Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a.exe
-
Size
456KB
-
MD5
254f06adf78ae1223269f6dd14b3d2e8
-
SHA1
67ecc863e8c699c82f5223f4dece78cfbb378528
-
SHA256
ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a
-
SHA512
b8fd4fce9cd71a69f0b4908447309108b2c414e401377bce109a3ada4c21dbc6253e45e5f8308b6f0dd5a6d2a3827511d3bf347b1d8efa499b44844753803a09
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRl:q7Tc2NYHUrAwfMp3CDRl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4276-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4024-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3156-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-532-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-716-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-785-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4160 jdppj.exe 540 bhhthb.exe 2684 jvjdv.exe 4832 xffxxrl.exe 4860 hbnnht.exe 4028 fxrrrrr.exe 2744 7hntth.exe 4780 xrxrrll.exe 2416 tnnttt.exe 3692 ffxxxxx.exe 3220 hnhhtb.exe 1496 5xlxrxr.exe 4088 rxrllll.exe 3456 9vdvv.exe 464 vvddj.exe 3176 nnntbn.exe 880 pjvvv.exe 3124 fxxrrrl.exe 4196 1lfxxrr.exe 3556 hntnht.exe 4024 pddvp.exe 4516 1bnnht.exe 8 vvvvv.exe 1972 9ffrxrl.exe 612 hbbbtt.exe 512 fllxfxr.exe 748 djvvv.exe 1236 ppdvd.exe 4992 fxfxrrr.exe 3004 htbbtb.exe 4228 dvvpj.exe 4932 hhhnbt.exe 2964 hnbnnt.exe 3548 jpjjv.exe 1960 hbbnnh.exe 656 vppdv.exe 440 bhhbtt.exe 3660 dpdvp.exe 3172 xlfrlfx.exe 396 thtnbt.exe 2256 lxxlrll.exe 2144 bnthnn.exe 4956 vdvpj.exe 3480 lfxrlfr.exe 2340 nnhbnn.exe 4392 7hnhbn.exe 4300 ffffxxx.exe 2444 tnhtnn.exe 4256 ppvpd.exe 4692 xlxflll.exe 4568 rxlfxfx.exe 2684 7nbttb.exe 3964 9djjv.exe 436 frxxrrr.exe 4740 htbttt.exe 2588 jdjjd.exe 208 llrlxrl.exe 1228 bhnhhh.exe 4836 pjpjj.exe 1160 5xxrxxf.exe 3784 bbhbbn.exe 4580 nnbthh.exe 4756 5vppj.exe 2080 xrfxllf.exe -
resource yara_rule behavioral2/memory/4276-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/748-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4548-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-716-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-785-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdjp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrllf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4276 wrote to memory of 4160 4276 ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a.exe 82 PID 4276 wrote to memory of 4160 4276 ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a.exe 82 PID 4276 wrote to memory of 4160 4276 ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a.exe 82 PID 4160 wrote to memory of 540 4160 jdppj.exe 83 PID 4160 wrote to memory of 540 4160 jdppj.exe 83 PID 4160 wrote to memory of 540 4160 jdppj.exe 83 PID 540 wrote to memory of 2684 540 bhhthb.exe 84 PID 540 wrote to memory of 2684 540 bhhthb.exe 84 PID 540 wrote to memory of 2684 540 bhhthb.exe 84 PID 2684 wrote to memory of 4832 2684 jvjdv.exe 85 PID 2684 wrote to memory of 4832 2684 jvjdv.exe 85 PID 2684 wrote to memory of 4832 2684 jvjdv.exe 85 PID 4832 wrote to memory of 4860 4832 xffxxrl.exe 86 PID 4832 wrote to memory of 4860 4832 xffxxrl.exe 86 PID 4832 wrote to memory of 4860 4832 xffxxrl.exe 86 PID 4860 wrote to memory of 4028 4860 hbnnht.exe 87 PID 4860 wrote to memory of 4028 4860 hbnnht.exe 87 PID 4860 wrote to memory of 4028 4860 hbnnht.exe 87 PID 4028 wrote to memory of 2744 4028 fxrrrrr.exe 88 PID 4028 wrote to memory of 2744 4028 fxrrrrr.exe 88 PID 4028 wrote to memory of 2744 4028 fxrrrrr.exe 88 PID 2744 wrote to memory of 4780 2744 7hntth.exe 89 PID 2744 wrote to memory of 4780 2744 7hntth.exe 89 PID 2744 wrote to memory of 4780 2744 7hntth.exe 89 PID 4780 wrote to memory of 2416 4780 xrxrrll.exe 90 PID 4780 wrote to memory of 2416 4780 xrxrrll.exe 90 PID 4780 wrote to memory of 2416 4780 xrxrrll.exe 90 PID 2416 wrote to memory of 3692 2416 tnnttt.exe 91 PID 2416 wrote to memory of 3692 2416 tnnttt.exe 91 PID 2416 wrote to memory of 3692 2416 tnnttt.exe 91 PID 3692 wrote to memory of 3220 3692 ffxxxxx.exe 92 PID 3692 wrote to memory of 3220 3692 ffxxxxx.exe 92 PID 3692 wrote to memory of 3220 3692 ffxxxxx.exe 92 PID 3220 wrote to memory of 1496 3220 hnhhtb.exe 93 PID 3220 wrote to 
memory of 1496 3220 hnhhtb.exe 93 PID 3220 wrote to memory of 1496 3220 hnhhtb.exe 93 PID 1496 wrote to memory of 4088 1496 5xlxrxr.exe 94 PID 1496 wrote to memory of 4088 1496 5xlxrxr.exe 94 PID 1496 wrote to memory of 4088 1496 5xlxrxr.exe 94 PID 4088 wrote to memory of 3456 4088 rxrllll.exe 95 PID 4088 wrote to memory of 3456 4088 rxrllll.exe 95 PID 4088 wrote to memory of 3456 4088 rxrllll.exe 95 PID 3456 wrote to memory of 464 3456 9vdvv.exe 96 PID 3456 wrote to memory of 464 3456 9vdvv.exe 96 PID 3456 wrote to memory of 464 3456 9vdvv.exe 96 PID 464 wrote to memory of 3176 464 vvddj.exe 97 PID 464 wrote to memory of 3176 464 vvddj.exe 97 PID 464 wrote to memory of 3176 464 vvddj.exe 97 PID 3176 wrote to memory of 880 3176 nnntbn.exe 98 PID 3176 wrote to memory of 880 3176 nnntbn.exe 98 PID 3176 wrote to memory of 880 3176 nnntbn.exe 98 PID 880 wrote to memory of 3124 880 pjvvv.exe 99 PID 880 wrote to memory of 3124 880 pjvvv.exe 99 PID 880 wrote to memory of 3124 880 pjvvv.exe 99 PID 3124 wrote to memory of 4196 3124 fxxrrrl.exe 100 PID 3124 wrote to memory of 4196 3124 fxxrrrl.exe 100 PID 3124 wrote to memory of 4196 3124 fxxrrrl.exe 100 PID 4196 wrote to memory of 3556 4196 1lfxxrr.exe 101 PID 4196 wrote to memory of 3556 4196 1lfxxrr.exe 101 PID 4196 wrote to memory of 3556 4196 1lfxxrr.exe 101 PID 3556 wrote to memory of 4024 3556 hntnht.exe 102 PID 3556 wrote to memory of 4024 3556 hntnht.exe 102 PID 3556 wrote to memory of 4024 3556 hntnht.exe 102 PID 4024 wrote to memory of 4516 4024 pddvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a.exe"C:\Users\Admin\AppData\Local\Temp\ad5236a2a757a0605d5cfa9d615046ff3397ff9a71189ce1d1c1adc4e0db191a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\jdppj.exec:\jdppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\bhhthb.exec:\bhhthb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\jvjdv.exec:\jvjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
\??\c:\xffxxrl.exec:\xffxxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\hbnnht.exec:\hbnnht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\7hntth.exec:\7hntth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\xrxrrll.exec:\xrxrrll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
\??\c:\tnnttt.exec:\tnnttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\hnhhtb.exec:\hnhhtb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\5xlxrxr.exec:\5xlxrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\rxrllll.exec:\rxrllll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\9vdvv.exec:\9vdvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\vvddj.exec:\vvddj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\nnntbn.exec:\nnntbn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\pjvvv.exec:\pjvvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\1lfxxrr.exec:\1lfxxrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\hntnht.exec:\hntnht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\pddvp.exec:\pddvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\1bnnht.exec:\1bnnht.exe23⤵
- Executes dropped EXE
PID:4516 -
\??\c:\vvvvv.exec:\vvvvv.exe24⤵
- Executes dropped EXE
PID:8 -
\??\c:\9ffrxrl.exec:\9ffrxrl.exe25⤵
- Executes dropped EXE
PID:1972 -
\??\c:\hbbbtt.exec:\hbbbtt.exe26⤵
- Executes dropped EXE
PID:612 -
\??\c:\fllxfxr.exec:\fllxfxr.exe27⤵
- Executes dropped EXE
PID:512 -
\??\c:\djvvv.exec:\djvvv.exe28⤵
- Executes dropped EXE
PID:748 -
\??\c:\ppdvd.exec:\ppdvd.exe29⤵
- Executes dropped EXE
PID:1236 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe30⤵
- Executes dropped EXE
PID:4992 -
\??\c:\htbbtb.exec:\htbbtb.exe31⤵
- Executes dropped EXE
PID:3004 -
\??\c:\dvvpj.exec:\dvvpj.exe32⤵
- Executes dropped EXE
PID:4228 -
\??\c:\hhhnbt.exec:\hhhnbt.exe33⤵
- Executes dropped EXE
PID:4932 -
\??\c:\hnbnnt.exec:\hnbnnt.exe34⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jpjjv.exec:\jpjjv.exe35⤵
- Executes dropped EXE
PID:3548 -
\??\c:\hbbnnh.exec:\hbbnnh.exe36⤵
- Executes dropped EXE
PID:1960 -
\??\c:\vppdv.exec:\vppdv.exe37⤵
- Executes dropped EXE
PID:656 -
\??\c:\bhhbtt.exec:\bhhbtt.exe38⤵
- Executes dropped EXE
PID:440 -
\??\c:\dpdvp.exec:\dpdvp.exe39⤵
- Executes dropped EXE
PID:3660 -
\??\c:\xlfrlfx.exec:\xlfrlfx.exe40⤵
- Executes dropped EXE
PID:3172 -
\??\c:\thtnbt.exec:\thtnbt.exe41⤵
- Executes dropped EXE
PID:396 -
\??\c:\lxxlrll.exec:\lxxlrll.exe42⤵
- Executes dropped EXE
PID:2256 -
\??\c:\bnthnn.exec:\bnthnn.exe43⤵
- Executes dropped EXE
PID:2144 -
\??\c:\vdvpj.exec:\vdvpj.exe44⤵
- Executes dropped EXE
PID:4956 -
\??\c:\lfxrlfr.exec:\lfxrlfr.exe45⤵
- Executes dropped EXE
PID:3480 -
\??\c:\nnhbnn.exec:\nnhbnn.exe46⤵
- Executes dropped EXE
PID:2340 -
\??\c:\7hnhbn.exec:\7hnhbn.exe47⤵
- Executes dropped EXE
PID:4392 -
\??\c:\ffffxxx.exec:\ffffxxx.exe48⤵
- Executes dropped EXE
PID:4300 -
\??\c:\tnhtnn.exec:\tnhtnn.exe49⤵
- Executes dropped EXE
PID:2444 -
\??\c:\ppvpd.exec:\ppvpd.exe50⤵
- Executes dropped EXE
PID:4256 -
\??\c:\xlxflll.exec:\xlxflll.exe51⤵
- Executes dropped EXE
PID:4692 -
\??\c:\rxlfxfx.exec:\rxlfxfx.exe52⤵
- Executes dropped EXE
PID:4568 -
\??\c:\7nbttb.exec:\7nbttb.exe53⤵
- Executes dropped EXE
PID:2684 -
\??\c:\9djjv.exec:\9djjv.exe54⤵
- Executes dropped EXE
PID:3964 -
\??\c:\frxxrrr.exec:\frxxrrr.exe55⤵
- Executes dropped EXE
PID:436 -
\??\c:\htbttt.exec:\htbttt.exe56⤵
- Executes dropped EXE
PID:4740 -
\??\c:\jdjjd.exec:\jdjjd.exe57⤵
- Executes dropped EXE
PID:2588 -
\??\c:\llrlxrl.exec:\llrlxrl.exe58⤵
- Executes dropped EXE
PID:208 -
\??\c:\bhnhhh.exec:\bhnhhh.exe59⤵
- Executes dropped EXE
PID:1228 -
\??\c:\pjpjj.exec:\pjpjj.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4836 -
\??\c:\5xxrxxf.exec:\5xxrxxf.exe61⤵
- Executes dropped EXE
PID:1160 -
\??\c:\bbhbbn.exec:\bbhbbn.exe62⤵
- Executes dropped EXE
PID:3784 -
\??\c:\nnbthh.exec:\nnbthh.exe63⤵
- Executes dropped EXE
PID:4580 -
\??\c:\5vppj.exec:\5vppj.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4756 -
\??\c:\xrfxllf.exec:\xrfxllf.exe65⤵
- Executes dropped EXE
PID:2080 -
\??\c:\ttnhnn.exec:\ttnhnn.exe66⤵PID:1056
-
\??\c:\jjpjv.exec:\jjpjv.exe67⤵PID:3944
-
\??\c:\frllfff.exec:\frllfff.exe68⤵PID:4068
-
\??\c:\lrrlflf.exec:\lrrlflf.exe69⤵PID:5112
-
\??\c:\hbbtnn.exec:\hbbtnn.exe70⤵PID:3456
-
\??\c:\vvdpv.exec:\vvdpv.exe71⤵PID:3156
-
\??\c:\rrxfllx.exec:\rrxfllx.exe72⤵PID:2468
-
\??\c:\tnbbhh.exec:\tnbbhh.exe73⤵PID:1568
-
\??\c:\jvvvp.exec:\jvvvp.exe74⤵PID:880
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe75⤵PID:3124
-
\??\c:\llxrrxf.exec:\llxrrxf.exe76⤵PID:4444
-
\??\c:\nnbbhh.exec:\nnbbhh.exe77⤵PID:852
-
\??\c:\vjdjp.exec:\vjdjp.exe78⤵
- System Location Discovery: System Language Discovery
PID:2516 -
\??\c:\3xlfxxr.exec:\3xlfxxr.exe79⤵PID:4528
-
\??\c:\ttbttt.exec:\ttbttt.exe80⤵PID:4516
-
\??\c:\ddddd.exec:\ddddd.exe81⤵PID:1920
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe82⤵PID:4820
-
\??\c:\1ffffll.exec:\1ffffll.exe83⤵PID:1204
-
\??\c:\nbhnnn.exec:\nbhnnn.exe84⤵PID:2512
-
\??\c:\pvvjd.exec:\pvvjd.exe85⤵PID:2912
-
\??\c:\xxffrll.exec:\xxffrll.exe86⤵PID:512
-
\??\c:\tnttnn.exec:\tnttnn.exe87⤵PID:832
-
\??\c:\pdvjj.exec:\pdvjj.exe88⤵PID:456
-
\??\c:\djvvj.exec:\djvvj.exe89⤵PID:4336
-
\??\c:\xrlfxrr.exec:\xrlfxrr.exe90⤵PID:4992
-
\??\c:\nhnnbn.exec:\nhnnbn.exe91⤵PID:4548
-
\??\c:\jjddv.exec:\jjddv.exe92⤵PID:3004
-
\??\c:\frxrllf.exec:\frxrllf.exe93⤵PID:4228
-
\??\c:\hhttnt.exec:\hhttnt.exe94⤵PID:2792
-
\??\c:\bbnnhh.exec:\bbnnhh.exe95⤵PID:3084
-
\??\c:\jpppj.exec:\jpppj.exe96⤵PID:2956
-
\??\c:\xxrrlff.exec:\xxrrlff.exe97⤵PID:2844
-
\??\c:\5bbtth.exec:\5bbtth.exe98⤵PID:656
-
\??\c:\jvjdv.exec:\jvjdv.exe99⤵PID:4268
-
\??\c:\flxxxrr.exec:\flxxxrr.exe100⤵PID:3180
-
\??\c:\tnbtnn.exec:\tnbtnn.exe101⤵PID:3252
-
\??\c:\dpvvv.exec:\dpvvv.exe102⤵PID:3644
-
\??\c:\9rffffr.exec:\9rffffr.exe103⤵PID:3564
-
\??\c:\rlrlllf.exec:\rlrlllf.exe104⤵PID:2508
-
\??\c:\ttbbbn.exec:\ttbbbn.exe105⤵PID:4916
-
\??\c:\5jjdj.exec:\5jjdj.exe106⤵PID:4052
-
\??\c:\lxxrlrl.exec:\lxxrlrl.exe107⤵PID:2696
-
\??\c:\thhbtb.exec:\thhbtb.exe108⤵PID:4308
-
\??\c:\jjjvj.exec:\jjjvj.exe109⤵PID:4416
-
\??\c:\7xxlfxr.exec:\7xxlfxr.exe110⤵PID:1064
-
\??\c:\btttnh.exec:\btttnh.exe111⤵PID:2292
-
\??\c:\jdjdd.exec:\jdjdd.exe112⤵PID:4160
-
\??\c:\flffxll.exec:\flffxll.exe113⤵PID:2436
-
\??\c:\xxllffx.exec:\xxllffx.exe114⤵PID:4108
-
\??\c:\nbtntn.exec:\nbtntn.exe115⤵PID:2684
-
\??\c:\ppdvd.exec:\ppdvd.exe116⤵PID:4948
-
\??\c:\jppjp.exec:\jppjp.exe117⤵
- System Location Discovery: System Language Discovery
PID:436 -
\??\c:\fllllll.exec:\fllllll.exe118⤵PID:4740
-
\??\c:\bhhhhh.exec:\bhhhhh.exe119⤵PID:2228
-
\??\c:\7vjdj.exec:\7vjdj.exe120⤵PID:2744
-
\??\c:\llrrrll.exec:\llrrrll.exe121⤵PID:2112
-
\??\c:\flrlllr.exec:\flrlllr.exe122⤵PID:1240