Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 20:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe
-
Size
347KB
-
MD5
0de95bd87f843c0056a6b5857c176c39
-
SHA1
0c4bc06ac82bd47a8bd8ba46b85c10e83428f698
-
SHA256
2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30
-
SHA512
eff6f75235fb386cf8ae5554076a138b3f6128f1ea5261f16929443cc18872ab73e3aaf668438dca81dfbdccaed4a2409bba4e7e01e9ef5662ada52c0b7a24b6
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAd:l7TcbWXZshJX2VGdd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1284-5-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3012-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4120-20-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1032-25-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3036-67-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1824-251-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2208-312-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4448-308-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1796-292-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4836-288-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2428-275-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1052-271-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3372-255-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4360-235-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1568-231-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1452-219-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1148-216-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2192-206-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3848-199-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1216-195-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3588-182-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/1368-176-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4256-165-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4236-154-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1820-138-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2364-132-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4412-126-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4512-120-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3320-114-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4448-108-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4792-102-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1224-96-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1964-87-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/440-79-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2764-73-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/852-61-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2304-55-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5012-49-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1052-43-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1668-38-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4408-32-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/556-18-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/4224-339-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3620-343-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3852-356-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4936-390-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2104-403-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4836-438-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2304-448-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1092-458-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5064-462-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1484-472-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2944-491-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/828-507-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4768-538-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4080-558-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/468-583-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4608-638-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4144-642-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2344-709-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1300-1353-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2372-1366-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4424-1497-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3320-1670-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3012 5llfxrr.exe 556 hbhbhh.exe 4120 82242.exe 1032 xxxxlfx.exe 4408 04444.exe 1668 04662.exe 1052 nbtnbt.exe 5012 0800888.exe 2304 g0604.exe 852 866040.exe 3036 q24440.exe 2764 m6460.exe 440 5djdv.exe 1964 rllxllf.exe 4964 4006668.exe 1224 jdjdd.exe 4792 dpjpd.exe 4448 ppvpp.exe 3320 868640.exe 4512 044840.exe 4412 w64480.exe 2364 bthbnt.exe 1820 rxfxllf.exe 4948 lxxxrrl.exe 3368 2660448.exe 4236 nbnhhh.exe 4400 vjjpd.exe 4256 04060.exe 1516 btnhbb.exe 1368 660088.exe 3588 jvvpd.exe 1492 lxfxllf.exe 2408 xlfxffl.exe 1216 28486.exe 3848 jvpvv.exe 2632 4860000.exe 2192 u682222.exe 3204 3hnhhn.exe 2204 5xflfff.exe 1148 3hhbbb.exe 1452 ffffrrf.exe 3948 6244826.exe 3676 2626004.exe 4592 k68260.exe 1568 vjjdp.exe 1956 0226604.exe 4660 rllfxxr.exe 1476 1fxxfxf.exe 4632 86604.exe 1824 bntnbn.exe 3372 ntbtnn.exe 4028 vdjdp.exe 2212 8688846.exe 976 tnnhbt.exe 4668 0622266.exe 1052 7ppdv.exe 2428 s2664.exe 4016 w24484.exe 1924 280480.exe 2868 004044.exe 4836 64404.exe 1796 24682.exe 1684 q86002.exe 1652 462664.exe -
resource yara_rule behavioral2/memory/3012-7-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1284-5-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3012-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4120-20-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1032-25-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3036-67-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1824-251-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2208-312-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4448-308-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1796-292-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4836-288-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2428-275-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1052-271-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3372-255-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4360-235-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1568-231-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1452-219-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1148-216-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2192-206-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3848-199-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1216-195-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3588-182-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1368-176-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4256-165-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/4236-154-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1820-138-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2364-132-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4412-126-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4512-120-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3320-114-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4448-108-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4792-102-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1224-96-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1964-87-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/440-79-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2764-73-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/852-61-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2304-55-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5012-49-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1052-43-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1668-38-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4408-32-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/556-18-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4224-339-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3620-343-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3852-356-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4936-390-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2104-403-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/1668-414-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4836-438-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2304-448-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1092-458-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5064-462-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1484-472-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2944-491-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/828-507-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4768-538-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4080-558-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/468-583-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4608-638-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4144-642-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2344-709-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4188-872-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1684-1023-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6222222.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 420420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 208660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8404264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 46826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 800040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86282.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1284 wrote to memory of 3012 1284 2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe 83 PID 1284 wrote to memory of 3012 1284 2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe 83 PID 1284 wrote to memory of 3012 1284 2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe 83 PID 3012 wrote to memory of 556 3012 5llfxrr.exe 84 PID 3012 wrote to memory of 556 3012 5llfxrr.exe 84 PID 3012 wrote to memory of 556 3012 5llfxrr.exe 84 PID 556 wrote to memory of 4120 556 hbhbhh.exe 85 PID 556 wrote to memory of 4120 556 hbhbhh.exe 85 PID 556 wrote to memory of 4120 556 hbhbhh.exe 85 PID 4120 wrote to memory of 1032 4120 82242.exe 86 PID 4120 wrote to memory of 1032 4120 82242.exe 86 PID 4120 wrote to memory of 1032 4120 82242.exe 86 PID 1032 wrote to memory of 4408 1032 xxxxlfx.exe 87 PID 1032 wrote to memory of 4408 1032 xxxxlfx.exe 87 PID 1032 wrote to memory of 4408 1032 xxxxlfx.exe 87 PID 4408 wrote to memory of 1668 4408 04444.exe 88 PID 4408 wrote to memory of 1668 4408 04444.exe 88 PID 4408 wrote to memory of 1668 4408 04444.exe 88 PID 1668 wrote to memory of 1052 1668 04662.exe 89 PID 1668 wrote to memory of 1052 1668 04662.exe 89 PID 1668 wrote to memory of 1052 1668 04662.exe 89 PID 1052 wrote to memory of 5012 1052 nbtnbt.exe 90 PID 1052 wrote to memory of 5012 1052 nbtnbt.exe 90 PID 1052 wrote to memory of 5012 1052 nbtnbt.exe 90 PID 5012 wrote to memory of 2304 5012 0800888.exe 91 PID 5012 wrote to memory of 2304 5012 0800888.exe 91 PID 5012 wrote to memory of 2304 5012 0800888.exe 91 PID 2304 wrote to memory of 852 2304 g0604.exe 92 PID 2304 wrote to memory of 852 2304 g0604.exe 92 PID 2304 wrote to memory of 852 2304 g0604.exe 92 PID 852 wrote to memory of 3036 852 866040.exe 93 PID 852 wrote to memory of 3036 852 866040.exe 93 PID 852 wrote to memory of 3036 852 866040.exe 93 PID 3036 wrote to memory of 2764 3036 q24440.exe 94 PID 3036 wrote to memory of 2764 3036 
q24440.exe 94 PID 3036 wrote to memory of 2764 3036 q24440.exe 94 PID 2764 wrote to memory of 440 2764 m6460.exe 95 PID 2764 wrote to memory of 440 2764 m6460.exe 95 PID 2764 wrote to memory of 440 2764 m6460.exe 95 PID 440 wrote to memory of 1964 440 5djdv.exe 96 PID 440 wrote to memory of 1964 440 5djdv.exe 96 PID 440 wrote to memory of 1964 440 5djdv.exe 96 PID 1964 wrote to memory of 4964 1964 rllxllf.exe 97 PID 1964 wrote to memory of 4964 1964 rllxllf.exe 97 PID 1964 wrote to memory of 4964 1964 rllxllf.exe 97 PID 4964 wrote to memory of 1224 4964 4006668.exe 98 PID 4964 wrote to memory of 1224 4964 4006668.exe 98 PID 4964 wrote to memory of 1224 4964 4006668.exe 98 PID 1224 wrote to memory of 4792 1224 jdjdd.exe 99 PID 1224 wrote to memory of 4792 1224 jdjdd.exe 99 PID 1224 wrote to memory of 4792 1224 jdjdd.exe 99 PID 4792 wrote to memory of 4448 4792 dpjpd.exe 100 PID 4792 wrote to memory of 4448 4792 dpjpd.exe 100 PID 4792 wrote to memory of 4448 4792 dpjpd.exe 100 PID 4448 wrote to memory of 3320 4448 ppvpp.exe 101 PID 4448 wrote to memory of 3320 4448 ppvpp.exe 101 PID 4448 wrote to memory of 3320 4448 ppvpp.exe 101 PID 3320 wrote to memory of 4512 3320 868640.exe 102 PID 3320 wrote to memory of 4512 3320 868640.exe 102 PID 3320 wrote to memory of 4512 3320 868640.exe 102 PID 4512 wrote to memory of 4412 4512 044840.exe 103 PID 4512 wrote to memory of 4412 4512 044840.exe 103 PID 4512 wrote to memory of 4412 4512 044840.exe 103 PID 4412 wrote to memory of 2364 4412 w64480.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe"C:\Users\Admin\AppData\Local\Temp\2788c1f61eae2a0ad4d2c0cb18cc441fa2e15541e877e5a816cb08ab6a379b30.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\5llfxrr.exec:\5llfxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\hbhbhh.exec:\hbhbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\82242.exec:\82242.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\xxxxlfx.exec:\xxxxlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\04444.exec:\04444.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\04662.exec:\04662.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\nbtnbt.exec:\nbtnbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\0800888.exec:\0800888.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\g0604.exec:\g0604.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304 -
\??\c:\866040.exec:\866040.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:852 -
\??\c:\q24440.exec:\q24440.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\m6460.exec:\m6460.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\5djdv.exec:\5djdv.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\rllxllf.exec:\rllxllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964 -
\??\c:\4006668.exec:\4006668.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\jdjdd.exec:\jdjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
\??\c:\dpjpd.exec:\dpjpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\ppvpp.exec:\ppvpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\868640.exec:\868640.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\044840.exec:\044840.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\w64480.exec:\w64480.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\bthbnt.exec:\bthbnt.exe23⤵
- Executes dropped EXE
PID:2364 -
\??\c:\rxfxllf.exec:\rxfxllf.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe25⤵
- Executes dropped EXE
PID:4948 -
\??\c:\2660448.exec:\2660448.exe26⤵
- Executes dropped EXE
PID:3368 -
\??\c:\nbnhhh.exec:\nbnhhh.exe27⤵
- Executes dropped EXE
PID:4236 -
\??\c:\vjjpd.exec:\vjjpd.exe28⤵
- Executes dropped EXE
PID:4400 -
\??\c:\04060.exec:\04060.exe29⤵
- Executes dropped EXE
PID:4256 -
\??\c:\btnhbb.exec:\btnhbb.exe30⤵
- Executes dropped EXE
PID:1516 -
\??\c:\660088.exec:\660088.exe31⤵
- Executes dropped EXE
PID:1368 -
\??\c:\jvvpd.exec:\jvvpd.exe32⤵
- Executes dropped EXE
PID:3588 -
\??\c:\lxfxllf.exec:\lxfxllf.exe33⤵
- Executes dropped EXE
PID:1492 -
\??\c:\xlfxffl.exec:\xlfxffl.exe34⤵
- Executes dropped EXE
PID:2408 -
\??\c:\28486.exec:\28486.exe35⤵
- Executes dropped EXE
PID:1216 -
\??\c:\jvpvv.exec:\jvpvv.exe36⤵
- Executes dropped EXE
PID:3848 -
\??\c:\4860000.exec:\4860000.exe37⤵
- Executes dropped EXE
PID:2632 -
\??\c:\u682222.exec:\u682222.exe38⤵
- Executes dropped EXE
PID:2192 -
\??\c:\3hnhhn.exec:\3hnhhn.exe39⤵
- Executes dropped EXE
PID:3204 -
\??\c:\5xflfff.exec:\5xflfff.exe40⤵
- Executes dropped EXE
PID:2204 -
\??\c:\3hhbbb.exec:\3hhbbb.exe41⤵
- Executes dropped EXE
PID:1148 -
\??\c:\ffffrrf.exec:\ffffrrf.exe42⤵
- Executes dropped EXE
PID:1452 -
\??\c:\6244826.exec:\6244826.exe43⤵
- Executes dropped EXE
PID:3948 -
\??\c:\2626004.exec:\2626004.exe44⤵
- Executes dropped EXE
PID:3676 -
\??\c:\k68260.exec:\k68260.exe45⤵
- Executes dropped EXE
PID:4592 -
\??\c:\vjjdp.exec:\vjjdp.exe46⤵
- Executes dropped EXE
PID:1568 -
\??\c:\dpvjj.exec:\dpvjj.exe47⤵PID:4360
-
\??\c:\0226604.exec:\0226604.exe48⤵
- Executes dropped EXE
PID:1956 -
\??\c:\rllfxxr.exec:\rllfxxr.exe49⤵
- Executes dropped EXE
PID:4660 -
\??\c:\1fxxfxf.exec:\1fxxfxf.exe50⤵
- Executes dropped EXE
PID:1476 -
\??\c:\86604.exec:\86604.exe51⤵
- Executes dropped EXE
PID:4632 -
\??\c:\bntnbn.exec:\bntnbn.exe52⤵
- Executes dropped EXE
PID:1824 -
\??\c:\ntbtnn.exec:\ntbtnn.exe53⤵
- Executes dropped EXE
PID:3372 -
\??\c:\vdjdp.exec:\vdjdp.exe54⤵
- Executes dropped EXE
PID:4028 -
\??\c:\8688846.exec:\8688846.exe55⤵
- Executes dropped EXE
PID:2212 -
\??\c:\tnnhbt.exec:\tnnhbt.exe56⤵
- Executes dropped EXE
PID:976 -
\??\c:\0622266.exec:\0622266.exe57⤵
- Executes dropped EXE
PID:4668 -
\??\c:\7ppdv.exec:\7ppdv.exe58⤵
- Executes dropped EXE
PID:1052 -
\??\c:\s2664.exec:\s2664.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\w24484.exec:\w24484.exe60⤵
- Executes dropped EXE
PID:4016 -
\??\c:\280480.exec:\280480.exe61⤵
- Executes dropped EXE
PID:1924 -
\??\c:\004044.exec:\004044.exe62⤵
- Executes dropped EXE
PID:2868 -
\??\c:\64404.exec:\64404.exe63⤵
- Executes dropped EXE
PID:4836 -
\??\c:\24682.exec:\24682.exe64⤵
- Executes dropped EXE
PID:1796 -
\??\c:\q86002.exec:\q86002.exe65⤵
- Executes dropped EXE
PID:1684 -
\??\c:\462664.exec:\462664.exe66⤵
- Executes dropped EXE
PID:1652 -
\??\c:\tnnhtt.exec:\tnnhtt.exe67⤵PID:1116
-
\??\c:\m8042.exec:\m8042.exe68⤵PID:2372
-
\??\c:\dppjv.exec:\dppjv.exe69⤵PID:4448
-
\??\c:\rxffxxr.exec:\rxffxxr.exe70⤵PID:1392
-
\??\c:\vvpjd.exec:\vvpjd.exe71⤵PID:2208
-
\??\c:\7rrlllf.exec:\7rrlllf.exe72⤵PID:2112
-
\??\c:\jpvpj.exec:\jpvpj.exe73⤵PID:4040
-
\??\c:\40604.exec:\40604.exe74⤵PID:2268
-
\??\c:\4848440.exec:\4848440.exe75⤵PID:1820
-
\??\c:\0886488.exec:\0886488.exe76⤵PID:396
-
\??\c:\btbtbb.exec:\btbtbb.exe77⤵PID:4236
-
\??\c:\62248.exec:\62248.exe78⤵PID:4224
-
\??\c:\nntttn.exec:\nntttn.exe79⤵PID:3620
-
\??\c:\xrrlflf.exec:\xrrlflf.exe80⤵PID:2144
-
\??\c:\i404822.exec:\i404822.exe81⤵PID:4556
-
\??\c:\7vjdj.exec:\7vjdj.exe82⤵PID:4220
-
\??\c:\0660686.exec:\0660686.exe83⤵PID:3852
-
\??\c:\bhhbbt.exec:\bhhbbt.exe84⤵PID:2408
-
\??\c:\pjjpd.exec:\pjjpd.exe85⤵PID:4080
-
\??\c:\vpvjp.exec:\vpvjp.exe86⤵PID:2632
-
\??\c:\rflfffx.exec:\rflfffx.exe87⤵PID:3344
-
\??\c:\6240666.exec:\6240666.exe88⤵PID:4472
-
\??\c:\m4666.exec:\m4666.exe89⤵PID:1576
-
\??\c:\640088.exec:\640088.exe90⤵PID:3948
-
\??\c:\260444.exec:\260444.exe91⤵PID:3136
-
\??\c:\02888.exec:\02888.exe92⤵PID:3052
-
\??\c:\0288046.exec:\0288046.exe93⤵PID:4264
-
\??\c:\6620208.exec:\6620208.exe94⤵PID:4936
-
\??\c:\vdjvp.exec:\vdjvp.exe95⤵PID:2820
-
\??\c:\hhbnbt.exec:\hhbnbt.exe96⤵PID:4660
-
\??\c:\4620088.exec:\4620088.exe97⤵PID:2072
-
\??\c:\4642080.exec:\4642080.exe98⤵PID:2104
-
\??\c:\s6644.exec:\s6644.exe99⤵PID:3372
-
\??\c:\2888042.exec:\2888042.exe100⤵PID:4332
-
\??\c:\882082.exec:\882082.exe101⤵PID:3024
-
\??\c:\60088.exec:\60088.exe102⤵PID:1668
-
\??\c:\lxxlxrf.exec:\lxxlxrf.exe103⤵PID:3992
-
\??\c:\fllxfxl.exec:\fllxfxl.exe104⤵PID:1052
-
\??\c:\0822648.exec:\0822648.exe105⤵PID:940
-
\??\c:\88208.exec:\88208.exe106⤵PID:5000
-
\??\c:\o060660.exec:\o060660.exe107⤵PID:4532
-
\??\c:\lrxrlff.exec:\lrxrlff.exe108⤵PID:1432
-
\??\c:\2486482.exec:\2486482.exe109⤵PID:4836
-
\??\c:\lrxlxlf.exec:\lrxlxlf.exe110⤵PID:1796
-
\??\c:\5xxrfxl.exec:\5xxrfxl.exe111⤵PID:1860
-
\??\c:\jpdpj.exec:\jpdpj.exe112⤵PID:2304
-
\??\c:\frlfxfl.exec:\frlfxfl.exe113⤵PID:5060
-
\??\c:\8404264.exec:\8404264.exe114⤵
- System Location Discovery: System Language Discovery
PID:1688 -
\??\c:\hntnht.exec:\hntnht.exe115⤵PID:1092
-
\??\c:\000242.exec:\000242.exe116⤵PID:5064
-
\??\c:\084604.exec:\084604.exe117⤵PID:1936
-
\??\c:\xfxfrlx.exec:\xfxfrlx.exe118⤵PID:3484
-
\??\c:\vdvjv.exec:\vdvjv.exe119⤵PID:1484
-
\??\c:\dvpvj.exec:\dvpvj.exe120⤵PID:1296
-
\??\c:\flrxlrr.exec:\flrxlrr.exe121⤵PID:4684
-
\??\c:\4466044.exec:\4466044.exe122⤵PID:4188