Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-12-2024 04:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819.exe
-
Size
454KB
-
MD5
00ebe5aa3e0cfa89b5d66da611833774
-
SHA1
03c2951df57b5427f310d4c230d0b969ed66ef1d
-
SHA256
d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819
-
SHA512
534c7935ec0847bad84d9dcbd5b8a19322ae0cd4a850cda4a7b9b07d3a5e45c5a83812b38f9a4afba2c840dca5281fd506db737ec7748587dfdbc0e55caa0ac9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAben:q7Tc2NYHUrAwfMp3CDn
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1620-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2156-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2884-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-992-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-1114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4532-1256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3024 bhhthb.exe 2256 3jjvj.exe 1460 jvpdv.exe 1756 frlxxrr.exe 4104 5tthtn.exe 2516 dppdp.exe 1344 9pdvp.exe 4192 hhnbtn.exe 760 vvjdp.exe 748 bbhthb.exe 392 nbtnhb.exe 3360 5nbthb.exe 3084 rrrfrrf.exe 220 lrxflfr.exe 2992 vdvjd.exe 3368 btnhtn.exe 4700 vjpdp.exe 4564 7rrfrfx.exe 4264 pddvv.exe 5024 dddvp.exe 2552 lfxrlfx.exe 2148 3nhnbb.exe 3016 jddpv.exe 2156 rfxlfrl.exe 2596 jvvjv.exe 2916 hhhtnh.exe 4216 xrrllfx.exe 3484 7jvpv.exe 2056 rrrlllf.exe 4356 dvdvj.exe 3168 rrlxllx.exe 1912 djvpp.exe 2064 rxrlffr.exe 4992 bbhbtt.exe 4996 pjpjj.exe 4532 flfxfff.exe 1244 hbntbn.exe 1684 vpvdv.exe 1096 fxllfff.exe 2140 7ntnhn.exe 2284 1pdvp.exe 1260 frxlxrf.exe 744 7nhbnt.exe 2876 hhhhhh.exe 4112 ppdvd.exe 4656 fllfllf.exe 1320 tttthh.exe 3232 vdppv.exe 1168 llrlxxr.exe 4420 5hhthb.exe 4972 bhnhbb.exe 3104 dvdjj.exe 4496 fffxrlf.exe 2136 ntntbb.exe 2208 jdvjp.exe 2448 rfxflxf.exe 4640 nbthbn.exe 3552 jjvpj.exe 2904 xlffrrf.exe 4852 thbbnh.exe 3272 hbhbtt.exe 2756 jddvp.exe 1536 lxxlfrl.exe 3844 hbbbtt.exe -
resource yara_rule behavioral2/memory/1620-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2596-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1748-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-611-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlffxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlfr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 3024 1620 d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819.exe 82 PID 1620 wrote to memory of 3024 1620 d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819.exe 82 PID 1620 wrote to memory of 3024 1620 d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819.exe 82 PID 3024 wrote to memory of 2256 3024 bhhthb.exe 83 PID 3024 wrote to memory of 2256 3024 bhhthb.exe 83 PID 3024 wrote to memory of 2256 3024 bhhthb.exe 83 PID 2256 wrote to memory of 1460 2256 3jjvj.exe 84 PID 2256 wrote to memory of 1460 2256 3jjvj.exe 84 PID 2256 wrote to memory of 1460 2256 3jjvj.exe 84 PID 1460 wrote to memory of 1756 1460 jvpdv.exe 85 PID 1460 wrote to memory of 1756 1460 jvpdv.exe 85 PID 1460 wrote to memory of 1756 1460 jvpdv.exe 85 PID 1756 wrote to memory of 4104 1756 frlxxrr.exe 86 PID 1756 wrote to memory of 4104 1756 frlxxrr.exe 86 PID 1756 wrote to memory of 4104 1756 frlxxrr.exe 86 PID 4104 wrote to memory of 2516 4104 5tthtn.exe 87 PID 4104 wrote to memory of 2516 4104 5tthtn.exe 87 PID 4104 wrote to memory of 2516 4104 5tthtn.exe 87 PID 2516 wrote to memory of 1344 2516 dppdp.exe 88 PID 2516 wrote to memory of 1344 2516 dppdp.exe 88 PID 2516 wrote to memory of 1344 2516 dppdp.exe 88 PID 1344 wrote to memory of 4192 1344 9pdvp.exe 89 PID 1344 wrote to memory of 4192 1344 9pdvp.exe 89 PID 1344 wrote to memory of 4192 1344 9pdvp.exe 89 PID 4192 wrote to memory of 760 4192 hhnbtn.exe 90 PID 4192 wrote to memory of 760 4192 hhnbtn.exe 90 PID 4192 wrote to memory of 760 4192 hhnbtn.exe 90 PID 760 wrote to memory of 748 760 vvjdp.exe 91 PID 760 wrote to memory of 748 760 vvjdp.exe 91 PID 760 wrote to memory of 748 760 vvjdp.exe 91 PID 748 wrote to memory of 392 748 bbhthb.exe 92 PID 748 wrote to memory of 392 748 bbhthb.exe 92 PID 748 wrote to memory of 392 748 bbhthb.exe 92 PID 392 wrote to memory of 3360 392 nbtnhb.exe 93 PID 392 wrote to memory of 3360 392 nbtnhb.exe 93 PID 
392 wrote to memory of 3360 392 nbtnhb.exe 93 PID 3360 wrote to memory of 3084 3360 5nbthb.exe 94 PID 3360 wrote to memory of 3084 3360 5nbthb.exe 94 PID 3360 wrote to memory of 3084 3360 5nbthb.exe 94 PID 3084 wrote to memory of 220 3084 rrrfrrf.exe 95 PID 3084 wrote to memory of 220 3084 rrrfrrf.exe 95 PID 3084 wrote to memory of 220 3084 rrrfrrf.exe 95 PID 220 wrote to memory of 2992 220 lrxflfr.exe 96 PID 220 wrote to memory of 2992 220 lrxflfr.exe 96 PID 220 wrote to memory of 2992 220 lrxflfr.exe 96 PID 2992 wrote to memory of 3368 2992 vdvjd.exe 97 PID 2992 wrote to memory of 3368 2992 vdvjd.exe 97 PID 2992 wrote to memory of 3368 2992 vdvjd.exe 97 PID 3368 wrote to memory of 4700 3368 btnhtn.exe 98 PID 3368 wrote to memory of 4700 3368 btnhtn.exe 98 PID 3368 wrote to memory of 4700 3368 btnhtn.exe 98 PID 4700 wrote to memory of 4564 4700 vjpdp.exe 99 PID 4700 wrote to memory of 4564 4700 vjpdp.exe 99 PID 4700 wrote to memory of 4564 4700 vjpdp.exe 99 PID 4564 wrote to memory of 4264 4564 7rrfrfx.exe 100 PID 4564 wrote to memory of 4264 4564 7rrfrfx.exe 100 PID 4564 wrote to memory of 4264 4564 7rrfrfx.exe 100 PID 4264 wrote to memory of 5024 4264 pddvv.exe 101 PID 4264 wrote to memory of 5024 4264 pddvv.exe 101 PID 4264 wrote to memory of 5024 4264 pddvv.exe 101 PID 5024 wrote to memory of 2552 5024 dddvp.exe 102 PID 5024 wrote to memory of 2552 5024 dddvp.exe 102 PID 5024 wrote to memory of 2552 5024 dddvp.exe 102 PID 2552 wrote to memory of 2148 2552 lfxrlfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819.exe"C:\Users\Admin\AppData\Local\Temp\d6c182e7bb0c8e193a6df458cb7e8ac8d0629f61f05dd4d878fe124f043d9819.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1620 -
\??\c:\bhhthb.exec:\bhhthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\3jjvj.exec:\3jjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\jvpdv.exec:\jvpdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\frlxxrr.exec:\frlxxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\5tthtn.exec:\5tthtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\dppdp.exec:\dppdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\9pdvp.exec:\9pdvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\hhnbtn.exec:\hhnbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\vvjdp.exec:\vvjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\bbhthb.exec:\bbhthb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\nbtnhb.exec:\nbtnhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:392 -
\??\c:\5nbthb.exec:\5nbthb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\rrrfrrf.exec:\rrrfrrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\lrxflfr.exec:\lrxflfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\vdvjd.exec:\vdvjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\btnhtn.exec:\btnhtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\vjpdp.exec:\vjpdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\7rrfrfx.exec:\7rrfrfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\pddvv.exec:\pddvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4264 -
\??\c:\dddvp.exec:\dddvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\3nhnbb.exec:\3nhnbb.exe23⤵
- Executes dropped EXE
PID:2148 -
\??\c:\jddpv.exec:\jddpv.exe24⤵
- Executes dropped EXE
PID:3016 -
\??\c:\rfxlfrl.exec:\rfxlfrl.exe25⤵
- Executes dropped EXE
PID:2156 -
\??\c:\jvvjv.exec:\jvvjv.exe26⤵
- Executes dropped EXE
PID:2596 -
\??\c:\hhhtnh.exec:\hhhtnh.exe27⤵
- Executes dropped EXE
PID:2916 -
\??\c:\xrrllfx.exec:\xrrllfx.exe28⤵
- Executes dropped EXE
PID:4216 -
\??\c:\7jvpv.exec:\7jvpv.exe29⤵
- Executes dropped EXE
PID:3484 -
\??\c:\rrrlllf.exec:\rrrlllf.exe30⤵
- Executes dropped EXE
PID:2056 -
\??\c:\dvdvj.exec:\dvdvj.exe31⤵
- Executes dropped EXE
PID:4356 -
\??\c:\rrlxllx.exec:\rrlxllx.exe32⤵
- Executes dropped EXE
PID:3168 -
\??\c:\djvpp.exec:\djvpp.exe33⤵
- Executes dropped EXE
PID:1912 -
\??\c:\rxrlffr.exec:\rxrlffr.exe34⤵
- Executes dropped EXE
PID:2064 -
\??\c:\bbhbtt.exec:\bbhbtt.exe35⤵
- Executes dropped EXE
PID:4992 -
\??\c:\pjpjj.exec:\pjpjj.exe36⤵
- Executes dropped EXE
PID:4996 -
\??\c:\flfxfff.exec:\flfxfff.exe37⤵
- Executes dropped EXE
PID:4532 -
\??\c:\hbntbn.exec:\hbntbn.exe38⤵
- Executes dropped EXE
PID:1244 -
\??\c:\vpvdv.exec:\vpvdv.exe39⤵
- Executes dropped EXE
PID:1684 -
\??\c:\fxllfff.exec:\fxllfff.exe40⤵
- Executes dropped EXE
PID:1096 -
\??\c:\7ntnhn.exec:\7ntnhn.exe41⤵
- Executes dropped EXE
PID:2140 -
\??\c:\1pdvp.exec:\1pdvp.exe42⤵
- Executes dropped EXE
PID:2284 -
\??\c:\frxlxrf.exec:\frxlxrf.exe43⤵
- Executes dropped EXE
PID:1260 -
\??\c:\7nhbnt.exec:\7nhbnt.exe44⤵
- Executes dropped EXE
PID:744 -
\??\c:\hhhhhh.exec:\hhhhhh.exe45⤵
- Executes dropped EXE
PID:2876 -
\??\c:\ppdvd.exec:\ppdvd.exe46⤵
- Executes dropped EXE
PID:4112 -
\??\c:\fllfllf.exec:\fllfllf.exe47⤵
- Executes dropped EXE
PID:4656 -
\??\c:\tttthh.exec:\tttthh.exe48⤵
- Executes dropped EXE
PID:1320 -
\??\c:\vdppv.exec:\vdppv.exe49⤵
- Executes dropped EXE
PID:3232 -
\??\c:\llrlxxr.exec:\llrlxxr.exe50⤵
- Executes dropped EXE
PID:1168 -
\??\c:\5hhthb.exec:\5hhthb.exe51⤵
- Executes dropped EXE
PID:4420 -
\??\c:\bhnhbb.exec:\bhnhbb.exe52⤵
- Executes dropped EXE
PID:4972 -
\??\c:\dvdjj.exec:\dvdjj.exe53⤵
- Executes dropped EXE
PID:3104 -
\??\c:\fffxrlf.exec:\fffxrlf.exe54⤵
- Executes dropped EXE
PID:4496 -
\??\c:\ntntbb.exec:\ntntbb.exe55⤵
- Executes dropped EXE
PID:2136 -
\??\c:\jdvjp.exec:\jdvjp.exe56⤵
- Executes dropped EXE
PID:2208 -
\??\c:\rfxflxf.exec:\rfxflxf.exe57⤵
- Executes dropped EXE
PID:2448 -
\??\c:\nbthbn.exec:\nbthbn.exe58⤵
- Executes dropped EXE
PID:4640 -
\??\c:\jjvpj.exec:\jjvpj.exe59⤵
- Executes dropped EXE
PID:3552 -
\??\c:\xlffrrf.exec:\xlffrrf.exe60⤵
- Executes dropped EXE
PID:2904 -
\??\c:\thbbnh.exec:\thbbnh.exe61⤵
- Executes dropped EXE
PID:4852 -
\??\c:\hbhbtt.exec:\hbhbtt.exe62⤵
- Executes dropped EXE
PID:3272 -
\??\c:\jddvp.exec:\jddvp.exe63⤵
- Executes dropped EXE
PID:2756 -
\??\c:\lxxlfrl.exec:\lxxlfrl.exe64⤵
- Executes dropped EXE
PID:1536 -
\??\c:\hbbbtt.exec:\hbbbtt.exe65⤵
- Executes dropped EXE
PID:3844 -
\??\c:\tnntnn.exec:\tnntnn.exe66⤵PID:4192
-
\??\c:\jvdvp.exec:\jvdvp.exe67⤵
- System Location Discovery: System Language Discovery
PID:4620 -
\??\c:\9llxlff.exec:\9llxlff.exe68⤵PID:640
-
\??\c:\tnnbtn.exec:\tnnbtn.exe69⤵PID:2848
-
\??\c:\jdpdp.exec:\jdpdp.exe70⤵PID:2884
-
\??\c:\xffrlfx.exec:\xffrlfx.exe71⤵PID:3116
-
\??\c:\tnbttb.exec:\tnbttb.exe72⤵PID:3180
-
\??\c:\btnbhh.exec:\btnbhh.exe73⤵PID:2936
-
\??\c:\rlfrlff.exec:\rlfrlff.exe74⤵PID:3864
-
\??\c:\xffxxxx.exec:\xffxxxx.exe75⤵PID:1144
-
\??\c:\1thhbb.exec:\1thhbb.exe76⤵PID:2468
-
\??\c:\djjdd.exec:\djjdd.exe77⤵PID:992
-
\??\c:\xrrrffx.exec:\xrrrffx.exe78⤵PID:2992
-
\??\c:\htbttt.exec:\htbttt.exe79⤵PID:4732
-
\??\c:\vjpjd.exec:\vjpjd.exe80⤵PID:552
-
\??\c:\llxrrfl.exec:\llxrrfl.exe81⤵PID:3220
-
\??\c:\tnbtnn.exec:\tnbtnn.exe82⤵PID:112
-
\??\c:\vjpjd.exec:\vjpjd.exe83⤵PID:5068
-
\??\c:\vpjjj.exec:\vpjjj.exe84⤵PID:1748
-
\??\c:\nbtnhb.exec:\nbtnhb.exe85⤵PID:4312
-
\??\c:\ppjpp.exec:\ppjpp.exe86⤵PID:4608
-
\??\c:\fxrxlxf.exec:\fxrxlxf.exe87⤵PID:2276
-
\??\c:\9hhhbt.exec:\9hhhbt.exe88⤵PID:996
-
\??\c:\vdpjd.exec:\vdpjd.exe89⤵PID:3460
-
\??\c:\xxxffll.exec:\xxxffll.exe90⤵PID:3924
-
\??\c:\lxrfxlf.exec:\lxrfxlf.exe91⤵PID:1680
-
\??\c:\bhnhbb.exec:\bhnhbb.exe92⤵PID:3828
-
\??\c:\jdpvp.exec:\jdpvp.exe93⤵PID:4676
-
\??\c:\fxrlrff.exec:\fxrlrff.exe94⤵PID:2120
-
\??\c:\1fxlxlx.exec:\1fxlxlx.exe95⤵PID:2636
-
\??\c:\5bbthb.exec:\5bbthb.exe96⤵PID:2180
-
\??\c:\pjvpd.exec:\pjvpd.exe97⤵PID:3484
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe98⤵PID:2056
-
\??\c:\hhnbnh.exec:\hhnbnh.exe99⤵PID:436
-
\??\c:\5vpjp.exec:\5vpjp.exe100⤵PID:432
-
\??\c:\vdvpj.exec:\vdvpj.exe101⤵PID:3168
-
\??\c:\5xrlrrf.exec:\5xrlrrf.exe102⤵PID:1912
-
\??\c:\5hthtt.exec:\5hthtt.exe103⤵PID:4728
-
\??\c:\vjppd.exec:\vjppd.exe104⤵PID:2660
-
\??\c:\jdvpj.exec:\jdvpj.exe105⤵PID:712
-
\??\c:\fxxlxlf.exec:\fxxlxlf.exe106⤵PID:376
-
\??\c:\nhhtnb.exec:\nhhtnb.exe107⤵PID:1724
-
\??\c:\ddjvj.exec:\ddjvj.exe108⤵PID:5060
-
\??\c:\fxlfffl.exec:\fxlfffl.exe109⤵PID:2928
-
\??\c:\btbhhh.exec:\btbhhh.exe110⤵PID:1772
-
\??\c:\pvvpd.exec:\pvvpd.exe111⤵PID:4188
-
\??\c:\llxrrll.exec:\llxrrll.exe112⤵
- System Location Discovery: System Language Discovery
PID:4940 -
\??\c:\tthtnb.exec:\tthtnb.exe113⤵PID:1260
-
\??\c:\bnhhbb.exec:\bnhhbb.exe114⤵PID:1704
-
\??\c:\jdjdv.exec:\jdjdv.exe115⤵PID:2876
-
\??\c:\xxllrrr.exec:\xxllrrr.exe116⤵PID:4388
-
\??\c:\thtnhh.exec:\thtnhh.exe117⤵PID:4400
-
\??\c:\nbntbh.exec:\nbntbh.exe118⤵PID:4304
-
\??\c:\vjdvp.exec:\vjdvp.exe119⤵PID:2312
-
\??\c:\7lrlflf.exec:\7lrlflf.exe120⤵PID:4984
-
\??\c:\tbhbnn.exec:\tbhbnn.exe121⤵PID:4516
-
\??\c:\jpddd.exec:\jpddd.exe122⤵PID:60
-