Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 01:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe
-
Size
454KB
-
MD5
5a4c339e50b726872c6ad1500982877a
-
SHA1
ce61bb9657ee9642239eea4a85ec85963bedcbd6
-
SHA256
926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf
-
SHA512
01d3ce3416d602122e9661a13315a9c2f400d76ed71262e09222f2d1cbc4c14205e1f7ac52f4f58931bb3275bfdf60f894675e6c56a82e3c0b583f70089114ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe+:q7Tc2NYHUrAwfMp3CD+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1580-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1896-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4908-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-841-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-1016-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3868 thhthb.exe 4936 frxfxrl.exe 4928 jpdvp.exe 3548 jddvp.exe 4668 3hhthb.exe 2308 jppjd.exe 3280 bnbthb.exe 4804 ffxrfxr.exe 4588 bnhhbt.exe 744 lxxrrlx.exe 2336 pvjvj.exe 4136 tbbnhb.exe 996 btnhtn.exe 532 vjpjp.exe 2992 hnthtn.exe 1620 xlrlxlx.exe 1252 jdjjd.exe 1908 lxrrfxr.exe 1244 9hbnhb.exe 2948 jjddj.exe 1544 rrxrfxr.exe 4764 1btnhb.exe 4340 7jdjj.exe 1896 rxxrlfx.exe 4756 bbnhbt.exe 3796 pddvj.exe 1412 nbbnbb.exe 2400 dvpvj.exe 916 bhnbhh.exe 2416 pddvj.exe 3412 rrlxrlx.exe 3648 httnhh.exe 2592 fllfrlf.exe 948 ntbttn.exe 4220 pvdpd.exe 4280 xffxlfx.exe 2480 nhnhnh.exe 2216 vddvj.exe 3316 xlllxxl.exe 1472 ntbthb.exe 1260 7bnbbt.exe 2596 xrfffll.exe 1312 bnhhtt.exe 5100 pdvjd.exe 4300 lxfrfxr.exe 1912 tnntbh.exe 1580 jdvvv.exe 4512 9rxrfrl.exe 1180 xrlxlfr.exe 1212 ttnhbt.exe 4116 vddjp.exe 4928 9lllfxr.exe 3172 tbnnnb.exe 4716 vpjdp.exe 4536 frrlxfx.exe 4424 ffrflfx.exe 100 bbtnbb.exe 3280 9jddp.exe 224 lffxxff.exe 1916 hhnhht.exe 5044 htnhtt.exe 1560 9pjjd.exe 3956 9rlfrrl.exe 1748 tbbtnh.exe -
resource yara_rule behavioral2/memory/1580-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4756-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1492-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-699-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-841-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5fxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frflrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bbbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rlfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1580 wrote to memory of 3868 1580 926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe 83 PID 1580 wrote to memory of 3868 1580 926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe 83 PID 1580 wrote to memory of 3868 1580 926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe 83 PID 3868 wrote to memory of 4936 3868 thhthb.exe 84 PID 3868 wrote to memory of 4936 3868 thhthb.exe 84 PID 3868 wrote to memory of 4936 3868 thhthb.exe 84 PID 4936 wrote to memory of 4928 4936 frxfxrl.exe 85 PID 4936 wrote to memory of 4928 4936 frxfxrl.exe 85 PID 4936 wrote to memory of 4928 4936 frxfxrl.exe 85 PID 4928 wrote to memory of 3548 4928 jpdvp.exe 86 PID 4928 wrote to memory of 3548 4928 jpdvp.exe 86 PID 4928 wrote to memory of 3548 4928 jpdvp.exe 86 PID 3548 wrote to memory of 4668 3548 jddvp.exe 87 PID 3548 wrote to memory of 4668 3548 jddvp.exe 87 PID 3548 wrote to memory of 4668 3548 jddvp.exe 87 PID 4668 wrote to memory of 2308 4668 3hhthb.exe 88 PID 4668 wrote to memory of 2308 4668 3hhthb.exe 88 PID 4668 wrote to memory of 2308 4668 3hhthb.exe 88 PID 2308 wrote to memory of 3280 2308 jppjd.exe 89 PID 2308 wrote to memory of 3280 2308 jppjd.exe 89 PID 2308 wrote to memory of 3280 2308 jppjd.exe 89 PID 3280 wrote to memory of 4804 3280 bnbthb.exe 90 PID 3280 wrote to memory of 4804 3280 bnbthb.exe 90 PID 3280 wrote to memory of 4804 3280 bnbthb.exe 90 PID 4804 wrote to memory of 4588 4804 ffxrfxr.exe 91 PID 4804 wrote to memory of 4588 4804 ffxrfxr.exe 91 PID 4804 wrote to memory of 4588 4804 ffxrfxr.exe 91 PID 4588 wrote to memory of 744 4588 bnhhbt.exe 92 PID 4588 wrote to memory of 744 4588 bnhhbt.exe 92 PID 4588 wrote to memory of 744 4588 bnhhbt.exe 92 PID 744 wrote to memory of 2336 744 lxxrrlx.exe 93 PID 744 wrote to memory of 2336 744 lxxrrlx.exe 93 PID 744 wrote to memory of 2336 744 lxxrrlx.exe 93 PID 2336 wrote to memory of 4136 2336 pvjvj.exe 94 PID 2336 wrote to memory of 
4136 2336 pvjvj.exe 94 PID 2336 wrote to memory of 4136 2336 pvjvj.exe 94 PID 4136 wrote to memory of 996 4136 tbbnhb.exe 95 PID 4136 wrote to memory of 996 4136 tbbnhb.exe 95 PID 4136 wrote to memory of 996 4136 tbbnhb.exe 95 PID 996 wrote to memory of 532 996 btnhtn.exe 96 PID 996 wrote to memory of 532 996 btnhtn.exe 96 PID 996 wrote to memory of 532 996 btnhtn.exe 96 PID 532 wrote to memory of 2992 532 vjpjp.exe 97 PID 532 wrote to memory of 2992 532 vjpjp.exe 97 PID 532 wrote to memory of 2992 532 vjpjp.exe 97 PID 2992 wrote to memory of 1620 2992 hnthtn.exe 98 PID 2992 wrote to memory of 1620 2992 hnthtn.exe 98 PID 2992 wrote to memory of 1620 2992 hnthtn.exe 98 PID 1620 wrote to memory of 1252 1620 xlrlxlx.exe 99 PID 1620 wrote to memory of 1252 1620 xlrlxlx.exe 99 PID 1620 wrote to memory of 1252 1620 xlrlxlx.exe 99 PID 1252 wrote to memory of 1908 1252 jdjjd.exe 100 PID 1252 wrote to memory of 1908 1252 jdjjd.exe 100 PID 1252 wrote to memory of 1908 1252 jdjjd.exe 100 PID 1908 wrote to memory of 1244 1908 lxrrfxr.exe 101 PID 1908 wrote to memory of 1244 1908 lxrrfxr.exe 101 PID 1908 wrote to memory of 1244 1908 lxrrfxr.exe 101 PID 1244 wrote to memory of 2948 1244 9hbnhb.exe 102 PID 1244 wrote to memory of 2948 1244 9hbnhb.exe 102 PID 1244 wrote to memory of 2948 1244 9hbnhb.exe 102 PID 2948 wrote to memory of 1544 2948 jjddj.exe 103 PID 2948 wrote to memory of 1544 2948 jjddj.exe 103 PID 2948 wrote to memory of 1544 2948 jjddj.exe 103 PID 1544 wrote to memory of 4764 1544 rrxrfxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe"C:\Users\Admin\AppData\Local\Temp\926786eee1ee959512027b39f85f34eb60a6492a5bfd1022b11da3fb25ce1fcf.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\thhthb.exec:\thhthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\frxfxrl.exec:\frxfxrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\jpdvp.exec:\jpdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\jddvp.exec:\jddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\3hhthb.exec:\3hhthb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4668 -
\??\c:\jppjd.exec:\jppjd.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\bnbthb.exec:\bnbthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\ffxrfxr.exec:\ffxrfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\bnhhbt.exec:\bnhhbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\lxxrrlx.exec:\lxxrrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\pvjvj.exec:\pvjvj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\tbbnhb.exec:\tbbnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\btnhtn.exec:\btnhtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996 -
\??\c:\vjpjp.exec:\vjpjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\hnthtn.exec:\hnthtn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\xlrlxlx.exec:\xlrlxlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\jdjjd.exec:\jdjjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
\??\c:\lxrrfxr.exec:\lxrrfxr.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\9hbnhb.exec:\9hbnhb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\jjddj.exec:\jjddj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\rrxrfxr.exec:\rrxrfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\1btnhb.exec:\1btnhb.exe23⤵
- Executes dropped EXE
PID:4764 -
\??\c:\7jdjj.exec:\7jdjj.exe24⤵
- Executes dropped EXE
PID:4340 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe25⤵
- Executes dropped EXE
PID:1896 -
\??\c:\bbnhbt.exec:\bbnhbt.exe26⤵
- Executes dropped EXE
PID:4756 -
\??\c:\pddvj.exec:\pddvj.exe27⤵
- Executes dropped EXE
PID:3796 -
\??\c:\nbbnbb.exec:\nbbnbb.exe28⤵
- Executes dropped EXE
PID:1412 -
\??\c:\dvpvj.exec:\dvpvj.exe29⤵
- Executes dropped EXE
PID:2400 -
\??\c:\bhnbhh.exec:\bhnbhh.exe30⤵
- Executes dropped EXE
PID:916 -
\??\c:\pddvj.exec:\pddvj.exe31⤵
- Executes dropped EXE
PID:2416 -
\??\c:\rrlxrlx.exec:\rrlxrlx.exe32⤵
- Executes dropped EXE
PID:3412 -
\??\c:\httnhh.exec:\httnhh.exe33⤵
- Executes dropped EXE
PID:3648 -
\??\c:\fllfrlf.exec:\fllfrlf.exe34⤵
- Executes dropped EXE
PID:2592 -
\??\c:\ntbttn.exec:\ntbttn.exe35⤵
- Executes dropped EXE
PID:948 -
\??\c:\pvdpd.exec:\pvdpd.exe36⤵
- Executes dropped EXE
PID:4220 -
\??\c:\xffxlfx.exec:\xffxlfx.exe37⤵
- Executes dropped EXE
PID:4280 -
\??\c:\nhnhnh.exec:\nhnhnh.exe38⤵
- Executes dropped EXE
PID:2480 -
\??\c:\vddvj.exec:\vddvj.exe39⤵
- Executes dropped EXE
PID:2216 -
\??\c:\xlllxxl.exec:\xlllxxl.exe40⤵
- Executes dropped EXE
PID:3316 -
\??\c:\ntbthb.exec:\ntbthb.exe41⤵
- Executes dropped EXE
PID:1472 -
\??\c:\7bnbbt.exec:\7bnbbt.exe42⤵
- Executes dropped EXE
PID:1260 -
\??\c:\xrfffll.exec:\xrfffll.exe43⤵
- Executes dropped EXE
PID:2596 -
\??\c:\bnhhtt.exec:\bnhhtt.exe44⤵
- Executes dropped EXE
PID:1312 -
\??\c:\pdvjd.exec:\pdvjd.exe45⤵
- Executes dropped EXE
PID:5100 -
\??\c:\lxfrfxr.exec:\lxfrfxr.exe46⤵
- Executes dropped EXE
PID:4300 -
\??\c:\tnntbh.exec:\tnntbh.exe47⤵
- Executes dropped EXE
PID:1912 -
\??\c:\jdvvv.exec:\jdvvv.exe48⤵
- Executes dropped EXE
PID:1580 -
\??\c:\9rxrfrl.exec:\9rxrfrl.exe49⤵
- Executes dropped EXE
PID:4512 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe50⤵
- Executes dropped EXE
PID:1180 -
\??\c:\ttnhbt.exec:\ttnhbt.exe51⤵
- Executes dropped EXE
PID:1212 -
\??\c:\vddjp.exec:\vddjp.exe52⤵
- Executes dropped EXE
PID:4116 -
\??\c:\9lllfxr.exec:\9lllfxr.exe53⤵
- Executes dropped EXE
PID:4928 -
\??\c:\tbnnnb.exec:\tbnnnb.exe54⤵
- Executes dropped EXE
PID:3172 -
\??\c:\vpjdp.exec:\vpjdp.exe55⤵
- Executes dropped EXE
PID:4716 -
\??\c:\frrlxfx.exec:\frrlxfx.exe56⤵
- Executes dropped EXE
PID:4536 -
\??\c:\ffrflfx.exec:\ffrflfx.exe57⤵
- Executes dropped EXE
PID:4424 -
\??\c:\bbtnbb.exec:\bbtnbb.exe58⤵
- Executes dropped EXE
PID:100 -
\??\c:\9jddp.exec:\9jddp.exe59⤵
- Executes dropped EXE
PID:3280 -
\??\c:\lffxxff.exec:\lffxxff.exe60⤵
- Executes dropped EXE
PID:224 -
\??\c:\hhnhht.exec:\hhnhht.exe61⤵
- Executes dropped EXE
PID:1916 -
\??\c:\htnhtt.exec:\htnhtt.exe62⤵
- Executes dropped EXE
PID:5044 -
\??\c:\9pjjd.exec:\9pjjd.exe63⤵
- Executes dropped EXE
PID:1560 -
\??\c:\9rlfrrl.exec:\9rlfrrl.exe64⤵
- Executes dropped EXE
PID:3956 -
\??\c:\tbbtnh.exec:\tbbtnh.exe65⤵
- Executes dropped EXE
PID:1748 -
\??\c:\thhhtb.exec:\thhhtb.exe66⤵PID:3136
-
\??\c:\vdjjp.exec:\vdjjp.exe67⤵PID:1880
-
\??\c:\3xrrlrl.exec:\3xrrlrl.exe68⤵PID:1124
-
\??\c:\3btnbt.exec:\3btnbt.exe69⤵PID:996
-
\??\c:\xrxrffr.exec:\xrxrffr.exe70⤵PID:4752
-
\??\c:\thnhtn.exec:\thnhtn.exe71⤵PID:1704
-
\??\c:\bbbhth.exec:\bbbhth.exe72⤵PID:2992
-
\??\c:\vjvpd.exec:\vjvpd.exe73⤵PID:2488
-
\??\c:\frxlfxr.exec:\frxlfxr.exe74⤵PID:4432
-
\??\c:\bbtnth.exec:\bbtnth.exe75⤵PID:3064
-
\??\c:\djvpd.exec:\djvpd.exe76⤵PID:1468
-
\??\c:\jjdvj.exec:\jjdvj.exe77⤵PID:592
-
\??\c:\rffxrlx.exec:\rffxrlx.exe78⤵PID:4108
-
\??\c:\bbhbnh.exec:\bbhbnh.exe79⤵PID:4908
-
\??\c:\pdddp.exec:\pdddp.exe80⤵PID:2804
-
\??\c:\fflfxxf.exec:\fflfxxf.exe81⤵PID:1684
-
\??\c:\lrffffr.exec:\lrffffr.exe82⤵PID:2584
-
\??\c:\hbbbtn.exec:\hbbbtn.exe83⤵PID:4144
-
\??\c:\djddd.exec:\djddd.exe84⤵PID:1976
-
\??\c:\xrxrlrl.exec:\xrxrlrl.exe85⤵PID:4672
-
\??\c:\nhbttn.exec:\nhbttn.exe86⤵PID:748
-
\??\c:\jpdvp.exec:\jpdvp.exe87⤵PID:1036
-
\??\c:\xxxrxxl.exec:\xxxrxxl.exe88⤵PID:3640
-
\??\c:\btbbth.exec:\btbbth.exe89⤵PID:888
-
\??\c:\vvdvj.exec:\vvdvj.exe90⤵PID:3144
-
\??\c:\ddpjv.exec:\ddpjv.exe91⤵PID:2960
-
\??\c:\xlrfrlx.exec:\xlrfrlx.exe92⤵PID:1492
-
\??\c:\htbtnh.exec:\htbtnh.exe93⤵PID:2600
-
\??\c:\hnnbbh.exec:\hnnbbh.exe94⤵PID:4828
-
\??\c:\vpdpp.exec:\vpdpp.exe95⤵PID:4200
-
\??\c:\5fxrlfx.exec:\5fxrlfx.exe96⤵PID:4356
-
\??\c:\nbhbhh.exec:\nbhbhh.exe97⤵PID:852
-
\??\c:\bbbbtt.exec:\bbbbtt.exe98⤵PID:4784
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe99⤵PID:60
-
\??\c:\lrxxlxl.exec:\lrxxlxl.exe100⤵PID:948
-
\??\c:\btbttn.exec:\btbttn.exe101⤵PID:4220
-
\??\c:\vdjpv.exec:\vdjpv.exe102⤵PID:1756
-
\??\c:\3lrlfxl.exec:\3lrlfxl.exe103⤵PID:1676
-
\??\c:\bthnnn.exec:\bthnnn.exe104⤵PID:2872
-
\??\c:\vjpjv.exec:\vjpjv.exe105⤵PID:1584
-
\??\c:\llxrrxr.exec:\llxrrxr.exe106⤵PID:2812
-
\??\c:\hntnhb.exec:\hntnhb.exe107⤵PID:4508
-
\??\c:\pjdvp.exec:\pjdvp.exe108⤵PID:3928
-
\??\c:\pdvpj.exec:\pdvpj.exe109⤵PID:1336
-
\??\c:\fllrfxr.exec:\fllrfxr.exe110⤵PID:4800
-
\??\c:\nnnnhh.exec:\nnnnhh.exe111⤵PID:3888
-
\??\c:\vpvpd.exec:\vpvpd.exe112⤵PID:4292
-
\??\c:\xlfrfxr.exec:\xlfrfxr.exe113⤵PID:1376
-
\??\c:\bnbbtn.exec:\bnbbtn.exe114⤵PID:1632
-
\??\c:\jddvp.exec:\jddvp.exe115⤵PID:3896
-
\??\c:\9pvjd.exec:\9pvjd.exe116⤵PID:4160
-
\??\c:\llrlxrl.exec:\llrlxrl.exe117⤵PID:3564
-
\??\c:\btnhbt.exec:\btnhbt.exe118⤵PID:3884
-
\??\c:\7tbnhb.exec:\7tbnhb.exe119⤵PID:4932
-
\??\c:\1jdpj.exec:\1jdpj.exe120⤵PID:4368
-
\??\c:\5llfxxr.exec:\5llfxxr.exe121⤵PID:2016
-
\??\c:\tttttn.exec:\tttttn.exe122⤵PID:1640