Analysis
-
max time kernel
150s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 21:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e.exe
-
Size
454KB
-
MD5
b08059df499c6b915ba8fe6e31f29e72
-
SHA1
f2745afbd5e4062b79c5c14fcc39dc17ce9027be
-
SHA256
2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e
-
SHA512
1cf2b7329b9a4e9ed497a0d774fd772f621550f38b173e31dd7096ca49e3cd15f0b53457d00afd78a60f9dfe8f66f9c8e755d4804c22b1f1510d27d98a306b12
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetX:q7Tc2NYHUrAwfMp3CDtX
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1864-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4148-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/976-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3352-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2960-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-481-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-640-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-955-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2440 240000.exe 1836 nhbbbb.exe 4224 u884806.exe 4756 046000.exe 1568 0888848.exe 3352 lffxxxr.exe 2504 tbhhtt.exe 1468 lrlxfxl.exe 1400 bbhbth.exe 2424 pjjdd.exe 2692 600262.exe 2416 820044.exe 3008 vjpjj.exe 5088 600444.exe 3304 9rxxffr.exe 3644 lfrrlxr.exe 4692 888802.exe 832 04044.exe 2068 tnnnhh.exe 5016 468666.exe 4428 nhtntt.exe 3640 rlllfff.exe 2212 nnhhbb.exe 372 bbhbtt.exe 1648 0882222.exe 1476 04488.exe 4052 fflrrrx.exe 1464 040820.exe 4196 3nnhbb.exe 976 48482.exe 4972 266824.exe 4568 a2826.exe 4324 rxfxrrl.exe 3344 pdvpj.exe 720 028266.exe 1256 xrrlrll.exe 2428 vppjj.exe 4024 3ttnnn.exe 1120 440444.exe 1888 0400602.exe 4788 482822.exe 2768 684822.exe 4148 xflxllf.exe 4020 862266.exe 3612 fxfxflr.exe 4576 pvvvv.exe 964 flrlffx.exe 3812 nntttt.exe 2404 bthnnt.exe 1544 6628226.exe 3588 dvjpd.exe 696 062600.exe 4220 824844.exe 2840 jpvpp.exe 3332 pdjdd.exe 1192 lxlxfff.exe 4408 2206224.exe 2676 40604.exe 4852 1bttnh.exe 2164 pvddd.exe 3084 nhhhht.exe 1752 26226.exe 3696 tbtnhh.exe 4048 bnhbhh.exe -
resource yara_rule behavioral2/memory/2440-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-224-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1888-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/976-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3352-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-403-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3192-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3768-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-955-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80404.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language k46066.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhnth.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language s6820.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04000.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1864 wrote to memory of 2440 1864 2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e.exe 83 PID 1864 wrote to memory of 2440 1864 2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e.exe 83 PID 1864 wrote to memory of 2440 1864 2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e.exe 83 PID 2440 wrote to memory of 1836 2440 240000.exe 84 PID 2440 wrote to memory of 1836 2440 240000.exe 84 PID 2440 wrote to memory of 1836 2440 240000.exe 84 PID 1836 wrote to memory of 4224 1836 nhbbbb.exe 85 PID 1836 wrote to memory of 4224 1836 nhbbbb.exe 85 PID 1836 wrote to memory of 4224 1836 nhbbbb.exe 85 PID 4224 wrote to memory of 4756 4224 u884806.exe 86 PID 4224 wrote to memory of 4756 4224 u884806.exe 86 PID 4224 wrote to memory of 4756 4224 u884806.exe 86 PID 4756 wrote to memory of 1568 4756 046000.exe 148 PID 4756 wrote to memory of 1568 4756 046000.exe 148 PID 4756 wrote to memory of 1568 4756 046000.exe 148 PID 1568 wrote to memory of 3352 1568 0888848.exe 88 PID 1568 wrote to memory of 3352 1568 0888848.exe 88 PID 1568 wrote to memory of 3352 1568 0888848.exe 88 PID 3352 wrote to memory of 2504 3352 lffxxxr.exe 89 PID 3352 wrote to memory of 2504 3352 lffxxxr.exe 89 PID 3352 wrote to memory of 2504 3352 lffxxxr.exe 89 PID 2504 wrote to memory of 1468 2504 tbhhtt.exe 90 PID 2504 wrote to memory of 1468 2504 tbhhtt.exe 90 PID 2504 wrote to memory of 1468 2504 tbhhtt.exe 90 PID 1468 wrote to memory of 1400 1468 lrlxfxl.exe 91 PID 1468 wrote to memory of 1400 1468 lrlxfxl.exe 91 PID 1468 wrote to memory of 1400 1468 lrlxfxl.exe 91 PID 1400 wrote to memory of 2424 1400 bbhbth.exe 92 PID 1400 wrote to memory of 2424 1400 bbhbth.exe 92 PID 1400 wrote to memory of 2424 1400 bbhbth.exe 92 PID 2424 wrote to memory of 2692 2424 pjjdd.exe 93 PID 2424 wrote to memory of 2692 2424 pjjdd.exe 93 PID 2424 wrote to memory of 2692 2424 pjjdd.exe 93 PID 2692 wrote to memory of 2416 2692 600262.exe 94 PID 
2692 wrote to memory of 2416 2692 600262.exe 94 PID 2692 wrote to memory of 2416 2692 600262.exe 94 PID 2416 wrote to memory of 3008 2416 820044.exe 95 PID 2416 wrote to memory of 3008 2416 820044.exe 95 PID 2416 wrote to memory of 3008 2416 820044.exe 95 PID 3008 wrote to memory of 5088 3008 vjpjj.exe 96 PID 3008 wrote to memory of 5088 3008 vjpjj.exe 96 PID 3008 wrote to memory of 5088 3008 vjpjj.exe 96 PID 5088 wrote to memory of 3304 5088 600444.exe 97 PID 5088 wrote to memory of 3304 5088 600444.exe 97 PID 5088 wrote to memory of 3304 5088 600444.exe 97 PID 3304 wrote to memory of 3644 3304 9rxxffr.exe 98 PID 3304 wrote to memory of 3644 3304 9rxxffr.exe 98 PID 3304 wrote to memory of 3644 3304 9rxxffr.exe 98 PID 3644 wrote to memory of 4692 3644 lfrrlxr.exe 99 PID 3644 wrote to memory of 4692 3644 lfrrlxr.exe 99 PID 3644 wrote to memory of 4692 3644 lfrrlxr.exe 99 PID 4692 wrote to memory of 832 4692 888802.exe 100 PID 4692 wrote to memory of 832 4692 888802.exe 100 PID 4692 wrote to memory of 832 4692 888802.exe 100 PID 832 wrote to memory of 2068 832 04044.exe 101 PID 832 wrote to memory of 2068 832 04044.exe 101 PID 832 wrote to memory of 2068 832 04044.exe 101 PID 2068 wrote to memory of 5016 2068 tnnnhh.exe 102 PID 2068 wrote to memory of 5016 2068 tnnnhh.exe 102 PID 2068 wrote to memory of 5016 2068 tnnnhh.exe 102 PID 5016 wrote to memory of 4428 5016 468666.exe 103 PID 5016 wrote to memory of 4428 5016 468666.exe 103 PID 5016 wrote to memory of 4428 5016 468666.exe 103 PID 4428 wrote to memory of 3640 4428 nhtntt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e.exe"C:\Users\Admin\AppData\Local\Temp\2b3ffc75e4e9262cd784ceef21575be7cf3bfd99bd364adeeedb960e8ad6626e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\240000.exec:\240000.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440 -
\??\c:\nhbbbb.exec:\nhbbbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1836 -
\??\c:\u884806.exec:\u884806.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\046000.exec:\046000.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\0888848.exec:\0888848.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\lffxxxr.exec:\lffxxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352 -
\??\c:\tbhhtt.exec:\tbhhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\lrlxfxl.exec:\lrlxfxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\bbhbth.exec:\bbhbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\pjjdd.exec:\pjjdd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
\??\c:\600262.exec:\600262.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\820044.exec:\820044.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\vjpjj.exec:\vjpjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\600444.exec:\600444.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\9rxxffr.exec:\9rxxffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3304 -
\??\c:\lfrrlxr.exec:\lfrrlxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\888802.exec:\888802.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\04044.exec:\04044.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\tnnnhh.exec:\tnnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\468666.exec:\468666.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
\??\c:\nhtntt.exec:\nhtntt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\rlllfff.exec:\rlllfff.exe23⤵
- Executes dropped EXE
PID:3640 -
\??\c:\nnhhbb.exec:\nnhhbb.exe24⤵
- Executes dropped EXE
PID:2212 -
\??\c:\bbhbtt.exec:\bbhbtt.exe25⤵
- Executes dropped EXE
PID:372 -
\??\c:\0882222.exec:\0882222.exe26⤵
- Executes dropped EXE
PID:1648 -
\??\c:\04488.exec:\04488.exe27⤵
- Executes dropped EXE
PID:1476 -
\??\c:\fflrrrx.exec:\fflrrrx.exe28⤵
- Executes dropped EXE
PID:4052 -
\??\c:\040820.exec:\040820.exe29⤵
- Executes dropped EXE
PID:1464 -
\??\c:\3nnhbb.exec:\3nnhbb.exe30⤵
- Executes dropped EXE
PID:4196 -
\??\c:\48482.exec:\48482.exe31⤵
- Executes dropped EXE
PID:976 -
\??\c:\266824.exec:\266824.exe32⤵
- Executes dropped EXE
PID:4972 -
\??\c:\a2826.exec:\a2826.exe33⤵
- Executes dropped EXE
PID:4568 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe34⤵
- Executes dropped EXE
PID:4324 -
\??\c:\pdvpj.exec:\pdvpj.exe35⤵
- Executes dropped EXE
PID:3344 -
\??\c:\028266.exec:\028266.exe36⤵
- Executes dropped EXE
PID:720 -
\??\c:\xrrlrll.exec:\xrrlrll.exe37⤵
- Executes dropped EXE
PID:1256 -
\??\c:\vppjj.exec:\vppjj.exe38⤵
- Executes dropped EXE
PID:2428 -
\??\c:\3ttnnn.exec:\3ttnnn.exe39⤵
- Executes dropped EXE
PID:4024 -
\??\c:\440444.exec:\440444.exe40⤵
- Executes dropped EXE
PID:1120 -
\??\c:\0400602.exec:\0400602.exe41⤵
- Executes dropped EXE
PID:1888 -
\??\c:\482822.exec:\482822.exe42⤵
- Executes dropped EXE
PID:4788 -
\??\c:\684822.exec:\684822.exe43⤵
- Executes dropped EXE
PID:2768 -
\??\c:\xflxllf.exec:\xflxllf.exe44⤵
- Executes dropped EXE
PID:4148 -
\??\c:\862266.exec:\862266.exe45⤵
- Executes dropped EXE
PID:4020 -
\??\c:\fxfxflr.exec:\fxfxflr.exe46⤵
- Executes dropped EXE
PID:3612 -
\??\c:\pvvvv.exec:\pvvvv.exe47⤵
- Executes dropped EXE
PID:4576 -
\??\c:\flrlffx.exec:\flrlffx.exe48⤵
- Executes dropped EXE
PID:964 -
\??\c:\nntttt.exec:\nntttt.exe49⤵
- Executes dropped EXE
PID:3812 -
\??\c:\bthnnt.exec:\bthnnt.exe50⤵
- Executes dropped EXE
PID:2404 -
\??\c:\6628226.exec:\6628226.exe51⤵
- Executes dropped EXE
PID:1544 -
\??\c:\dvjpd.exec:\dvjpd.exe52⤵
- Executes dropped EXE
PID:3588 -
\??\c:\062600.exec:\062600.exe53⤵
- Executes dropped EXE
PID:696 -
\??\c:\824844.exec:\824844.exe54⤵
- Executes dropped EXE
PID:4220 -
\??\c:\jpvpp.exec:\jpvpp.exe55⤵
- Executes dropped EXE
PID:2840 -
\??\c:\pdjdd.exec:\pdjdd.exe56⤵
- Executes dropped EXE
PID:3332 -
\??\c:\lxlxfff.exec:\lxlxfff.exe57⤵
- Executes dropped EXE
PID:1192 -
\??\c:\2206224.exec:\2206224.exe58⤵
- Executes dropped EXE
PID:4408 -
\??\c:\40604.exec:\40604.exe59⤵
- Executes dropped EXE
PID:2676 -
\??\c:\1bttnh.exec:\1bttnh.exe60⤵
- Executes dropped EXE
PID:4852 -
\??\c:\pvddd.exec:\pvddd.exe61⤵
- Executes dropped EXE
PID:2164 -
\??\c:\nhhhht.exec:\nhhhht.exe62⤵
- Executes dropped EXE
PID:3084 -
\??\c:\26226.exec:\26226.exe63⤵
- Executes dropped EXE
PID:1752 -
\??\c:\tbtnhh.exec:\tbtnhh.exe64⤵
- Executes dropped EXE
PID:3696 -
\??\c:\bnhbhh.exec:\bnhbhh.exe65⤵
- Executes dropped EXE
PID:4048 -
\??\c:\8404444.exec:\8404444.exe66⤵PID:3768
-
\??\c:\6084680.exec:\6084680.exe67⤵PID:1568
-
\??\c:\264066.exec:\264066.exe68⤵PID:4316
-
\??\c:\6660864.exec:\6660864.exe69⤵PID:5012
-
\??\c:\xxxlfll.exec:\xxxlfll.exe70⤵PID:1524
-
\??\c:\nhbbbh.exec:\nhbbbh.exe71⤵PID:2108
-
\??\c:\ddvpd.exec:\ddvpd.exe72⤵PID:3808
-
\??\c:\ffxlrrf.exec:\ffxlrrf.exe73⤵PID:1824
-
\??\c:\bhnbbn.exec:\bhnbbn.exe74⤵PID:4124
-
\??\c:\842284.exec:\842284.exe75⤵PID:2276
-
\??\c:\nbhhbh.exec:\nbhhbh.exe76⤵PID:4000
-
\??\c:\8664484.exec:\8664484.exe77⤵PID:4832
-
\??\c:\nnbtbb.exec:\nnbtbb.exe78⤵PID:4648
-
\??\c:\9flrlff.exec:\9flrlff.exe79⤵PID:3636
-
\??\c:\thttnt.exec:\thttnt.exe80⤵PID:2672
-
\??\c:\84222.exec:\84222.exe81⤵PID:3284
-
\??\c:\9ntbtt.exec:\9ntbtt.exe82⤵PID:4924
-
\??\c:\lfffxll.exec:\lfffxll.exe83⤵PID:4468
-
\??\c:\jjppj.exec:\jjppj.exe84⤵PID:1868
-
\??\c:\2068806.exec:\2068806.exe85⤵PID:3252
-
\??\c:\8684002.exec:\8684002.exe86⤵PID:536
-
\??\c:\44048.exec:\44048.exe87⤵PID:2960
-
\??\c:\bbhnnt.exec:\bbhnnt.exe88⤵PID:2536
-
\??\c:\dvvpj.exec:\dvvpj.exe89⤵PID:3616
-
\??\c:\28826.exec:\28826.exe90⤵PID:3804
-
\??\c:\djvvp.exec:\djvvp.exe91⤵PID:1416
-
\??\c:\jvdjv.exec:\jvdjv.exe92⤵
- System Location Discovery: System Language Discovery
PID:1624 -
\??\c:\dpvpj.exec:\dpvpj.exe93⤵PID:4008
-
\??\c:\8282840.exec:\8282840.exe94⤵PID:4368
-
\??\c:\3ffrrrr.exec:\3ffrrrr.exe95⤵PID:3828
-
\??\c:\6046006.exec:\6046006.exe96⤵PID:2820
-
\??\c:\bbttnn.exec:\bbttnn.exe97⤵PID:4452
-
\??\c:\fflfllf.exec:\fflfllf.exe98⤵PID:4032
-
\??\c:\40682.exec:\40682.exe99⤵PID:4188
-
\??\c:\i022206.exec:\i022206.exe100⤵PID:912
-
\??\c:\w42822.exec:\w42822.exe101⤵PID:3192
-
\??\c:\0862660.exec:\0862660.exe102⤵PID:8
-
\??\c:\820448.exec:\820448.exe103⤵PID:4620
-
\??\c:\46648.exec:\46648.exe104⤵PID:4484
-
\??\c:\vjdvj.exec:\vjdvj.exe105⤵PID:2932
-
\??\c:\0848826.exec:\0848826.exe106⤵PID:728
-
\??\c:\00068.exec:\00068.exe107⤵PID:1164
-
\??\c:\dvjdj.exec:\dvjdj.exe108⤵PID:3408
-
\??\c:\g8086.exec:\g8086.exe109⤵PID:2324
-
\??\c:\464868.exec:\464868.exe110⤵PID:3776
-
\??\c:\lllxrlf.exec:\lllxrlf.exe111⤵PID:2332
-
\??\c:\s6820.exec:\s6820.exe112⤵
- System Location Discovery: System Language Discovery
PID:2576 -
\??\c:\02228.exec:\02228.exe113⤵PID:3340
-
\??\c:\httnbt.exec:\httnbt.exe114⤵PID:2676
-
\??\c:\frlfrlf.exec:\frlfrlf.exe115⤵PID:2028
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe116⤵PID:3084
-
\??\c:\jjppv.exec:\jjppv.exe117⤵PID:2040
-
\??\c:\7thbtn.exec:\7thbtn.exe118⤵PID:4120
-
\??\c:\k42082.exec:\k42082.exe119⤵PID:4940
-
\??\c:\ttbhtt.exec:\ttbhtt.exe120⤵PID:3768
-
\??\c:\thbnbt.exec:\thbnbt.exe121⤵PID:3144
-
\??\c:\0840688.exec:\0840688.exe122⤵PID:2884