Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 15:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a.exe
-
Size
454KB
-
MD5
6ad08210bd73ebbb76ba2e38ec7edfd0
-
SHA1
4fdb547b55f79484a8d1878ba5dfe3122af1cabf
-
SHA256
1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a
-
SHA512
73b55df5f917a0931c4bce4f1e5538150783dc87173ed2bbc320bf5b0a7fe260ec1075576b6e377a63c6113b093ad420a35de3a928ec717f55994e1b6274497f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeqg:q7Tc2NYHUrAwfMp3CDf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3936-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4236-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3620-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4244-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-701-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-1023-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-1319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4848-1341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 940 hhhtbt.exe 2392 nhnnnh.exe 4932 thhbtn.exe 4804 vjppj.exe 2708 7pvpj.exe 4536 5pddv.exe 3188 1ntnnn.exe 3872 xrrlfff.exe 1636 tbhbbb.exe 3152 ntbttt.exe 2344 xflfxxr.exe 2436 tbnhbt.exe 1192 3vpvj.exe 3968 9ntnbb.exe 3064 dppjd.exe 4496 ppdvp.exe 228 lrrlfxr.exe 3620 nnnhbb.exe 2612 djpdv.exe 3516 fxxlfxr.exe 5088 frlllfx.exe 4488 xrxlffr.exe 3120 tnnbbb.exe 4236 fxrlxrf.exe 2632 thnbtb.exe 1736 bhbtnh.exe 4636 ppvvv.exe 3004 3rxxllr.exe 2332 vjjdv.exe 5096 btnhtn.exe 4900 thnhnh.exe 1488 xllfrlf.exe 4856 ntthbt.exe 2712 9rllxrf.exe 2264 tnnhtt.exe 2620 3nnbbt.exe 2860 3xrlffx.exe 3272 djpdv.exe 1204 3pjdd.exe 4112 rfrlfxr.exe 2876 bnbhhb.exe 2056 pdjdv.exe 3168 ppvpj.exe 2044 fxxrrrr.exe 1080 hbnhbb.exe 2884 dvjdj.exe 4852 jvjvj.exe 5008 5xxlxfr.exe 1484 nbnbbt.exe 3704 jdjvp.exe 3928 lflxrrx.exe 1120 3xrrlrl.exe 4804 btnhbb.exe 2752 ddpjv.exe 5012 rffxrfx.exe 2524 bbtnbt.exe 972 thbthh.exe 760 jvjdv.exe 516 frfxllf.exe 3188 tttbbh.exe 2872 vdvpj.exe 408 xlrffxf.exe 2520 bthbtt.exe 2344 pvvvv.exe -
resource yara_rule behavioral2/memory/3936-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4236-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-358-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1720-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4244-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-633-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-701-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3936 wrote to memory of 940 3936 1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a.exe 83 PID 3936 wrote to memory of 940 3936 1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a.exe 83 PID 3936 wrote to memory of 940 3936 1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a.exe 83 PID 940 wrote to memory of 2392 940 hhhtbt.exe 84 PID 940 wrote to memory of 2392 940 hhhtbt.exe 84 PID 940 wrote to memory of 2392 940 hhhtbt.exe 84 PID 2392 wrote to memory of 4932 2392 nhnnnh.exe 85 PID 2392 wrote to memory of 4932 2392 nhnnnh.exe 85 PID 2392 wrote to memory of 4932 2392 nhnnnh.exe 85 PID 4932 wrote to memory of 4804 4932 thhbtn.exe 86 PID 4932 wrote to memory of 4804 4932 thhbtn.exe 86 PID 4932 wrote to memory of 4804 4932 thhbtn.exe 86 PID 4804 wrote to memory of 2708 4804 vjppj.exe 87 PID 4804 wrote to memory of 2708 4804 vjppj.exe 87 PID 4804 wrote to memory of 2708 4804 vjppj.exe 87 PID 2708 wrote to memory of 4536 2708 7pvpj.exe 88 PID 2708 wrote to memory of 4536 2708 7pvpj.exe 88 PID 2708 wrote to memory of 4536 2708 7pvpj.exe 88 PID 4536 wrote to memory of 3188 4536 5pddv.exe 89 PID 4536 wrote to memory of 3188 4536 5pddv.exe 89 PID 4536 wrote to memory of 3188 4536 5pddv.exe 89 PID 3188 wrote to memory of 3872 3188 1ntnnn.exe 90 PID 3188 wrote to memory of 3872 3188 1ntnnn.exe 90 PID 3188 wrote to memory of 3872 3188 1ntnnn.exe 90 PID 3872 wrote to memory of 1636 3872 xrrlfff.exe 91 PID 3872 wrote to memory of 1636 3872 xrrlfff.exe 91 PID 3872 wrote to memory of 1636 3872 xrrlfff.exe 91 PID 1636 wrote to memory of 3152 1636 tbhbbb.exe 92 PID 1636 wrote to memory of 3152 1636 tbhbbb.exe 92 PID 1636 wrote to memory of 3152 1636 tbhbbb.exe 92 PID 3152 wrote to memory of 2344 3152 ntbttt.exe 93 PID 3152 wrote to memory of 2344 3152 ntbttt.exe 93 PID 3152 wrote to memory of 2344 3152 ntbttt.exe 93 PID 2344 wrote to memory of 2436 2344 xflfxxr.exe 94 PID 2344 wrote to memory of 2436 
2344 xflfxxr.exe 94 PID 2344 wrote to memory of 2436 2344 xflfxxr.exe 94 PID 2436 wrote to memory of 1192 2436 tbnhbt.exe 95 PID 2436 wrote to memory of 1192 2436 tbnhbt.exe 95 PID 2436 wrote to memory of 1192 2436 tbnhbt.exe 95 PID 1192 wrote to memory of 3968 1192 3vpvj.exe 96 PID 1192 wrote to memory of 3968 1192 3vpvj.exe 96 PID 1192 wrote to memory of 3968 1192 3vpvj.exe 96 PID 3968 wrote to memory of 3064 3968 9ntnbb.exe 97 PID 3968 wrote to memory of 3064 3968 9ntnbb.exe 97 PID 3968 wrote to memory of 3064 3968 9ntnbb.exe 97 PID 3064 wrote to memory of 4496 3064 dppjd.exe 98 PID 3064 wrote to memory of 4496 3064 dppjd.exe 98 PID 3064 wrote to memory of 4496 3064 dppjd.exe 98 PID 4496 wrote to memory of 228 4496 ppdvp.exe 99 PID 4496 wrote to memory of 228 4496 ppdvp.exe 99 PID 4496 wrote to memory of 228 4496 ppdvp.exe 99 PID 228 wrote to memory of 3620 228 lrrlfxr.exe 100 PID 228 wrote to memory of 3620 228 lrrlfxr.exe 100 PID 228 wrote to memory of 3620 228 lrrlfxr.exe 100 PID 3620 wrote to memory of 2612 3620 nnnhbb.exe 101 PID 3620 wrote to memory of 2612 3620 nnnhbb.exe 101 PID 3620 wrote to memory of 2612 3620 nnnhbb.exe 101 PID 2612 wrote to memory of 3516 2612 djpdv.exe 102 PID 2612 wrote to memory of 3516 2612 djpdv.exe 102 PID 2612 wrote to memory of 3516 2612 djpdv.exe 102 PID 3516 wrote to memory of 5088 3516 fxxlfxr.exe 103 PID 3516 wrote to memory of 5088 3516 fxxlfxr.exe 103 PID 3516 wrote to memory of 5088 3516 fxxlfxr.exe 103 PID 5088 wrote to memory of 4488 5088 frlllfx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a.exe"C:\Users\Admin\AppData\Local\Temp\1b63982db861259c66a362dcafab9373e0dd0408d0c1e7a26c39a134457b7a7a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\hhhtbt.exec:\hhhtbt.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\nhnnnh.exec:\nhnnnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\thhbtn.exec:\thhbtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\vjppj.exec:\vjppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\7pvpj.exec:\7pvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\5pddv.exec:\5pddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\1ntnnn.exec:\1ntnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\xrrlfff.exec:\xrrlfff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\tbhbbb.exec:\tbhbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\ntbttt.exec:\ntbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\xflfxxr.exec:\xflfxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2344 -
\??\c:\tbnhbt.exec:\tbnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\3vpvj.exec:\3vpvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\9ntnbb.exec:\9ntnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\dppjd.exec:\dppjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\ppdvp.exec:\ppdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\lrrlfxr.exec:\lrrlfxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\nnnhbb.exec:\nnnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3620 -
\??\c:\djpdv.exec:\djpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3516 -
\??\c:\frlllfx.exec:\frlllfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\xrxlffr.exec:\xrxlffr.exe23⤵
- Executes dropped EXE
PID:4488 -
\??\c:\tnnbbb.exec:\tnnbbb.exe24⤵
- Executes dropped EXE
PID:3120 -
\??\c:\fxrlxrf.exec:\fxrlxrf.exe25⤵
- Executes dropped EXE
PID:4236 -
\??\c:\thnbtb.exec:\thnbtb.exe26⤵
- Executes dropped EXE
PID:2632 -
\??\c:\bhbtnh.exec:\bhbtnh.exe27⤵
- Executes dropped EXE
PID:1736 -
\??\c:\ppvvv.exec:\ppvvv.exe28⤵
- Executes dropped EXE
PID:4636 -
\??\c:\3rxxllr.exec:\3rxxllr.exe29⤵
- Executes dropped EXE
PID:3004 -
\??\c:\vjjdv.exec:\vjjdv.exe30⤵
- Executes dropped EXE
PID:2332 -
\??\c:\btnhtn.exec:\btnhtn.exe31⤵
- Executes dropped EXE
PID:5096 -
\??\c:\thnhnh.exec:\thnhnh.exe32⤵
- Executes dropped EXE
PID:4900 -
\??\c:\xllfrlf.exec:\xllfrlf.exe33⤵
- Executes dropped EXE
PID:1488 -
\??\c:\ntthbt.exec:\ntthbt.exe34⤵
- Executes dropped EXE
PID:4856 -
\??\c:\9rllxrf.exec:\9rllxrf.exe35⤵
- Executes dropped EXE
PID:2712 -
\??\c:\tnnhtt.exec:\tnnhtt.exe36⤵
- Executes dropped EXE
PID:2264 -
\??\c:\3nnbbt.exec:\3nnbbt.exe37⤵
- Executes dropped EXE
PID:2620 -
\??\c:\3xrlffx.exec:\3xrlffx.exe38⤵
- Executes dropped EXE
PID:2860 -
\??\c:\djpdv.exec:\djpdv.exe39⤵
- Executes dropped EXE
PID:3272 -
\??\c:\3pjdd.exec:\3pjdd.exe40⤵
- Executes dropped EXE
PID:1204 -
\??\c:\rfrlfxr.exec:\rfrlfxr.exe41⤵
- Executes dropped EXE
PID:4112 -
\??\c:\bnbhhb.exec:\bnbhhb.exe42⤵
- Executes dropped EXE
PID:2876 -
\??\c:\pdjdv.exec:\pdjdv.exe43⤵
- Executes dropped EXE
PID:2056 -
\??\c:\ppvpj.exec:\ppvpj.exe44⤵
- Executes dropped EXE
PID:3168 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe45⤵
- Executes dropped EXE
PID:2044 -
\??\c:\hbnhbb.exec:\hbnhbb.exe46⤵
- Executes dropped EXE
PID:1080 -
\??\c:\dvjdj.exec:\dvjdj.exe47⤵
- Executes dropped EXE
PID:2884 -
\??\c:\jvjvj.exec:\jvjvj.exe48⤵
- Executes dropped EXE
PID:4852 -
\??\c:\5xxlxfr.exec:\5xxlxfr.exe49⤵
- Executes dropped EXE
PID:5008 -
\??\c:\nbnbbt.exec:\nbnbbt.exe50⤵
- Executes dropped EXE
PID:1484 -
\??\c:\jdjvp.exec:\jdjvp.exe51⤵
- Executes dropped EXE
PID:3704 -
\??\c:\lflxrrx.exec:\lflxrrx.exe52⤵
- Executes dropped EXE
PID:3928 -
\??\c:\3xrrlrl.exec:\3xrrlrl.exe53⤵
- Executes dropped EXE
PID:1120 -
\??\c:\btnhbb.exec:\btnhbb.exe54⤵
- Executes dropped EXE
PID:4804 -
\??\c:\ddpjv.exec:\ddpjv.exe55⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rffxrfx.exec:\rffxrfx.exe56⤵
- Executes dropped EXE
PID:5012 -
\??\c:\bbtnbt.exec:\bbtnbt.exe57⤵
- Executes dropped EXE
PID:2524 -
\??\c:\thbthh.exec:\thbthh.exe58⤵
- Executes dropped EXE
PID:972 -
\??\c:\jvjdv.exec:\jvjdv.exe59⤵
- Executes dropped EXE
PID:760 -
\??\c:\frfxllf.exec:\frfxllf.exe60⤵
- Executes dropped EXE
PID:516 -
\??\c:\tttbbh.exec:\tttbbh.exe61⤵
- Executes dropped EXE
PID:3188 -
\??\c:\vdvpj.exec:\vdvpj.exe62⤵
- Executes dropped EXE
PID:2872 -
\??\c:\xlrffxf.exec:\xlrffxf.exe63⤵
- Executes dropped EXE
PID:408 -
\??\c:\bthbtt.exec:\bthbtt.exe64⤵
- Executes dropped EXE
PID:2520 -
\??\c:\pvvvv.exec:\pvvvv.exe65⤵
- Executes dropped EXE
PID:2344 -
\??\c:\pdpjd.exec:\pdpjd.exe66⤵PID:2696
-
\??\c:\rrxrxxf.exec:\rrxrxxf.exe67⤵PID:3496
-
\??\c:\thhbnn.exec:\thhbnn.exe68⤵PID:4624
-
\??\c:\jppjv.exec:\jppjv.exe69⤵PID:2836
-
\??\c:\jjvpd.exec:\jjvpd.exe70⤵PID:4356
-
\??\c:\fxlflll.exec:\fxlflll.exe71⤵PID:5116
-
\??\c:\bthbnn.exec:\bthbnn.exe72⤵PID:832
-
\??\c:\3nnhbt.exec:\3nnhbt.exe73⤵PID:1296
-
\??\c:\vpvdj.exec:\vpvdj.exe74⤵PID:3504
-
\??\c:\fxlfrxr.exec:\fxlfrxr.exe75⤵PID:2492
-
\??\c:\bhnhhb.exec:\bhnhhb.exe76⤵PID:3620
-
\??\c:\dpddd.exec:\dpddd.exe77⤵PID:3684
-
\??\c:\rlrlffx.exec:\rlrlffx.exe78⤵PID:3240
-
\??\c:\9fllrxx.exec:\9fllrxx.exe79⤵PID:4500
-
\??\c:\ttttbb.exec:\ttttbb.exe80⤵PID:3744
-
\??\c:\3jdvp.exec:\3jdvp.exe81⤵PID:644
-
\??\c:\7vvjv.exec:\7vvjv.exe82⤵PID:4540
-
\??\c:\lrxlfxl.exec:\lrxlfxl.exe83⤵PID:4104
-
\??\c:\htbtnh.exec:\htbtnh.exe84⤵PID:2096
-
\??\c:\vdpjd.exec:\vdpjd.exe85⤵PID:5092
-
\??\c:\3fxxllx.exec:\3fxxllx.exe86⤵PID:4868
-
\??\c:\btnhbb.exec:\btnhbb.exe87⤵PID:2656
-
\??\c:\5hnhht.exec:\5hnhht.exe88⤵PID:1784
-
\??\c:\dpvpd.exec:\dpvpd.exe89⤵PID:1720
-
\??\c:\xxlrrlr.exec:\xxlrrlr.exe90⤵PID:1876
-
\??\c:\tttnhb.exec:\tttnhb.exe91⤵PID:5096
-
\??\c:\9djdp.exec:\9djdp.exe92⤵
- System Location Discovery: System Language Discovery
PID:1376 -
\??\c:\fffxrrl.exec:\fffxrrl.exe93⤵PID:4244
-
\??\c:\xllffxr.exec:\xllffxr.exe94⤵PID:4368
-
\??\c:\hbbtnh.exec:\hbbtnh.exe95⤵PID:2212
-
\??\c:\thhbbt.exec:\thhbbt.exe96⤵PID:2208
-
\??\c:\jvpjd.exec:\jvpjd.exe97⤵PID:3528
-
\??\c:\lxfrlff.exec:\lxfrlff.exe98⤵PID:4816
-
\??\c:\3bhbnn.exec:\3bhbnn.exe99⤵PID:3212
-
\??\c:\nhntnb.exec:\nhntnb.exe100⤵PID:2240
-
\??\c:\vjpdv.exec:\vjpdv.exe101⤵PID:2376
-
\??\c:\rllfxrl.exec:\rllfxrl.exe102⤵PID:2740
-
\??\c:\rrrrrrr.exec:\rrrrrrr.exe103⤵PID:1208
-
\??\c:\btnbnh.exec:\btnbnh.exe104⤵PID:64
-
\??\c:\7pdjj.exec:\7pdjj.exe105⤵PID:2556
-
\??\c:\vjvjj.exec:\vjvjj.exe106⤵PID:4344
-
\??\c:\fxrlrlf.exec:\fxrlrlf.exe107⤵PID:4348
-
\??\c:\5nnhbb.exec:\5nnhbb.exe108⤵PID:2084
-
\??\c:\vpdvp.exec:\vpdvp.exe109⤵PID:1740
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe110⤵PID:940
-
\??\c:\9bbtnn.exec:\9bbtnn.exe111⤵PID:4892
-
\??\c:\bbbtnn.exec:\bbbtnn.exe112⤵PID:4564
-
\??\c:\3pvpj.exec:\3pvpj.exe113⤵PID:4524
-
\??\c:\rflxrrr.exec:\rflxrrr.exe114⤵PID:4312
-
\??\c:\thnnhh.exec:\thnnhh.exe115⤵PID:112
-
\??\c:\vdpjd.exec:\vdpjd.exe116⤵PID:3764
-
\??\c:\rflfrrf.exec:\rflfrrf.exe117⤵PID:2308
-
\??\c:\7nhhth.exec:\7nhhth.exe118⤵PID:4536
-
\??\c:\3btnhn.exec:\3btnhn.exe119⤵PID:4472
-
\??\c:\vvppj.exec:\vvppj.exe120⤵PID:2688
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe121⤵PID:2016
-
\??\c:\9ttnhn.exec:\9ttnhn.exe122⤵PID:1564