvv.exe115⤵PID:1924
-
\??\c:\7djdv.exec:\7djdv.exe116⤵PID:3376
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe117⤵PID:1296
-
\??\c:\bbhhbb.exec:\bbhhbb.exe118⤵PID:4732
-
\??\c:\7bnhbb.exec:\7bnhbb.exe119⤵PID:2092
-
\??\c:\dvddv.exec:\dvddv.exe120⤵PID:3712
-
\??\c:\rllfrrl.exec:\rllfrrl.exe121⤵PID:1744
-
\??\c:\bbtthh.exec:\bbtthh.exe122⤵PID:1976