Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20/11/2024, 03:23
Behavioral task
behavioral1
Sample
1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47.exe
Resource
win7-20240903-en
7 signatures
120 seconds
Note: this task entry describes behavioral1 on the Windows 7 image, but the platform/resource fields above and every IoC path below (behavioral2/memory/..., behavioral2/files/...) come from the Windows 10 2004 x64 run; results from the Windows 7 task are not reproduced on this page.
General
-
Target
1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47.exe
-
Size
97KB
-
MD5
25016851fe25c961431476e6efdbbe99
-
SHA1
29331be1629d1d4403f086e60415ab03e2a095b3
-
SHA256
1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47
-
SHA512
4d8628c90ed3bf9e3b31154781dd1bd8ece5d550721f945dba484ef5f401b4344094b9252af30077310ef563fb2e32aee16111af2caa949e273d699b7c2893ef
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgJ:8cm4FmowdHoSgWrXUgJ
Malware Config (no configuration was extracted for this sample)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (all hits are memory dumps of the same 0x400000-0x427000 image region in successive dropped processes, i.e. repeated matches on one payload rather than 64 distinct indicators; the list is capped at 64 entries, and because the sandbox reuses PIDs within a run — e.g. 1768, 1616, 2128 each appear twice at different offsets — a PID alone does not identify a unique process here)
resource yara_rule behavioral2/memory/1852-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4904-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3228-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5028-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2888-42-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2564-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-52-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2924-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1452-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1980-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1560-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3720-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3148-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3940-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3516-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-119-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-140-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3480-151-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3036-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/392-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/408-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2800-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4504-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/940-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2852-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-243-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3012-246-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1828-257-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2616-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2128-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1768-292-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4728-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-374-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2936-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2128-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2368-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3216-431-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-831-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2356-882-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each stage writes a copy under a different pseudo-random name to the root of C:\ and launches it, and that child repeats the cycle; the list is truncated at 64 entries while the process tree below records more than 120 stages)
pid Process 1752 htbhbb.exe 4904 lffrrlf.exe 3228 04426.exe 4884 0264264.exe 5028 rxxrrrr.exe 1356 4226420.exe 2888 k00006.exe 2564 288648.exe 3544 240082.exe 4560 tnhbhb.exe 2408 822020.exe 2924 2404826.exe 1616 httbbn.exe 1452 vvddp.exe 1980 462604.exe 1560 pjpjd.exe 3940 jvdjd.exe 2400 fxrrflx.exe 3720 vpvjv.exe 4088 1fxfxxl.exe 1088 pvpjp.exe 3148 lflfxfr.exe 228 q84200.exe 3332 tnnbnh.exe 3516 nnbnth.exe 1028 5flfrrx.exe 1768 6448042.exe 4496 tnnbbh.exe 3480 8862884.exe 2820 vdjvj.exe 5116 pjjdj.exe 4472 280268.exe 2276 0404606.exe 4928 thnhbt.exe 3036 86424.exe 796 tntnhn.exe 3760 bhnnhn.exe 4952 rxxllfx.exe 392 pdpjd.exe 2392 nbhbth.exe 2588 vvdjp.exe 516 4264000.exe 408 4880086.exe 4984 frxxrxx.exe 4432 lffrfff.exe 2800 xrrrffx.exe 4616 62248.exe 4504 ppdvd.exe 940 w08800.exe 5008 480644.exe 4084 fxllrxx.exe 1328 nhbbbh.exe 4324 264468.exe 5072 q04606.exe 3196 46464.exe 2204 4646242.exe 2852 484208.exe 4308 446606.exe 3120 040860.exe 4596 620806.exe 2376 hhbbbb.exe 3252 002240.exe 2556 bhthth.exe 2908 bntnbb.exe -
resource yara_rule behavioral2/memory/1852-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cda-3.dat upx behavioral2/memory/1852-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce1-9.dat upx behavioral2/memory/4904-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1752-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce2-12.dat upx behavioral2/memory/4904-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce3-19.dat upx behavioral2/memory/3228-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4884-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce4-25.dat upx behavioral2/memory/5028-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce5-30.dat upx behavioral2/memory/1356-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce6-36.dat upx behavioral2/files/0x0007000000023ce7-40.dat upx behavioral2/memory/2888-42-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2564-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ce8-46.dat upx behavioral2/files/0x0007000000023ce9-49.dat upx behavioral2/memory/3544-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4560-52-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cea-55.dat upx behavioral2/memory/4560-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ceb-60.dat upx behavioral2/memory/2408-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cec-65.dat upx behavioral2/memory/2924-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1616-71-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023ced-72.dat upx behavioral2/memory/1452-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cee-77.dat upx behavioral2/files/0x0007000000023cef-80.dat upx behavioral2/memory/1560-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1980-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf0-86.dat upx behavioral2/memory/1560-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023cde-91.dat upx behavioral2/files/0x0007000000023cf1-96.dat upx behavioral2/memory/2400-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf2-101.dat upx behavioral2/memory/4088-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3720-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf3-108.dat upx behavioral2/memory/3148-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf4-112.dat upx behavioral2/memory/3940-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf5-116.dat upx behavioral2/files/0x0007000000023cf6-121.dat upx behavioral2/memory/3332-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf7-126.dat upx behavioral2/memory/3516-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf8-131.dat upx behavioral2/memory/1028-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/228-119-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cf9-136.dat upx behavioral2/memory/1768-140-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cfa-142.dat upx behavioral2/files/0x0007000000023cfb-145.dat upx behavioral2/memory/4496-147-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cfd-150.dat upx behavioral2/memory/3480-151-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cfe-155.dat upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of the victim host in order to infer its geographical location. Caveat for triage: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also performed by benign locale-aware runtime code, so this indicator is low-fidelity on its own and is only notable here in combination with the dropper chain. Entries attributed to "Process not Found" most likely belong to short-lived stages that had already exited before the sandbox resolved the PID — treat them as unattributed rather than as evidence of a hidden process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46220.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2240000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24400.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w62860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4628806.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 640020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2062844.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntttb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4488406.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every recorded write is from a parent into the child it has just spawned, matching the parent→child chain in the process tree, and each pair is logged three times; no write into a pre-existing, unrelated process appears in this list, so this is consistent with staged process launching rather than classic injection into a foreign process)
description pid Process procid_target PID 1852 wrote to memory of 1752 1852 1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47.exe 85 PID 1852 wrote to memory of 1752 1852 1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47.exe 85 PID 1852 wrote to memory of 1752 1852 1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47.exe 85 PID 1752 wrote to memory of 4904 1752 htbhbb.exe 86 PID 1752 wrote to memory of 4904 1752 htbhbb.exe 86 PID 1752 wrote to memory of 4904 1752 htbhbb.exe 86 PID 4904 wrote to memory of 3228 4904 lffrrlf.exe 87 PID 4904 wrote to memory of 3228 4904 lffrrlf.exe 87 PID 4904 wrote to memory of 3228 4904 lffrrlf.exe 87 PID 3228 wrote to memory of 4884 3228 04426.exe 88 PID 3228 wrote to memory of 4884 3228 04426.exe 88 PID 3228 wrote to memory of 4884 3228 04426.exe 88 PID 4884 wrote to memory of 5028 4884 0264264.exe 89 PID 4884 wrote to memory of 5028 4884 0264264.exe 89 PID 4884 wrote to memory of 5028 4884 0264264.exe 89 PID 5028 wrote to memory of 1356 5028 rxxrrrr.exe 90 PID 5028 wrote to memory of 1356 5028 rxxrrrr.exe 90 PID 5028 wrote to memory of 1356 5028 rxxrrrr.exe 90 PID 1356 wrote to memory of 2888 1356 4226420.exe 91 PID 1356 wrote to memory of 2888 1356 4226420.exe 91 PID 1356 wrote to memory of 2888 1356 4226420.exe 91 PID 2888 wrote to memory of 2564 2888 k00006.exe 93 PID 2888 wrote to memory of 2564 2888 k00006.exe 93 PID 2888 wrote to memory of 2564 2888 k00006.exe 93 PID 2564 wrote to memory of 3544 2564 288648.exe 95 PID 2564 wrote to memory of 3544 2564 288648.exe 95 PID 2564 wrote to memory of 3544 2564 288648.exe 95 PID 3544 wrote to memory of 4560 3544 240082.exe 96 PID 3544 wrote to memory of 4560 3544 240082.exe 96 PID 3544 wrote to memory of 4560 3544 240082.exe 96 PID 4560 wrote to memory of 2408 4560 tnhbhb.exe 97 PID 4560 wrote to memory of 2408 4560 tnhbhb.exe 97 PID 4560 wrote to memory of 2408 4560 tnhbhb.exe 97 PID 2408 wrote to memory of 2924 2408 822020.exe 98 PID 2408 
wrote to memory of 2924 2408 822020.exe 98 PID 2408 wrote to memory of 2924 2408 822020.exe 98 PID 2924 wrote to memory of 1616 2924 2404826.exe 99 PID 2924 wrote to memory of 1616 2924 2404826.exe 99 PID 2924 wrote to memory of 1616 2924 2404826.exe 99 PID 1616 wrote to memory of 1452 1616 httbbn.exe 100 PID 1616 wrote to memory of 1452 1616 httbbn.exe 100 PID 1616 wrote to memory of 1452 1616 httbbn.exe 100 PID 1452 wrote to memory of 1980 1452 vvddp.exe 101 PID 1452 wrote to memory of 1980 1452 vvddp.exe 101 PID 1452 wrote to memory of 1980 1452 vvddp.exe 101 PID 1980 wrote to memory of 1560 1980 462604.exe 102 PID 1980 wrote to memory of 1560 1980 462604.exe 102 PID 1980 wrote to memory of 1560 1980 462604.exe 102 PID 1560 wrote to memory of 3940 1560 pjpjd.exe 103 PID 1560 wrote to memory of 3940 1560 pjpjd.exe 103 PID 1560 wrote to memory of 3940 1560 pjpjd.exe 103 PID 3940 wrote to memory of 2400 3940 jvdjd.exe 104 PID 3940 wrote to memory of 2400 3940 jvdjd.exe 104 PID 3940 wrote to memory of 2400 3940 jvdjd.exe 104 PID 2400 wrote to memory of 3720 2400 fxrrflx.exe 105 PID 2400 wrote to memory of 3720 2400 fxrrflx.exe 105 PID 2400 wrote to memory of 3720 2400 fxrrflx.exe 105 PID 3720 wrote to memory of 4088 3720 vpvjv.exe 107 PID 3720 wrote to memory of 4088 3720 vpvjv.exe 107 PID 3720 wrote to memory of 4088 3720 vpvjv.exe 107 PID 4088 wrote to memory of 1088 4088 1fxfxxl.exe 108 PID 4088 wrote to memory of 1088 4088 1fxfxxl.exe 108 PID 4088 wrote to memory of 1088 4088 1fxfxxl.exe 108 PID 1088 wrote to memory of 3148 1088 pvpjp.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47.exe"C:\Users\Admin\AppData\Local\Temp\1f8a88f830631bd075e61e917a002ba8c1105d27b208841453252467bfd48b47.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\htbhbb.exec:\htbhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\lffrrlf.exec:\lffrrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\04426.exec:\04426.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\0264264.exec:\0264264.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\4226420.exec:\4226420.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\k00006.exec:\k00006.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\288648.exec:\288648.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\240082.exec:\240082.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\tnhbhb.exec:\tnhbhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\822020.exec:\822020.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\2404826.exec:\2404826.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\httbbn.exec:\httbbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\vvddp.exec:\vvddp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\462604.exec:\462604.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\pjpjd.exec:\pjpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\jvdjd.exec:\jvdjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\fxrrflx.exec:\fxrrflx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\vpvjv.exec:\vpvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\1fxfxxl.exec:\1fxfxxl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\pvpjp.exec:\pvpjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\lflfxfr.exec:\lflfxfr.exe23⤵
- Executes dropped EXE
PID:3148 -
\??\c:\q84200.exec:\q84200.exe24⤵
- Executes dropped EXE
PID:228 -
\??\c:\tnnbnh.exec:\tnnbnh.exe25⤵
- Executes dropped EXE
PID:3332 -
\??\c:\nnbnth.exec:\nnbnth.exe26⤵
- Executes dropped EXE
PID:3516 -
\??\c:\5flfrrx.exec:\5flfrrx.exe27⤵
- Executes dropped EXE
PID:1028 -
\??\c:\6448042.exec:\6448042.exe28⤵
- Executes dropped EXE
PID:1768 -
\??\c:\tnnbbh.exec:\tnnbbh.exe29⤵
- Executes dropped EXE
PID:4496 -
\??\c:\8862884.exec:\8862884.exe30⤵
- Executes dropped EXE
PID:3480 -
\??\c:\vdjvj.exec:\vdjvj.exe31⤵
- Executes dropped EXE
PID:2820 -
\??\c:\pjjdj.exec:\pjjdj.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5116 -
\??\c:\280268.exec:\280268.exe33⤵
- Executes dropped EXE
PID:4472 -
\??\c:\0404606.exec:\0404606.exe34⤵
- Executes dropped EXE
PID:2276 -
\??\c:\thnhbt.exec:\thnhbt.exe35⤵
- Executes dropped EXE
PID:4928 -
\??\c:\86424.exec:\86424.exe36⤵
- Executes dropped EXE
PID:3036 -
\??\c:\tntnhn.exec:\tntnhn.exe37⤵
- Executes dropped EXE
PID:796 -
\??\c:\bhnnhn.exec:\bhnnhn.exe38⤵
- Executes dropped EXE
PID:3760 -
\??\c:\rxxllfx.exec:\rxxllfx.exe39⤵
- Executes dropped EXE
PID:4952 -
\??\c:\pdpjd.exec:\pdpjd.exe40⤵
- Executes dropped EXE
PID:392 -
\??\c:\nbhbth.exec:\nbhbth.exe41⤵
- Executes dropped EXE
PID:2392 -
\??\c:\vvdjp.exec:\vvdjp.exe42⤵
- Executes dropped EXE
PID:2588 -
\??\c:\4264000.exec:\4264000.exe43⤵
- Executes dropped EXE
PID:516 -
\??\c:\4880086.exec:\4880086.exe44⤵
- Executes dropped EXE
PID:408 -
\??\c:\frxxrxx.exec:\frxxrxx.exe45⤵
- Executes dropped EXE
PID:4984 -
\??\c:\lffrfff.exec:\lffrfff.exe46⤵
- Executes dropped EXE
PID:4432 -
\??\c:\xrrrffx.exec:\xrrrffx.exe47⤵
- Executes dropped EXE
PID:2800 -
\??\c:\62248.exec:\62248.exe48⤵
- Executes dropped EXE
PID:4616 -
\??\c:\ppdvd.exec:\ppdvd.exe49⤵
- Executes dropped EXE
PID:4504 -
\??\c:\w08800.exec:\w08800.exe50⤵
- Executes dropped EXE
PID:940 -
\??\c:\480644.exec:\480644.exe51⤵
- Executes dropped EXE
PID:5008 -
\??\c:\fxllrxx.exec:\fxllrxx.exe52⤵
- Executes dropped EXE
PID:4084 -
\??\c:\nhbbbh.exec:\nhbbbh.exe53⤵
- Executes dropped EXE
PID:1328 -
\??\c:\264468.exec:\264468.exe54⤵
- Executes dropped EXE
PID:4324 -
\??\c:\q04606.exec:\q04606.exe55⤵
- Executes dropped EXE
PID:5072 -
\??\c:\46464.exec:\46464.exe56⤵
- Executes dropped EXE
PID:3196 -
\??\c:\4646242.exec:\4646242.exe57⤵
- Executes dropped EXE
PID:2204 -
\??\c:\484208.exec:\484208.exe58⤵
- Executes dropped EXE
PID:2852 -
\??\c:\446606.exec:\446606.exe59⤵
- Executes dropped EXE
PID:4308 -
\??\c:\040860.exec:\040860.exe60⤵
- Executes dropped EXE
PID:3120 -
\??\c:\620806.exec:\620806.exe61⤵
- Executes dropped EXE
PID:4596 -
\??\c:\hhbbbb.exec:\hhbbbb.exe62⤵
- Executes dropped EXE
PID:2376 -
\??\c:\002240.exec:\002240.exe63⤵
- Executes dropped EXE
PID:3252 -
\??\c:\bhthth.exec:\bhthth.exe64⤵
- Executes dropped EXE
PID:2556 -
\??\c:\bntnbb.exec:\bntnbb.exe65⤵
- Executes dropped EXE
PID:2908 -
\??\c:\8222646.exec:\8222646.exe66⤵PID:3352
-
\??\c:\7llrfff.exec:\7llrfff.exe67⤵PID:3012
-
\??\c:\866082.exec:\866082.exe68⤵PID:2936
-
\??\c:\hbtttb.exec:\hbtttb.exe69⤵PID:2524
-
\??\c:\pvvpj.exec:\pvvpj.exe70⤵PID:2452
-
\??\c:\nhtbbh.exec:\nhtbbh.exe71⤵PID:2552
-
\??\c:\pppvp.exec:\pppvp.exe72⤵PID:1828
-
\??\c:\02640.exec:\02640.exe73⤵PID:4624
-
\??\c:\4042060.exec:\4042060.exe74⤵PID:4452
-
\??\c:\flllfff.exec:\flllfff.exe75⤵PID:220
-
\??\c:\028008.exec:\028008.exe76⤵PID:4352
-
\??\c:\pjjpp.exec:\pjjpp.exe77⤵PID:2616
-
\??\c:\dvdvv.exec:\dvdvv.exe78⤵PID:2168
-
\??\c:\djpdv.exec:\djpdv.exe79⤵PID:2128
-
\??\c:\022200.exec:\022200.exe80⤵PID:3148
-
\??\c:\vpppj.exec:\vpppj.exe81⤵PID:3568
-
\??\c:\u688448.exec:\u688448.exe82⤵PID:3008
-
\??\c:\flrlffx.exec:\flrlffx.exe83⤵PID:2296
-
\??\c:\bnhhhn.exec:\bnhhhn.exe84⤵PID:1280
-
\??\c:\4400066.exec:\4400066.exe85⤵PID:3512
-
\??\c:\066602.exec:\066602.exe86⤵PID:636
-
\??\c:\jppjj.exec:\jppjj.exe87⤵PID:1768
-
\??\c:\lflllll.exec:\lflllll.exe88⤵PID:764
-
\??\c:\7jjjj.exec:\7jjjj.exe89⤵PID:4728
-
\??\c:\9bbhhn.exec:\9bbhhn.exe90⤵PID:2096
-
\??\c:\bnntnt.exec:\bnntnt.exe91⤵PID:1632
-
\??\c:\48426.exec:\48426.exe92⤵PID:1176
-
\??\c:\tbbhhb.exec:\tbbhhb.exe93⤵PID:4828
-
\??\c:\nttttb.exec:\nttttb.exe94⤵PID:4916
-
\??\c:\bbhbtt.exec:\bbhbtt.exe95⤵PID:4928
-
\??\c:\0886622.exec:\0886622.exe96⤵PID:3832
-
\??\c:\26028.exec:\26028.exe97⤵PID:796
-
\??\c:\thnhbh.exec:\thnhbh.exe98⤵PID:1740
-
\??\c:\hbhbbt.exec:\hbhbbt.exe99⤵PID:2728
-
\??\c:\06866.exec:\06866.exe100⤵PID:4956
-
\??\c:\26668.exec:\26668.exe101⤵PID:1096
-
\??\c:\tbnnhh.exec:\tbnnhh.exe102⤵
- System Location Discovery: System Language Discovery
PID:2588 -
\??\c:\q04628.exec:\q04628.exe103⤵PID:516
-
\??\c:\0668024.exec:\0668024.exe104⤵PID:408
-
\??\c:\8606668.exec:\8606668.exe105⤵PID:1260
-
\??\c:\vvvpv.exec:\vvvpv.exe106⤵PID:4476
-
\??\c:\lfrlrlf.exec:\lfrlrlf.exe107⤵PID:2216
-
\??\c:\djpvd.exec:\djpvd.exe108⤵PID:3300
-
\??\c:\4404822.exec:\4404822.exe109⤵PID:64
-
\??\c:\680426.exec:\680426.exe110⤵PID:2024
-
\??\c:\4408226.exec:\4408226.exe111⤵PID:1660
-
\??\c:\2060886.exec:\2060886.exe112⤵PID:5008
-
\??\c:\jddvj.exec:\jddvj.exe113⤵PID:1100
-
\??\c:\88482.exec:\88482.exe114⤵PID:1084
-
\??\c:\466426.exec:\466426.exe115⤵PID:5028
-
\??\c:\222604.exec:\222604.exe116⤵PID:2016
-
\??\c:\04688.exec:\04688.exe117⤵PID:2040
-
\??\c:\822482.exec:\822482.exe118⤵PID:3248
-
\??\c:\vddvp.exec:\vddvp.exe119⤵PID:4320
-
\??\c:\djjdv.exec:\djjdv.exe120⤵PID:736
-
\??\c:\6068208.exec:\6068208.exe121⤵PID:1448
-
\??\c:\vvdvj.exec:\vvdvj.exe122⤵
- System Location Discovery: System Language Discovery
PID:3556