Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 09:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe
-
Size
454KB
-
MD5
73fd9cebc58cef28121ef5a9fcf2cb57
-
SHA1
258cf8a41c4d3be549207e17df6d8d166a7581d7
-
SHA256
8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43
-
SHA512
75da5e21d3fd6381842e8da705c3113f06928c7593be72534c78582d0b610239f4da7bed573f86c00e35bf40d740a3b24bf8e614497a15ccb2591acdb5081e82
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbes:q7Tc2NYHUrAwfMp3CDs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2396-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1784-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1640-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-674-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-852-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-1083-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-1375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1140 thbnbt.exe 2356 jvjdd.exe 544 rlrffxf.exe 4824 nnnbth.exe 1600 thhtht.exe 2924 dpjdd.exe 1332 pvdvj.exe 4596 rfrlxrf.exe 3792 xlxlxlf.exe 184 pdvjv.exe 3920 dpjvj.exe 1172 ttthnh.exe 388 1pvjd.exe 552 hnhthb.exe 2548 pjdjv.exe 2236 xffxlfx.exe 3636 ddpdp.exe 1428 rfflxlx.exe 1964 bntthb.exe 1752 lrrfrlx.exe 2388 btnhhb.exe 3476 btnhbt.exe 4176 hbhhbb.exe 2616 rlfxxxx.exe 3172 pjdvp.exe 1784 fxrlfxr.exe 3364 rfrffff.exe 2744 nthbth.exe 3508 xflfrxr.exe 3656 5rllflf.exe 4404 bbhbtn.exe 3000 dddjd.exe 2612 rxfxrrf.exe 2064 xflfxrl.exe 636 pvddv.exe 516 btnhbt.exe 8 jdjpj.exe 3988 xlrrfxl.exe 4616 hhhnhh.exe 4112 3vvpj.exe 4720 xrlffff.exe 3800 lllxrrf.exe 4488 ththbb.exe 4368 vpvpj.exe 920 fxlxlfx.exe 4380 thnnnh.exe 4984 hntnbt.exe 1252 7pdjv.exe 3632 rxxlxrf.exe 5028 tnbhth.exe 5060 vddvp.exe 4308 xllxrlf.exe 4620 1hnhhb.exe 1140 dpvpj.exe 2356 lxffxrl.exe 3200 xxrllff.exe 4824 nhnhbt.exe 4872 jpvjv.exe 2496 5frlxrf.exe 1264 hntnbb.exe 1520 nnthbt.exe 5112 jddjd.exe 1640 9fffxff.exe 1656 frxxrlf.exe -
resource yara_rule behavioral2/memory/2396-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3172-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-371-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3132-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-674-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-852-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-950-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-1083-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhthb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxffxxl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 1140 2396 8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe 82 PID 2396 wrote to memory of 1140 2396 8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe 82 PID 2396 wrote to memory of 1140 2396 8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe 82 PID 1140 wrote to memory of 2356 1140 thbnbt.exe 83 PID 1140 wrote to memory of 2356 1140 thbnbt.exe 83 PID 1140 wrote to memory of 2356 1140 thbnbt.exe 83 PID 2356 wrote to memory of 544 2356 jvjdd.exe 84 PID 2356 wrote to memory of 544 2356 jvjdd.exe 84 PID 2356 wrote to memory of 544 2356 jvjdd.exe 84 PID 544 wrote to memory of 4824 544 rlrffxf.exe 85 PID 544 wrote to memory of 4824 544 rlrffxf.exe 85 PID 544 wrote to memory of 4824 544 rlrffxf.exe 85 PID 4824 wrote to memory of 1600 4824 nnnbth.exe 86 PID 4824 wrote to memory of 1600 4824 nnnbth.exe 86 PID 4824 wrote to memory of 1600 4824 nnnbth.exe 86 PID 1600 wrote to memory of 2924 1600 thhtht.exe 87 PID 1600 wrote to memory of 2924 1600 thhtht.exe 87 PID 1600 wrote to memory of 2924 1600 thhtht.exe 87 PID 2924 wrote to memory of 1332 2924 dpjdd.exe 88 PID 2924 wrote to memory of 1332 2924 dpjdd.exe 88 PID 2924 wrote to memory of 1332 2924 dpjdd.exe 88 PID 1332 wrote to memory of 4596 1332 pvdvj.exe 89 PID 1332 wrote to memory of 4596 1332 pvdvj.exe 89 PID 1332 wrote to memory of 4596 1332 pvdvj.exe 89 PID 4596 wrote to memory of 3792 4596 rfrlxrf.exe 90 PID 4596 wrote to memory of 3792 4596 rfrlxrf.exe 90 PID 4596 wrote to memory of 3792 4596 rfrlxrf.exe 90 PID 3792 wrote to memory of 184 3792 xlxlxlf.exe 91 PID 3792 wrote to memory of 184 3792 xlxlxlf.exe 91 PID 3792 wrote to memory of 184 3792 xlxlxlf.exe 91 PID 184 wrote to memory of 3920 184 pdvjv.exe 92 PID 184 wrote to memory of 3920 184 pdvjv.exe 92 PID 184 wrote to memory of 3920 184 pdvjv.exe 92 PID 3920 wrote to memory of 1172 3920 dpjvj.exe 93 PID 3920 wrote to memory of 1172 3920 
dpjvj.exe 93 PID 3920 wrote to memory of 1172 3920 dpjvj.exe 93 PID 1172 wrote to memory of 388 1172 ttthnh.exe 94 PID 1172 wrote to memory of 388 1172 ttthnh.exe 94 PID 1172 wrote to memory of 388 1172 ttthnh.exe 94 PID 388 wrote to memory of 552 388 1pvjd.exe 95 PID 388 wrote to memory of 552 388 1pvjd.exe 95 PID 388 wrote to memory of 552 388 1pvjd.exe 95 PID 552 wrote to memory of 2548 552 hnhthb.exe 96 PID 552 wrote to memory of 2548 552 hnhthb.exe 96 PID 552 wrote to memory of 2548 552 hnhthb.exe 96 PID 2548 wrote to memory of 2236 2548 pjdjv.exe 97 PID 2548 wrote to memory of 2236 2548 pjdjv.exe 97 PID 2548 wrote to memory of 2236 2548 pjdjv.exe 97 PID 2236 wrote to memory of 3636 2236 xffxlfx.exe 98 PID 2236 wrote to memory of 3636 2236 xffxlfx.exe 98 PID 2236 wrote to memory of 3636 2236 xffxlfx.exe 98 PID 3636 wrote to memory of 1428 3636 ddpdp.exe 99 PID 3636 wrote to memory of 1428 3636 ddpdp.exe 99 PID 3636 wrote to memory of 1428 3636 ddpdp.exe 99 PID 1428 wrote to memory of 1964 1428 rfflxlx.exe 100 PID 1428 wrote to memory of 1964 1428 rfflxlx.exe 100 PID 1428 wrote to memory of 1964 1428 rfflxlx.exe 100 PID 1964 wrote to memory of 1752 1964 bntthb.exe 101 PID 1964 wrote to memory of 1752 1964 bntthb.exe 101 PID 1964 wrote to memory of 1752 1964 bntthb.exe 101 PID 1752 wrote to memory of 2388 1752 lrrfrlx.exe 102 PID 1752 wrote to memory of 2388 1752 lrrfrlx.exe 102 PID 1752 wrote to memory of 2388 1752 lrrfrlx.exe 102 PID 2388 wrote to memory of 3476 2388 btnhhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe"C:\Users\Admin\AppData\Local\Temp\8323446802499be1ea4363f8612c6462ef6f4077fc2d61067b0b1ba7373d9f43.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\thbnbt.exec:\thbnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\jvjdd.exec:\jvjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\rlrffxf.exec:\rlrffxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\nnnbth.exec:\nnnbth.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\thhtht.exec:\thhtht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\dpjdd.exec:\dpjdd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\pvdvj.exec:\pvdvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332 -
\??\c:\rfrlxrf.exec:\rfrlxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596 -
\??\c:\xlxlxlf.exec:\xlxlxlf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\pdvjv.exec:\pdvjv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\dpjvj.exec:\dpjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\ttthnh.exec:\ttthnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\1pvjd.exec:\1pvjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\hnhthb.exec:\hnhthb.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\pjdjv.exec:\pjdjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\xffxlfx.exec:\xffxlfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\ddpdp.exec:\ddpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\rfflxlx.exec:\rfflxlx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\bntthb.exec:\bntthb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\btnhhb.exec:\btnhhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\btnhbt.exec:\btnhbt.exe23⤵
- Executes dropped EXE
PID:3476 -
\??\c:\hbhhbb.exec:\hbhhbb.exe24⤵
- Executes dropped EXE
PID:4176 -
\??\c:\rlfxxxx.exec:\rlfxxxx.exe25⤵
- Executes dropped EXE
PID:2616 -
\??\c:\pjdvp.exec:\pjdvp.exe26⤵
- Executes dropped EXE
PID:3172 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe27⤵
- Executes dropped EXE
PID:1784 -
\??\c:\rfrffff.exec:\rfrffff.exe28⤵
- Executes dropped EXE
PID:3364 -
\??\c:\nthbth.exec:\nthbth.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2744 -
\??\c:\xflfrxr.exec:\xflfrxr.exe30⤵
- Executes dropped EXE
PID:3508 -
\??\c:\5rllflf.exec:\5rllflf.exe31⤵
- Executes dropped EXE
PID:3656 -
\??\c:\bbhbtn.exec:\bbhbtn.exe32⤵
- Executes dropped EXE
PID:4404 -
\??\c:\dddjd.exec:\dddjd.exe33⤵
- Executes dropped EXE
PID:3000 -
\??\c:\rxfxrrf.exec:\rxfxrrf.exe34⤵
- Executes dropped EXE
PID:2612 -
\??\c:\xflfxrl.exec:\xflfxrl.exe35⤵
- Executes dropped EXE
PID:2064 -
\??\c:\pvddv.exec:\pvddv.exe36⤵
- Executes dropped EXE
PID:636 -
\??\c:\btnhbt.exec:\btnhbt.exe37⤵
- Executes dropped EXE
PID:516 -
\??\c:\jdjpj.exec:\jdjpj.exe38⤵
- Executes dropped EXE
PID:8 -
\??\c:\xlrrfxl.exec:\xlrrfxl.exe39⤵
- Executes dropped EXE
PID:3988 -
\??\c:\hhhnhh.exec:\hhhnhh.exe40⤵
- Executes dropped EXE
PID:4616 -
\??\c:\3vvpj.exec:\3vvpj.exe41⤵
- Executes dropped EXE
PID:4112 -
\??\c:\xrlffff.exec:\xrlffff.exe42⤵
- Executes dropped EXE
PID:4720 -
\??\c:\lllxrrf.exec:\lllxrrf.exe43⤵
- Executes dropped EXE
PID:3800 -
\??\c:\ththbb.exec:\ththbb.exe44⤵
- Executes dropped EXE
PID:4488 -
\??\c:\vpvpj.exec:\vpvpj.exe45⤵
- Executes dropped EXE
PID:4368 -
\??\c:\fxlxlfx.exec:\fxlxlfx.exe46⤵
- Executes dropped EXE
PID:920 -
\??\c:\thnnnh.exec:\thnnnh.exe47⤵
- Executes dropped EXE
PID:4380 -
\??\c:\hntnbt.exec:\hntnbt.exe48⤵
- Executes dropped EXE
PID:4984 -
\??\c:\7pdjv.exec:\7pdjv.exe49⤵
- Executes dropped EXE
PID:1252 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe50⤵
- Executes dropped EXE
PID:3632 -
\??\c:\tnbhth.exec:\tnbhth.exe51⤵
- Executes dropped EXE
PID:5028 -
\??\c:\vddvp.exec:\vddvp.exe52⤵
- Executes dropped EXE
PID:5060 -
\??\c:\xllxrlf.exec:\xllxrlf.exe53⤵
- Executes dropped EXE
PID:4308 -
\??\c:\1hnhhb.exec:\1hnhhb.exe54⤵
- Executes dropped EXE
PID:4620 -
\??\c:\dpvpj.exec:\dpvpj.exe55⤵
- Executes dropped EXE
PID:1140 -
\??\c:\lxffxrl.exec:\lxffxrl.exe56⤵
- Executes dropped EXE
PID:2356 -
\??\c:\xxrllff.exec:\xxrllff.exe57⤵
- Executes dropped EXE
PID:3200 -
\??\c:\nhnhbt.exec:\nhnhbt.exe58⤵
- Executes dropped EXE
PID:4824 -
\??\c:\jpvjv.exec:\jpvjv.exe59⤵
- Executes dropped EXE
PID:4872 -
\??\c:\5frlxrf.exec:\5frlxrf.exe60⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hntnbb.exec:\hntnbb.exe61⤵
- Executes dropped EXE
PID:1264 -
\??\c:\nnthbt.exec:\nnthbt.exe62⤵
- Executes dropped EXE
PID:1520 -
\??\c:\jddjd.exec:\jddjd.exe63⤵
- Executes dropped EXE
PID:5112 -
\??\c:\9fffxff.exec:\9fffxff.exe64⤵
- Executes dropped EXE
PID:1640 -
\??\c:\frxxrlf.exec:\frxxrlf.exe65⤵
- Executes dropped EXE
PID:1656 -
\??\c:\bttnnb.exec:\bttnnb.exe66⤵PID:3388
-
\??\c:\jvdvv.exec:\jvdvv.exe67⤵PID:2640
-
\??\c:\xllflfx.exec:\xllflfx.exe68⤵PID:2468
-
\??\c:\tnbttn.exec:\tnbttn.exe69⤵PID:4448
-
\??\c:\pvvvp.exec:\pvvvp.exe70⤵PID:184
-
\??\c:\xrllfxr.exec:\xrllfxr.exe71⤵PID:2652
-
\??\c:\vvdvj.exec:\vvdvj.exe72⤵PID:1108
-
\??\c:\xxlxlfr.exec:\xxlxlfr.exe73⤵PID:1480
-
\??\c:\fflxllr.exec:\fflxllr.exe74⤵PID:1260
-
\??\c:\nbthtn.exec:\nbthtn.exe75⤵PID:1356
-
\??\c:\pvvjv.exec:\pvvjv.exe76⤵PID:2012
-
\??\c:\lffxrll.exec:\lffxrll.exe77⤵PID:4664
-
\??\c:\thnnbn.exec:\thnnbn.exe78⤵PID:1720
-
\??\c:\nhbnbt.exec:\nhbnbt.exe79⤵PID:4480
-
\??\c:\vvdpp.exec:\vvdpp.exe80⤵PID:1836
-
\??\c:\rxlflrl.exec:\rxlflrl.exe81⤵PID:3012
-
\??\c:\bntnbh.exec:\bntnbh.exe82⤵PID:1964
-
\??\c:\pdjvj.exec:\pdjvj.exe83⤵PID:1756
-
\??\c:\vjvjv.exec:\vjvjv.exe84⤵PID:4228
-
\??\c:\lrxxlfr.exec:\lrxxlfr.exe85⤵PID:1196
-
\??\c:\nhtbhb.exec:\nhtbhb.exe86⤵PID:2388
-
\??\c:\vppdv.exec:\vppdv.exe87⤵PID:808
-
\??\c:\jdpvj.exec:\jdpvj.exe88⤵PID:4408
-
\??\c:\rllxxxr.exec:\rllxxxr.exe89⤵PID:2620
-
\??\c:\ntbthb.exec:\ntbthb.exe90⤵PID:3424
-
\??\c:\pvvpv.exec:\pvvpv.exe91⤵PID:3132
-
\??\c:\dpppj.exec:\dpppj.exe92⤵PID:3864
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe93⤵PID:3292
-
\??\c:\ttbhbh.exec:\ttbhbh.exe94⤵PID:4484
-
\??\c:\dddvv.exec:\dddvv.exe95⤵PID:1644
-
\??\c:\rrxrlxl.exec:\rrxrlxl.exe96⤵PID:1016
-
\??\c:\tnhbtb.exec:\tnhbtb.exe97⤵PID:3680
-
\??\c:\djvpd.exec:\djvpd.exe98⤵PID:1028
-
\??\c:\fxrrxxx.exec:\fxrrxxx.exe99⤵PID:2128
-
\??\c:\frlfxlf.exec:\frlfxlf.exe100⤵PID:3080
-
\??\c:\3ntnbb.exec:\3ntnbb.exe101⤵PID:3688
-
\??\c:\dvdpv.exec:\dvdpv.exe102⤵PID:2612
-
\??\c:\lflfxxx.exec:\lflfxxx.exe103⤵PID:3336
-
\??\c:\nhnhtn.exec:\nhnhtn.exe104⤵PID:1688
-
\??\c:\7pdvd.exec:\7pdvd.exe105⤵PID:2868
-
\??\c:\lflxfrr.exec:\lflxfrr.exe106⤵PID:3268
-
\??\c:\flxlxrl.exec:\flxlxrl.exe107⤵PID:3204
-
\??\c:\tnbttn.exec:\tnbttn.exe108⤵PID:812
-
\??\c:\pjdvv.exec:\pjdvv.exe109⤵PID:4940
-
\??\c:\djppp.exec:\djppp.exe110⤵PID:4004
-
\??\c:\btthth.exec:\btthth.exe111⤵PID:1424
-
\??\c:\jdjpd.exec:\jdjpd.exe112⤵PID:1920
-
\??\c:\dvddv.exec:\dvddv.exe113⤵PID:1476
-
\??\c:\5xlxxxx.exec:\5xlxxxx.exe114⤵PID:4164
-
\??\c:\7bbthb.exec:\7bbthb.exe115⤵PID:2428
-
\??\c:\hnnhtn.exec:\hnnhtn.exe116⤵PID:4380
-
\??\c:\dpvjv.exec:\dpvjv.exe117⤵PID:4984
-
\??\c:\fxfxllf.exec:\fxfxllf.exe118⤵PID:4152
-
\??\c:\ttbbbb.exec:\ttbbbb.exe119⤵PID:1524
-
\??\c:\5vvpp.exec:\5vvpp.exe120⤵PID:1236
-
\??\c:\pvdvv.exec:\pvdvv.exe121⤵PID:4304
-
\??\c:\lfxrlff.exec:\lfxrlff.exe122⤵PID:2432