Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
19-12-2024 01:15
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: the signature evidence further down is tagged behavioral2 on the win10v2004-20241007-en image, not this behavioral1/win7 task, so the task header and the findings below appear to describe different runs; check the original report before citing the platform.
General
-
Target
a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603.exe
-
Size
455KB
-
MD5
93c625ca7c4acb83168b86b0737867a6
-
SHA1
5ed3038241c333282eb27b878c9e6654f8fdfbfc
-
SHA256
a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603
-
SHA512
77635d300ad6dca7ff3ea8e3d142f1001ae2a7cf436406f8929876ce72bb4810bb44f46782edaebc9dd5939ed2d1b044c68a640ee2dd996ff000edcf83fd9cc3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRL:q7Tc2NYHUrAwfMp3CDRL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/748-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3036-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1652-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4100-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3392-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-1143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1532-1602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing stops at 64 entries; the process tree below continues the same drop-and-execute chain to depth 122)
pid Process 1592 60260.exe 2740 3hhnbb.exe 3852 68828.exe 1364 7nhhbn.exe 3036 6066660.exe 1100 tthbhh.exe 2040 xxllrxf.exe 4360 c022284.exe 4044 628260.exe 4340 4204886.exe 2796 fflfflx.exe 4884 jdjjd.exe 1652 llrfxxr.exe 4168 fxrfxrx.exe 1628 0268204.exe 3124 hnthbt.exe 4316 020888.exe 2520 48808.exe 4956 u644000.exe 4992 1djvp.exe 4836 vppjj.exe 1948 60600.exe 3280 264280.exe 2840 6622884.exe 4104 jpvvp.exe 1596 pvvpp.exe 4300 1ntttt.exe 3248 1lrfxrl.exe 3420 88482.exe 3916 00228.exe 1192 26444.exe 4100 286668.exe 376 fxfxffx.exe 2728 vdvpd.exe 3936 868268.exe 3672 s2826.exe 2352 04048.exe 5016 82008.exe 4628 bbbhnn.exe 4712 o246004.exe 4408 i026600.exe 2008 htbnhb.exe 1648 tnnhhh.exe 4328 fflfllf.exe 1592 2822688.exe 1740 xxlfllf.exe 3624 dpvpp.exe 1236 btnhtb.exe 1920 dvppj.exe 4540 08600.exe 2708 xrffffr.exe 2316 068880.exe 1816 dpdvv.exe 4268 xxxrllf.exe 1060 hhttnh.exe 4360 xrxxrrr.exe 4880 66600.exe 2032 68666.exe 3452 tbnntb.exe 2796 tnthnb.exe 4884 nntnbb.exe 3288 600266.exe 1064 hntnnn.exe 1748 dvdvj.exe -
resource yara_rule behavioral2/memory/748-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3036-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1652-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4100-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1592-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4420-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-644-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by legitimate software, so on its own this is a weak indicator; the many "Process not Found" rows below are opens whose originating process could no longer be resolved when the report was generated, so they cannot be attributed to a specific stage.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0682.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 02488.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c868020.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
428604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e04426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o664040.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fxxllx.exe -
Suspicious use of WriteProcessMemory 64 IoCs — every write listed below goes from a stage to the child it has just spawned (procid_target is the next stage in the chain, three writes per pair), which is consistent with ordinary process start-up rather than injection into an unrelated process; the notable behaviour is the chained execution itself, not these writes.
description pid Process procid_target PID 748 wrote to memory of 1592 748 a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603.exe 83 PID 748 wrote to memory of 1592 748 a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603.exe 83 PID 748 wrote to memory of 1592 748 a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603.exe 83 PID 1592 wrote to memory of 2740 1592 60260.exe 84 PID 1592 wrote to memory of 2740 1592 60260.exe 84 PID 1592 wrote to memory of 2740 1592 60260.exe 84 PID 2740 wrote to memory of 3852 2740 3hhnbb.exe 85 PID 2740 wrote to memory of 3852 2740 3hhnbb.exe 85 PID 2740 wrote to memory of 3852 2740 3hhnbb.exe 85 PID 3852 wrote to memory of 1364 3852 68828.exe 86 PID 3852 wrote to memory of 1364 3852 68828.exe 86 PID 3852 wrote to memory of 1364 3852 68828.exe 86 PID 1364 wrote to memory of 3036 1364 7nhhbn.exe 87 PID 1364 wrote to memory of 3036 1364 7nhhbn.exe 87 PID 1364 wrote to memory of 3036 1364 7nhhbn.exe 87 PID 3036 wrote to memory of 1100 3036 6066660.exe 88 PID 3036 wrote to memory of 1100 3036 6066660.exe 88 PID 3036 wrote to memory of 1100 3036 6066660.exe 88 PID 1100 wrote to memory of 2040 1100 tthbhh.exe 89 PID 1100 wrote to memory of 2040 1100 tthbhh.exe 89 PID 1100 wrote to memory of 2040 1100 tthbhh.exe 89 PID 2040 wrote to memory of 4360 2040 xxllrxf.exe 90 PID 2040 wrote to memory of 4360 2040 xxllrxf.exe 90 PID 2040 wrote to memory of 4360 2040 xxllrxf.exe 90 PID 4360 wrote to memory of 4044 4360 c022284.exe 91 PID 4360 wrote to memory of 4044 4360 c022284.exe 91 PID 4360 wrote to memory of 4044 4360 c022284.exe 91 PID 4044 wrote to memory of 4340 4044 628260.exe 92 PID 4044 wrote to memory of 4340 4044 628260.exe 92 PID 4044 wrote to memory of 4340 4044 628260.exe 92 PID 4340 wrote to memory of 2796 4340 4204886.exe 93 PID 4340 wrote to memory of 2796 4340 4204886.exe 93 PID 4340 wrote to memory of 2796 4340 4204886.exe 93 PID 2796 wrote to memory of 4884 2796 fflfflx.exe 94 PID 2796 wrote to 
memory of 4884 2796 fflfflx.exe 94 PID 2796 wrote to memory of 4884 2796 fflfflx.exe 94 PID 4884 wrote to memory of 1652 4884 jdjjd.exe 95 PID 4884 wrote to memory of 1652 4884 jdjjd.exe 95 PID 4884 wrote to memory of 1652 4884 jdjjd.exe 95 PID 1652 wrote to memory of 4168 1652 llrfxxr.exe 96 PID 1652 wrote to memory of 4168 1652 llrfxxr.exe 96 PID 1652 wrote to memory of 4168 1652 llrfxxr.exe 96 PID 4168 wrote to memory of 1628 4168 fxrfxrx.exe 97 PID 4168 wrote to memory of 1628 4168 fxrfxrx.exe 97 PID 4168 wrote to memory of 1628 4168 fxrfxrx.exe 97 PID 1628 wrote to memory of 3124 1628 0268204.exe 98 PID 1628 wrote to memory of 3124 1628 0268204.exe 98 PID 1628 wrote to memory of 3124 1628 0268204.exe 98 PID 3124 wrote to memory of 4316 3124 hnthbt.exe 99 PID 3124 wrote to memory of 4316 3124 hnthbt.exe 99 PID 3124 wrote to memory of 4316 3124 hnthbt.exe 99 PID 4316 wrote to memory of 2520 4316 020888.exe 100 PID 4316 wrote to memory of 2520 4316 020888.exe 100 PID 4316 wrote to memory of 2520 4316 020888.exe 100 PID 2520 wrote to memory of 4956 2520 48808.exe 101 PID 2520 wrote to memory of 4956 2520 48808.exe 101 PID 2520 wrote to memory of 4956 2520 48808.exe 101 PID 4956 wrote to memory of 4992 4956 u644000.exe 102 PID 4956 wrote to memory of 4992 4956 u644000.exe 102 PID 4956 wrote to memory of 4992 4956 u644000.exe 102 PID 4992 wrote to memory of 4836 4992 1djvp.exe 103 PID 4992 wrote to memory of 4836 4992 1djvp.exe 103 PID 4992 wrote to memory of 4836 4992 1djvp.exe 103 PID 4836 wrote to memory of 1948 4836 vppjj.exe 104
Processes — a linear parent→child chain 122 levels deep, each stage launching the next executable directly from the root of C:\ (e.g. c:\60260.exe); executables created and run from the drive root are a useful detection point in their own right.
-
C:\Users\Admin\AppData\Local\Temp\a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603.exe"C:\Users\Admin\AppData\Local\Temp\a3bb5a8cdc9d92838f6a8f9886d1e298baf619cf851d90aaa9812991f0038603.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\60260.exec:\60260.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1592 -
\??\c:\3hhnbb.exec:\3hhnbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\68828.exec:\68828.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\7nhhbn.exec:\7nhhbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\6066660.exec:\6066660.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
\??\c:\tthbhh.exec:\tthbhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\xxllrxf.exec:\xxllrxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\c022284.exec:\c022284.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\628260.exec:\628260.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\4204886.exec:\4204886.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\fflfflx.exec:\fflfflx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\jdjjd.exec:\jdjjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\llrfxxr.exec:\llrfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\fxrfxrx.exec:\fxrfxrx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\0268204.exec:\0268204.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\hnthbt.exec:\hnthbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\020888.exec:\020888.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\48808.exec:\48808.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\u644000.exec:\u644000.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\1djvp.exec:\1djvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\vppjj.exec:\vppjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\60600.exec:\60600.exe23⤵
- Executes dropped EXE
PID:1948 -
\??\c:\264280.exec:\264280.exe24⤵
- Executes dropped EXE
PID:3280 -
\??\c:\6622884.exec:\6622884.exe25⤵
- Executes dropped EXE
PID:2840 -
\??\c:\jpvvp.exec:\jpvvp.exe26⤵
- Executes dropped EXE
PID:4104 -
\??\c:\pvvpp.exec:\pvvpp.exe27⤵
- Executes dropped EXE
PID:1596 -
\??\c:\1ntttt.exec:\1ntttt.exe28⤵
- Executes dropped EXE
PID:4300 -
\??\c:\1lrfxrl.exec:\1lrfxrl.exe29⤵
- Executes dropped EXE
PID:3248 -
\??\c:\88482.exec:\88482.exe30⤵
- Executes dropped EXE
PID:3420 -
\??\c:\00228.exec:\00228.exe31⤵
- Executes dropped EXE
PID:3916 -
\??\c:\26444.exec:\26444.exe32⤵
- Executes dropped EXE
PID:1192 -
\??\c:\286668.exec:\286668.exe33⤵
- Executes dropped EXE
PID:4100 -
\??\c:\fxfxffx.exec:\fxfxffx.exe34⤵
- Executes dropped EXE
PID:376 -
\??\c:\vdvpd.exec:\vdvpd.exe35⤵
- Executes dropped EXE
PID:2728 -
\??\c:\868268.exec:\868268.exe36⤵
- Executes dropped EXE
PID:3936 -
\??\c:\s2826.exec:\s2826.exe37⤵
- Executes dropped EXE
PID:3672 -
\??\c:\04048.exec:\04048.exe38⤵
- Executes dropped EXE
PID:2352 -
\??\c:\82008.exec:\82008.exe39⤵
- Executes dropped EXE
PID:5016 -
\??\c:\bbbhnn.exec:\bbbhnn.exe40⤵
- Executes dropped EXE
PID:4628 -
\??\c:\o246004.exec:\o246004.exe41⤵
- Executes dropped EXE
PID:4712 -
\??\c:\i026600.exec:\i026600.exe42⤵
- Executes dropped EXE
PID:4408 -
\??\c:\htbnhb.exec:\htbnhb.exe43⤵
- Executes dropped EXE
PID:2008 -
\??\c:\tnnhhh.exec:\tnnhhh.exe44⤵
- Executes dropped EXE
PID:1648 -
\??\c:\pjjjd.exec:\pjjjd.exe45⤵PID:4508
-
\??\c:\fflfllf.exec:\fflfllf.exe46⤵
- Executes dropped EXE
PID:4328 -
\??\c:\2822688.exec:\2822688.exe47⤵
- Executes dropped EXE
PID:1592 -
\??\c:\xxlfllf.exec:\xxlfllf.exe48⤵
- Executes dropped EXE
PID:1740 -
\??\c:\dpvpp.exec:\dpvpp.exe49⤵
- Executes dropped EXE
PID:3624 -
\??\c:\btnhtb.exec:\btnhtb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236 -
\??\c:\dvppj.exec:\dvppj.exe51⤵
- Executes dropped EXE
PID:1920 -
\??\c:\08600.exec:\08600.exe52⤵
- Executes dropped EXE
PID:4540 -
\??\c:\xrffffr.exec:\xrffffr.exe53⤵
- Executes dropped EXE
PID:2708 -
\??\c:\068880.exec:\068880.exe54⤵
- Executes dropped EXE
PID:2316 -
\??\c:\dpdvv.exec:\dpdvv.exe55⤵
- Executes dropped EXE
PID:1816 -
\??\c:\xxxrllf.exec:\xxxrllf.exe56⤵
- Executes dropped EXE
PID:4268 -
\??\c:\hhttnh.exec:\hhttnh.exe57⤵
- Executes dropped EXE
PID:1060 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe58⤵
- Executes dropped EXE
PID:4360 -
\??\c:\66600.exec:\66600.exe59⤵
- Executes dropped EXE
PID:4880 -
\??\c:\68666.exec:\68666.exe60⤵
- Executes dropped EXE
PID:2032 -
\??\c:\tbnntb.exec:\tbnntb.exe61⤵
- Executes dropped EXE
PID:3452 -
\??\c:\tnthnb.exec:\tnthnb.exe62⤵
- Executes dropped EXE
PID:2796 -
\??\c:\nntnbb.exec:\nntnbb.exe63⤵
- Executes dropped EXE
PID:4884 -
\??\c:\600266.exec:\600266.exe64⤵
- Executes dropped EXE
PID:3288 -
\??\c:\hntnnn.exec:\hntnnn.exe65⤵
- Executes dropped EXE
PID:1064 -
\??\c:\dvdvj.exec:\dvdvj.exe66⤵
- Executes dropped EXE
PID:1748 -
\??\c:\4888822.exec:\4888822.exe67⤵PID:2384
-
\??\c:\60004.exec:\60004.exe68⤵PID:2280
-
\??\c:\6222082.exec:\6222082.exe69⤵PID:4796
-
\??\c:\c400066.exec:\c400066.exe70⤵PID:3648
-
\??\c:\fflllll.exec:\fflllll.exe71⤵PID:4996
-
\??\c:\jjddd.exec:\jjddd.exe72⤵PID:3960
-
\??\c:\lxllfff.exec:\lxllfff.exe73⤵PID:2972
-
\??\c:\e84822.exec:\e84822.exe74⤵PID:1948
-
\??\c:\vvpjv.exec:\vvpjv.exe75⤵PID:2968
-
\??\c:\4860220.exec:\4860220.exe76⤵PID:864
-
\??\c:\262848.exec:\262848.exe77⤵PID:3676
-
\??\c:\vpvpj.exec:\vpvpj.exe78⤵PID:784
-
\??\c:\06448.exec:\06448.exe79⤵PID:3392
-
\??\c:\84048.exec:\84048.exe80⤵PID:3188
-
\??\c:\6682288.exec:\6682288.exe81⤵PID:2836
-
\??\c:\xlrrllf.exec:\xlrrllf.exe82⤵PID:64
-
\??\c:\84604.exec:\84604.exe83⤵PID:1468
-
\??\c:\rffxxrr.exec:\rffxxrr.exe84⤵PID:4420
-
\??\c:\3tbtbb.exec:\3tbtbb.exe85⤵PID:4516
-
\??\c:\lrxxxxr.exec:\lrxxxxr.exe86⤵PID:4924
-
\??\c:\9bhbhn.exec:\9bhbhn.exe87⤵PID:4560
-
\??\c:\jvjvj.exec:\jvjvj.exe88⤵PID:392
-
\??\c:\ttbnhn.exec:\ttbnhn.exe89⤵PID:5052
-
\??\c:\664244.exec:\664244.exe90⤵PID:2588
-
\??\c:\4420602.exec:\4420602.exe91⤵PID:1480
-
\??\c:\828268.exec:\828268.exe92⤵PID:3084
-
\??\c:\468660.exec:\468660.exe93⤵PID:4564
-
\??\c:\2648004.exec:\2648004.exe94⤵PID:3284
-
\??\c:\vpjdd.exec:\vpjdd.exe95⤵PID:672
-
\??\c:\hnbtnt.exec:\hnbtnt.exe96⤵PID:3980
-
\??\c:\068222.exec:\068222.exe97⤵PID:4364
-
\??\c:\m0262.exec:\m0262.exe98⤵PID:4368
-
\??\c:\2862046.exec:\2862046.exe99⤵PID:2264
-
\??\c:\6060448.exec:\6060448.exe100⤵PID:4224
-
\??\c:\xlrrlrl.exec:\xlrrlrl.exe101⤵PID:4784
-
\??\c:\5jdvp.exec:\5jdvp.exe102⤵PID:2344
-
\??\c:\jdjdv.exec:\jdjdv.exe103⤵PID:3736
-
\??\c:\dpvpp.exec:\dpvpp.exe104⤵PID:1076
-
\??\c:\2204466.exec:\2204466.exe105⤵PID:3852
-
\??\c:\806666.exec:\806666.exe106⤵PID:4448
-
\??\c:\s8426.exec:\s8426.exe107⤵PID:1364
-
\??\c:\pdjdv.exec:\pdjdv.exe108⤵PID:2204
-
\??\c:\7vvvp.exec:\7vvvp.exe109⤵PID:2036
-
\??\c:\vpppj.exec:\vpppj.exe110⤵PID:4832
-
\??\c:\600044.exec:\600044.exe111⤵PID:60
-
\??\c:\ttttnn.exec:\ttttnn.exe112⤵PID:464
-
\??\c:\26822.exec:\26822.exe113⤵PID:2676
-
\??\c:\nhnhhh.exec:\nhnhhh.exe114⤵PID:3920
-
\??\c:\46600.exec:\46600.exe115⤵PID:1476
-
\??\c:\40260.exec:\40260.exe116⤵PID:2448
-
\??\c:\82220.exec:\82220.exe117⤵PID:1460
-
\??\c:\rrxrllf.exec:\rrxrllf.exe118⤵PID:3452
-
\??\c:\888266.exec:\888266.exe119⤵PID:4028
-
\??\c:\djjdj.exec:\djjdj.exe120⤵PID:4884
-
\??\c:\bnttnh.exec:\bnttnh.exe121⤵
- System Location Discovery: System Language Discovery
PID:212 -
\??\c:\s2482.exec:\s2482.exe122⤵PID:1916