Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe
-
Size
454KB
-
MD5
20b0b7432eb483956423590cb15b1b66
-
SHA1
9e52b1e41407bae74996d7376b3f7219e08a7b5b
-
SHA256
8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988
-
SHA512
3f176395a2540b683cb53367ec192eb1cd2d23f527ec675b449cb23a66685478eb3bced95a48789e34f48fb52e37e1f49a423d30aabe922b083f906d2de2f939
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (the YARA rule family_blackmoon matched in the memory of the submitted sample, PID 4972, and then in each dropped EXE down the chain, always over the same image range 0x00400000–0x0042A000; the same regions also match the generic upx rule listed further below, which is consistent with each dropped EXE being a copy of the same packed payload — verify by comparing hashes of the dropped files)
resource yara_rule behavioral2/memory/4972-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3172-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2464-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-499-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-923-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-1126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-1305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (caution when correlating by PID: PIDs are recycled during this run — 4836 is listed for both 9hthtb.exe and 9vppp.exe, and 3016 for both nnntnh.exe and 5xlfrll.exe — so earlier links of the chain have already exited, and a PID on its own does not identify a unique process in this report; only the first 64 dropped EXEs are listed, the process tree below goes deeper)
pid Process 4836 9hthtb.exe 4936 vpjdp.exe 1920 rxxlfxl.exe 956 dppvp.exe 4020 7rffrlf.exe 3016 nnntnh.exe 2364 frxrflx.exe 4316 hhtnth.exe 1760 pppjj.exe 1204 nhbnbt.exe 2796 nhbthh.exe 2284 vdjdv.exe 2672 flllfff.exe 3140 hntnnt.exe 4384 lrrfxrl.exe 4572 vpjdd.exe 3172 3jpjj.exe 3032 lxfxrrr.exe 4948 9thtnh.exe 3864 jddvp.exe 2148 lxlflfx.exe 1560 7tnnnt.exe 4472 1jvpd.exe 2988 3xfxxxx.exe 644 tnthbh.exe 1136 pvdpd.exe 3972 3frlffx.exe 4788 3pdpd.exe 4344 btnhhb.exe 4520 vjpdd.exe 4236 9thbtt.exe 1396 5xfrfxr.exe 1620 xrrlxxr.exe 656 vppjd.exe 4036 5rfrlff.exe 4916 hbhtnn.exe 816 dddvp.exe 3976 xffrffr.exe 2232 5tthtn.exe 944 xxxrllf.exe 4232 bbhhtt.exe 3008 ddvdd.exe 4040 fxfxxxr.exe 2272 5hnhhh.exe 2724 dvdpp.exe 4456 lflfrfx.exe 468 1rxxrfx.exe 3476 hbnbtt.exe 4836 9vppp.exe 4100 rlrrrrx.exe 1192 1xlrxxf.exe 3352 9jdpj.exe 2140 jddpj.exe 4464 rfrllfl.exe 3112 3hbbtt.exe 1872 jdjvv.exe 3016 5xlfrll.exe 3980 xrlxrlx.exe 2592 tntnhb.exe 2804 pvdvp.exe 1188 jjpjd.exe 372 fflxrlf.exe 116 ntbnnb.exe 2468 dpjpp.exe -
resource yara_rule behavioral2/memory/4836-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-120-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3172-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-364-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2668-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-923-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the lookup is a read of the registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (see the IoC list below); most of the recorded reads are attributed to "Process not Found", presumably because the short-lived dropped EXE had already exited by the time the event was attributed — confirm against the process tree before treating any single file name as the only one performing the check.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbnn.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe -
Suspicious use of WriteProcessMemory 64 IoCs (each entry is a parent writing into the memory of the child it has just spawned — the sample, PID 4972, writes into 9hthtb.exe/4836, which writes into vpjdp.exe/4936, and so on — three identical events per parent→child pair, forming a strictly linear chain; only the first 64 events are shown. Note that this signature is generic: the report does not show what was written, so on its own it evidences process creation rather than code injection — the family_blackmoon/upx memory matches above are the stronger indicator)
description pid Process procid_target PID 4972 wrote to memory of 4836 4972 8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe 85 PID 4972 wrote to memory of 4836 4972 8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe 85 PID 4972 wrote to memory of 4836 4972 8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe 85 PID 4836 wrote to memory of 4936 4836 9hthtb.exe 86 PID 4836 wrote to memory of 4936 4836 9hthtb.exe 86 PID 4836 wrote to memory of 4936 4836 9hthtb.exe 86 PID 4936 wrote to memory of 1920 4936 vpjdp.exe 87 PID 4936 wrote to memory of 1920 4936 vpjdp.exe 87 PID 4936 wrote to memory of 1920 4936 vpjdp.exe 87 PID 1920 wrote to memory of 956 1920 rxxlfxl.exe 88 PID 1920 wrote to memory of 956 1920 rxxlfxl.exe 88 PID 1920 wrote to memory of 956 1920 rxxlfxl.exe 88 PID 956 wrote to memory of 4020 956 dppvp.exe 89 PID 956 wrote to memory of 4020 956 dppvp.exe 89 PID 956 wrote to memory of 4020 956 dppvp.exe 89 PID 4020 wrote to memory of 3016 4020 7rffrlf.exe 90 PID 4020 wrote to memory of 3016 4020 7rffrlf.exe 90 PID 4020 wrote to memory of 3016 4020 7rffrlf.exe 90 PID 3016 wrote to memory of 2364 3016 nnntnh.exe 91 PID 3016 wrote to memory of 2364 3016 nnntnh.exe 91 PID 3016 wrote to memory of 2364 3016 nnntnh.exe 91 PID 2364 wrote to memory of 4316 2364 frxrflx.exe 92 PID 2364 wrote to memory of 4316 2364 frxrflx.exe 92 PID 2364 wrote to memory of 4316 2364 frxrflx.exe 92 PID 4316 wrote to memory of 1760 4316 hhtnth.exe 93 PID 4316 wrote to memory of 1760 4316 hhtnth.exe 93 PID 4316 wrote to memory of 1760 4316 hhtnth.exe 93 PID 1760 wrote to memory of 1204 1760 pppjj.exe 94 PID 1760 wrote to memory of 1204 1760 pppjj.exe 94 PID 1760 wrote to memory of 1204 1760 pppjj.exe 94 PID 1204 wrote to memory of 2796 1204 nhbnbt.exe 95 PID 1204 wrote to memory of 2796 1204 nhbnbt.exe 95 PID 1204 wrote to memory of 2796 1204 nhbnbt.exe 95 PID 2796 wrote to memory of 2284 2796 nhbthh.exe 96 PID 2796 wrote to memory of 
2284 2796 nhbthh.exe 96 PID 2796 wrote to memory of 2284 2796 nhbthh.exe 96 PID 2284 wrote to memory of 2672 2284 vdjdv.exe 97 PID 2284 wrote to memory of 2672 2284 vdjdv.exe 97 PID 2284 wrote to memory of 2672 2284 vdjdv.exe 97 PID 2672 wrote to memory of 3140 2672 flllfff.exe 98 PID 2672 wrote to memory of 3140 2672 flllfff.exe 98 PID 2672 wrote to memory of 3140 2672 flllfff.exe 98 PID 3140 wrote to memory of 4384 3140 hntnnt.exe 99 PID 3140 wrote to memory of 4384 3140 hntnnt.exe 99 PID 3140 wrote to memory of 4384 3140 hntnnt.exe 99 PID 4384 wrote to memory of 4572 4384 lrrfxrl.exe 100 PID 4384 wrote to memory of 4572 4384 lrrfxrl.exe 100 PID 4384 wrote to memory of 4572 4384 lrrfxrl.exe 100 PID 4572 wrote to memory of 3172 4572 vpjdd.exe 101 PID 4572 wrote to memory of 3172 4572 vpjdd.exe 101 PID 4572 wrote to memory of 3172 4572 vpjdd.exe 101 PID 3172 wrote to memory of 3032 3172 3jpjj.exe 102 PID 3172 wrote to memory of 3032 3172 3jpjj.exe 102 PID 3172 wrote to memory of 3032 3172 3jpjj.exe 102 PID 3032 wrote to memory of 4948 3032 lxfxrrr.exe 103 PID 3032 wrote to memory of 4948 3032 lxfxrrr.exe 103 PID 3032 wrote to memory of 4948 3032 lxfxrrr.exe 103 PID 4948 wrote to memory of 3864 4948 9thtnh.exe 104 PID 4948 wrote to memory of 3864 4948 9thtnh.exe 104 PID 4948 wrote to memory of 3864 4948 9thtnh.exe 104 PID 3864 wrote to memory of 2148 3864 jddvp.exe 105 PID 3864 wrote to memory of 2148 3864 jddvp.exe 105 PID 3864 wrote to memory of 2148 3864 jddvp.exe 105 PID 2148 wrote to memory of 1560 2148 lxlflfx.exe 106
Processes (the submitted sample runs from C:\Users\Admin\AppData\Local\Temp; every dropped EXE instead runs from the root of the system drive, shown as \??\c:\<name>.exe, with a short name drawn from a small character set (b, d, f, h, j, l, n, p, r, t, v, x plus a leading digit), and each level spawns the next — the tree is recorded to depth 122 within the 120-second run. For detection, executables being created and launched from C:\ root by a process that was itself launched from C:\ root is a concrete, low-noise behavioural pattern to alert on; from depth 66 onward the entries carry only a PID, so signature attribution for those processes is not available in this report)
-
C:\Users\Admin\AppData\Local\Temp\8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe"C:\Users\Admin\AppData\Local\Temp\8302dc22ca50968a9d53bba9fd2f800d11e2b6e62ce771e2f9d9cfa6803d3988.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
\??\c:\9hthtb.exec:\9hthtb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\vpjdp.exec:\vpjdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\rxxlfxl.exec:\rxxlfxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1920 -
\??\c:\dppvp.exec:\dppvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956 -
\??\c:\7rffrlf.exec:\7rffrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\nnntnh.exec:\nnntnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\frxrflx.exec:\frxrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\hhtnth.exec:\hhtnth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\pppjj.exec:\pppjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\nhbnbt.exec:\nhbnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\nhbthh.exec:\nhbthh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\vdjdv.exec:\vdjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\flllfff.exec:\flllfff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
\??\c:\hntnnt.exec:\hntnnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\lrrfxrl.exec:\lrrfxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\vpjdd.exec:\vpjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\3jpjj.exec:\3jpjj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\9thtnh.exec:\9thtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\jddvp.exec:\jddvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3864 -
\??\c:\lxlflfx.exec:\lxlflfx.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\7tnnnt.exec:\7tnnnt.exe23⤵
- Executes dropped EXE
PID:1560 -
\??\c:\1jvpd.exec:\1jvpd.exe24⤵
- Executes dropped EXE
PID:4472 -
\??\c:\3xfxxxx.exec:\3xfxxxx.exe25⤵
- Executes dropped EXE
PID:2988 -
\??\c:\tnthbh.exec:\tnthbh.exe26⤵
- Executes dropped EXE
PID:644 -
\??\c:\pvdpd.exec:\pvdpd.exe27⤵
- Executes dropped EXE
PID:1136 -
\??\c:\3frlffx.exec:\3frlffx.exe28⤵
- Executes dropped EXE
PID:3972 -
\??\c:\3pdpd.exec:\3pdpd.exe29⤵
- Executes dropped EXE
PID:4788 -
\??\c:\btnhhb.exec:\btnhhb.exe30⤵
- Executes dropped EXE
PID:4344 -
\??\c:\vjpdd.exec:\vjpdd.exe31⤵
- Executes dropped EXE
PID:4520 -
\??\c:\9thbtt.exec:\9thbtt.exe32⤵
- Executes dropped EXE
PID:4236 -
\??\c:\5xfrfxr.exec:\5xfrfxr.exe33⤵
- Executes dropped EXE
PID:1396 -
\??\c:\xrrlxxr.exec:\xrrlxxr.exe34⤵
- Executes dropped EXE
PID:1620 -
\??\c:\vppjd.exec:\vppjd.exe35⤵
- Executes dropped EXE
PID:656 -
\??\c:\5rfrlff.exec:\5rfrlff.exe36⤵
- Executes dropped EXE
PID:4036 -
\??\c:\hbhtnn.exec:\hbhtnn.exe37⤵
- Executes dropped EXE
PID:4916 -
\??\c:\dddvp.exec:\dddvp.exe38⤵
- Executes dropped EXE
PID:816 -
\??\c:\xffrffr.exec:\xffrffr.exe39⤵
- Executes dropped EXE
PID:3976 -
\??\c:\5tthtn.exec:\5tthtn.exe40⤵
- Executes dropped EXE
PID:2232 -
\??\c:\xxxrllf.exec:\xxxrllf.exe41⤵
- Executes dropped EXE
PID:944 -
\??\c:\bbhhtt.exec:\bbhhtt.exe42⤵
- Executes dropped EXE
PID:4232 -
\??\c:\ddvdd.exec:\ddvdd.exe43⤵
- Executes dropped EXE
PID:3008 -
\??\c:\fxfxxxr.exec:\fxfxxxr.exe44⤵
- Executes dropped EXE
PID:4040 -
\??\c:\5hnhhh.exec:\5hnhhh.exe45⤵
- Executes dropped EXE
PID:2272 -
\??\c:\dvdpp.exec:\dvdpp.exe46⤵
- Executes dropped EXE
PID:2724 -
\??\c:\lflfrfx.exec:\lflfrfx.exe47⤵
- Executes dropped EXE
PID:4456 -
\??\c:\1rxxrfx.exec:\1rxxrfx.exe48⤵
- Executes dropped EXE
PID:468 -
\??\c:\hbnbtt.exec:\hbnbtt.exe49⤵
- Executes dropped EXE
PID:3476 -
\??\c:\9vppp.exec:\9vppp.exe50⤵
- Executes dropped EXE
PID:4836 -
\??\c:\rlrrrrx.exec:\rlrrrrx.exe51⤵
- Executes dropped EXE
PID:4100 -
\??\c:\1xlrxxf.exec:\1xlrxxf.exe52⤵
- Executes dropped EXE
PID:1192 -
\??\c:\9jdpj.exec:\9jdpj.exe53⤵
- Executes dropped EXE
PID:3352 -
\??\c:\jddpj.exec:\jddpj.exe54⤵
- Executes dropped EXE
PID:2140 -
\??\c:\rfrllfl.exec:\rfrllfl.exe55⤵
- Executes dropped EXE
PID:4464 -
\??\c:\3hbbtt.exec:\3hbbtt.exe56⤵
- Executes dropped EXE
PID:3112 -
\??\c:\jdjvv.exec:\jdjvv.exe57⤵
- Executes dropped EXE
PID:1872 -
\??\c:\5xlfrll.exec:\5xlfrll.exe58⤵
- Executes dropped EXE
PID:3016 -
\??\c:\xrlxrlx.exec:\xrlxrlx.exe59⤵
- Executes dropped EXE
PID:3980 -
\??\c:\tntnhb.exec:\tntnhb.exe60⤵
- Executes dropped EXE
PID:2592 -
\??\c:\pvdvp.exec:\pvdvp.exe61⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jjpjd.exec:\jjpjd.exe62⤵
- Executes dropped EXE
PID:1188 -
\??\c:\fflxrlf.exec:\fflxrlf.exe63⤵
- Executes dropped EXE
PID:372 -
\??\c:\ntbnnb.exec:\ntbnnb.exe64⤵
- Executes dropped EXE
PID:116 -
\??\c:\dpjpp.exec:\dpjpp.exe65⤵
- Executes dropped EXE
PID:2468 -
\??\c:\frxrfff.exec:\frxrfff.exe66⤵PID:2196
-
\??\c:\llrlfxf.exec:\llrlfxf.exe67⤵PID:676
-
\??\c:\ttnhbb.exec:\ttnhbb.exe68⤵
- System Location Discovery: System Language Discovery
PID:4768 -
\??\c:\9htnhb.exec:\9htnhb.exe69⤵PID:2292
-
\??\c:\ddvpv.exec:\ddvpv.exe70⤵PID:4644
-
\??\c:\fffxxxx.exec:\fffxxxx.exe71⤵PID:2432
-
\??\c:\thhhhb.exec:\thhhhb.exe72⤵PID:3172
-
\??\c:\nthhth.exec:\nthhth.exe73⤵PID:692
-
\??\c:\dpdpp.exec:\dpdpp.exe74⤵PID:1452
-
\??\c:\rfxlxlx.exec:\rfxlxlx.exe75⤵PID:2216
-
\??\c:\9nbbtt.exec:\9nbbtt.exe76⤵PID:3864
-
\??\c:\jvdvp.exec:\jvdvp.exe77⤵PID:2464
-
\??\c:\llfxffx.exec:\llfxffx.exe78⤵PID:2984
-
\??\c:\flrrrxf.exec:\flrrrxf.exe79⤵
- System Location Discovery: System Language Discovery
PID:3408 -
\??\c:\tttnbt.exec:\tttnbt.exe80⤵PID:4632
-
\??\c:\jppdj.exec:\jppdj.exe81⤵PID:1948
-
\??\c:\fxrlxrx.exec:\fxrlxrx.exe82⤵PID:4532
-
\??\c:\nbhbtn.exec:\nbhbtn.exe83⤵PID:1900
-
\??\c:\9vpjd.exec:\9vpjd.exe84⤵PID:3024
-
\??\c:\pvdpd.exec:\pvdpd.exe85⤵PID:2668
-
\??\c:\xrrlfxr.exec:\xrrlfxr.exe86⤵PID:2504
-
\??\c:\nbhhtb.exec:\nbhhtb.exe87⤵PID:2676
-
\??\c:\vdjvp.exec:\vdjvp.exe88⤵PID:3752
-
\??\c:\rxfrfxr.exec:\rxfrfxr.exe89⤵PID:2716
-
\??\c:\hthttn.exec:\hthttn.exe90⤵PID:4304
-
\??\c:\vddpd.exec:\vddpd.exe91⤵
- System Location Discovery: System Language Discovery
PID:3384 -
\??\c:\lxlfrfr.exec:\lxlfrfr.exe92⤵PID:1376
-
\??\c:\fffxrlx.exec:\fffxrlx.exe93⤵PID:4668
-
\??\c:\1ttnhn.exec:\1ttnhn.exe94⤵PID:1828
-
\??\c:\jvvpv.exec:\jvvpv.exe95⤵PID:4148
-
\??\c:\xlfrfxf.exec:\xlfrfxf.exe96⤵PID:3004
-
\??\c:\lfxxxfr.exec:\lfxxxfr.exe97⤵PID:2648
-
\??\c:\bnnbnh.exec:\bnnbnh.exe98⤵PID:3348
-
\??\c:\pjvjj.exec:\pjvjj.exe99⤵PID:4028
-
\??\c:\3pjvv.exec:\3pjvv.exe100⤵PID:3484
-
\??\c:\rrffxrl.exec:\rrffxrl.exe101⤵PID:3916
-
\??\c:\tnnhtn.exec:\tnnhtn.exe102⤵PID:3756
-
\??\c:\jdjvp.exec:\jdjvp.exe103⤵PID:1144
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe104⤵PID:3936
-
\??\c:\lfxrxlf.exec:\lfxrxlf.exe105⤵PID:3440
-
\??\c:\thnhtn.exec:\thnhtn.exe106⤵PID:1640
-
\??\c:\dpvvp.exec:\dpvvp.exe107⤵PID:3176
-
\??\c:\7dvjd.exec:\7dvjd.exe108⤵PID:3496
-
\??\c:\fllfxxr.exec:\fllfxxr.exe109⤵PID:2776
-
\??\c:\btbthh.exec:\btbthh.exe110⤵PID:3920
-
\??\c:\vvvpd.exec:\vvvpd.exe111⤵PID:5056
-
\??\c:\tnnbnh.exec:\tnnbnh.exe112⤵PID:1920
-
\??\c:\7thbnh.exec:\7thbnh.exe113⤵PID:2652
-
\??\c:\ppdvv.exec:\ppdvv.exe114⤵PID:3588
-
\??\c:\5xrfrrx.exec:\5xrfrrx.exe115⤵PID:4464
-
\??\c:\nhnhth.exec:\nhnhth.exe116⤵PID:3112
-
\??\c:\bntntt.exec:\bntntt.exe117⤵PID:1872
-
\??\c:\vvdjv.exec:\vvdjv.exe118⤵PID:3016
-
\??\c:\rllxlfx.exec:\rllxlfx.exe119⤵PID:3980
-
\??\c:\htbnbt.exec:\htbnbt.exe120⤵PID:5096
-
\??\c:\ththtn.exec:\ththtn.exe121⤵PID:3544
-
\??\c:\vjjvp.exec:\vjjvp.exe122⤵PID:1760
-