Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe
-
Size
456KB
-
MD5
3799c66fab41c45c55aa6ab406d340b4
-
SHA1
0ad46dc0dc1efa53fa0d2b260b56e560e215b9f9
-
SHA256
c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd
-
SHA512
4d46fb8a51da53890ca5fd887e9049085036a1f4ff19b7390c59b6386b4d6ad9273092722c8f5bd86128c6e2eeff757f36cc02e2e3796943a11a79cacd5a71c3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRx:q7Tc2NYHUrAwfMp3CDRx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2112-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4968-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/848-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2952-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3824-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-858-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-1169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-1515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4032 frxlxll.exe 4192 jdddv.exe 3476 hthntb.exe 2756 dpvpd.exe 212 1xrlrxf.exe 2160 thnhbb.exe 2804 hbthnh.exe 2152 jjvpp.exe 4352 ttbtnh.exe 2924 rllfxlx.exe 1116 htthbn.exe 3304 7nnbnh.exe 3116 dddpj.exe 1996 lxrxffx.exe 3292 rlrxrrl.exe 3388 jdjvj.exe 1936 lffxfxr.exe 4748 nbtnhb.exe 3532 llxrxrr.exe 948 pdjdp.exe 3032 lrfrflr.exe 4488 pdjpp.exe 4968 nbhttb.exe 1328 rflxlfr.exe 760 bbhntn.exe 3420 7pvpj.exe 1000 rlxxlfx.exe 848 5vjpd.exe 2480 tbhthh.exe 1076 5vjdd.exe 3924 lffrrff.exe 5052 bnhtht.exe 5024 vjvjj.exe 2308 lrrxrlx.exe 2984 bnnhtn.exe 1736 dvpdv.exe 4832 9jjvd.exe 3968 rlrfxll.exe 4452 ttbthb.exe 3148 bbnbnb.exe 3632 9pjdv.exe 2360 1xlfrrl.exe 3480 rrrfrlx.exe 3476 hnnbbt.exe 3656 pddpd.exe 3356 fffrfxl.exe 3824 hthtbt.exe 4648 bntnhb.exe 2160 1dpdp.exe 3528 rlfxrlf.exe 3128 fxfxlfx.exe 4228 tnhbnh.exe 3428 3pjjv.exe 3124 7frfrlx.exe 4864 9nnbtn.exe 1744 dppdp.exe 3364 pvvpp.exe 4976 lxxlfxf.exe 3288 bbhbtn.exe 1796 pjpdp.exe 2952 3xrlxxr.exe 4396 3bhthb.exe 4708 1tbntn.exe 944 vvdpv.exe -
resource yara_rule behavioral2/memory/2112-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-150-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3420-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/848-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1808-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-858-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxfrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 4032 2112 c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe 83 PID 2112 wrote to memory of 4032 2112 c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe 83 PID 2112 wrote to memory of 4032 2112 c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe 83 PID 4032 wrote to memory of 4192 4032 frxlxll.exe 84 PID 4032 wrote to memory of 4192 4032 frxlxll.exe 84 PID 4032 wrote to memory of 4192 4032 frxlxll.exe 84 PID 4192 wrote to memory of 3476 4192 jdddv.exe 85 PID 4192 wrote to memory of 3476 4192 jdddv.exe 85 PID 4192 wrote to memory of 3476 4192 jdddv.exe 85 PID 3476 wrote to memory of 2756 3476 hthntb.exe 86 PID 3476 wrote to memory of 2756 3476 hthntb.exe 86 PID 3476 wrote to memory of 2756 3476 hthntb.exe 86 PID 2756 wrote to memory of 212 2756 dpvpd.exe 87 PID 2756 wrote to memory of 212 2756 dpvpd.exe 87 PID 2756 wrote to memory of 212 2756 dpvpd.exe 87 PID 212 wrote to memory of 2160 212 1xrlrxf.exe 88 PID 212 wrote to memory of 2160 212 1xrlrxf.exe 88 PID 212 wrote to memory of 2160 212 1xrlrxf.exe 88 PID 2160 wrote to memory of 2804 2160 thnhbb.exe 89 PID 2160 wrote to memory of 2804 2160 thnhbb.exe 89 PID 2160 wrote to memory of 2804 2160 thnhbb.exe 89 PID 2804 wrote to memory of 2152 2804 hbthnh.exe 90 PID 2804 wrote to memory of 2152 2804 hbthnh.exe 90 PID 2804 wrote to memory of 2152 2804 hbthnh.exe 90 PID 2152 wrote to memory of 4352 2152 jjvpp.exe 91 PID 2152 wrote to memory of 4352 2152 jjvpp.exe 91 PID 2152 wrote to memory of 4352 2152 jjvpp.exe 91 PID 4352 wrote to memory of 2924 4352 ttbtnh.exe 92 PID 4352 wrote to memory of 2924 4352 ttbtnh.exe 92 PID 4352 wrote to memory of 2924 4352 ttbtnh.exe 92 PID 2924 wrote to memory of 1116 2924 rllfxlx.exe 93 PID 2924 wrote to memory of 1116 2924 rllfxlx.exe 93 PID 2924 wrote to memory of 1116 2924 rllfxlx.exe 93 PID 1116 wrote to memory of 3304 1116 htthbn.exe 94 PID 1116 wrote to memory of 
3304 1116 htthbn.exe 94 PID 1116 wrote to memory of 3304 1116 htthbn.exe 94 PID 3304 wrote to memory of 3116 3304 7nnbnh.exe 95 PID 3304 wrote to memory of 3116 3304 7nnbnh.exe 95 PID 3304 wrote to memory of 3116 3304 7nnbnh.exe 95 PID 3116 wrote to memory of 1996 3116 dddpj.exe 96 PID 3116 wrote to memory of 1996 3116 dddpj.exe 96 PID 3116 wrote to memory of 1996 3116 dddpj.exe 96 PID 1996 wrote to memory of 3292 1996 lxrxffx.exe 97 PID 1996 wrote to memory of 3292 1996 lxrxffx.exe 97 PID 1996 wrote to memory of 3292 1996 lxrxffx.exe 97 PID 3292 wrote to memory of 3388 3292 rlrxrrl.exe 98 PID 3292 wrote to memory of 3388 3292 rlrxrrl.exe 98 PID 3292 wrote to memory of 3388 3292 rlrxrrl.exe 98 PID 3388 wrote to memory of 1936 3388 jdjvj.exe 99 PID 3388 wrote to memory of 1936 3388 jdjvj.exe 99 PID 3388 wrote to memory of 1936 3388 jdjvj.exe 99 PID 1936 wrote to memory of 4748 1936 lffxfxr.exe 100 PID 1936 wrote to memory of 4748 1936 lffxfxr.exe 100 PID 1936 wrote to memory of 4748 1936 lffxfxr.exe 100 PID 4748 wrote to memory of 3532 4748 nbtnhb.exe 101 PID 4748 wrote to memory of 3532 4748 nbtnhb.exe 101 PID 4748 wrote to memory of 3532 4748 nbtnhb.exe 101 PID 3532 wrote to memory of 948 3532 llxrxrr.exe 102 PID 3532 wrote to memory of 948 3532 llxrxrr.exe 102 PID 3532 wrote to memory of 948 3532 llxrxrr.exe 102 PID 948 wrote to memory of 3032 948 pdjdp.exe 103 PID 948 wrote to memory of 3032 948 pdjdp.exe 103 PID 948 wrote to memory of 3032 948 pdjdp.exe 103 PID 3032 wrote to memory of 4488 3032 lrfrflr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe"C:\Users\Admin\AppData\Local\Temp\c23a039393be37a4a8d4b066e0949d64b149badb94913cae6eced62ad3bbc4fd.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\frxlxll.exec:\frxlxll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\jdddv.exec:\jdddv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\hthntb.exec:\hthntb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\dpvpd.exec:\dpvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\1xrlrxf.exec:\1xrlrxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\thnhbb.exec:\thnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\hbthnh.exec:\hbthnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\jjvpp.exec:\jjvpp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152 -
\??\c:\ttbtnh.exec:\ttbtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
\??\c:\rllfxlx.exec:\rllfxlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\htthbn.exec:\htthbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\7nnbnh.exec:\7nnbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\dddpj.exec:\dddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\lxrxffx.exec:\lxrxffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\rlrxrrl.exec:\rlrxrrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292 -
\??\c:\jdjvj.exec:\jdjvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\lffxfxr.exec:\lffxfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\nbtnhb.exec:\nbtnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\llxrxrr.exec:\llxrxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
\??\c:\pdjdp.exec:\pdjdp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\lrfrflr.exec:\lrfrflr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\pdjpp.exec:\pdjpp.exe23⤵
- Executes dropped EXE
PID:4488 -
\??\c:\nbhttb.exec:\nbhttb.exe24⤵
- Executes dropped EXE
PID:4968 -
\??\c:\rflxlfr.exec:\rflxlfr.exe25⤵
- Executes dropped EXE
PID:1328 -
\??\c:\bbhntn.exec:\bbhntn.exe26⤵
- Executes dropped EXE
PID:760 -
\??\c:\7pvpj.exec:\7pvpj.exe27⤵
- Executes dropped EXE
PID:3420 -
\??\c:\rlxxlfx.exec:\rlxxlfx.exe28⤵
- Executes dropped EXE
PID:1000 -
\??\c:\5vjpd.exec:\5vjpd.exe29⤵
- Executes dropped EXE
PID:848 -
\??\c:\tbhthh.exec:\tbhthh.exe30⤵
- Executes dropped EXE
PID:2480 -
\??\c:\5vjdd.exec:\5vjdd.exe31⤵
- Executes dropped EXE
PID:1076 -
\??\c:\lffrrff.exec:\lffrrff.exe32⤵
- Executes dropped EXE
PID:3924 -
\??\c:\bnhtht.exec:\bnhtht.exe33⤵
- Executes dropped EXE
PID:5052 -
\??\c:\vjvjj.exec:\vjvjj.exe34⤵
- Executes dropped EXE
PID:5024 -
\??\c:\lrrxrlx.exec:\lrrxrlx.exe35⤵
- Executes dropped EXE
PID:2308 -
\??\c:\bnnhtn.exec:\bnnhtn.exe36⤵
- Executes dropped EXE
PID:2984 -
\??\c:\dvpdv.exec:\dvpdv.exe37⤵
- Executes dropped EXE
PID:1736 -
\??\c:\9jjvd.exec:\9jjvd.exe38⤵
- Executes dropped EXE
PID:4832 -
\??\c:\rlrfxll.exec:\rlrfxll.exe39⤵
- Executes dropped EXE
PID:3968 -
\??\c:\ttbthb.exec:\ttbthb.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4452 -
\??\c:\bbnbnb.exec:\bbnbnb.exe41⤵
- Executes dropped EXE
PID:3148 -
\??\c:\9pjdv.exec:\9pjdv.exe42⤵
- Executes dropped EXE
PID:3632 -
\??\c:\1xlfrrl.exec:\1xlfrrl.exe43⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rrrfrlx.exec:\rrrfrlx.exe44⤵
- Executes dropped EXE
PID:3480 -
\??\c:\hnnbbt.exec:\hnnbbt.exe45⤵
- Executes dropped EXE
PID:3476 -
\??\c:\pddpd.exec:\pddpd.exe46⤵
- Executes dropped EXE
PID:3656 -
\??\c:\fffrfxl.exec:\fffrfxl.exe47⤵
- Executes dropped EXE
PID:3356 -
\??\c:\hthtbt.exec:\hthtbt.exe48⤵
- Executes dropped EXE
PID:3824 -
\??\c:\bntnhb.exec:\bntnhb.exe49⤵
- Executes dropped EXE
PID:4648 -
\??\c:\1dpdp.exec:\1dpdp.exe50⤵
- Executes dropped EXE
PID:2160 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe51⤵
- Executes dropped EXE
PID:3528 -
\??\c:\fxfxlfx.exec:\fxfxlfx.exe52⤵
- Executes dropped EXE
PID:3128 -
\??\c:\tnhbnh.exec:\tnhbnh.exe53⤵
- Executes dropped EXE
PID:4228 -
\??\c:\3pjjv.exec:\3pjjv.exe54⤵
- Executes dropped EXE
PID:3428 -
\??\c:\7frfrlx.exec:\7frfrlx.exe55⤵
- Executes dropped EXE
PID:3124 -
\??\c:\9nnbtn.exec:\9nnbtn.exe56⤵
- Executes dropped EXE
PID:4864 -
\??\c:\dppdp.exec:\dppdp.exe57⤵
- Executes dropped EXE
PID:1744 -
\??\c:\pvvpp.exec:\pvvpp.exe58⤵
- Executes dropped EXE
PID:3364 -
\??\c:\lxxlfxf.exec:\lxxlfxf.exe59⤵
- Executes dropped EXE
PID:4976 -
\??\c:\bbhbtn.exec:\bbhbtn.exe60⤵
- Executes dropped EXE
PID:3288 -
\??\c:\pjpdp.exec:\pjpdp.exe61⤵
- Executes dropped EXE
PID:1796 -
\??\c:\3xrlxxr.exec:\3xrlxxr.exe62⤵
- Executes dropped EXE
PID:2952 -
\??\c:\3bhthb.exec:\3bhthb.exe63⤵
- Executes dropped EXE
PID:4396 -
\??\c:\1tbntn.exec:\1tbntn.exe64⤵
- Executes dropped EXE
PID:4708 -
\??\c:\vvdpv.exec:\vvdpv.exe65⤵
- Executes dropped EXE
PID:944 -
\??\c:\fxfrfxr.exec:\fxfrfxr.exe66⤵PID:3216
-
\??\c:\tnhhhn.exec:\tnhhhn.exe67⤵PID:224
-
\??\c:\vvvjd.exec:\vvvjd.exe68⤵PID:2568
-
\??\c:\fflfrrf.exec:\fflfrrf.exe69⤵PID:2420
-
\??\c:\bbbnbt.exec:\bbbnbt.exe70⤵
- System Location Discovery: System Language Discovery
PID:3424 -
\??\c:\pjvpv.exec:\pjvpv.exe71⤵PID:1704
-
\??\c:\jdvpd.exec:\jdvpd.exe72⤵PID:1948
-
\??\c:\xflfrrr.exec:\xflfrrr.exe73⤵PID:4956
-
\??\c:\thhtbh.exec:\thhtbh.exe74⤵PID:2340
-
\??\c:\jvdvd.exec:\jvdvd.exe75⤵PID:1808
-
\??\c:\1frlrlx.exec:\1frlrlx.exe76⤵PID:408
-
\??\c:\7tnbnh.exec:\7tnbnh.exe77⤵PID:1004
-
\??\c:\7pvpj.exec:\7pvpj.exe78⤵PID:2680
-
\??\c:\5pvpj.exec:\5pvpj.exe79⤵PID:4072
-
\??\c:\xflfrrl.exec:\xflfrrl.exe80⤵PID:4752
-
\??\c:\thnbbt.exec:\thnbbt.exe81⤵PID:1772
-
\??\c:\1dvvj.exec:\1dvvj.exe82⤵PID:3420
-
\??\c:\xlrlxxx.exec:\xlrlxxx.exe83⤵PID:4776
-
\??\c:\5xrxrlx.exec:\5xrxrlx.exe84⤵
- System Location Discovery: System Language Discovery
PID:1000 -
\??\c:\nhhbtn.exec:\nhhbtn.exe85⤵PID:1352
-
\??\c:\djjdj.exec:\djjdj.exe86⤵PID:2472
-
\??\c:\dppdp.exec:\dppdp.exe87⤵PID:2204
-
\??\c:\rllfxxr.exec:\rllfxxr.exe88⤵PID:4296
-
\??\c:\ttbnnh.exec:\ttbnnh.exe89⤵PID:1084
-
\??\c:\hththb.exec:\hththb.exe90⤵PID:380
-
\??\c:\pvvvp.exec:\pvvvp.exe91⤵PID:1784
-
\??\c:\xrlfrlf.exec:\xrlfrlf.exe92⤵PID:632
-
\??\c:\rxfrfxf.exec:\rxfrfxf.exe93⤵PID:4068
-
\??\c:\tttnbt.exec:\tttnbt.exe94⤵PID:2308
-
\??\c:\jvdpj.exec:\jvdpj.exe95⤵PID:1228
-
\??\c:\lxfxllf.exec:\lxfxllf.exe96⤵PID:3744
-
\??\c:\thhthb.exec:\thhthb.exe97⤵PID:220
-
\??\c:\tnnbnh.exec:\tnnbnh.exe98⤵PID:4312
-
\??\c:\jjjpj.exec:\jjjpj.exe99⤵PID:4088
-
\??\c:\7rrfrlx.exec:\7rrfrlx.exe100⤵PID:852
-
\??\c:\3tttbt.exec:\3tttbt.exe101⤵PID:5076
-
\??\c:\djpdv.exec:\djpdv.exe102⤵PID:1216
-
\??\c:\fllrlrf.exec:\fllrlrf.exe103⤵PID:2228
-
\??\c:\3ffrffr.exec:\3ffrffr.exe104⤵PID:2700
-
\??\c:\tbbnbn.exec:\tbbnbn.exe105⤵PID:1264
-
\??\c:\jdpdv.exec:\jdpdv.exe106⤵PID:4252
-
\??\c:\dpdvd.exec:\dpdvd.exe107⤵PID:2200
-
\??\c:\3flfrlx.exec:\3flfrlx.exe108⤵PID:3356
-
\??\c:\5bnbnh.exec:\5bnbnh.exe109⤵PID:3824
-
\??\c:\nbbthb.exec:\nbbthb.exe110⤵PID:4648
-
\??\c:\dpvjv.exec:\dpvjv.exe111⤵PID:2160
-
\??\c:\fllfxlf.exec:\fllfxlf.exe112⤵PID:4528
-
\??\c:\tnthtn.exec:\tnthtn.exe113⤵PID:3128
-
\??\c:\pjpdd.exec:\pjpdd.exe114⤵PID:1056
-
\??\c:\7fxlxrf.exec:\7fxlxrf.exe115⤵PID:2180
-
\??\c:\bbbhbt.exec:\bbbhbt.exe116⤵PID:1548
-
\??\c:\djvvj.exec:\djvvj.exe117⤵PID:4728
-
\??\c:\jjjvd.exec:\jjjvd.exe118⤵PID:3328
-
\??\c:\lxfllfr.exec:\lxfllfr.exe119⤵PID:1528
-
\??\c:\nnnbhb.exec:\nnnbhb.exe120⤵PID:5064
-
\??\c:\9nbnhb.exec:\9nbnhb.exe121⤵PID:3028
-
\??\c:\jdvvj.exec:\jdvvj.exe122⤵PID:4456
-