Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
01-11-2024 14:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be.exe
-
Size
454KB
-
MD5
2ead9362f78325ac9d76078961857d83
-
SHA1
3519bf3329eab134dcd4a474e56032914af2b2ff
-
SHA256
8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be
-
SHA512
02739b5a699c51a3aef45bb7b1f3aec92b3000700296dc092a33805396c7f5600872ab1cdf696d15e50321c46bd7b5b9131700ecd6c35ac1ce036df544254d23
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4244-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2572-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2572-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-581-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-998-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4244 hhntbn.exe 392 jdppv.exe 412 rrfxlrx.exe 1916 bbhbht.exe 1624 dpjpd.exe 4964 rrrllff.exe 5008 pddjp.exe 1088 xlffxlx.exe 1328 nthtth.exe 1720 jdjvv.exe 3968 rffllfx.exe 1020 bhtbhn.exe 5036 ffflrfl.exe 4772 ththht.exe 4460 dppvv.exe 4024 htnthn.exe 4208 ppjpd.exe 2196 xxxxflr.exe 4684 dvvvd.exe 1360 rxrffrr.exe 2572 dvdjj.exe 3740 vdvdj.exe 4516 tbhnnn.exe 5056 ddpvd.exe 3004 bthhbh.exe 688 jjdpd.exe 4064 rrrrlll.exe 1540 nhntbh.exe 3912 frlxfxf.exe 1072 ppjpp.exe 2644 ththhh.exe 4188 lrffrff.exe 3536 bbbtnt.exe 4432 pdpjd.exe 2996 rrrlxlx.exe 4736 3tthbt.exe 3796 dddpp.exe 3504 nbhhbb.exe 4764 ddvvv.exe 3236 nhhnhn.exe 844 jdvpj.exe 2156 lxxllfr.exe 4916 bthttt.exe 1432 htnnht.exe 2836 dppvp.exe 1336 fflffll.exe 1956 1tbtnt.exe 4556 5dpdj.exe 3872 ppjvj.exe 4524 rllxllx.exe 3164 tnntnb.exe 1900 dvjpp.exe 4884 rfxxxff.exe 1020 nnbntn.exe 1816 pvppp.exe 1700 rlxlxfx.exe 3672 pppjd.exe 4460 rxfxrlf.exe 2960 tnttbh.exe 4252 djjjj.exe 1712 xxrrrlf.exe 2304 nntnhh.exe 4840 bhtbhh.exe 2572 rxxrfxr.exe -
resource yara_rule behavioral2/memory/4244-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-126-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3004-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/844-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-331-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4000-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-581-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthtth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 4244 1500 8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be.exe 84 PID 1500 wrote to memory of 4244 1500 8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be.exe 84 PID 1500 wrote to memory of 4244 1500 8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be.exe 84 PID 4244 wrote to memory of 392 4244 hhntbn.exe 85 PID 4244 wrote to memory of 392 4244 hhntbn.exe 85 PID 4244 wrote to memory of 392 4244 hhntbn.exe 85 PID 392 wrote to memory of 412 392 jdppv.exe 86 PID 392 wrote to memory of 412 392 jdppv.exe 86 PID 392 wrote to memory of 412 392 jdppv.exe 86 PID 412 wrote to memory of 1916 412 rrfxlrx.exe 87 PID 412 wrote to memory of 1916 412 rrfxlrx.exe 87 PID 412 wrote to memory of 1916 412 rrfxlrx.exe 87 PID 1916 wrote to memory of 1624 1916 bbhbht.exe 88 PID 1916 wrote to memory of 1624 1916 bbhbht.exe 88 PID 1916 wrote to memory of 1624 1916 bbhbht.exe 88 PID 1624 wrote to memory of 4964 1624 dpjpd.exe 89 PID 1624 wrote to memory of 4964 1624 dpjpd.exe 89 PID 1624 wrote to memory of 4964 1624 dpjpd.exe 89 PID 4964 wrote to memory of 5008 4964 rrrllff.exe 90 PID 4964 wrote to memory of 5008 4964 rrrllff.exe 90 PID 4964 wrote to memory of 5008 4964 rrrllff.exe 90 PID 5008 wrote to memory of 1088 5008 pddjp.exe 91 PID 5008 wrote to memory of 1088 5008 pddjp.exe 91 PID 5008 wrote to memory of 1088 5008 pddjp.exe 91 PID 1088 wrote to memory of 1328 1088 xlffxlx.exe 92 PID 1088 wrote to memory of 1328 1088 xlffxlx.exe 92 PID 1088 wrote to memory of 1328 1088 xlffxlx.exe 92 PID 1328 wrote to memory of 1720 1328 nthtth.exe 93 PID 1328 wrote to memory of 1720 1328 nthtth.exe 93 PID 1328 wrote to memory of 1720 1328 nthtth.exe 93 PID 1720 wrote to memory of 3968 1720 jdjvv.exe 94 PID 1720 wrote to memory of 3968 1720 jdjvv.exe 94 PID 1720 wrote to memory of 3968 1720 jdjvv.exe 94 PID 3968 wrote to memory of 1020 3968 rffllfx.exe 95 PID 3968 wrote to memory of 1020 3968 
rffllfx.exe 95 PID 3968 wrote to memory of 1020 3968 rffllfx.exe 95 PID 1020 wrote to memory of 5036 1020 bhtbhn.exe 96 PID 1020 wrote to memory of 5036 1020 bhtbhn.exe 96 PID 1020 wrote to memory of 5036 1020 bhtbhn.exe 96 PID 5036 wrote to memory of 4772 5036 ffflrfl.exe 97 PID 5036 wrote to memory of 4772 5036 ffflrfl.exe 97 PID 5036 wrote to memory of 4772 5036 ffflrfl.exe 97 PID 4772 wrote to memory of 4460 4772 ththht.exe 99 PID 4772 wrote to memory of 4460 4772 ththht.exe 99 PID 4772 wrote to memory of 4460 4772 ththht.exe 99 PID 4460 wrote to memory of 4024 4460 dppvv.exe 100 PID 4460 wrote to memory of 4024 4460 dppvv.exe 100 PID 4460 wrote to memory of 4024 4460 dppvv.exe 100 PID 4024 wrote to memory of 4208 4024 htnthn.exe 101 PID 4024 wrote to memory of 4208 4024 htnthn.exe 101 PID 4024 wrote to memory of 4208 4024 htnthn.exe 101 PID 4208 wrote to memory of 2196 4208 ppjpd.exe 102 PID 4208 wrote to memory of 2196 4208 ppjpd.exe 102 PID 4208 wrote to memory of 2196 4208 ppjpd.exe 102 PID 2196 wrote to memory of 4684 2196 xxxxflr.exe 103 PID 2196 wrote to memory of 4684 2196 xxxxflr.exe 103 PID 2196 wrote to memory of 4684 2196 xxxxflr.exe 103 PID 4684 wrote to memory of 1360 4684 dvvvd.exe 104 PID 4684 wrote to memory of 1360 4684 dvvvd.exe 104 PID 4684 wrote to memory of 1360 4684 dvvvd.exe 104 PID 1360 wrote to memory of 2572 1360 rxrffrr.exe 105 PID 1360 wrote to memory of 2572 1360 rxrffrr.exe 105 PID 1360 wrote to memory of 2572 1360 rxrffrr.exe 105 PID 2572 wrote to memory of 3740 2572 dvdjj.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be.exe"C:\Users\Admin\AppData\Local\Temp\8e024154f71481cf7e674012754362178903ac682f3ca721dad1998a267725be.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\hhntbn.exec:\hhntbn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\jdppv.exec:\jdppv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\rrfxlrx.exec:\rrfxlrx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\bbhbht.exec:\bbhbht.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\dpjpd.exec:\dpjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\rrrllff.exec:\rrrllff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\pddjp.exec:\pddjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\xlffxlx.exec:\xlffxlx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\nthtth.exec:\nthtth.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\jdjvv.exec:\jdjvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\rffllfx.exec:\rffllfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\bhtbhn.exec:\bhtbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\ffflrfl.exec:\ffflrfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\ththht.exec:\ththht.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\dppvv.exec:\dppvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\htnthn.exec:\htnthn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\ppjpd.exec:\ppjpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\xxxxflr.exec:\xxxxflr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\dvvvd.exec:\dvvvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\rxrffrr.exec:\rxrffrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\dvdjj.exec:\dvdjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\vdvdj.exec:\vdvdj.exe23⤵
- Executes dropped EXE
PID:3740 -
\??\c:\tbhnnn.exec:\tbhnnn.exe24⤵
- Executes dropped EXE
PID:4516 -
\??\c:\ddpvd.exec:\ddpvd.exe25⤵
- Executes dropped EXE
PID:5056 -
\??\c:\bthhbh.exec:\bthhbh.exe26⤵
- Executes dropped EXE
PID:3004 -
\??\c:\jjdpd.exec:\jjdpd.exe27⤵
- Executes dropped EXE
PID:688 -
\??\c:\rrrrlll.exec:\rrrrlll.exe28⤵
- Executes dropped EXE
PID:4064 -
\??\c:\nhntbh.exec:\nhntbh.exe29⤵
- Executes dropped EXE
PID:1540 -
\??\c:\frlxfxf.exec:\frlxfxf.exe30⤵
- Executes dropped EXE
PID:3912 -
\??\c:\ppjpp.exec:\ppjpp.exe31⤵
- Executes dropped EXE
PID:1072 -
\??\c:\ththhh.exec:\ththhh.exe32⤵
- Executes dropped EXE
PID:2644 -
\??\c:\lrffrff.exec:\lrffrff.exe33⤵
- Executes dropped EXE
PID:4188 -
\??\c:\bbbtnt.exec:\bbbtnt.exe34⤵
- Executes dropped EXE
PID:3536 -
\??\c:\pdpjd.exec:\pdpjd.exe35⤵
- Executes dropped EXE
PID:4432 -
\??\c:\rrrlxlx.exec:\rrrlxlx.exe36⤵
- Executes dropped EXE
PID:2996 -
\??\c:\3tthbt.exec:\3tthbt.exe37⤵
- Executes dropped EXE
PID:4736 -
\??\c:\dddpp.exec:\dddpp.exe38⤵
- Executes dropped EXE
PID:3796 -
\??\c:\lxlrxfl.exec:\lxlrxfl.exe39⤵PID:720
-
\??\c:\nbhhbb.exec:\nbhhbb.exe40⤵
- Executes dropped EXE
PID:3504 -
\??\c:\ddvvv.exec:\ddvvv.exe41⤵
- Executes dropped EXE
PID:4764 -
\??\c:\nhhnhn.exec:\nhhnhn.exe42⤵
- Executes dropped EXE
PID:3236 -
\??\c:\jdvpj.exec:\jdvpj.exe43⤵
- Executes dropped EXE
PID:844 -
\??\c:\lxxllfr.exec:\lxxllfr.exe44⤵
- Executes dropped EXE
PID:2156 -
\??\c:\bthttt.exec:\bthttt.exe45⤵
- Executes dropped EXE
PID:4916 -
\??\c:\htnnht.exec:\htnnht.exe46⤵
- Executes dropped EXE
PID:1432 -
\??\c:\dppvp.exec:\dppvp.exe47⤵
- Executes dropped EXE
PID:2836 -
\??\c:\fflffll.exec:\fflffll.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336 -
\??\c:\1tbtnt.exec:\1tbtnt.exe49⤵
- Executes dropped EXE
PID:1956 -
\??\c:\5dpdj.exec:\5dpdj.exe50⤵
- Executes dropped EXE
PID:4556 -
\??\c:\ppjvj.exec:\ppjvj.exe51⤵
- Executes dropped EXE
PID:3872 -
\??\c:\rllxllx.exec:\rllxllx.exe52⤵
- Executes dropped EXE
PID:4524 -
\??\c:\tnntnb.exec:\tnntnb.exe53⤵
- Executes dropped EXE
PID:3164 -
\??\c:\dvjpp.exec:\dvjpp.exe54⤵
- Executes dropped EXE
PID:1900 -
\??\c:\rfxxxff.exec:\rfxxxff.exe55⤵
- Executes dropped EXE
PID:4884 -
\??\c:\nnbntn.exec:\nnbntn.exe56⤵
- Executes dropped EXE
PID:1020 -
\??\c:\pvppp.exec:\pvppp.exe57⤵
- Executes dropped EXE
PID:1816 -
\??\c:\rlxlxfx.exec:\rlxlxfx.exe58⤵
- Executes dropped EXE
PID:1700 -
\??\c:\pppjd.exec:\pppjd.exe59⤵
- Executes dropped EXE
PID:3672 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe60⤵
- Executes dropped EXE
PID:4460 -
\??\c:\tnttbh.exec:\tnttbh.exe61⤵
- Executes dropped EXE
PID:2960 -
\??\c:\djjjj.exec:\djjjj.exe62⤵
- Executes dropped EXE
PID:4252 -
\??\c:\xxrrrlf.exec:\xxrrrlf.exe63⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nntnhh.exec:\nntnhh.exe64⤵
- Executes dropped EXE
PID:2304 -
\??\c:\bhtbhh.exec:\bhtbhh.exe65⤵
- Executes dropped EXE
PID:4840 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe66⤵
- Executes dropped EXE
PID:2572 -
\??\c:\ttbtbt.exec:\ttbtbt.exe67⤵PID:936
-
\??\c:\dddpj.exec:\dddpj.exe68⤵PID:2488
-
\??\c:\vvpjv.exec:\vvpjv.exe69⤵PID:1636
-
\??\c:\lrlfxfl.exec:\lrlfxfl.exe70⤵PID:3152
-
\??\c:\htttnn.exec:\htttnn.exe71⤵PID:4020
-
\??\c:\jvdvp.exec:\jvdvp.exe72⤵PID:4284
-
\??\c:\xfllfxx.exec:\xfllfxx.exe73⤵PID:4796
-
\??\c:\hnhnnh.exec:\hnhnnh.exe74⤵PID:2516
-
\??\c:\jvdvp.exec:\jvdvp.exe75⤵PID:960
-
\??\c:\rlxfxfx.exec:\rlxfxfx.exe76⤵PID:4000
-
\??\c:\tbnntt.exec:\tbnntt.exe77⤵PID:2440
-
\??\c:\5djjd.exec:\5djjd.exe78⤵PID:972
-
\??\c:\jvvjj.exec:\jvvjj.exe79⤵PID:3912
-
\??\c:\rfxrfxf.exec:\rfxrfxf.exe80⤵PID:4144
-
\??\c:\httnhh.exec:\httnhh.exe81⤵PID:1748
-
\??\c:\ddpjj.exec:\ddpjj.exe82⤵PID:3404
-
\??\c:\jjdjd.exec:\jjdjd.exe83⤵PID:3396
-
\??\c:\rllxfxr.exec:\rllxfxr.exe84⤵PID:3536
-
\??\c:\bhhbnb.exec:\bhhbnb.exe85⤵PID:4932
-
\??\c:\vpvpv.exec:\vpvpv.exe86⤵PID:4552
-
\??\c:\llxxlrf.exec:\llxxlrf.exe87⤵PID:4388
-
\??\c:\lffrrrl.exec:\lffrrrl.exe88⤵PID:3616
-
\??\c:\thhnhb.exec:\thhnhb.exe89⤵PID:4764
-
\??\c:\dvvpp.exec:\dvvpp.exe90⤵PID:412
-
\??\c:\xxrfxlf.exec:\xxrfxlf.exe91⤵PID:1908
-
\??\c:\nttthb.exec:\nttthb.exe92⤵PID:3720
-
\??\c:\pvvjp.exec:\pvvjp.exe93⤵PID:2836
-
\??\c:\xxlfrrl.exec:\xxlfrrl.exe94⤵PID:680
-
\??\c:\ntbtht.exec:\ntbtht.exe95⤵PID:3916
-
\??\c:\tbnbbb.exec:\tbnbbb.exe96⤵PID:1720
-
\??\c:\pdddp.exec:\pdddp.exe97⤵PID:3968
-
\??\c:\xxxrlrf.exec:\xxxrlrf.exe98⤵PID:4472
-
\??\c:\hnbttn.exec:\hnbttn.exe99⤵PID:2052
-
\??\c:\pddvj.exec:\pddvj.exe100⤵PID:4772
-
\??\c:\rlrxlrx.exec:\rlrxlrx.exe101⤵PID:1616
-
\??\c:\bhtnbt.exec:\bhtnbt.exe102⤵PID:4460
-
\??\c:\dpvpj.exec:\dpvpj.exe103⤵PID:2960
-
\??\c:\xfrrfxr.exec:\xfrrfxr.exe104⤵PID:4540
-
\??\c:\nhnhhh.exec:\nhnhhh.exe105⤵PID:1712
-
\??\c:\tbbtbb.exec:\tbbtbb.exe106⤵PID:4948
-
\??\c:\pdjpv.exec:\pdjpv.exe107⤵PID:1548
-
\??\c:\flxxrrx.exec:\flxxrrx.exe108⤵PID:5064
-
\??\c:\bnbhht.exec:\bnbhht.exe109⤵PID:4364
-
\??\c:\dvpjp.exec:\dvpjp.exe110⤵PID:2616
-
\??\c:\lrflfff.exec:\lrflfff.exe111⤵PID:5056
-
\??\c:\nntnhb.exec:\nntnhb.exe112⤵PID:2216
-
\??\c:\3jdpj.exec:\3jdpj.exe113⤵PID:4020
-
\??\c:\7xxrrrl.exec:\7xxrrrl.exe114⤵PID:4284
-
\??\c:\1tnbtt.exec:\1tnbtt.exe115⤵PID:404
-
\??\c:\vpvjv.exec:\vpvjv.exe116⤵PID:1436
-
\??\c:\9vdpj.exec:\9vdpj.exe117⤵PID:1812
-
\??\c:\rlxxrrr.exec:\rlxxrrr.exe118⤵PID:1892
-
\??\c:\tntbbb.exec:\tntbbb.exe119⤵PID:4480
-
\??\c:\pvpjp.exec:\pvpjp.exe120⤵PID:3160
-
\??\c:\lxllrrf.exec:\lxllrrf.exe121⤵PID:3912
-
\??\c:\btbhht.exec:\btbhht.exe122⤵PID:904