Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe
-
Size
456KB
-
MD5
1275ac8c581a0c7b5144340f4c05df69
-
SHA1
da9f1de28ae1eebc93d597b16973d99ba395ca9a
-
SHA256
bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c
-
SHA512
8a249fae4020eff9514b4bca0a42edb24a18cc2c0e1a81078c40daf7580bd254f1139f75eb51fc4465c359e730d54a768f85b09194a3c2933dc15fa8711d34d8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR6:q7Tc2NYHUrAwfMp3CDR6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1760-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2344-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4340-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3808-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3948-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4108-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-743-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-768-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-775-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-1227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-1532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5064-1664-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3544 hbtnhb.exe 2340 pjjjd.exe 3112 xlrllff.exe 4944 bthbhn.exe 4168 tnnbtn.exe 980 jdpjj.exe 1388 ffllffl.exe 2400 nnbthh.exe 4800 7nhhhn.exe 1292 ttbhhn.exe 1488 nhhttn.exe 4804 vpdvd.exe 2512 3xrrlll.exe 3536 hbhbbt.exe 4204 3rxrxrx.exe 3400 thhnnt.exe 3208 jdvvp.exe 1296 lxxxrrx.exe 4520 tnhbtt.exe 4024 djjdv.exe 4452 xxxlxxl.exe 448 thhhbb.exe 4572 pjddv.exe 548 flxrllf.exe 5104 hbnhhh.exe 2344 jdvpp.exe 2080 lffxxxx.exe 4112 dvjpv.exe 4708 dvpjd.exe 4484 nbttbn.exe 3060 dvvpj.exe 2100 fxrrllf.exe 1976 lfllfxr.exe 1476 nbbbbh.exe 4604 1jpjj.exe 3176 5fxlxrl.exe 3272 nhnntn.exe 3452 hthbnh.exe 1048 djvpd.exe 4340 dddvd.exe 2168 lxxrlfx.exe 3436 xrfffff.exe 4360 nhnhnh.exe 1320 thnnbb.exe 4984 ppjdv.exe 1840 xllfrrr.exe 3572 7fxrrrl.exe 3952 5bhbtb.exe 2976 5dvdp.exe 4576 lffxllf.exe 4744 9ffxllf.exe 2876 btnhbb.exe 4544 jpddv.exe 980 ddjjj.exe 1388 3ddvv.exe 3104 pjdpj.exe 2768 xxffrrl.exe 4876 9rrlffx.exe 3808 3djdd.exe 1368 lrxrlll.exe 628 3bnbbt.exe 2316 dppjd.exe 1852 jddvj.exe 4724 frllxff.exe -
resource yara_rule behavioral2/memory/1760-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2344-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-216-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4340-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3808-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4652-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-743-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-768-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-775-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-785-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rlxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 3544 1760 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 82 PID 1760 wrote to memory of 3544 1760 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 82 PID 1760 wrote to memory of 3544 1760 bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe 82 PID 3544 wrote to memory of 2340 3544 hbtnhb.exe 83 PID 3544 wrote to memory of 2340 3544 hbtnhb.exe 83 PID 3544 wrote to memory of 2340 3544 hbtnhb.exe 83 PID 2340 wrote to memory of 3112 2340 pjjjd.exe 84 PID 2340 wrote to memory of 3112 2340 pjjjd.exe 84 PID 2340 wrote to memory of 3112 2340 pjjjd.exe 84 PID 3112 wrote to memory of 4944 3112 xlrllff.exe 85 PID 3112 wrote to memory of 4944 3112 xlrllff.exe 85 PID 3112 wrote to memory of 4944 3112 xlrllff.exe 85 PID 4944 wrote to memory of 4168 4944 bthbhn.exe 86 PID 4944 wrote to memory of 4168 4944 bthbhn.exe 86 PID 4944 wrote to memory of 4168 4944 bthbhn.exe 86 PID 4168 wrote to memory of 980 4168 tnnbtn.exe 87 PID 4168 wrote to memory of 980 4168 tnnbtn.exe 87 PID 4168 wrote to memory of 980 4168 tnnbtn.exe 87 PID 980 wrote to memory of 1388 980 jdpjj.exe 88 PID 980 wrote to memory of 1388 980 jdpjj.exe 88 PID 980 wrote to memory of 1388 980 jdpjj.exe 88 PID 1388 wrote to memory of 2400 1388 ffllffl.exe 89 PID 1388 wrote to memory of 2400 1388 ffllffl.exe 89 PID 1388 wrote to memory of 2400 1388 ffllffl.exe 89 PID 2400 wrote to memory of 4800 2400 nnbthh.exe 90 PID 2400 wrote to memory of 4800 2400 nnbthh.exe 90 PID 2400 wrote to memory of 4800 2400 nnbthh.exe 90 PID 4800 wrote to memory of 1292 4800 7nhhhn.exe 91 PID 4800 wrote to memory of 1292 4800 7nhhhn.exe 91 PID 4800 wrote to memory of 1292 4800 7nhhhn.exe 91 PID 1292 wrote to memory of 1488 1292 ttbhhn.exe 92 PID 1292 wrote to memory of 1488 1292 ttbhhn.exe 92 PID 1292 wrote to memory of 1488 1292 ttbhhn.exe 92 PID 1488 wrote to memory of 4804 1488 nhhttn.exe 93 PID 1488 wrote to memory of 
4804 1488 nhhttn.exe 93 PID 1488 wrote to memory of 4804 1488 nhhttn.exe 93 PID 4804 wrote to memory of 2512 4804 vpdvd.exe 94 PID 4804 wrote to memory of 2512 4804 vpdvd.exe 94 PID 4804 wrote to memory of 2512 4804 vpdvd.exe 94 PID 2512 wrote to memory of 3536 2512 3xrrlll.exe 95 PID 2512 wrote to memory of 3536 2512 3xrrlll.exe 95 PID 2512 wrote to memory of 3536 2512 3xrrlll.exe 95 PID 3536 wrote to memory of 4204 3536 hbhbbt.exe 96 PID 3536 wrote to memory of 4204 3536 hbhbbt.exe 96 PID 3536 wrote to memory of 4204 3536 hbhbbt.exe 96 PID 4204 wrote to memory of 3400 4204 3rxrxrx.exe 97 PID 4204 wrote to memory of 3400 4204 3rxrxrx.exe 97 PID 4204 wrote to memory of 3400 4204 3rxrxrx.exe 97 PID 3400 wrote to memory of 3208 3400 thhnnt.exe 98 PID 3400 wrote to memory of 3208 3400 thhnnt.exe 98 PID 3400 wrote to memory of 3208 3400 thhnnt.exe 98 PID 3208 wrote to memory of 1296 3208 jdvvp.exe 99 PID 3208 wrote to memory of 1296 3208 jdvvp.exe 99 PID 3208 wrote to memory of 1296 3208 jdvvp.exe 99 PID 1296 wrote to memory of 4520 1296 lxxxrrx.exe 100 PID 1296 wrote to memory of 4520 1296 lxxxrrx.exe 100 PID 1296 wrote to memory of 4520 1296 lxxxrrx.exe 100 PID 4520 wrote to memory of 4024 4520 tnhbtt.exe 101 PID 4520 wrote to memory of 4024 4520 tnhbtt.exe 101 PID 4520 wrote to memory of 4024 4520 tnhbtt.exe 101 PID 4024 wrote to memory of 4452 4024 djjdv.exe 102 PID 4024 wrote to memory of 4452 4024 djjdv.exe 102 PID 4024 wrote to memory of 4452 4024 djjdv.exe 102 PID 4452 wrote to memory of 448 4452 xxxlxxl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"C:\Users\Admin\AppData\Local\Temp\bf8bc193fb1abd9a58749902bbaad6f2a21d497ad6811a1e70ca28c9d6ca892c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\hbtnhb.exec:\hbtnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\pjjjd.exec:\pjjjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\xlrllff.exec:\xlrllff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\bthbhn.exec:\bthbhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
\??\c:\tnnbtn.exec:\tnnbtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\jdpjj.exec:\jdpjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
\??\c:\ffllffl.exec:\ffllffl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\nnbthh.exec:\nnbthh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\7nhhhn.exec:\7nhhhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\ttbhhn.exec:\ttbhhn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\nhhttn.exec:\nhhttn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\vpdvd.exec:\vpdvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\3xrrlll.exec:\3xrrlll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\hbhbbt.exec:\hbhbbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\3rxrxrx.exec:\3rxrxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\thhnnt.exec:\thhnnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\jdvvp.exec:\jdvvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\lxxxrrx.exec:\lxxxrrx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\tnhbtt.exec:\tnhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\djjdv.exec:\djjdv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\xxxlxxl.exec:\xxxlxxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\thhhbb.exec:\thhhbb.exe23⤵
- Executes dropped EXE
PID:448 -
\??\c:\pjddv.exec:\pjddv.exe24⤵
- Executes dropped EXE
PID:4572 -
\??\c:\flxrllf.exec:\flxrllf.exe25⤵
- Executes dropped EXE
PID:548 -
\??\c:\hbnhhh.exec:\hbnhhh.exe26⤵
- Executes dropped EXE
PID:5104 -
\??\c:\jdvpp.exec:\jdvpp.exe27⤵
- Executes dropped EXE
PID:2344 -
\??\c:\lffxxxx.exec:\lffxxxx.exe28⤵
- Executes dropped EXE
PID:2080 -
\??\c:\dvjpv.exec:\dvjpv.exe29⤵
- Executes dropped EXE
PID:4112 -
\??\c:\dvpjd.exec:\dvpjd.exe30⤵
- Executes dropped EXE
PID:4708 -
\??\c:\nbttbn.exec:\nbttbn.exe31⤵
- Executes dropped EXE
PID:4484 -
\??\c:\dvvpj.exec:\dvvpj.exe32⤵
- Executes dropped EXE
PID:3060 -
\??\c:\fxrrllf.exec:\fxrrllf.exe33⤵
- Executes dropped EXE
PID:2100 -
\??\c:\lfllfxr.exec:\lfllfxr.exe34⤵
- Executes dropped EXE
PID:1976 -
\??\c:\nbbbbh.exec:\nbbbbh.exe35⤵
- Executes dropped EXE
PID:1476 -
\??\c:\1jpjj.exec:\1jpjj.exe36⤵
- Executes dropped EXE
PID:4604 -
\??\c:\5fxlxrl.exec:\5fxlxrl.exe37⤵
- Executes dropped EXE
PID:3176 -
\??\c:\nhnntn.exec:\nhnntn.exe38⤵
- Executes dropped EXE
PID:3272 -
\??\c:\hthbnh.exec:\hthbnh.exe39⤵
- Executes dropped EXE
PID:3452 -
\??\c:\djvpd.exec:\djvpd.exe40⤵
- Executes dropped EXE
PID:1048 -
\??\c:\dddvd.exec:\dddvd.exe41⤵
- Executes dropped EXE
PID:4340 -
\??\c:\lxxrlfx.exec:\lxxrlfx.exe42⤵
- Executes dropped EXE
PID:2168 -
\??\c:\xrfffff.exec:\xrfffff.exe43⤵
- Executes dropped EXE
PID:3436 -
\??\c:\nhnhnh.exec:\nhnhnh.exe44⤵
- Executes dropped EXE
PID:4360 -
\??\c:\thnnbb.exec:\thnnbb.exe45⤵
- Executes dropped EXE
PID:1320 -
\??\c:\ppjdv.exec:\ppjdv.exe46⤵
- Executes dropped EXE
PID:4984 -
\??\c:\xllfrrr.exec:\xllfrrr.exe47⤵
- Executes dropped EXE
PID:1840 -
\??\c:\7fxrrrl.exec:\7fxrrrl.exe48⤵
- Executes dropped EXE
PID:3572 -
\??\c:\5bhbtb.exec:\5bhbtb.exe49⤵
- Executes dropped EXE
PID:3952 -
\??\c:\5dvdp.exec:\5dvdp.exe50⤵
- Executes dropped EXE
PID:2976 -
\??\c:\lffxllf.exec:\lffxllf.exe51⤵
- Executes dropped EXE
PID:4576 -
\??\c:\9ffxllf.exec:\9ffxllf.exe52⤵
- Executes dropped EXE
PID:4744 -
\??\c:\btnhbb.exec:\btnhbb.exe53⤵
- Executes dropped EXE
PID:2876 -
\??\c:\jpddv.exec:\jpddv.exe54⤵
- Executes dropped EXE
PID:4544 -
\??\c:\ddjjj.exec:\ddjjj.exe55⤵
- Executes dropped EXE
PID:980 -
\??\c:\3ddvv.exec:\3ddvv.exe56⤵
- Executes dropped EXE
PID:1388 -
\??\c:\pjdpj.exec:\pjdpj.exe57⤵
- Executes dropped EXE
PID:3104 -
\??\c:\xxffrrl.exec:\xxffrrl.exe58⤵
- Executes dropped EXE
PID:2768 -
\??\c:\9rrlffx.exec:\9rrlffx.exe59⤵
- Executes dropped EXE
PID:4876 -
\??\c:\3djdd.exec:\3djdd.exe60⤵
- Executes dropped EXE
PID:3808 -
\??\c:\lrxrlll.exec:\lrxrlll.exe61⤵
- Executes dropped EXE
PID:1368 -
\??\c:\3bnbbt.exec:\3bnbbt.exe62⤵
- Executes dropped EXE
PID:628 -
\??\c:\dppjd.exec:\dppjd.exe63⤵
- Executes dropped EXE
PID:2316 -
\??\c:\jddvj.exec:\jddvj.exe64⤵
- Executes dropped EXE
PID:1852 -
\??\c:\frllxff.exec:\frllxff.exe65⤵
- Executes dropped EXE
PID:4724 -
\??\c:\bnnbth.exec:\bnnbth.exe66⤵PID:2560
-
\??\c:\vvvpd.exec:\vvvpd.exe67⤵PID:760
-
\??\c:\3ddvj.exec:\3ddvj.exe68⤵PID:2088
-
\??\c:\rxxrxrl.exec:\rxxrxrl.exe69⤵PID:2056
-
\??\c:\9hhhbn.exec:\9hhhbn.exe70⤵PID:532
-
\??\c:\vvdvp.exec:\vvdvp.exe71⤵PID:1888
-
\??\c:\lxrlxxr.exec:\lxrlxxr.exe72⤵PID:2584
-
\??\c:\rrlrrlr.exec:\rrlrrlr.exe73⤵PID:3948
-
\??\c:\hnnbth.exec:\hnnbth.exe74⤵PID:1536
-
\??\c:\vjjdd.exec:\vjjdd.exe75⤵PID:1340
-
\??\c:\frrrlfl.exec:\frrrlfl.exe76⤵PID:3624
-
\??\c:\nbbnhh.exec:\nbbnhh.exe77⤵PID:5028
-
\??\c:\7hhbtt.exec:\7hhbtt.exe78⤵PID:3576
-
\??\c:\pjjdv.exec:\pjjdv.exe79⤵PID:3168
-
\??\c:\lxxlfxr.exec:\lxxlfxr.exe80⤵PID:4956
-
\??\c:\tbhhth.exec:\tbhhth.exe81⤵PID:4348
-
\??\c:\tbhbtt.exec:\tbhbtt.exe82⤵
- System Location Discovery: System Language Discovery
PID:5096 -
\??\c:\pppdp.exec:\pppdp.exe83⤵PID:2060
-
\??\c:\fxxlffx.exec:\fxxlffx.exe84⤵PID:4976
-
\??\c:\tnhhbb.exec:\tnhhbb.exe85⤵PID:5104
-
\??\c:\9xfrlrx.exec:\9xfrlrx.exe86⤵PID:3664
-
\??\c:\thhtht.exec:\thhtht.exe87⤵PID:1196
-
\??\c:\7bthtn.exec:\7bthtn.exe88⤵PID:1784
-
\??\c:\dppdp.exec:\dppdp.exe89⤵PID:3224
-
\??\c:\hbtnbb.exec:\hbtnbb.exe90⤵PID:4036
-
\??\c:\htbhhh.exec:\htbhhh.exe91⤵PID:2292
-
\??\c:\7jdvd.exec:\7jdvd.exe92⤵PID:3892
-
\??\c:\xxfrfxl.exec:\xxfrfxl.exe93⤵PID:1236
-
\??\c:\hbbtnh.exec:\hbbtnh.exe94⤵PID:3416
-
\??\c:\pjdvj.exec:\pjdvj.exe95⤵PID:3232
-
\??\c:\rrxxlrx.exec:\rrxxlrx.exe96⤵PID:3136
-
\??\c:\tnnbtn.exec:\tnnbtn.exe97⤵PID:4652
-
\??\c:\7nhtnh.exec:\7nhtnh.exe98⤵PID:4768
-
\??\c:\5vvvv.exec:\5vvvv.exe99⤵PID:5056
-
\??\c:\rllflfx.exec:\rllflfx.exe100⤵PID:4152
-
\??\c:\bnhhth.exec:\bnhhth.exe101⤵PID:3132
-
\??\c:\tbbthb.exec:\tbbthb.exe102⤵PID:2000
-
\??\c:\jvvpp.exec:\jvvpp.exe103⤵PID:964
-
\??\c:\3xfxrlr.exec:\3xfxrlr.exe104⤵PID:1156
-
\??\c:\lxxrfxl.exec:\lxxrfxl.exe105⤵PID:4964
-
\??\c:\hbtnbb.exec:\hbtnbb.exe106⤵PID:1384
-
\??\c:\vpvpj.exec:\vpvpj.exe107⤵PID:3440
-
\??\c:\fxxrfxr.exec:\fxxrfxr.exe108⤵PID:2440
-
\??\c:\xlxffxr.exec:\xlxffxr.exe109⤵PID:4360
-
\??\c:\hhhnht.exec:\hhhnht.exe110⤵PID:2164
-
\??\c:\vvddv.exec:\vvddv.exe111⤵PID:1868
-
\??\c:\jpvjd.exec:\jpvjd.exe112⤵PID:2544
-
\??\c:\1rlfrll.exec:\1rlfrll.exe113⤵PID:4136
-
\??\c:\ttthhb.exec:\ttthhb.exe114⤵PID:2252
-
\??\c:\dvdvd.exec:\dvdvd.exe115⤵PID:3952
-
\??\c:\frffxrl.exec:\frffxrl.exe116⤵PID:2976
-
\??\c:\rrrxffx.exec:\rrrxffx.exe117⤵PID:4576
-
\??\c:\1pjdv.exec:\1pjdv.exe118⤵PID:2932
-
\??\c:\jpjpd.exec:\jpjpd.exe119⤵PID:4200
-
\??\c:\1lfxllx.exec:\1lfxllx.exe120⤵PID:4788
-
\??\c:\3nnhbt.exec:\3nnhbt.exe121⤵PID:4748
-
\??\c:\dvdvp.exec:\dvdvp.exe122⤵PID:4760