Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 02:18
Static task
static1
1 signature
Behavioral task
behavioral1 (Windows 7 run; note that the memory dumps, signature hits and process tree shown below are all tagged behavioral2 and appear to come from the Windows 10 run listed under Analysis, not from this task)
Sample
2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9.exe
-
Size
454KB
-
MD5
f5d501ea9a4d0e174bc9b0577c0b27ae
-
SHA1
058bb6836936e389187475bdbb85571ff69d4663
-
SHA256
2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9
-
SHA512
c83da3e8ae7a52664fb3ee4db12cb5352123e1df81dbb6d6cce19a59f81c5b98735bfe6ec91a836c00ae1634a72d576692ba643462a68fdbc1b52881f10b1a2a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeH:q7Tc2NYHUrAwfMp3CDH
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs — each hit is a YARA match on the dumped main-image region (0x400000–0x42A000) of a spawned process. The same regions also match the `upx` rule below, which is consistent with a UPX-packed binary whose payload only becomes identifiable after it has unpacked itself in memory. Family attribution here rests on this single rule, so treat it as a detection label rather than a confirmed lineage.
resource yara_rule behavioral2/memory/2552-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1916-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3748-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2852-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/456-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-533-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-912-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-1548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the process tree below shows the spawn chain continuing past 120 generations)
pid Process 5112 pjdvp.exe 3948 bhnhbb.exe 2064 nhtntt.exe 812 tnhbbt.exe 1320 ppvpp.exe 3644 thnbtn.exe 2300 jjjvd.exe 4584 rlfrlfx.exe 4216 nhhbtn.exe 2180 9vvpj.exe 216 dppdv.exe 440 hbbttb.exe 4248 vpddv.exe 428 1xrlflf.exe 3488 rxfxllf.exe 1352 thhnbb.exe 1448 vddvj.exe 1480 xlxxlrl.exe 2852 htnhbt.exe 1976 bbhhbt.exe 3824 ttbhnh.exe 3208 thnhbb.exe 5024 ddpjp.exe 404 btttnh.exe 2932 thttbn.exe 3228 flxfxlx.exe 1404 nbhhhb.exe 4580 jpvpd.exe 1728 jpjvd.exe 1672 thhhtt.exe 1512 htnhth.exe 3492 xrxrxxr.exe 1940 7pjdv.exe 1916 9lrfrfr.exe 2712 7frlxxr.exe 2596 htthbb.exe 4596 vpdvj.exe 3716 vvvpd.exe 2868 9xrrfff.exe 3156 bnbttt.exe 2728 djpjd.exe 2296 xxxrfxr.exe 2836 rfxrllx.exe 3748 vdvpd.exe 4528 7jdpv.exe 2268 vvpdp.exe 3092 5hhttn.exe 2028 ddpdp.exe 3312 7flfrrl.exe 2064 rrxxflr.exe 812 3rfrfrf.exe 4204 hhhtnh.exe 724 jddpp.exe 1384 5hhthh.exe 312 lflfxrx.exe 2708 bnnhbb.exe 4540 7vdpv.exe 2688 frlxxrf.exe 384 nttbbh.exe 1996 ntnbnh.exe 3444 jdvdd.exe 4844 fffxrxl.exe 440 bbnbbt.exe 2084 bhhthb.exe -
resource yara_rule behavioral2/memory/2552-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2296-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3748-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2852-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-421-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4736-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1384-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-797-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is a single registry read that benign software also performs, so on its own this is a low-fidelity indicator; the `Process not Found` entries are events the sandbox could not attribute to a live process, most likely because the short-lived child had already exited by the time the log was resolved.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (list capped at 64 entries). Every entry is a parent writing to the child it has just spawned, three times per child; this pattern is consistent with CreateProcess initialising a new process image rather than with injection into an unrelated process. The behaviour worth acting on here is the self-replicating spawn chain, not the WriteProcessMemory calls themselves.
description pid Process procid_target PID 2552 wrote to memory of 5112 2552 2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9.exe 82 PID 2552 wrote to memory of 5112 2552 2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9.exe 82 PID 2552 wrote to memory of 5112 2552 2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9.exe 82 PID 5112 wrote to memory of 3948 5112 pjdvp.exe 83 PID 5112 wrote to memory of 3948 5112 pjdvp.exe 83 PID 5112 wrote to memory of 3948 5112 pjdvp.exe 83 PID 3948 wrote to memory of 2064 3948 bhnhbb.exe 84 PID 3948 wrote to memory of 2064 3948 bhnhbb.exe 84 PID 3948 wrote to memory of 2064 3948 bhnhbb.exe 84 PID 2064 wrote to memory of 812 2064 nhtntt.exe 85 PID 2064 wrote to memory of 812 2064 nhtntt.exe 85 PID 2064 wrote to memory of 812 2064 nhtntt.exe 85 PID 812 wrote to memory of 1320 812 tnhbbt.exe 86 PID 812 wrote to memory of 1320 812 tnhbbt.exe 86 PID 812 wrote to memory of 1320 812 tnhbbt.exe 86 PID 1320 wrote to memory of 3644 1320 ppvpp.exe 87 PID 1320 wrote to memory of 3644 1320 ppvpp.exe 87 PID 1320 wrote to memory of 3644 1320 ppvpp.exe 87 PID 3644 wrote to memory of 2300 3644 thnbtn.exe 88 PID 3644 wrote to memory of 2300 3644 thnbtn.exe 88 PID 3644 wrote to memory of 2300 3644 thnbtn.exe 88 PID 2300 wrote to memory of 4584 2300 jjjvd.exe 89 PID 2300 wrote to memory of 4584 2300 jjjvd.exe 89 PID 2300 wrote to memory of 4584 2300 jjjvd.exe 89 PID 4584 wrote to memory of 4216 4584 rlfrlfx.exe 90 PID 4584 wrote to memory of 4216 4584 rlfrlfx.exe 90 PID 4584 wrote to memory of 4216 4584 rlfrlfx.exe 90 PID 4216 wrote to memory of 2180 4216 nhhbtn.exe 91 PID 4216 wrote to memory of 2180 4216 nhhbtn.exe 91 PID 4216 wrote to memory of 2180 4216 nhhbtn.exe 91 PID 2180 wrote to memory of 216 2180 9vvpj.exe 92 PID 2180 wrote to memory of 216 2180 9vvpj.exe 92 PID 2180 wrote to memory of 216 2180 9vvpj.exe 92 PID 216 wrote to memory of 440 216 dppdv.exe 93 PID 216 wrote to memory of 440 216 dppdv.exe 
93 PID 216 wrote to memory of 440 216 dppdv.exe 93 PID 440 wrote to memory of 4248 440 hbbttb.exe 94 PID 440 wrote to memory of 4248 440 hbbttb.exe 94 PID 440 wrote to memory of 4248 440 hbbttb.exe 94 PID 4248 wrote to memory of 428 4248 vpddv.exe 95 PID 4248 wrote to memory of 428 4248 vpddv.exe 95 PID 4248 wrote to memory of 428 4248 vpddv.exe 95 PID 428 wrote to memory of 3488 428 1xrlflf.exe 96 PID 428 wrote to memory of 3488 428 1xrlflf.exe 96 PID 428 wrote to memory of 3488 428 1xrlflf.exe 96 PID 3488 wrote to memory of 1352 3488 rxfxllf.exe 97 PID 3488 wrote to memory of 1352 3488 rxfxllf.exe 97 PID 3488 wrote to memory of 1352 3488 rxfxllf.exe 97 PID 1352 wrote to memory of 1448 1352 thhnbb.exe 98 PID 1352 wrote to memory of 1448 1352 thhnbb.exe 98 PID 1352 wrote to memory of 1448 1352 thhnbb.exe 98 PID 1448 wrote to memory of 1480 1448 vddvj.exe 99 PID 1448 wrote to memory of 1480 1448 vddvj.exe 99 PID 1448 wrote to memory of 1480 1448 vddvj.exe 99 PID 1480 wrote to memory of 2852 1480 xlxxlrl.exe 100 PID 1480 wrote to memory of 2852 1480 xlxxlrl.exe 100 PID 1480 wrote to memory of 2852 1480 xlxxlrl.exe 100 PID 2852 wrote to memory of 1976 2852 htnhbt.exe 101 PID 2852 wrote to memory of 1976 2852 htnhbt.exe 101 PID 2852 wrote to memory of 1976 2852 htnhbt.exe 101 PID 1976 wrote to memory of 3824 1976 bbhhbt.exe 102 PID 1976 wrote to memory of 3824 1976 bbhhbt.exe 102 PID 1976 wrote to memory of 3824 1976 bbhhbt.exe 102 PID 3824 wrote to memory of 3208 3824 ttbhnh.exe 103
Processes — a linear chain in which each dropped executable spawns exactly one successor, every one written to the root of C:\ with a short random lowercase name drawn from the letters b/d/f/h/j/l/n/p/r/t/v/x, sometimes with a leading digit (e.g. 9vvpj.exe, 3rfrfrf.exe). PIDs recur along the chain (e.g. 2064, 812, 440, 1448, 2852, 1976, 2296, 2596) because earlier links exit and their IDs are reused, so a PID alone does not identify a link; the drop location and naming pattern are the most useful hunting artefacts on this page.
-
C:\Users\Admin\AppData\Local\Temp\2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9.exe"C:\Users\Admin\AppData\Local\Temp\2f120824aba5b994224413939b621ec95585d704b3926a586a57094d82b8edf9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\pjdvp.exec:\pjdvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\bhnhbb.exec:\bhnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\nhtntt.exec:\nhtntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\tnhbbt.exec:\tnhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\ppvpp.exec:\ppvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\thnbtn.exec:\thnbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\jjjvd.exec:\jjjvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\nhhbtn.exec:\nhhbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\9vvpj.exec:\9vvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2180 -
\??\c:\dppdv.exec:\dppdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\hbbttb.exec:\hbbttb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\vpddv.exec:\vpddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\1xrlflf.exec:\1xrlflf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\rxfxllf.exec:\rxfxllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488 -
\??\c:\thhnbb.exec:\thhnbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\vddvj.exec:\vddvj.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448 -
\??\c:\xlxxlrl.exec:\xlxxlrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\htnhbt.exec:\htnhbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852 -
\??\c:\bbhhbt.exec:\bbhhbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
\??\c:\ttbhnh.exec:\ttbhnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3824 -
\??\c:\thnhbb.exec:\thnhbb.exe23⤵
- Executes dropped EXE
PID:3208 -
\??\c:\ddpjp.exec:\ddpjp.exe24⤵
- Executes dropped EXE
PID:5024 -
\??\c:\btttnh.exec:\btttnh.exe25⤵
- Executes dropped EXE
PID:404 -
\??\c:\thttbn.exec:\thttbn.exe26⤵
- Executes dropped EXE
PID:2932 -
\??\c:\flxfxlx.exec:\flxfxlx.exe27⤵
- Executes dropped EXE
PID:3228 -
\??\c:\nbhhhb.exec:\nbhhhb.exe28⤵
- Executes dropped EXE
PID:1404 -
\??\c:\jpvpd.exec:\jpvpd.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580 -
\??\c:\jpjvd.exec:\jpjvd.exe30⤵
- Executes dropped EXE
PID:1728 -
\??\c:\thhhtt.exec:\thhhtt.exe31⤵
- Executes dropped EXE
PID:1672 -
\??\c:\htnhth.exec:\htnhth.exe32⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xrxrxxr.exec:\xrxrxxr.exe33⤵
- Executes dropped EXE
PID:3492 -
\??\c:\7pjdv.exec:\7pjdv.exe34⤵
- Executes dropped EXE
PID:1940 -
\??\c:\9lrfrfr.exec:\9lrfrfr.exe35⤵
- Executes dropped EXE
PID:1916 -
\??\c:\7frlxxr.exec:\7frlxxr.exe36⤵
- Executes dropped EXE
PID:2712 -
\??\c:\htthbb.exec:\htthbb.exe37⤵
- Executes dropped EXE
PID:2596 -
\??\c:\vpdvj.exec:\vpdvj.exe38⤵
- Executes dropped EXE
PID:4596 -
\??\c:\vvvpd.exec:\vvvpd.exe39⤵
- Executes dropped EXE
PID:3716 -
\??\c:\9xrrfff.exec:\9xrrfff.exe40⤵
- Executes dropped EXE
PID:2868 -
\??\c:\bnbttt.exec:\bnbttt.exe41⤵
- Executes dropped EXE
PID:3156 -
\??\c:\djpjd.exec:\djpjd.exe42⤵
- Executes dropped EXE
PID:2728 -
\??\c:\xxxrfxr.exec:\xxxrfxr.exe43⤵
- Executes dropped EXE
PID:2296 -
\??\c:\rfxrllx.exec:\rfxrllx.exe44⤵
- Executes dropped EXE
PID:2836 -
\??\c:\vdvpd.exec:\vdvpd.exe45⤵
- Executes dropped EXE
PID:3748 -
\??\c:\7jdpv.exec:\7jdpv.exe46⤵
- Executes dropped EXE
PID:4528 -
\??\c:\vvpdp.exec:\vvpdp.exe47⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5hhttn.exec:\5hhttn.exe48⤵
- Executes dropped EXE
PID:3092 -
\??\c:\ddpdp.exec:\ddpdp.exe49⤵
- Executes dropped EXE
PID:2028 -
\??\c:\7flfrrl.exec:\7flfrrl.exe50⤵
- Executes dropped EXE
PID:3312 -
\??\c:\rrxxflr.exec:\rrxxflr.exe51⤵
- Executes dropped EXE
PID:2064 -
\??\c:\3rfrfrf.exec:\3rfrfrf.exe52⤵
- Executes dropped EXE
PID:812 -
\??\c:\hhhtnh.exec:\hhhtnh.exe53⤵
- Executes dropped EXE
PID:4204 -
\??\c:\jddpp.exec:\jddpp.exe54⤵
- Executes dropped EXE
PID:724 -
\??\c:\5hhthh.exec:\5hhthh.exe55⤵
- Executes dropped EXE
PID:1384 -
\??\c:\lflfxrx.exec:\lflfxrx.exe56⤵
- Executes dropped EXE
PID:312 -
\??\c:\bnnhbb.exec:\bnnhbb.exe57⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7vdpv.exec:\7vdpv.exe58⤵
- Executes dropped EXE
PID:4540 -
\??\c:\frlxxrf.exec:\frlxxrf.exe59⤵
- Executes dropped EXE
PID:2688 -
\??\c:\nttbbh.exec:\nttbbh.exe60⤵
- Executes dropped EXE
PID:384 -
\??\c:\ntnbnh.exec:\ntnbnh.exe61⤵
- Executes dropped EXE
PID:1996 -
\??\c:\jdvdd.exec:\jdvdd.exe62⤵
- Executes dropped EXE
PID:3444 -
\??\c:\fffxrxl.exec:\fffxrxl.exe63⤵
- Executes dropped EXE
PID:4844 -
\??\c:\bbnbbt.exec:\bbnbbt.exe64⤵
- Executes dropped EXE
PID:440 -
\??\c:\bhhthb.exec:\bhhthb.exe65⤵
- Executes dropped EXE
PID:2084 -
\??\c:\dpvjj.exec:\dpvjj.exe66⤵PID:736
-
\??\c:\xfflfrf.exec:\xfflfrf.exe67⤵PID:1232
-
\??\c:\tttbbt.exec:\tttbbt.exe68⤵PID:1824
-
\??\c:\5tthhh.exec:\5tthhh.exe69⤵PID:4612
-
\??\c:\vjdjv.exec:\vjdjv.exe70⤵PID:1448
-
\??\c:\rflfxxr.exec:\rflfxxr.exe71⤵PID:3924
-
\??\c:\ttttnn.exec:\ttttnn.exe72⤵PID:1516
-
\??\c:\dpdvp.exec:\dpdvp.exe73⤵PID:2852
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe74⤵PID:1976
-
\??\c:\htbbbb.exec:\htbbbb.exe75⤵PID:3548
-
\??\c:\3bnbtn.exec:\3bnbtn.exe76⤵PID:1364
-
\??\c:\djjjd.exec:\djjjd.exe77⤵PID:1776
-
\??\c:\7rxxrfx.exec:\7rxxrfx.exe78⤵PID:920
-
\??\c:\ntbbnh.exec:\ntbbnh.exe79⤵PID:4920
-
\??\c:\ppvjp.exec:\ppvjp.exe80⤵PID:456
-
\??\c:\jpdjp.exec:\jpdjp.exe81⤵PID:3076
-
\??\c:\3rlxfff.exec:\3rlxfff.exe82⤵PID:4192
-
\??\c:\3ththb.exec:\3ththb.exe83⤵PID:4456
-
\??\c:\9vvpd.exec:\9vvpd.exe84⤵PID:468
-
\??\c:\1fxlfff.exec:\1fxlfff.exe85⤵PID:5064
-
\??\c:\rfffxxx.exec:\rfffxxx.exe86⤵PID:3348
-
\??\c:\3tthth.exec:\3tthth.exe87⤵PID:4284
-
\??\c:\jpjvj.exec:\jpjvj.exe88⤵PID:3480
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe89⤵PID:1560
-
\??\c:\hthhbb.exec:\hthhbb.exe90⤵PID:668
-
\??\c:\ddjdv.exec:\ddjdv.exe91⤵PID:1540
-
\??\c:\5fffxxr.exec:\5fffxxr.exe92⤵PID:5016
-
\??\c:\1rllxxl.exec:\1rllxxl.exe93⤵PID:2304
-
\??\c:\btnnhh.exec:\btnnhh.exe94⤵PID:2596
-
\??\c:\5vvpj.exec:\5vvpj.exe95⤵PID:2144
-
\??\c:\3vvjv.exec:\3vvjv.exe96⤵PID:4012
-
\??\c:\flrrfxr.exec:\flrrfxr.exe97⤵PID:4808
-
\??\c:\hnhhtn.exec:\hnhhtn.exe98⤵PID:3692
-
\??\c:\nhhtbt.exec:\nhhtbt.exe99⤵PID:2636
-
\??\c:\vpjvj.exec:\vpjvj.exe100⤵PID:2296
-
\??\c:\xrfxxll.exec:\xrfxxll.exe101⤵PID:4624
-
\??\c:\tbhbtt.exec:\tbhbtt.exe102⤵PID:4448
-
\??\c:\7vvpd.exec:\7vvpd.exe103⤵PID:2640
-
\??\c:\fllflfx.exec:\fllflfx.exe104⤵PID:948
-
\??\c:\frfrlxr.exec:\frfrlxr.exe105⤵PID:4736
-
\??\c:\3thtbt.exec:\3thtbt.exe106⤵PID:1152
-
\??\c:\jdjdv.exec:\jdjdv.exe107⤵PID:1604
-
\??\c:\rxxlrfx.exec:\rxxlrfx.exe108⤵PID:3232
-
\??\c:\bttntn.exec:\bttntn.exe109⤵PID:4604
-
\??\c:\tnnnhb.exec:\tnnnhb.exe110⤵PID:3540
-
\??\c:\dpjdp.exec:\dpjdp.exe111⤵PID:3980
-
\??\c:\flffrlf.exec:\flffrlf.exe112⤵PID:3520
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe113⤵PID:3664
-
\??\c:\htbthb.exec:\htbthb.exe114⤵PID:1328
-
\??\c:\pdvjv.exec:\pdvjv.exe115⤵PID:4300
-
\??\c:\pdvpj.exec:\pdvpj.exe116⤵PID:4312
-
\??\c:\9rrflrf.exec:\9rrflrf.exe117⤵PID:2060
-
\??\c:\nhbnbn.exec:\nhbnbn.exe118⤵PID:892
-
\??\c:\pjjdv.exec:\pjjdv.exe119⤵PID:4980
-
\??\c:\flfrfxr.exec:\flfrfxr.exe120⤵PID:4224
-
\??\c:\bthbtn.exec:\bthbtn.exe121⤵PID:816
-
\??\c:\bbbnhb.exec:\bbbnhb.exe122⤵PID:440