Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29/12/2024, 01:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe
Resource
win7-20240729-en
7 signatures
150 seconds
Note: the signature evidence reproduced below is labelled behavioral2 and was recorded on the win10v2004-20241007-en image (see the platform/resource fields above and the behavioral2/memory/... paths in the YARA hits). The behavioral1 task on win7-20240729-en listed here is a separate run whose results are not shown on this page, so do not read the Windows 10 findings as confirmed on Windows 7.
General
-
Target
8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe
-
Size
456KB
-
MD5
6fd11f5640c34e69c87b0ba5cc4be046
-
SHA1
22462831a8df18193ba38945011dcd8ff380682a
-
SHA256
8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc
-
SHA512
7674ad501a7ca745de5c92cb35d909126508076149b555fcec56b9bdb56415ca97fb530c656383b9213ca1dc02c079d2121fad3426e5497c0521391fcd738ce3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRc:q7Tc2NYHUrAwfMp3CDRc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
Note: every hit below is a memory dump of the image range 0x400000–0x42A000 (0x2A000 bytes) in one of the spawned stages, and the same dumps are also matched by the `upx` YARA rule further down; the family attribution therefore rests on in-memory content, and no on-disk match of this rule appears on this page. For hunting, prefer the in-memory YARA rule or the file hashes above over the PIDs, which are reused within this run (1336 appears both as the original sample and later as jdvpv.exe).
resource yara_rule behavioral2/memory/1336-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1556-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2352-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3848-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-1386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1168-1901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Note: this list is capped at 64 entries; the process tree below continues to at least depth 122 (rfxrlll.exe), so later stages carry no "Executes dropped EXE" tag only because of the cap. PIDs are not unique within the run — 1260, 1336 and 4424 each appear twice here with different image names, i.e. earlier stages have exited and their PIDs were reused — so correlate on parent→child order and on file name/hash rather than on PID.
pid Process 1260 7vjdp.exe 3988 rrrlxlf.exe 4796 btnhnh.exe 996 pppjp.exe 4952 ntbthh.exe 2360 7rlxlfr.exe 4424 tnbttt.exe 4692 xfrlfxr.exe 4488 xxlrfxx.exe 3976 3tbtnn.exe 2104 fflfllr.exe 3480 bbhthb.exe 1896 xrffrlx.exe 3092 3thhnt.exe 540 vpdjj.exe 2128 lrxrrrr.exe 2296 dvpvp.exe 936 tnbhnt.exe 2160 jpddv.exe 1252 xxlfxfx.exe 2096 pjvpd.exe 2736 rlrllll.exe 5000 tnnhnh.exe 1316 fxlrllx.exe 1556 pjvpv.exe 4400 hnbhtb.exe 3408 rlrlffx.exe 864 1dddd.exe 592 rflflfl.exe 2380 vpvvj.exe 4480 1tbtnn.exe 1640 9djvp.exe 1492 xrfllrr.exe 2972 nntbbb.exe 4340 jpdvv.exe 2408 xflfffx.exe 3368 pdjjd.exe 2200 lflffff.exe 804 bttnhh.exe 4968 djvpj.exe 1312 vjjjd.exe 2032 lrxrlff.exe 3136 ntbttn.exe 3600 xfxrllx.exe 2364 rllfxrl.exe 2796 ttnhhh.exe 2764 vpvpj.exe 4312 3rlxlfx.exe 4304 ntbbbb.exe 1336 jdvpv.exe 4188 1lrrllf.exe 4956 bbttnh.exe 1260 vjvjv.exe 3444 fxxlxll.exe 4564 thhbtn.exe 2992 3hnnhh.exe 2072 pddvp.exe 5064 ntbtnn.exe 932 hbbbhh.exe 4424 ddppv.exe 2020 lllfrrl.exe 1096 hhthbn.exe 3692 5hhbtt.exe 3392 dpdvv.exe -
resource yara_rule behavioral2/memory/1336-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3408-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/444-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3848-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-982-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by ordinary locale-aware code, so on its own this is a low-fidelity indicator and should not be weighted heavily without the other signatures on this page. Entries attributed to "Process not Found" are key opens the sandbox could not map to a tracked process (presumably one that had already exited); those it could attribute are the dropped stages themselves (3pjdv.exe, httnhb.exe, jddvj.exe, ...).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbnnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Note: every entry below is a parent writing into the process it has just spawned (1336 → 1260 7vjdp.exe, 1260 → 3988 rrrlxlf.exe, ...), recorded three times per pair, and the target PIDs line up with the process tree. This pattern is consistent with the launcher behaviour of the drop-and-execute chain rather than with injection into an unrelated process, so treat it as corroborating the chain, not as independent evidence of process injection. The list is again capped at 64 entries and stops at 2096 → 2736 pjvpd.exe.
description pid Process procid_target PID 1336 wrote to memory of 1260 1336 8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe 83 PID 1336 wrote to memory of 1260 1336 8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe 83 PID 1336 wrote to memory of 1260 1336 8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe 83 PID 1260 wrote to memory of 3988 1260 7vjdp.exe 84 PID 1260 wrote to memory of 3988 1260 7vjdp.exe 84 PID 1260 wrote to memory of 3988 1260 7vjdp.exe 84 PID 3988 wrote to memory of 4796 3988 rrrlxlf.exe 85 PID 3988 wrote to memory of 4796 3988 rrrlxlf.exe 85 PID 3988 wrote to memory of 4796 3988 rrrlxlf.exe 85 PID 4796 wrote to memory of 996 4796 btnhnh.exe 86 PID 4796 wrote to memory of 996 4796 btnhnh.exe 86 PID 4796 wrote to memory of 996 4796 btnhnh.exe 86 PID 996 wrote to memory of 4952 996 pppjp.exe 87 PID 996 wrote to memory of 4952 996 pppjp.exe 87 PID 996 wrote to memory of 4952 996 pppjp.exe 87 PID 4952 wrote to memory of 2360 4952 ntbthh.exe 88 PID 4952 wrote to memory of 2360 4952 ntbthh.exe 88 PID 4952 wrote to memory of 2360 4952 ntbthh.exe 88 PID 2360 wrote to memory of 4424 2360 7rlxlfr.exe 89 PID 2360 wrote to memory of 4424 2360 7rlxlfr.exe 89 PID 2360 wrote to memory of 4424 2360 7rlxlfr.exe 89 PID 4424 wrote to memory of 4692 4424 tnbttt.exe 90 PID 4424 wrote to memory of 4692 4424 tnbttt.exe 90 PID 4424 wrote to memory of 4692 4424 tnbttt.exe 90 PID 4692 wrote to memory of 4488 4692 xfrlfxr.exe 91 PID 4692 wrote to memory of 4488 4692 xfrlfxr.exe 91 PID 4692 wrote to memory of 4488 4692 xfrlfxr.exe 91 PID 4488 wrote to memory of 3976 4488 xxlrfxx.exe 92 PID 4488 wrote to memory of 3976 4488 xxlrfxx.exe 92 PID 4488 wrote to memory of 3976 4488 xxlrfxx.exe 92 PID 3976 wrote to memory of 2104 3976 3tbtnn.exe 93 PID 3976 wrote to memory of 2104 3976 3tbtnn.exe 93 PID 3976 wrote to memory of 2104 3976 3tbtnn.exe 93 PID 2104 wrote to memory of 3480 2104 fflfllr.exe 94 PID 2104 wrote to 
memory of 3480 2104 fflfllr.exe 94 PID 2104 wrote to memory of 3480 2104 fflfllr.exe 94 PID 3480 wrote to memory of 1896 3480 bbhthb.exe 95 PID 3480 wrote to memory of 1896 3480 bbhthb.exe 95 PID 3480 wrote to memory of 1896 3480 bbhthb.exe 95 PID 1896 wrote to memory of 3092 1896 xrffrlx.exe 96 PID 1896 wrote to memory of 3092 1896 xrffrlx.exe 96 PID 1896 wrote to memory of 3092 1896 xrffrlx.exe 96 PID 3092 wrote to memory of 540 3092 3thhnt.exe 97 PID 3092 wrote to memory of 540 3092 3thhnt.exe 97 PID 3092 wrote to memory of 540 3092 3thhnt.exe 97 PID 540 wrote to memory of 2128 540 vpdjj.exe 98 PID 540 wrote to memory of 2128 540 vpdjj.exe 98 PID 540 wrote to memory of 2128 540 vpdjj.exe 98 PID 2128 wrote to memory of 2296 2128 lrxrrrr.exe 99 PID 2128 wrote to memory of 2296 2128 lrxrrrr.exe 99 PID 2128 wrote to memory of 2296 2128 lrxrrrr.exe 99 PID 2296 wrote to memory of 936 2296 dvpvp.exe 100 PID 2296 wrote to memory of 936 2296 dvpvp.exe 100 PID 2296 wrote to memory of 936 2296 dvpvp.exe 100 PID 936 wrote to memory of 2160 936 tnbhnt.exe 101 PID 936 wrote to memory of 2160 936 tnbhnt.exe 101 PID 936 wrote to memory of 2160 936 tnbhnt.exe 101 PID 2160 wrote to memory of 1252 2160 jpddv.exe 102 PID 2160 wrote to memory of 1252 2160 jpddv.exe 102 PID 2160 wrote to memory of 1252 2160 jpddv.exe 102 PID 1252 wrote to memory of 2096 1252 xxlfxfx.exe 103 PID 1252 wrote to memory of 2096 1252 xxlfxfx.exe 103 PID 1252 wrote to memory of 2096 1252 xxlfxfx.exe 103 PID 2096 wrote to memory of 2736 2096 pjvpd.exe 104
Processes
Note: every stage is dropped to the root of the system drive (\??\c:\<name>.exe) and launched by the previous stage, giving a chain 122+ levels deep within the 150 s run, with the original sample started from the user's Temp directory. In this run every dropped file name is four to seven letters drawn only from b d f h j l n p r t v x, optionally prefixed by a single digit (7vjdp.exe, rrrlxlf.exe, 1dddd.exe, ...). A hunt for short executables of that shape in the drive root, or for a process-creation chain in which each child in turn becomes the parent of the next, is a practical detection for this sample; the name alphabet may differ between samples, so validate the pattern before relying on it.
-
C:\Users\Admin\AppData\Local\Temp\8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe"C:\Users\Admin\AppData\Local\Temp\8cf8dcb983c32d70e8a2d2ce7b976bac2186228316fe40cc89d05f0f0fbcfccc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\7vjdp.exec:\7vjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1260 -
\??\c:\rrrlxlf.exec:\rrrlxlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
\??\c:\btnhnh.exec:\btnhnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\pppjp.exec:\pppjp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\ntbthh.exec:\ntbthh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\7rlxlfr.exec:\7rlxlfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\tnbttt.exec:\tnbttt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\xxlrfxx.exec:\xxlrfxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\3tbtnn.exec:\3tbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\fflfllr.exec:\fflfllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\bbhthb.exec:\bbhthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\xrffrlx.exec:\xrffrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\3thhnt.exec:\3thhnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\vpdjj.exec:\vpdjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\dvpvp.exec:\dvpvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\tnbhnt.exec:\tnbhnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\jpddv.exec:\jpddv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\xxlfxfx.exec:\xxlfxfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\pjvpd.exec:\pjvpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\rlrllll.exec:\rlrllll.exe23⤵
- Executes dropped EXE
PID:2736 -
\??\c:\tnnhnh.exec:\tnnhnh.exe24⤵
- Executes dropped EXE
PID:5000 -
\??\c:\fxlrllx.exec:\fxlrllx.exe25⤵
- Executes dropped EXE
PID:1316 -
\??\c:\pjvpv.exec:\pjvpv.exe26⤵
- Executes dropped EXE
PID:1556 -
\??\c:\hnbhtb.exec:\hnbhtb.exe27⤵
- Executes dropped EXE
PID:4400 -
\??\c:\rlrlffx.exec:\rlrlffx.exe28⤵
- Executes dropped EXE
PID:3408 -
\??\c:\1dddd.exec:\1dddd.exe29⤵
- Executes dropped EXE
PID:864 -
\??\c:\rflflfl.exec:\rflflfl.exe30⤵
- Executes dropped EXE
PID:592 -
\??\c:\vpvvj.exec:\vpvvj.exe31⤵
- Executes dropped EXE
PID:2380 -
\??\c:\1tbtnn.exec:\1tbtnn.exe32⤵
- Executes dropped EXE
PID:4480 -
\??\c:\9djvp.exec:\9djvp.exe33⤵
- Executes dropped EXE
PID:1640 -
\??\c:\xrfllrr.exec:\xrfllrr.exe34⤵
- Executes dropped EXE
PID:1492 -
\??\c:\nntbbb.exec:\nntbbb.exe35⤵
- Executes dropped EXE
PID:2972 -
\??\c:\jpdvv.exec:\jpdvv.exe36⤵
- Executes dropped EXE
PID:4340 -
\??\c:\xflfffx.exec:\xflfffx.exe37⤵
- Executes dropped EXE
PID:2408 -
\??\c:\pdjjd.exec:\pdjjd.exe38⤵
- Executes dropped EXE
PID:3368 -
\??\c:\lflffff.exec:\lflffff.exe39⤵
- Executes dropped EXE
PID:2200 -
\??\c:\bttnhh.exec:\bttnhh.exe40⤵
- Executes dropped EXE
PID:804 -
\??\c:\djvpj.exec:\djvpj.exe41⤵
- Executes dropped EXE
PID:4968 -
\??\c:\vjjjd.exec:\vjjjd.exe42⤵
- Executes dropped EXE
PID:1312 -
\??\c:\lrxrlff.exec:\lrxrlff.exe43⤵
- Executes dropped EXE
PID:2032 -
\??\c:\ntbttn.exec:\ntbttn.exe44⤵
- Executes dropped EXE
PID:3136 -
\??\c:\xfxrllx.exec:\xfxrllx.exe45⤵
- Executes dropped EXE
PID:3600 -
\??\c:\rllfxrl.exec:\rllfxrl.exe46⤵
- Executes dropped EXE
PID:2364 -
\??\c:\ttnhhh.exec:\ttnhhh.exe47⤵
- Executes dropped EXE
PID:2796 -
\??\c:\vpvpj.exec:\vpvpj.exe48⤵
- Executes dropped EXE
PID:2764 -
\??\c:\3rlxlfx.exec:\3rlxlfx.exe49⤵
- Executes dropped EXE
PID:4312 -
\??\c:\ntbbbb.exec:\ntbbbb.exe50⤵
- Executes dropped EXE
PID:4304 -
\??\c:\jdvpv.exec:\jdvpv.exe51⤵
- Executes dropped EXE
PID:1336 -
\??\c:\1lrrllf.exec:\1lrrllf.exe52⤵
- Executes dropped EXE
PID:4188 -
\??\c:\bbttnh.exec:\bbttnh.exe53⤵
- Executes dropped EXE
PID:4956 -
\??\c:\vjvjv.exec:\vjvjv.exe54⤵
- Executes dropped EXE
PID:1260 -
\??\c:\fxxlxll.exec:\fxxlxll.exe55⤵
- Executes dropped EXE
PID:3444 -
\??\c:\thhbtn.exec:\thhbtn.exe56⤵
- Executes dropped EXE
PID:4564 -
\??\c:\3hnnhh.exec:\3hnnhh.exe57⤵
- Executes dropped EXE
PID:2992 -
\??\c:\pddvp.exec:\pddvp.exe58⤵
- Executes dropped EXE
PID:2072 -
\??\c:\ntbtnn.exec:\ntbtnn.exe59⤵
- Executes dropped EXE
PID:5064 -
\??\c:\hbbbhh.exec:\hbbbhh.exe60⤵
- Executes dropped EXE
PID:932 -
\??\c:\ddppv.exec:\ddppv.exe61⤵
- Executes dropped EXE
PID:4424 -
\??\c:\lllfrrl.exec:\lllfrrl.exe62⤵
- Executes dropped EXE
PID:2020 -
\??\c:\hhthbn.exec:\hhthbn.exe63⤵
- Executes dropped EXE
PID:1096 -
\??\c:\5hhbtt.exec:\5hhbtt.exe64⤵
- Executes dropped EXE
PID:3692 -
\??\c:\dpdvv.exec:\dpdvv.exe65⤵
- Executes dropped EXE
PID:3392 -
\??\c:\9rrfxxr.exec:\9rrfxxr.exe66⤵PID:3992
-
\??\c:\tnhhbb.exec:\tnhhbb.exe67⤵PID:5060
-
\??\c:\3bhbhh.exec:\3bhbhh.exe68⤵PID:2104
-
\??\c:\jvdvj.exec:\jvdvj.exe69⤵PID:1964
-
\??\c:\rlrllll.exec:\rlrllll.exe70⤵PID:2420
-
\??\c:\nbbhbh.exec:\nbbhbh.exe71⤵PID:3876
-
\??\c:\pjvpj.exec:\pjvpj.exe72⤵PID:3924
-
\??\c:\xrxxxrr.exec:\xrxxxrr.exe73⤵PID:2372
-
\??\c:\nhbtbb.exec:\nhbtbb.exe74⤵PID:4664
-
\??\c:\1hbtnt.exec:\1hbtnt.exe75⤵PID:2352
-
\??\c:\vpvpj.exec:\vpvpj.exe76⤵PID:2520
-
\??\c:\lflfxrr.exec:\lflfxrr.exe77⤵PID:544
-
\??\c:\xxrxxxx.exec:\xxrxxxx.exe78⤵PID:3952
-
\??\c:\bhtnnh.exec:\bhtnnh.exe79⤵PID:2160
-
\??\c:\vjpjd.exec:\vjpjd.exe80⤵PID:1612
-
\??\c:\lfxlrlf.exec:\lfxlrlf.exe81⤵PID:4548
-
\??\c:\tnthbb.exec:\tnthbb.exe82⤵PID:4876
-
\??\c:\nhhbnn.exec:\nhhbnn.exe83⤵PID:2736
-
\??\c:\vjvvv.exec:\vjvvv.exe84⤵PID:4396
-
\??\c:\9xrxrfx.exec:\9xrxrfx.exe85⤵PID:4592
-
\??\c:\bthbhh.exec:\bthbhh.exe86⤵PID:4724
-
\??\c:\7ttnhh.exec:\7ttnhh.exe87⤵PID:4244
-
\??\c:\vppjd.exec:\vppjd.exe88⤵PID:444
-
\??\c:\fxlfffx.exec:\fxlfffx.exe89⤵PID:4864
-
\??\c:\bntnbt.exec:\bntnbt.exe90⤵PID:3848
-
\??\c:\dddvp.exec:\dddvp.exe91⤵PID:1040
-
\??\c:\vjvdd.exec:\vjvdd.exe92⤵PID:4720
-
\??\c:\3lrrrxx.exec:\3lrrrxx.exe93⤵PID:2612
-
\??\c:\hbtnhh.exec:\hbtnhh.exe94⤵PID:2380
-
\??\c:\ddjdp.exec:\ddjdp.exe95⤵PID:2056
-
\??\c:\lxxlxxr.exec:\lxxlxxr.exe96⤵PID:2556
-
\??\c:\9fllflf.exec:\9fllflf.exe97⤵PID:3176
-
\??\c:\ntttnh.exec:\ntttnh.exe98⤵PID:796
-
\??\c:\vjjvp.exec:\vjjvp.exe99⤵PID:4712
-
\??\c:\rrxrxrx.exec:\rrxrxrx.exe100⤵PID:4340
-
\??\c:\tthhbb.exec:\tthhbb.exe101⤵PID:2408
-
\??\c:\9hnhbb.exec:\9hnhbb.exe102⤵PID:3368
-
\??\c:\jjjpp.exec:\jjjpp.exe103⤵PID:184
-
\??\c:\lffrrll.exec:\lffrrll.exe104⤵PID:804
-
\??\c:\hbbbhh.exec:\hbbbhh.exe105⤵PID:336
-
\??\c:\vpvjd.exec:\vpvjd.exe106⤵PID:2092
-
\??\c:\5jpdv.exec:\5jpdv.exe107⤵PID:3928
-
\??\c:\llxlfrx.exec:\llxlfrx.exe108⤵PID:1108
-
\??\c:\hbhbnh.exec:\hbhbnh.exe109⤵PID:4896
-
\??\c:\pddpd.exec:\pddpd.exe110⤵PID:3244
-
\??\c:\lrrfffl.exec:\lrrfffl.exe111⤵PID:1060
-
\??\c:\5bhbnn.exec:\5bhbnn.exe112⤵PID:4316
-
\??\c:\jdpjd.exec:\jdpjd.exe113⤵PID:4312
-
\??\c:\pjdvj.exec:\pjdvj.exe114⤵PID:4576
-
\??\c:\lffxlfx.exec:\lffxlfx.exe115⤵PID:4924
-
\??\c:\hbhtnh.exec:\hbhtnh.exe116⤵PID:4756
-
\??\c:\vpppj.exec:\vpppj.exe117⤵PID:3152
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe118⤵PID:1736
-
\??\c:\thtnnn.exec:\thtnnn.exe119⤵PID:548
-
\??\c:\5djdv.exec:\5djdv.exe120⤵PID:3812
-
\??\c:\frlfxlf.exec:\frlfxlf.exe121⤵PID:2052
-
\??\c:\rfxrlll.exec:\rfxrlll.exe122⤵PID:3824