Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe
-
Size
454KB
-
MD5
b36ef2aff69ebe19735d0e6d72f14b77
-
SHA1
ca5e56afbf9cbfeb8ec31fb3d4413e5b4c846985
-
SHA256
b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5
-
SHA512
d5bcb4f49a55f0113698670b3851605de5493cd6f263c625a6fa700782d0c80711ea979fa3eafaa8a3fbff419e5b5d708dfe3517c7efe0f8b1336e0327d850c8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3504-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5004-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2892-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3940-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1564-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-783-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-802-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-1116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3504 jvpjd.exe 4344 bthbhh.exe 4100 bnnhbt.exe 3188 hnnbnh.exe 2708 rxxllxx.exe 1468 1dpjd.exe 1272 268484.exe 556 rflfffx.exe 2904 rxxlfxr.exe 2384 q80000.exe 1364 622006.exe 1160 xxrlffx.exe 4804 62822.exe 708 040400.exe 4040 pdjdv.exe 3760 vdpjd.exe 3468 dpvpp.exe 4624 u682626.exe 3976 5ffxrll.exe 2964 068260.exe 3028 440044.exe 1844 7bhbtb.exe 2408 088444.exe 5004 406066.exe 4080 bnttnn.exe 3648 7ffxrlf.exe 5080 tnnhhb.exe 4320 684882.exe 2024 0860640.exe 1308 jdppd.exe 4068 60862.exe 1680 xrrlflf.exe 852 jddvp.exe 4220 fffrlfx.exe 1284 xlllxxr.exe 1572 q68440.exe 5084 rxlxrlf.exe 4384 7xfxxxr.exe 4836 q48068.exe 5008 22488.exe 2896 lxffxrl.exe 4284 c848226.exe 1568 lfrrrrl.exe 208 9tbttt.exe 4852 828600.exe 2832 7bbtnn.exe 1416 7lrrrrl.exe 4100 lflfflr.exe 1764 u064826.exe 4392 1jjdv.exe 2708 828266.exe 4900 088082.exe 1216 pjvpp.exe 4628 0466268.exe 3160 6404848.exe 3864 44282.exe 2752 hthbbb.exe 3576 fxxrlll.exe 1072 4062822.exe 4408 xlrlxrl.exe 940 jdvvj.exe 3720 pjdvp.exe 1288 bttnhh.exe 2892 btbnnh.exe -
resource yara_rule behavioral2/memory/3504-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5080-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2892-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-376-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4448-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-783-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 622006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 88006.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4026604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0060666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language i048264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6462682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 44600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 268484.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 068600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrlxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4622660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4860 wrote to memory of 3504 4860 b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe 85 PID 4860 wrote to memory of 3504 4860 b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe 85 PID 4860 wrote to memory of 3504 4860 b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe 85 PID 3504 wrote to memory of 4344 3504 jvpjd.exe 86 PID 3504 wrote to memory of 4344 3504 jvpjd.exe 86 PID 3504 wrote to memory of 4344 3504 jvpjd.exe 86 PID 4344 wrote to memory of 4100 4344 bthbhh.exe 87 PID 4344 wrote to memory of 4100 4344 bthbhh.exe 87 PID 4344 wrote to memory of 4100 4344 bthbhh.exe 87 PID 4100 wrote to memory of 3188 4100 bnnhbt.exe 88 PID 4100 wrote to memory of 3188 4100 bnnhbt.exe 88 PID 4100 wrote to memory of 3188 4100 bnnhbt.exe 88 PID 3188 wrote to memory of 2708 3188 hnnbnh.exe 89 PID 3188 wrote to memory of 2708 3188 hnnbnh.exe 89 PID 3188 wrote to memory of 2708 3188 hnnbnh.exe 89 PID 2708 wrote to memory of 1468 2708 rxxllxx.exe 90 PID 2708 wrote to memory of 1468 2708 rxxllxx.exe 90 PID 2708 wrote to memory of 1468 2708 rxxllxx.exe 90 PID 1468 wrote to memory of 1272 1468 1dpjd.exe 91 PID 1468 wrote to memory of 1272 1468 1dpjd.exe 91 PID 1468 wrote to memory of 1272 1468 1dpjd.exe 91 PID 1272 wrote to memory of 556 1272 268484.exe 92 PID 1272 wrote to memory of 556 1272 268484.exe 92 PID 1272 wrote to memory of 556 1272 268484.exe 92 PID 556 wrote to memory of 2904 556 rflfffx.exe 93 PID 556 wrote to memory of 2904 556 rflfffx.exe 93 PID 556 wrote to memory of 2904 556 rflfffx.exe 93 PID 2904 wrote to memory of 2384 2904 rxxlfxr.exe 94 PID 2904 wrote to memory of 2384 2904 rxxlfxr.exe 94 PID 2904 wrote to memory of 2384 2904 rxxlfxr.exe 94 PID 2384 wrote to memory of 1364 2384 q80000.exe 95 PID 2384 wrote to memory of 1364 2384 q80000.exe 95 PID 2384 wrote to memory of 1364 2384 q80000.exe 95 PID 1364 wrote to memory of 1160 1364 622006.exe 96 PID 1364 wrote to memory 
of 1160 1364 622006.exe 96 PID 1364 wrote to memory of 1160 1364 622006.exe 96 PID 1160 wrote to memory of 4804 1160 xxrlffx.exe 97 PID 1160 wrote to memory of 4804 1160 xxrlffx.exe 97 PID 1160 wrote to memory of 4804 1160 xxrlffx.exe 97 PID 4804 wrote to memory of 708 4804 62822.exe 98 PID 4804 wrote to memory of 708 4804 62822.exe 98 PID 4804 wrote to memory of 708 4804 62822.exe 98 PID 708 wrote to memory of 4040 708 040400.exe 99 PID 708 wrote to memory of 4040 708 040400.exe 99 PID 708 wrote to memory of 4040 708 040400.exe 99 PID 4040 wrote to memory of 3760 4040 pdjdv.exe 100 PID 4040 wrote to memory of 3760 4040 pdjdv.exe 100 PID 4040 wrote to memory of 3760 4040 pdjdv.exe 100 PID 3760 wrote to memory of 3468 3760 vdpjd.exe 101 PID 3760 wrote to memory of 3468 3760 vdpjd.exe 101 PID 3760 wrote to memory of 3468 3760 vdpjd.exe 101 PID 3468 wrote to memory of 4624 3468 dpvpp.exe 102 PID 3468 wrote to memory of 4624 3468 dpvpp.exe 102 PID 3468 wrote to memory of 4624 3468 dpvpp.exe 102 PID 4624 wrote to memory of 3976 4624 u682626.exe 103 PID 4624 wrote to memory of 3976 4624 u682626.exe 103 PID 4624 wrote to memory of 3976 4624 u682626.exe 103 PID 3976 wrote to memory of 2964 3976 5ffxrll.exe 104 PID 3976 wrote to memory of 2964 3976 5ffxrll.exe 104 PID 3976 wrote to memory of 2964 3976 5ffxrll.exe 104 PID 2964 wrote to memory of 3028 2964 068260.exe 105 PID 2964 wrote to memory of 3028 2964 068260.exe 105 PID 2964 wrote to memory of 3028 2964 068260.exe 105 PID 3028 wrote to memory of 1844 3028 440044.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe"C:\Users\Admin\AppData\Local\Temp\b90d3deb27b8ab734a441fd29583f69e8a5bf5ac1be89a247b2a4d3e654aacc5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\jvpjd.exec:\jvpjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\bthbhh.exec:\bthbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\bnnhbt.exec:\bnnhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\hnnbnh.exec:\hnnbnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\rxxllxx.exec:\rxxllxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\1dpjd.exec:\1dpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\268484.exec:\268484.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\rflfffx.exec:\rflfffx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\rxxlfxr.exec:\rxxlfxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\q80000.exec:\q80000.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\622006.exec:\622006.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\xxrlffx.exec:\xxrlffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\62822.exec:\62822.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\040400.exec:\040400.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:708 -
\??\c:\pdjdv.exec:\pdjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\vdpjd.exec:\vdpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\dpvpp.exec:\dpvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\u682626.exec:\u682626.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\5ffxrll.exec:\5ffxrll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\068260.exec:\068260.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\440044.exec:\440044.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\7bhbtb.exec:\7bhbtb.exe23⤵
- Executes dropped EXE
PID:1844 -
\??\c:\088444.exec:\088444.exe24⤵
- Executes dropped EXE
PID:2408 -
\??\c:\406066.exec:\406066.exe25⤵
- Executes dropped EXE
PID:5004 -
\??\c:\bnttnn.exec:\bnttnn.exe26⤵
- Executes dropped EXE
PID:4080 -
\??\c:\7ffxrlf.exec:\7ffxrlf.exe27⤵
- Executes dropped EXE
PID:3648 -
\??\c:\tnnhhb.exec:\tnnhhb.exe28⤵
- Executes dropped EXE
PID:5080 -
\??\c:\684882.exec:\684882.exe29⤵
- Executes dropped EXE
PID:4320 -
\??\c:\0860640.exec:\0860640.exe30⤵
- Executes dropped EXE
PID:2024 -
\??\c:\jdppd.exec:\jdppd.exe31⤵
- Executes dropped EXE
PID:1308 -
\??\c:\60862.exec:\60862.exe32⤵
- Executes dropped EXE
PID:4068 -
\??\c:\xrrlflf.exec:\xrrlflf.exe33⤵
- Executes dropped EXE
PID:1680 -
\??\c:\jddvp.exec:\jddvp.exe34⤵
- Executes dropped EXE
PID:852 -
\??\c:\fffrlfx.exec:\fffrlfx.exe35⤵
- Executes dropped EXE
PID:4220 -
\??\c:\xlllxxr.exec:\xlllxxr.exe36⤵
- Executes dropped EXE
PID:1284 -
\??\c:\q68440.exec:\q68440.exe37⤵
- Executes dropped EXE
PID:1572 -
\??\c:\rxlxrlf.exec:\rxlxrlf.exe38⤵
- Executes dropped EXE
PID:5084 -
\??\c:\7xfxxxr.exec:\7xfxxxr.exe39⤵
- Executes dropped EXE
PID:4384 -
\??\c:\q48068.exec:\q48068.exe40⤵
- Executes dropped EXE
PID:4836 -
\??\c:\22488.exec:\22488.exe41⤵
- Executes dropped EXE
PID:5008 -
\??\c:\lxffxrl.exec:\lxffxrl.exe42⤵
- Executes dropped EXE
PID:2896 -
\??\c:\c848226.exec:\c848226.exe43⤵
- Executes dropped EXE
PID:4284 -
\??\c:\lfrrrrl.exec:\lfrrrrl.exe44⤵
- Executes dropped EXE
PID:1568 -
\??\c:\9tbttt.exec:\9tbttt.exe45⤵
- Executes dropped EXE
PID:208 -
\??\c:\828600.exec:\828600.exe46⤵
- Executes dropped EXE
PID:4852 -
\??\c:\7bbtnn.exec:\7bbtnn.exe47⤵
- Executes dropped EXE
PID:2832 -
\??\c:\7lrrrrl.exec:\7lrrrrl.exe48⤵
- Executes dropped EXE
PID:1416 -
\??\c:\lflfflr.exec:\lflfflr.exe49⤵
- Executes dropped EXE
PID:4100 -
\??\c:\u064826.exec:\u064826.exe50⤵
- Executes dropped EXE
PID:1764 -
\??\c:\1jjdv.exec:\1jjdv.exe51⤵
- Executes dropped EXE
PID:4392 -
\??\c:\828266.exec:\828266.exe52⤵
- Executes dropped EXE
PID:2708 -
\??\c:\088082.exec:\088082.exe53⤵
- Executes dropped EXE
PID:4900 -
\??\c:\pjvpp.exec:\pjvpp.exe54⤵
- Executes dropped EXE
PID:1216 -
\??\c:\0466268.exec:\0466268.exe55⤵
- Executes dropped EXE
PID:4628 -
\??\c:\6404848.exec:\6404848.exe56⤵
- Executes dropped EXE
PID:3160 -
\??\c:\44282.exec:\44282.exe57⤵
- Executes dropped EXE
PID:3864 -
\??\c:\hthbbb.exec:\hthbbb.exe58⤵
- Executes dropped EXE
PID:2752 -
\??\c:\fxxrlll.exec:\fxxrlll.exe59⤵
- Executes dropped EXE
PID:3576 -
\??\c:\4062822.exec:\4062822.exe60⤵
- Executes dropped EXE
PID:1072 -
\??\c:\xlrlxrl.exec:\xlrlxrl.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
\??\c:\jdvvj.exec:\jdvvj.exe62⤵
- Executes dropped EXE
PID:940 -
\??\c:\pjdvp.exec:\pjdvp.exe63⤵
- Executes dropped EXE
PID:3720 -
\??\c:\bttnhh.exec:\bttnhh.exe64⤵
- Executes dropped EXE
PID:1288 -
\??\c:\btbnnh.exec:\btbnnh.exe65⤵
- Executes dropped EXE
PID:2892 -
\??\c:\866600.exec:\866600.exe66⤵PID:4500
-
\??\c:\802660.exec:\802660.exe67⤵PID:2884
-
\??\c:\040446.exec:\040446.exe68⤵PID:4568
-
\??\c:\04004.exec:\04004.exe69⤵PID:2604
-
\??\c:\844488.exec:\844488.exe70⤵PID:4664
-
\??\c:\w46482.exec:\w46482.exe71⤵PID:3940
-
\??\c:\pvvvj.exec:\pvvvj.exe72⤵PID:3516
-
\??\c:\bnttbh.exec:\bnttbh.exe73⤵PID:4328
-
\??\c:\3vddp.exec:\3vddp.exe74⤵PID:5040
-
\??\c:\3hhbtt.exec:\3hhbtt.exe75⤵PID:2128
-
\??\c:\frfxxxf.exec:\frfxxxf.exe76⤵PID:5028
-
\??\c:\c460004.exec:\c460004.exe77⤵PID:3060
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe78⤵PID:4932
-
\??\c:\280460.exec:\280460.exe79⤵PID:2268
-
\??\c:\4808260.exec:\4808260.exe80⤵PID:4884
-
\??\c:\htbtnt.exec:\htbtnt.exe81⤵PID:3980
-
\??\c:\nbtbtt.exec:\nbtbtt.exe82⤵PID:1004
-
\??\c:\jvpdj.exec:\jvpdj.exe83⤵PID:2640
-
\??\c:\tbnbbt.exec:\tbnbbt.exe84⤵PID:3624
-
\??\c:\28648.exec:\28648.exe85⤵PID:372
-
\??\c:\62860.exec:\62860.exe86⤵PID:4472
-
\??\c:\vdvpv.exec:\vdvpv.exe87⤵PID:1828
-
\??\c:\pjjjd.exec:\pjjjd.exe88⤵PID:4636
-
\??\c:\i462244.exec:\i462244.exe89⤵PID:1564
-
\??\c:\ppjvp.exec:\ppjvp.exe90⤵PID:1308
-
\??\c:\3dvvp.exec:\3dvvp.exe91⤵PID:4448
-
\??\c:\6060000.exec:\6060000.exe92⤵PID:348
-
\??\c:\6006000.exec:\6006000.exe93⤵PID:3916
-
\??\c:\86888.exec:\86888.exe94⤵PID:3436
-
\??\c:\jdpdd.exec:\jdpdd.exe95⤵PID:3100
-
\??\c:\002666.exec:\002666.exe96⤵PID:4832
-
\??\c:\djvvd.exec:\djvvd.exe97⤵PID:4484
-
\??\c:\6620486.exec:\6620486.exe98⤵PID:4400
-
\??\c:\u404260.exec:\u404260.exe99⤵PID:3528
-
\??\c:\tnbtbb.exec:\tnbtbb.exe100⤵PID:3968
-
\??\c:\7llxrrl.exec:\7llxrrl.exe101⤵PID:2788
-
\??\c:\k68648.exec:\k68648.exe102⤵PID:4476
-
\??\c:\206488.exec:\206488.exe103⤵PID:3380
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe104⤵PID:2912
-
\??\c:\nbhnnh.exec:\nbhnnh.exe105⤵PID:208
-
\??\c:\82084.exec:\82084.exe106⤵PID:4876
-
\??\c:\lrflxrl.exec:\lrflxrl.exe107⤵PID:2832
-
\??\c:\thhthh.exec:\thhthh.exe108⤵PID:1380
-
\??\c:\862488.exec:\862488.exe109⤵PID:1088
-
\??\c:\frxlfxr.exec:\frxlfxr.exe110⤵PID:3188
-
\??\c:\lxffflr.exec:\lxffflr.exe111⤵PID:1804
-
\??\c:\xflxllx.exec:\xflxllx.exe112⤵PID:3472
-
\??\c:\3jddp.exec:\3jddp.exe113⤵PID:4928
-
\??\c:\84428.exec:\84428.exe114⤵PID:4444
-
\??\c:\0680686.exec:\0680686.exe115⤵PID:820
-
\??\c:\rllfflf.exec:\rllfflf.exe116⤵PID:3828
-
\??\c:\8048260.exec:\8048260.exe117⤵PID:3704
-
\??\c:\7tthtn.exec:\7tthtn.exe118⤵PID:4524
-
\??\c:\62048.exec:\62048.exe119⤵PID:60
-
\??\c:\rfxrxrx.exec:\rfxrxrx.exe120⤵PID:2304
-
\??\c:\8664820.exec:\8664820.exe121⤵PID:3816
-
\??\c:\bhnbtn.exec:\bhnbtn.exe122⤵PID:2244