Analysis
max time kernel
120s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 09:59
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
Target
1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8.exe
Size
456KB
MD5
c8e9da04487de43cd92ef3afc0a5573a
SHA1
917dffbce31082a5a4b9379adf27598bf2e0d805
SHA256
1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8
SHA512
052659d83daef2199e58adfb66aa01cfa74702872eac2a612cec51fc15df7174137169f4e405a6aa8985c724845349c5afb56bad14859a32a850d93060a14260
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbep:q7Tc2NYHUrAwfMp3CDp
Malware Config — no extracted configuration entries are shown for this sample in this report
Signatures — the IoCs below come from the behavioral2 run (Windows 10 2004 x64), as the `behavioral2/memory/…` resource paths show; they do not describe the behavioral1 (Windows 7) task listed above
Blackmoon family
Detect Blackmoon payload — 64 IoCs (the report lists at most 64 entries per signature, so this is a cap, not a total). Every entry is the same in-memory image region, 0x0000000000400000–0x000000000042A000, hit once per process in the spawn chain (a few PIDs recur because they were recycled), so the count reflects the length of the process chain rather than distinct payloads. The same region also matches the unlabeled `upx` yara rule list further down, i.e. the family rule fires on the unpacked image of a UPX-packed binary.
resource yara_rule behavioral2/memory/696-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3940-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/8-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/636-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-740-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-916-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-1024-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-1270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-1671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4644-1810-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (list capped at 64; the process tree below continues well past that). Each dropped binary is written to the volume root as `c:\<random-letter name>.exe` and immediately spawns the next one, which is a usable hunting pattern on its own (executables created directly under the drive root, short names drawn from a small alphabet). Several PIDs recur within this list (3624 for both tnnntt.exe and rrrlxlf.exe, 4280 for vvvdv.exe and 1rrlffx.exe, 1728 for vdppv.exe and dvjdd.exe), meaning earlier processes had exited and their PIDs were reused — correlate on PID plus image name and start time, never on PID alone.
pid Process 1052 nthhbb.exe 3084 btnhbb.exe 3548 rlrxxrl.exe 708 bnbbbb.exe 1028 jvdvp.exe 1188 llrrrxx.exe 1032 hbhbtn.exe 3624 tnnntt.exe 1796 jvjdv.exe 3396 xxrlfll.exe 4280 vvvdv.exe 1616 nnnntt.exe 3148 3hnnnn.exe 2444 7jpjd.exe 4912 fffxxrr.exe 1728 vdppv.exe 2900 7flfxxr.exe 2856 1hbtnn.exe 5052 7djdj.exe 1544 lflffff.exe 3880 nbnnhh.exe 2020 vpddv.exe 3940 3lffxfr.exe 736 rrfxrrl.exe 3236 xxllxrf.exe 3996 bbbbth.exe 3876 ffllrxx.exe 2476 bbbbhn.exe 888 pddjd.exe 2348 pvjvp.exe 3848 1rfxrrl.exe 4152 ffrlxxr.exe 1856 vpjjd.exe 1412 lxlfxrl.exe 392 vpdpd.exe 2880 rfxrlll.exe 2424 jppvv.exe 2844 xlrlfxr.exe 3516 thtttt.exe 3928 djjdd.exe 4872 9xrlxxr.exe 4348 lffxrrl.exe 4468 5tnhnn.exe 4436 vpdjj.exe 1788 1llxlll.exe 2344 hbhbbb.exe 1340 vvdjp.exe 4996 djvpj.exe 3624 rrrlxlf.exe 2744 thtbnb.exe 3596 jjdvp.exe 3932 dvvpj.exe 4280 1rrlffx.exe 1624 1hnhhh.exe 2096 dpppj.exe 2500 rfrlllr.exe 1952 lxfxrxr.exe 4076 nhbtnn.exe 5112 jpdpp.exe 1728 dvjdd.exe 2316 lfxrlll.exe 1392 bttnhh.exe 1324 jddjp.exe 1532 ddddd.exe -
resource yara_rule behavioral2/memory/696-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2856-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3236-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-425-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3904-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-740-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-906-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-916-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-956-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-987-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP, 64 IoCs (list capped at 64)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: the only evidence here is opens of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`, a key that a great deal of legitimate software also reads, so on its own this is a weak indicator and should be weighted accordingly. Entries attributed to "Process not Found" are reads the sandbox could not tie to a named process (presumably because the process had already exited by the time the event was resolved — not verifiable from this page).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9btnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xffffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhnnb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (list capped at 64). Every entry is a parent writing into the child it has just spawned — PID 696 (the original sample) writes three times into PID 1052 nthhbb.exe, which does the same to PID 3084 btnhbb.exe, and so on — so the write chain mirrors the process tree below. Whether these writes carry an injected payload or are only the generic parent→child activity this signature also fires on cannot be determined from this page; confirm against the memory dumps before classifying it as process injection.
description pid Process procid_target PID 696 wrote to memory of 1052 696 1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8.exe 82 PID 696 wrote to memory of 1052 696 1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8.exe 82 PID 696 wrote to memory of 1052 696 1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8.exe 82 PID 1052 wrote to memory of 3084 1052 nthhbb.exe 83 PID 1052 wrote to memory of 3084 1052 nthhbb.exe 83 PID 1052 wrote to memory of 3084 1052 nthhbb.exe 83 PID 3084 wrote to memory of 3548 3084 btnhbb.exe 84 PID 3084 wrote to memory of 3548 3084 btnhbb.exe 84 PID 3084 wrote to memory of 3548 3084 btnhbb.exe 84 PID 3548 wrote to memory of 708 3548 rlrxxrl.exe 85 PID 3548 wrote to memory of 708 3548 rlrxxrl.exe 85 PID 3548 wrote to memory of 708 3548 rlrxxrl.exe 85 PID 708 wrote to memory of 1028 708 bnbbbb.exe 86 PID 708 wrote to memory of 1028 708 bnbbbb.exe 86 PID 708 wrote to memory of 1028 708 bnbbbb.exe 86 PID 1028 wrote to memory of 1188 1028 jvdvp.exe 87 PID 1028 wrote to memory of 1188 1028 jvdvp.exe 87 PID 1028 wrote to memory of 1188 1028 jvdvp.exe 87 PID 1188 wrote to memory of 1032 1188 llrrrxx.exe 88 PID 1188 wrote to memory of 1032 1188 llrrrxx.exe 88 PID 1188 wrote to memory of 1032 1188 llrrrxx.exe 88 PID 1032 wrote to memory of 3624 1032 hbhbtn.exe 89 PID 1032 wrote to memory of 3624 1032 hbhbtn.exe 89 PID 1032 wrote to memory of 3624 1032 hbhbtn.exe 89 PID 3624 wrote to memory of 1796 3624 tnnntt.exe 90 PID 3624 wrote to memory of 1796 3624 tnnntt.exe 90 PID 3624 wrote to memory of 1796 3624 tnnntt.exe 90 PID 1796 wrote to memory of 3396 1796 jvjdv.exe 91 PID 1796 wrote to memory of 3396 1796 jvjdv.exe 91 PID 1796 wrote to memory of 3396 1796 jvjdv.exe 91 PID 3396 wrote to memory of 4280 3396 xxrlfll.exe 92 PID 3396 wrote to memory of 4280 3396 xxrlfll.exe 92 PID 3396 wrote to memory of 4280 3396 xxrlfll.exe 92 PID 4280 wrote to memory of 1616 4280 vvvdv.exe 93 PID 4280 wrote to memory of 1616 
4280 vvvdv.exe 93 PID 4280 wrote to memory of 1616 4280 vvvdv.exe 93 PID 1616 wrote to memory of 3148 1616 nnnntt.exe 94 PID 1616 wrote to memory of 3148 1616 nnnntt.exe 94 PID 1616 wrote to memory of 3148 1616 nnnntt.exe 94 PID 3148 wrote to memory of 2444 3148 3hnnnn.exe 95 PID 3148 wrote to memory of 2444 3148 3hnnnn.exe 95 PID 3148 wrote to memory of 2444 3148 3hnnnn.exe 95 PID 2444 wrote to memory of 4912 2444 7jpjd.exe 96 PID 2444 wrote to memory of 4912 2444 7jpjd.exe 96 PID 2444 wrote to memory of 4912 2444 7jpjd.exe 96 PID 4912 wrote to memory of 1728 4912 fffxxrr.exe 97 PID 4912 wrote to memory of 1728 4912 fffxxrr.exe 97 PID 4912 wrote to memory of 1728 4912 fffxxrr.exe 97 PID 1728 wrote to memory of 2900 1728 vdppv.exe 98 PID 1728 wrote to memory of 2900 1728 vdppv.exe 98 PID 1728 wrote to memory of 2900 1728 vdppv.exe 98 PID 2900 wrote to memory of 2856 2900 7flfxxr.exe 99 PID 2900 wrote to memory of 2856 2900 7flfxxr.exe 99 PID 2900 wrote to memory of 2856 2900 7flfxxr.exe 99 PID 2856 wrote to memory of 5052 2856 1hbtnn.exe 100 PID 2856 wrote to memory of 5052 2856 1hbtnn.exe 100 PID 2856 wrote to memory of 5052 2856 1hbtnn.exe 100 PID 5052 wrote to memory of 1544 5052 7djdj.exe 101 PID 5052 wrote to memory of 1544 5052 7djdj.exe 101 PID 5052 wrote to memory of 1544 5052 7djdj.exe 101 PID 1544 wrote to memory of 3880 1544 lflffff.exe 102 PID 1544 wrote to memory of 3880 1544 lflffff.exe 102 PID 1544 wrote to memory of 3880 1544 lflffff.exe 102 PID 3880 wrote to memory of 2020 3880 nbnnhh.exe 103
Processes
C:\Users\Admin\AppData\Local\Temp\1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8.exe"C:\Users\Admin\AppData\Local\Temp\1fc546e2921566b68c669bbc16ac718d37d0fabee83f906555f1f5979e639eb8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\nthhbb.exec:\nthhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\btnhbb.exec:\btnhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\rlrxxrl.exec:\rlrxxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548 -
\??\c:\bnbbbb.exec:\bnbbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\jvdvp.exec:\jvdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1028 -
\??\c:\llrrrxx.exec:\llrrrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
\??\c:\hbhbtn.exec:\hbhbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\tnnntt.exec:\tnnntt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
\??\c:\jvjdv.exec:\jvjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\xxrlfll.exec:\xxrlfll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\vvvdv.exec:\vvvdv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\nnnntt.exec:\nnnntt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\3hnnnn.exec:\3hnnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\7jpjd.exec:\7jpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\fffxxrr.exec:\fffxxrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\vdppv.exec:\vdppv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\7flfxxr.exec:\7flfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\1hbtnn.exec:\1hbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
\??\c:\7djdj.exec:\7djdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\lflffff.exec:\lflffff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\nbnnhh.exec:\nbnnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\vpddv.exec:\vpddv.exe23⤵
- Executes dropped EXE
PID:2020 -
\??\c:\3lffxfr.exec:\3lffxfr.exe24⤵
- Executes dropped EXE
PID:3940 -
\??\c:\rrfxrrl.exec:\rrfxrrl.exe25⤵
- Executes dropped EXE
PID:736 -
\??\c:\xxllxrf.exec:\xxllxrf.exe26⤵
- Executes dropped EXE
PID:3236 -
\??\c:\bbbbth.exec:\bbbbth.exe27⤵
- Executes dropped EXE
PID:3996 -
\??\c:\ffllrxx.exec:\ffllrxx.exe28⤵
- Executes dropped EXE
PID:3876 -
\??\c:\bbbbhn.exec:\bbbbhn.exe29⤵
- Executes dropped EXE
PID:2476 -
\??\c:\pddjd.exec:\pddjd.exe30⤵
- Executes dropped EXE
PID:888 -
\??\c:\pvjvp.exec:\pvjvp.exe31⤵
- Executes dropped EXE
PID:2348 -
\??\c:\1rfxrrl.exec:\1rfxrrl.exe32⤵
- Executes dropped EXE
PID:3848 -
\??\c:\ffrlxxr.exec:\ffrlxxr.exe33⤵
- Executes dropped EXE
PID:4152 -
\??\c:\vpjjd.exec:\vpjjd.exe34⤵
- Executes dropped EXE
PID:1856 -
\??\c:\lxlfxrl.exec:\lxlfxrl.exe35⤵
- Executes dropped EXE
PID:1412 -
\??\c:\vpdpd.exec:\vpdpd.exe36⤵
- Executes dropped EXE
PID:392 -
\??\c:\rfxrlll.exec:\rfxrlll.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\jppvv.exec:\jppvv.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe39⤵
- Executes dropped EXE
PID:2844 -
\??\c:\thtttt.exec:\thtttt.exe40⤵
- Executes dropped EXE
PID:3516 -
\??\c:\djjdd.exec:\djjdd.exe41⤵
- Executes dropped EXE
PID:3928 -
\??\c:\9xrlxxr.exec:\9xrlxxr.exe42⤵
- Executes dropped EXE
PID:4872 -
\??\c:\lffxrrl.exec:\lffxrrl.exe43⤵
- Executes dropped EXE
PID:4348 -
\??\c:\5tnhnn.exec:\5tnhnn.exe44⤵
- Executes dropped EXE
PID:4468 -
\??\c:\vpdjj.exec:\vpdjj.exe45⤵
- Executes dropped EXE
PID:4436 -
\??\c:\1llxlll.exec:\1llxlll.exe46⤵
- Executes dropped EXE
PID:1788 -
\??\c:\hbhbbb.exec:\hbhbbb.exe47⤵
- Executes dropped EXE
PID:2344 -
\??\c:\vvdjp.exec:\vvdjp.exe48⤵
- Executes dropped EXE
PID:1340 -
\??\c:\djvpj.exec:\djvpj.exe49⤵
- Executes dropped EXE
PID:4996 -
\??\c:\rrrlxlf.exec:\rrrlxlf.exe50⤵
- Executes dropped EXE
PID:3624 -
\??\c:\thtbnb.exec:\thtbnb.exe51⤵
- Executes dropped EXE
PID:2744 -
\??\c:\jjdvp.exec:\jjdvp.exe52⤵
- Executes dropped EXE
PID:3596 -
\??\c:\dvvpj.exec:\dvvpj.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3932 -
\??\c:\1rrlffx.exec:\1rrlffx.exe54⤵
- Executes dropped EXE
PID:4280 -
\??\c:\1hnhhh.exec:\1hnhhh.exe55⤵
- Executes dropped EXE
PID:1624 -
\??\c:\dpppj.exec:\dpppj.exe56⤵
- Executes dropped EXE
PID:2096 -
\??\c:\rfrlllr.exec:\rfrlllr.exe57⤵
- Executes dropped EXE
PID:2500 -
\??\c:\lxfxrxr.exec:\lxfxrxr.exe58⤵
- Executes dropped EXE
PID:1952 -
\??\c:\nhbtnn.exec:\nhbtnn.exe59⤵
- Executes dropped EXE
PID:4076 -
\??\c:\jpdpp.exec:\jpdpp.exe60⤵
- Executes dropped EXE
PID:5112 -
\??\c:\dvjdd.exec:\dvjdd.exe61⤵
- Executes dropped EXE
PID:1728 -
\??\c:\lfxrlll.exec:\lfxrlll.exe62⤵
- Executes dropped EXE
PID:2316 -
\??\c:\bttnhh.exec:\bttnhh.exe63⤵
- Executes dropped EXE
PID:1392 -
\??\c:\jddjp.exec:\jddjp.exe64⤵
- Executes dropped EXE
PID:1324 -
\??\c:\ddddd.exec:\ddddd.exe65⤵
- Executes dropped EXE
PID:1532 -
\??\c:\xrfxxxf.exec:\xrfxxxf.exe66⤵PID:5016
-
\??\c:\nnbbtt.exec:\nnbbtt.exe67⤵PID:1544
-
\??\c:\djjdd.exec:\djjdd.exe68⤵PID:2848
-
\??\c:\pjpjd.exec:\pjpjd.exe69⤵PID:2920
-
\??\c:\frxxrrl.exec:\frxxrrl.exe70⤵PID:1984
-
\??\c:\thhbbb.exec:\thhbbb.exe71⤵PID:4080
-
\??\c:\frrlxrl.exec:\frrlxrl.exe72⤵PID:1516
-
\??\c:\xflfxrl.exec:\xflfxrl.exe73⤵PID:3676
-
\??\c:\hbbtnn.exec:\hbbtnn.exe74⤵PID:2260
-
\??\c:\vvpvd.exec:\vvpvd.exe75⤵PID:8
-
\??\c:\7lfrlfx.exec:\7lfrlfx.exe76⤵PID:1748
-
\??\c:\bthbhb.exec:\bthbhb.exe77⤵PID:2808
-
\??\c:\jjppp.exec:\jjppp.exe78⤵PID:2032
-
\??\c:\dvvvp.exec:\dvvvp.exe79⤵PID:1432
-
\??\c:\xrfxxrr.exec:\xrfxxrr.exe80⤵PID:3876
-
\??\c:\hnthhh.exec:\hnthhh.exe81⤵PID:832
-
\??\c:\pjddp.exec:\pjddp.exe82⤵PID:996
-
\??\c:\rlrllll.exec:\rlrllll.exe83⤵PID:568
-
\??\c:\9xlfffl.exec:\9xlfffl.exe84⤵PID:2540
-
\??\c:\7nnhbn.exec:\7nnhbn.exe85⤵PID:1588
-
\??\c:\jdjpp.exec:\jdjpp.exe86⤵PID:3464
-
\??\c:\ddvvv.exec:\ddvvv.exe87⤵
- System Location Discovery: System Language Discovery
PID:2148 -
\??\c:\xxfxfxf.exec:\xxfxfxf.exe88⤵PID:1680
-
\??\c:\bbhbbb.exec:\bbhbbb.exe89⤵PID:1600
-
\??\c:\pjpjd.exec:\pjpjd.exe90⤵PID:3840
-
\??\c:\lxfxlfx.exec:\lxfxlfx.exe91⤵PID:1496
-
\??\c:\nhhhbt.exec:\nhhhbt.exe92⤵PID:1408
-
\??\c:\pjdvp.exec:\pjdvp.exe93⤵PID:536
-
\??\c:\xrrrrfx.exec:\xrrrrfx.exe94⤵PID:3076
-
\??\c:\lxfrlll.exec:\lxfrlll.exe95⤵PID:2372
-
\??\c:\hbbnhb.exec:\hbbnhb.exe96⤵PID:4444
-
\??\c:\3pdvj.exec:\3pdvj.exe97⤵PID:1732
-
\??\c:\7lfxrlx.exec:\7lfxrlx.exe98⤵PID:3504
-
\??\c:\ntbthn.exec:\ntbthn.exe99⤵PID:4364
-
\??\c:\1jjdd.exec:\1jjdd.exe100⤵PID:3700
-
\??\c:\pjjdv.exec:\pjjdv.exe101⤵PID:920
-
\??\c:\lfrlxxr.exec:\lfrlxxr.exe102⤵PID:4672
-
\??\c:\3hbbth.exec:\3hbbth.exe103⤵PID:3572
-
\??\c:\dvdvv.exec:\dvdvv.exe104⤵PID:3316
-
\??\c:\rffxlfx.exec:\rffxlfx.exe105⤵PID:3084
-
\??\c:\hbbtnn.exec:\hbbtnn.exe106⤵PID:1476
-
\??\c:\vvjdp.exec:\vvjdp.exe107⤵PID:3904
-
\??\c:\vjpjd.exec:\vjpjd.exe108⤵PID:1468
-
\??\c:\nbbnbt.exec:\nbbnbt.exe109⤵PID:4660
-
\??\c:\tntnhh.exec:\tntnhh.exe110⤵PID:540
-
\??\c:\dvvpj.exec:\dvvpj.exe111⤵PID:1644
-
\??\c:\pvpdd.exec:\pvpdd.exe112⤵PID:4484
-
\??\c:\hnnbtn.exec:\hnnbtn.exe113⤵PID:3744
-
\??\c:\3nbntt.exec:\3nbntt.exe114⤵PID:444
-
\??\c:\pdpdv.exec:\pdpdv.exe115⤵PID:1536
-
\??\c:\rfrlffl.exec:\rfrlffl.exe116⤵PID:1348
-
\??\c:\bhbbtt.exec:\bhbbtt.exe117⤵PID:4120
-
\??\c:\vdddv.exec:\vdddv.exe118⤵
- System Location Discovery: System Language Discovery
PID:1924 -
\??\c:\9lrfxrl.exec:\9lrfxrl.exe119⤵PID:5084
-
\??\c:\5nnhbt.exec:\5nnhbt.exe120⤵PID:1968
-
\??\c:\nttnbt.exec:\nttnbt.exe121⤵PID:1624
-
\??\c:\ppvpp.exec:\ppvpp.exe122⤵PID:2824