Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 02:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76.exe
-
Size
453KB
-
MD5
11539e9317afa476d085c3361405653f
-
SHA1
a1a24f507151a77a5439d7d54bf289d422c13d5d
-
SHA256
9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76
-
SHA512
ba4414daec8404715e92a9bf573e408e137693dd7626b4219dc71465a77c9bd34d7714422be7fe2738cec7b0927ab51de0e9d176e3b977a6914fe0fe739ed5d1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/916-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2128-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2176-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/824-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-762-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-844-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-1034-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-1465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4216 bhhtnh.exe 468 pjdvv.exe 3348 rlxxrxr.exe 4732 ttbhhh.exe 2904 xrfxxxx.exe 4900 3pdvd.exe 2140 ththhn.exe 1704 pjpjd.exe 5000 rrxrfff.exe 1916 lllfxxx.exe 4076 9htnhb.exe 4644 fflflff.exe 3028 5xfxxxr.exe 4628 1vpvp.exe 1936 frxrrrl.exe 4408 tntnhh.exe 5060 5btthh.exe 3132 fxfrlrl.exe 2388 nhhbtt.exe 3952 fllfxrl.exe 2008 3tnhhh.exe 1620 vpdvv.exe 3416 5rffrlr.exe 2520 bttnnb.exe 2176 5dvjd.exe 2276 frfxrlf.exe 1192 3rxlrlf.exe 1168 tbtntb.exe 2128 tthbhh.exe 1148 jjpdv.exe 1040 nhbbtt.exe 824 xxrrlrx.exe 1908 5jjvp.exe 3500 xxrlffx.exe 2720 fxffrxr.exe 3352 bnnnhh.exe 2144 3flrxfx.exe 436 thtnht.exe 3108 vvdvp.exe 2568 jdpjj.exe 4716 1flflll.exe 2000 tntnnn.exe 116 dpvdv.exe 2216 lxxfxxx.exe 4340 llrlffx.exe 4432 tthbhh.exe 3624 7pddd.exe 1100 rrxrlll.exe 5052 tnnbtn.exe 4508 vjjdv.exe 2732 lxxrlll.exe 4868 nhbbtt.exe 4760 jdddj.exe 3200 1xfrllf.exe 768 1flffrx.exe 1944 7nbtnn.exe 3444 3vvpp.exe 3536 rlllfrr.exe 3436 xfxrrlx.exe 4884 nbbttt.exe 1012 1dddv.exe 2508 9rxxfff.exe 4916 rflfxfx.exe 2828 3bhbtb.exe -
resource yara_rule behavioral2/memory/916-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1148-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2952-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/824-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-762-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-844-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-1034-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rrrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxffxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 916 wrote to memory of 4216 916 9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76.exe 82 PID 916 wrote to memory of 4216 916 9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76.exe 82 PID 916 wrote to memory of 4216 916 9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76.exe 82 PID 4216 wrote to memory of 468 4216 bhhtnh.exe 83 PID 4216 wrote to memory of 468 4216 bhhtnh.exe 83 PID 4216 wrote to memory of 468 4216 bhhtnh.exe 83 PID 468 wrote to memory of 3348 468 pjdvv.exe 84 PID 468 wrote to memory of 3348 468 pjdvv.exe 84 PID 468 wrote to memory of 3348 468 pjdvv.exe 84 PID 3348 wrote to memory of 4732 3348 rlxxrxr.exe 85 PID 3348 wrote to memory of 4732 3348 rlxxrxr.exe 85 PID 3348 wrote to memory of 4732 3348 rlxxrxr.exe 85 PID 4732 wrote to memory of 2904 4732 ttbhhh.exe 86 PID 4732 wrote to memory of 2904 4732 ttbhhh.exe 86 PID 4732 wrote to memory of 2904 4732 ttbhhh.exe 86 PID 2904 wrote to memory of 4900 2904 xrfxxxx.exe 87 PID 2904 wrote to memory of 4900 2904 xrfxxxx.exe 87 PID 2904 wrote to memory of 4900 2904 xrfxxxx.exe 87 PID 4900 wrote to memory of 2140 4900 3pdvd.exe 88 PID 4900 wrote to memory of 2140 4900 3pdvd.exe 88 PID 4900 wrote to memory of 2140 4900 3pdvd.exe 88 PID 2140 wrote to memory of 1704 2140 ththhn.exe 89 PID 2140 wrote to memory of 1704 2140 ththhn.exe 89 PID 2140 wrote to memory of 1704 2140 ththhn.exe 89 PID 1704 wrote to memory of 5000 1704 pjpjd.exe 90 PID 1704 wrote to memory of 5000 1704 pjpjd.exe 90 PID 1704 wrote to memory of 5000 1704 pjpjd.exe 90 PID 5000 wrote to memory of 1916 5000 rrxrfff.exe 91 PID 5000 wrote to memory of 1916 5000 rrxrfff.exe 91 PID 5000 wrote to memory of 1916 5000 rrxrfff.exe 91 PID 1916 wrote to memory of 4076 1916 lllfxxx.exe 92 PID 1916 wrote to memory of 4076 1916 lllfxxx.exe 92 PID 1916 wrote to memory of 4076 1916 lllfxxx.exe 92 PID 4076 wrote to memory of 4644 4076 9htnhb.exe 93 PID 4076 wrote to memory of 
4644 4076 9htnhb.exe 93 PID 4076 wrote to memory of 4644 4076 9htnhb.exe 93 PID 4644 wrote to memory of 3028 4644 fflflff.exe 94 PID 4644 wrote to memory of 3028 4644 fflflff.exe 94 PID 4644 wrote to memory of 3028 4644 fflflff.exe 94 PID 3028 wrote to memory of 4628 3028 5xfxxxr.exe 95 PID 3028 wrote to memory of 4628 3028 5xfxxxr.exe 95 PID 3028 wrote to memory of 4628 3028 5xfxxxr.exe 95 PID 4628 wrote to memory of 1936 4628 1vpvp.exe 96 PID 4628 wrote to memory of 1936 4628 1vpvp.exe 96 PID 4628 wrote to memory of 1936 4628 1vpvp.exe 96 PID 1936 wrote to memory of 4408 1936 frxrrrl.exe 97 PID 1936 wrote to memory of 4408 1936 frxrrrl.exe 97 PID 1936 wrote to memory of 4408 1936 frxrrrl.exe 97 PID 4408 wrote to memory of 5060 4408 tntnhh.exe 98 PID 4408 wrote to memory of 5060 4408 tntnhh.exe 98 PID 4408 wrote to memory of 5060 4408 tntnhh.exe 98 PID 5060 wrote to memory of 3132 5060 5btthh.exe 99 PID 5060 wrote to memory of 3132 5060 5btthh.exe 99 PID 5060 wrote to memory of 3132 5060 5btthh.exe 99 PID 3132 wrote to memory of 2388 3132 fxfrlrl.exe 100 PID 3132 wrote to memory of 2388 3132 fxfrlrl.exe 100 PID 3132 wrote to memory of 2388 3132 fxfrlrl.exe 100 PID 2388 wrote to memory of 3952 2388 nhhbtt.exe 101 PID 2388 wrote to memory of 3952 2388 nhhbtt.exe 101 PID 2388 wrote to memory of 3952 2388 nhhbtt.exe 101 PID 3952 wrote to memory of 2008 3952 fllfxrl.exe 102 PID 3952 wrote to memory of 2008 3952 fllfxrl.exe 102 PID 3952 wrote to memory of 2008 3952 fllfxrl.exe 102 PID 2008 wrote to memory of 1620 2008 3tnhhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76.exe"C:\Users\Admin\AppData\Local\Temp\9a8b05de94c6f8ee589d98a833eb419cafa8acf6249c0139d0ad920b98deaa76.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\bhhtnh.exec:\bhhtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\pjdvv.exec:\pjdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\rlxxrxr.exec:\rlxxrxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\ttbhhh.exec:\ttbhhh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\xrfxxxx.exec:\xrfxxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\3pdvd.exec:\3pdvd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\ththhn.exec:\ththhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\pjpjd.exec:\pjpjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\rrxrfff.exec:\rrxrfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\lllfxxx.exec:\lllfxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\9htnhb.exec:\9htnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\fflflff.exec:\fflflff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\5xfxxxr.exec:\5xfxxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\1vpvp.exec:\1vpvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\frxrrrl.exec:\frxrrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\tntnhh.exec:\tntnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\5btthh.exec:\5btthh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\fxfrlrl.exec:\fxfrlrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\nhhbtt.exec:\nhhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\fllfxrl.exec:\fllfxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
\??\c:\3tnhhh.exec:\3tnhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\vpdvv.exec:\vpdvv.exe23⤵
- Executes dropped EXE
PID:1620 -
\??\c:\5rffrlr.exec:\5rffrlr.exe24⤵
- Executes dropped EXE
PID:3416 -
\??\c:\bttnnb.exec:\bttnnb.exe25⤵
- Executes dropped EXE
PID:2520 -
\??\c:\5dvjd.exec:\5dvjd.exe26⤵
- Executes dropped EXE
PID:2176 -
\??\c:\frfxrlf.exec:\frfxrlf.exe27⤵
- Executes dropped EXE
PID:2276 -
\??\c:\3rxlrlf.exec:\3rxlrlf.exe28⤵
- Executes dropped EXE
PID:1192 -
\??\c:\tbtntb.exec:\tbtntb.exe29⤵
- Executes dropped EXE
PID:1168 -
\??\c:\tthbhh.exec:\tthbhh.exe30⤵
- Executes dropped EXE
PID:2128 -
\??\c:\jjpdv.exec:\jjpdv.exe31⤵
- Executes dropped EXE
PID:1148 -
\??\c:\nhbbtt.exec:\nhbbtt.exe32⤵
- Executes dropped EXE
PID:1040 -
\??\c:\xxrrlrx.exec:\xxrrlrx.exe33⤵
- Executes dropped EXE
PID:824 -
\??\c:\5jjvp.exec:\5jjvp.exe34⤵
- Executes dropped EXE
PID:1908 -
\??\c:\xxrlffx.exec:\xxrlffx.exe35⤵
- Executes dropped EXE
PID:3500 -
\??\c:\fxffrxr.exec:\fxffrxr.exe36⤵
- Executes dropped EXE
PID:2720 -
\??\c:\bnnnhh.exec:\bnnnhh.exe37⤵
- Executes dropped EXE
PID:3352 -
\??\c:\3flrxfx.exec:\3flrxfx.exe38⤵
- Executes dropped EXE
PID:2144 -
\??\c:\thtnht.exec:\thtnht.exe39⤵
- Executes dropped EXE
PID:436 -
\??\c:\vvdvp.exec:\vvdvp.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3108 -
\??\c:\jdpjj.exec:\jdpjj.exe41⤵
- Executes dropped EXE
PID:2568 -
\??\c:\1flflll.exec:\1flflll.exe42⤵
- Executes dropped EXE
PID:4716 -
\??\c:\tntnnn.exec:\tntnnn.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
\??\c:\dpvdv.exec:\dpvdv.exe44⤵
- Executes dropped EXE
PID:116 -
\??\c:\lxxfxxx.exec:\lxxfxxx.exe45⤵
- Executes dropped EXE
PID:2216 -
\??\c:\llrlffx.exec:\llrlffx.exe46⤵
- Executes dropped EXE
PID:4340 -
\??\c:\tthbhh.exec:\tthbhh.exe47⤵
- Executes dropped EXE
PID:4432 -
\??\c:\7pddd.exec:\7pddd.exe48⤵
- Executes dropped EXE
PID:3624 -
\??\c:\rrxrlll.exec:\rrxrlll.exe49⤵
- Executes dropped EXE
PID:1100 -
\??\c:\tnnbtn.exec:\tnnbtn.exe50⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vjjdv.exec:\vjjdv.exe51⤵
- Executes dropped EXE
PID:4508 -
\??\c:\lxxrlll.exec:\lxxrlll.exe52⤵
- Executes dropped EXE
PID:2732 -
\??\c:\nhbbtt.exec:\nhbbtt.exe53⤵
- Executes dropped EXE
PID:4868 -
\??\c:\jdddj.exec:\jdddj.exe54⤵
- Executes dropped EXE
PID:4760 -
\??\c:\1xfrllf.exec:\1xfrllf.exe55⤵
- Executes dropped EXE
PID:3200 -
\??\c:\1flffrx.exec:\1flffrx.exe56⤵
- Executes dropped EXE
PID:768 -
\??\c:\7nbtnn.exec:\7nbtnn.exe57⤵
- Executes dropped EXE
PID:1944 -
\??\c:\3vvpp.exec:\3vvpp.exe58⤵
- Executes dropped EXE
PID:3444 -
\??\c:\rlllfrr.exec:\rlllfrr.exe59⤵
- Executes dropped EXE
PID:3536 -
\??\c:\xfxrrlx.exec:\xfxrrlx.exe60⤵
- Executes dropped EXE
PID:3436 -
\??\c:\nbbttt.exec:\nbbttt.exe61⤵
- Executes dropped EXE
PID:4884 -
\??\c:\1dddv.exec:\1dddv.exe62⤵
- Executes dropped EXE
PID:1012 -
\??\c:\9rxxfff.exec:\9rxxfff.exe63⤵
- Executes dropped EXE
PID:2508 -
\??\c:\rflfxfx.exec:\rflfxfx.exe64⤵
- Executes dropped EXE
PID:4916 -
\??\c:\3bhbtb.exec:\3bhbtb.exe65⤵
- Executes dropped EXE
PID:2828 -
\??\c:\1djjd.exec:\1djjd.exe66⤵PID:2944
-
\??\c:\lfxrxrx.exec:\lfxrxrx.exe67⤵PID:556
-
\??\c:\hhtntt.exec:\hhtntt.exe68⤵PID:3812
-
\??\c:\ntbtnn.exec:\ntbtnn.exe69⤵PID:732
-
\??\c:\pddvp.exec:\pddvp.exe70⤵PID:1364
-
\??\c:\rrrlllf.exec:\rrrlllf.exe71⤵PID:2832
-
\??\c:\thbnht.exec:\thbnht.exe72⤵PID:2424
-
\??\c:\thhhbb.exec:\thhhbb.exe73⤵PID:4272
-
\??\c:\vppvp.exec:\vppvp.exe74⤵PID:3848
-
\??\c:\thnnhh.exec:\thnnhh.exe75⤵PID:4420
-
\??\c:\dvppp.exec:\dvppp.exe76⤵PID:4540
-
\??\c:\xfrlflf.exec:\xfrlflf.exe77⤵PID:2436
-
\??\c:\3httnt.exec:\3httnt.exe78⤵PID:3940
-
\??\c:\ddvjv.exec:\ddvjv.exe79⤵PID:464
-
\??\c:\7djdv.exec:\7djdv.exe80⤵PID:828
-
\??\c:\xfxffff.exec:\xfxffff.exe81⤵PID:980
-
\??\c:\bnnhbb.exec:\bnnhbb.exe82⤵PID:2764
-
\??\c:\ppvpj.exec:\ppvpj.exe83⤵PID:2176
-
\??\c:\5ppvp.exec:\5ppvp.exe84⤵PID:1480
-
\??\c:\3xfrxxr.exec:\3xfrxxr.exe85⤵PID:4940
-
\??\c:\tntnht.exec:\tntnht.exe86⤵PID:2132
-
\??\c:\7ppjd.exec:\7ppjd.exe87⤵PID:540
-
\??\c:\frxxrll.exec:\frxxrll.exe88⤵PID:1720
-
\??\c:\3ffxllr.exec:\3ffxllr.exe89⤵PID:2952
-
\??\c:\5bhhbt.exec:\5bhhbt.exe90⤵PID:2540
-
\??\c:\jppvv.exec:\jppvv.exe91⤵PID:2608
-
\??\c:\xlrlffx.exec:\xlrlffx.exe92⤵PID:824
-
\??\c:\nhhbhn.exec:\nhhbhn.exe93⤵PID:3256
-
\??\c:\thtbbt.exec:\thtbbt.exe94⤵PID:2956
-
\??\c:\vvvjv.exec:\vvvjv.exe95⤵
- System Location Discovery: System Language Discovery
PID:1460 -
\??\c:\lflfxxf.exec:\lflfxxf.exe96⤵PID:4936
-
\??\c:\tnbtnb.exec:\tnbtnb.exe97⤵PID:1872
-
\??\c:\pddvv.exec:\pddvv.exe98⤵PID:1856
-
\??\c:\fxfxxxx.exec:\fxfxxxx.exe99⤵PID:640
-
\??\c:\rrxrrrx.exec:\rrxrrrx.exe100⤵PID:4852
-
\??\c:\btnhhh.exec:\btnhhh.exe101⤵PID:3768
-
\??\c:\vdjdv.exec:\vdjdv.exe102⤵PID:4912
-
\??\c:\llrflrl.exec:\llrflrl.exe103⤵PID:3232
-
\??\c:\htnhbt.exec:\htnhbt.exe104⤵PID:116
-
\??\c:\hhbtnn.exec:\hhbtnn.exe105⤵PID:2216
-
\??\c:\ppvpv.exec:\ppvpv.exe106⤵PID:656
-
\??\c:\3vvpp.exec:\3vvpp.exe107⤵PID:2280
-
\??\c:\5rfxffl.exec:\5rfxffl.exe108⤵PID:4224
-
\??\c:\5bhhnn.exec:\5bhhnn.exe109⤵PID:4472
-
\??\c:\ppjdp.exec:\ppjdp.exe110⤵PID:320
-
\??\c:\xxlfrrl.exec:\xxlfrrl.exe111⤵PID:2192
-
\??\c:\nhttnt.exec:\nhttnt.exe112⤵PID:4332
-
\??\c:\pvdjp.exec:\pvdjp.exe113⤵PID:4844
-
\??\c:\rlrlxlf.exec:\rlrlxlf.exe114⤵PID:764
-
\??\c:\1nnbnh.exec:\1nnbnh.exe115⤵PID:3076
-
\??\c:\ntbbbb.exec:\ntbbbb.exe116⤵PID:1808
-
\??\c:\vpvvv.exec:\vpvvv.exe117⤵PID:2140
-
\??\c:\fflflrl.exec:\fflflrl.exe118⤵PID:3444
-
\??\c:\tnhbtt.exec:\tnhbtt.exe119⤵PID:3308
-
\??\c:\jvdpd.exec:\jvdpd.exe120⤵PID:2692
-
\??\c:\7djdp.exec:\7djdp.exe121⤵PID:3012
-
\??\c:\rffrfxr.exec:\rffrfxr.exe122⤵PID:3484