Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe
-
Size
454KB
-
MD5
3e30647e9c2965c84324601a062a7fbd
-
SHA1
b6f24d9722d86d643c40ad76f8ab42f57d6dd639
-
SHA256
fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653
-
SHA512
ac3acd9128748f61ce4a13b075f0e9ef7d44c1a6995f750f48524f89078d49f378051992e6c29053eed659ff03e06817a6bd9b3d3e33465f6feb41a99f7efda4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3544-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1780-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1800-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3776-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1148-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3632-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-472-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-516-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/392-1596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3128 5hnhhh.exe 1780 pjdvp.exe 4848 hbnnnh.exe 4292 bbhbbt.exe 4528 xfrrrff.exe 2160 vvjvp.exe 4572 thbnnb.exe 1484 lffffll.exe 1676 ppddd.exe 4168 9lfxrlf.exe 5032 btnhtt.exe 4472 xfxrxlr.exe 3316 hbhbtn.exe 3760 hhtnhb.exe 4164 nntntn.exe 3380 vpvvv.exe 3220 xxrlffx.exe 3592 bbtnnh.exe 3724 3tnnhn.exe 2036 ntbbtb.exe 1720 llrrrrx.exe 1800 rlrlrlr.exe 2736 bhnnhh.exe 4532 vvddd.exe 3248 nhhbnt.exe 4316 jvvpd.exe 1992 9llfxfx.exe 336 1llxrrl.exe 4608 7nnhhb.exe 1112 bhbbtn.exe 3276 ffffllf.exe 3692 htnhhh.exe 3776 jjpjp.exe 3116 vvjdd.exe 3820 xxfxxxr.exe 4612 tbbbtt.exe 3492 5lrrllf.exe 3476 bbbtnn.exe 2660 ttbttt.exe 2620 xfxlfxx.exe 1632 7hbbtb.exe 3628 ppvvp.exe 4764 jvvpp.exe 2572 9ttnhb.exe 4552 1dpjp.exe 4888 1rfffff.exe 2680 bbhhhn.exe 2576 jdjjd.exe 4388 hntbbh.exe 2500 5ppjv.exe 4504 5lffxff.exe 2616 fllfxxr.exe 3844 btttbb.exe 5100 1pdvp.exe 4884 5pvpj.exe 4820 xxfxrfx.exe 4964 nnnnhn.exe 2544 jpvjv.exe 4500 vdppj.exe 2936 lfllffx.exe 2072 hbbbtt.exe 5084 jjpjd.exe 3504 lrfxfxf.exe 2764 fxfxrrr.exe -
resource yara_rule behavioral2/memory/3544-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1780-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-127-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4316-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3776-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4320-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3632-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-738-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllxfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3544 wrote to memory of 3128 3544 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 83 PID 3544 wrote to memory of 3128 3544 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 83 PID 3544 wrote to memory of 3128 3544 fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe 83 PID 3128 wrote to memory of 1780 3128 5hnhhh.exe 84 PID 3128 wrote to memory of 1780 3128 5hnhhh.exe 84 PID 3128 wrote to memory of 1780 3128 5hnhhh.exe 84 PID 1780 wrote to memory of 4848 1780 pjdvp.exe 85 PID 1780 wrote to memory of 4848 1780 pjdvp.exe 85 PID 1780 wrote to memory of 4848 1780 pjdvp.exe 85 PID 4848 wrote to memory of 4292 4848 hbnnnh.exe 86 PID 4848 wrote to memory of 4292 4848 hbnnnh.exe 86 PID 4848 wrote to memory of 4292 4848 hbnnnh.exe 86 PID 4292 wrote to memory of 4528 4292 bbhbbt.exe 87 PID 4292 wrote to memory of 4528 4292 bbhbbt.exe 87 PID 4292 wrote to memory of 4528 4292 bbhbbt.exe 87 PID 4528 wrote to memory of 2160 4528 xfrrrff.exe 88 PID 4528 wrote to memory of 2160 4528 xfrrrff.exe 88 PID 4528 wrote to memory of 2160 4528 xfrrrff.exe 88 PID 2160 wrote to memory of 4572 2160 vvjvp.exe 89 PID 2160 wrote to memory of 4572 2160 vvjvp.exe 89 PID 2160 wrote to memory of 4572 2160 vvjvp.exe 89 PID 4572 wrote to memory of 1484 4572 thbnnb.exe 90 PID 4572 wrote to memory of 1484 4572 thbnnb.exe 90 PID 4572 wrote to memory of 1484 4572 thbnnb.exe 90 PID 1484 wrote to memory of 1676 1484 lffffll.exe 91 PID 1484 wrote to memory of 1676 1484 lffffll.exe 91 PID 1484 wrote to memory of 1676 1484 lffffll.exe 91 PID 1676 wrote to memory of 4168 1676 ppddd.exe 92 PID 1676 wrote to memory of 4168 1676 ppddd.exe 92 PID 1676 wrote to memory of 4168 1676 ppddd.exe 92 PID 4168 wrote to memory of 5032 4168 9lfxrlf.exe 93 PID 4168 wrote to memory of 5032 4168 9lfxrlf.exe 93 PID 4168 wrote to memory of 5032 4168 9lfxrlf.exe 93 PID 5032 wrote to memory of 4472 5032 btnhtt.exe 94 PID 5032 wrote to 
memory of 4472 5032 btnhtt.exe 94 PID 5032 wrote to memory of 4472 5032 btnhtt.exe 94 PID 4472 wrote to memory of 3316 4472 xfxrxlr.exe 95 PID 4472 wrote to memory of 3316 4472 xfxrxlr.exe 95 PID 4472 wrote to memory of 3316 4472 xfxrxlr.exe 95 PID 3316 wrote to memory of 3760 3316 hbhbtn.exe 96 PID 3316 wrote to memory of 3760 3316 hbhbtn.exe 96 PID 3316 wrote to memory of 3760 3316 hbhbtn.exe 96 PID 3760 wrote to memory of 4164 3760 hhtnhb.exe 97 PID 3760 wrote to memory of 4164 3760 hhtnhb.exe 97 PID 3760 wrote to memory of 4164 3760 hhtnhb.exe 97 PID 4164 wrote to memory of 3380 4164 nntntn.exe 98 PID 4164 wrote to memory of 3380 4164 nntntn.exe 98 PID 4164 wrote to memory of 3380 4164 nntntn.exe 98 PID 3380 wrote to memory of 3220 3380 vpvvv.exe 99 PID 3380 wrote to memory of 3220 3380 vpvvv.exe 99 PID 3380 wrote to memory of 3220 3380 vpvvv.exe 99 PID 3220 wrote to memory of 3592 3220 xxrlffx.exe 100 PID 3220 wrote to memory of 3592 3220 xxrlffx.exe 100 PID 3220 wrote to memory of 3592 3220 xxrlffx.exe 100 PID 3592 wrote to memory of 3724 3592 bbtnnh.exe 101 PID 3592 wrote to memory of 3724 3592 bbtnnh.exe 101 PID 3592 wrote to memory of 3724 3592 bbtnnh.exe 101 PID 3724 wrote to memory of 2036 3724 3tnnhn.exe 102 PID 3724 wrote to memory of 2036 3724 3tnnhn.exe 102 PID 3724 wrote to memory of 2036 3724 3tnnhn.exe 102 PID 2036 wrote to memory of 1720 2036 ntbbtb.exe 103 PID 2036 wrote to memory of 1720 2036 ntbbtb.exe 103 PID 2036 wrote to memory of 1720 2036 ntbbtb.exe 103 PID 1720 wrote to memory of 1800 1720 llrrrrx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe"C:\Users\Admin\AppData\Local\Temp\fbf81c32fee3725a6dc24a285a2ce56e8011fa41a3df9417f9337040c8b2d653.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\5hnhhh.exec:\5hnhhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\pjdvp.exec:\pjdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1780 -
\??\c:\hbnnnh.exec:\hbnnnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\bbhbbt.exec:\bbhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\xfrrrff.exec:\xfrrrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\vvjvp.exec:\vvjvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\thbnnb.exec:\thbnnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\lffffll.exec:\lffffll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\ppddd.exec:\ppddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\9lfxrlf.exec:\9lfxrlf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\btnhtt.exec:\btnhtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\xfxrxlr.exec:\xfxrxlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\hbhbtn.exec:\hbhbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\hhtnhb.exec:\hhtnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
\??\c:\nntntn.exec:\nntntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\vpvvv.exec:\vpvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3380 -
\??\c:\xxrlffx.exec:\xxrlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
\??\c:\bbtnnh.exec:\bbtnnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\3tnnhn.exec:\3tnnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\ntbbtb.exec:\ntbbtb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\llrrrrx.exec:\llrrrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\rlrlrlr.exec:\rlrlrlr.exe23⤵
- Executes dropped EXE
PID:1800 -
\??\c:\bhnnhh.exec:\bhnnhh.exe24⤵
- Executes dropped EXE
PID:2736 -
\??\c:\vvddd.exec:\vvddd.exe25⤵
- Executes dropped EXE
PID:4532 -
\??\c:\nhhbnt.exec:\nhhbnt.exe26⤵
- Executes dropped EXE
PID:3248 -
\??\c:\jvvpd.exec:\jvvpd.exe27⤵
- Executes dropped EXE
PID:4316 -
\??\c:\9llfxfx.exec:\9llfxfx.exe28⤵
- Executes dropped EXE
PID:1992 -
\??\c:\1llxrrl.exec:\1llxrrl.exe29⤵
- Executes dropped EXE
PID:336 -
\??\c:\7nnhhb.exec:\7nnhhb.exe30⤵
- Executes dropped EXE
PID:4608 -
\??\c:\bhbbtn.exec:\bhbbtn.exe31⤵
- Executes dropped EXE
PID:1112 -
\??\c:\ffffllf.exec:\ffffllf.exe32⤵
- Executes dropped EXE
PID:3276 -
\??\c:\htnhhh.exec:\htnhhh.exe33⤵
- Executes dropped EXE
PID:3692 -
\??\c:\jjpjp.exec:\jjpjp.exe34⤵
- Executes dropped EXE
PID:3776 -
\??\c:\vvjdd.exec:\vvjdd.exe35⤵
- Executes dropped EXE
PID:3116 -
\??\c:\xxfxxxr.exec:\xxfxxxr.exe36⤵
- Executes dropped EXE
PID:3820 -
\??\c:\tbbbtt.exec:\tbbbtt.exe37⤵
- Executes dropped EXE
PID:4612 -
\??\c:\5lrrllf.exec:\5lrrllf.exe38⤵
- Executes dropped EXE
PID:3492 -
\??\c:\bbbtnn.exec:\bbbtnn.exe39⤵
- Executes dropped EXE
PID:3476 -
\??\c:\ttbttt.exec:\ttbttt.exe40⤵
- Executes dropped EXE
PID:2660 -
\??\c:\xfxlfxx.exec:\xfxlfxx.exe41⤵
- Executes dropped EXE
PID:2620 -
\??\c:\7hbbtb.exec:\7hbbtb.exe42⤵
- Executes dropped EXE
PID:1632 -
\??\c:\ppvvp.exec:\ppvvp.exe43⤵
- Executes dropped EXE
PID:3628 -
\??\c:\jvvpp.exec:\jvvpp.exe44⤵
- Executes dropped EXE
PID:4764 -
\??\c:\9ttnhb.exec:\9ttnhb.exe45⤵
- Executes dropped EXE
PID:2572 -
\??\c:\1dpjp.exec:\1dpjp.exe46⤵
- Executes dropped EXE
PID:4552 -
\??\c:\1rfffff.exec:\1rfffff.exe47⤵
- Executes dropped EXE
PID:4888 -
\??\c:\bbhhhn.exec:\bbhhhn.exe48⤵
- Executes dropped EXE
PID:2680 -
\??\c:\jdjjd.exec:\jdjjd.exe49⤵
- Executes dropped EXE
PID:2576 -
\??\c:\hntbbh.exec:\hntbbh.exe50⤵
- Executes dropped EXE
PID:4388 -
\??\c:\5ppjv.exec:\5ppjv.exe51⤵
- Executes dropped EXE
PID:2500 -
\??\c:\5lffxff.exec:\5lffxff.exe52⤵
- Executes dropped EXE
PID:4504 -
\??\c:\fllfxxr.exec:\fllfxxr.exe53⤵
- Executes dropped EXE
PID:2616 -
\??\c:\btttbb.exec:\btttbb.exe54⤵
- Executes dropped EXE
PID:3844 -
\??\c:\1pdvp.exec:\1pdvp.exe55⤵
- Executes dropped EXE
PID:5100 -
\??\c:\5pvpj.exec:\5pvpj.exe56⤵
- Executes dropped EXE
PID:4884 -
\??\c:\xxfxrfx.exec:\xxfxrfx.exe57⤵
- Executes dropped EXE
PID:4820 -
\??\c:\nnnnhn.exec:\nnnnhn.exe58⤵
- Executes dropped EXE
PID:4964 -
\??\c:\jpvjv.exec:\jpvjv.exe59⤵
- Executes dropped EXE
PID:2544 -
\??\c:\vdppj.exec:\vdppj.exe60⤵
- Executes dropped EXE
PID:4500 -
\??\c:\lfllffx.exec:\lfllffx.exe61⤵
- Executes dropped EXE
PID:2936 -
\??\c:\hbbbtt.exec:\hbbbtt.exe62⤵
- Executes dropped EXE
PID:2072 -
\??\c:\jjpjd.exec:\jjpjd.exe63⤵
- Executes dropped EXE
PID:5084 -
\??\c:\lrfxfxf.exec:\lrfxfxf.exe64⤵
- Executes dropped EXE
PID:3504 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe65⤵
- Executes dropped EXE
PID:2764 -
\??\c:\bnhhhh.exec:\bnhhhh.exe66⤵PID:2368
-
\??\c:\9djjj.exec:\9djjj.exe67⤵PID:1416
-
\??\c:\vpvjd.exec:\vpvjd.exe68⤵PID:4640
-
\??\c:\7fxlffr.exec:\7fxlffr.exe69⤵PID:4472
-
\??\c:\thhbtn.exec:\thhbtn.exe70⤵PID:2436
-
\??\c:\pjddj.exec:\pjddj.exe71⤵PID:3508
-
\??\c:\tntttb.exec:\tntttb.exe72⤵PID:3760
-
\??\c:\jjvpj.exec:\jjvpj.exe73⤵PID:3488
-
\??\c:\1jjdp.exec:\1jjdp.exe74⤵PID:1148
-
\??\c:\3xrlxxr.exec:\3xrlxxr.exe75⤵PID:3228
-
\??\c:\7htthh.exec:\7htthh.exe76⤵PID:4116
-
\??\c:\nhtnhb.exec:\nhtnhb.exe77⤵PID:4456
-
\??\c:\1ddvp.exec:\1ddvp.exe78⤵PID:1940
-
\??\c:\lrrlrlf.exec:\lrrlrlf.exe79⤵PID:1040
-
\??\c:\thttbt.exec:\thttbt.exe80⤵PID:2552
-
\??\c:\bbtnbt.exec:\bbtnbt.exe81⤵PID:836
-
\??\c:\3ddvv.exec:\3ddvv.exe82⤵PID:3704
-
\??\c:\ffxrrrx.exec:\ffxrrrx.exe83⤵PID:2524
-
\??\c:\7nhbtt.exec:\7nhbtt.exe84⤵PID:3940
-
\??\c:\vvddv.exec:\vvddv.exe85⤵PID:4320
-
\??\c:\flfxrrl.exec:\flfxrrl.exe86⤵PID:2632
-
\??\c:\rxxrffr.exec:\rxxrffr.exe87⤵PID:4440
-
\??\c:\bnthbb.exec:\bnthbb.exe88⤵PID:4824
-
\??\c:\dvjdv.exec:\dvjdv.exe89⤵PID:4760
-
\??\c:\1rllflf.exec:\1rllflf.exe90⤵PID:3188
-
\??\c:\fxrlffx.exec:\fxrlffx.exe91⤵PID:752
-
\??\c:\hbbbtt.exec:\hbbbtt.exe92⤵PID:736
-
\??\c:\djjjd.exec:\djjjd.exe93⤵PID:4356
-
\??\c:\xrffrlr.exec:\xrffrlr.exe94⤵PID:1300
-
\??\c:\rrflfxf.exec:\rrflfxf.exe95⤵PID:2100
-
\??\c:\tnnnhh.exec:\tnnnhh.exe96⤵PID:3692
-
\??\c:\jvvvd.exec:\jvvvd.exe97⤵PID:3432
-
\??\c:\lrxrllx.exec:\lrxrllx.exe98⤵PID:3632
-
\??\c:\bhhbtn.exec:\bhhbtn.exe99⤵PID:4616
-
\??\c:\7nbthn.exec:\7nbthn.exe100⤵PID:5080
-
\??\c:\vvddj.exec:\vvddj.exe101⤵PID:3516
-
\??\c:\xffxrxl.exec:\xffxrxl.exe102⤵PID:4208
-
\??\c:\rxffxrr.exec:\rxffxrr.exe103⤵PID:3588
-
\??\c:\jpvvd.exec:\jpvvd.exe104⤵PID:2948
-
\??\c:\pvvpd.exec:\pvvpd.exe105⤵PID:748
-
\??\c:\ntnhbh.exec:\ntnhbh.exe106⤵PID:4684
-
\??\c:\hhnbnh.exec:\hhnbnh.exe107⤵PID:624
-
\??\c:\1jpjv.exec:\1jpjv.exe108⤵PID:3096
-
\??\c:\1lxrrrr.exec:\1lxrrrr.exe109⤵PID:2092
-
\??\c:\9llfxrl.exec:\9llfxrl.exe110⤵PID:3252
-
\??\c:\9hnhnh.exec:\9hnhnh.exe111⤵PID:3832
-
\??\c:\jdjvd.exec:\jdjvd.exe112⤵PID:2680
-
\??\c:\3frfffx.exec:\3frfffx.exe113⤵PID:548
-
\??\c:\hhtnbt.exec:\hhtnbt.exe114⤵PID:2532
-
\??\c:\3hhbbb.exec:\3hhbbb.exe115⤵PID:1016
-
\??\c:\jdvdp.exec:\jdvdp.exe116⤵PID:2424
-
\??\c:\lxrrrll.exec:\lxrrrll.exe117⤵PID:4548
-
\??\c:\thnbtt.exec:\thnbtt.exe118⤵PID:3844
-
\??\c:\ddjdv.exec:\ddjdv.exe119⤵PID:5100
-
\??\c:\xlrllll.exec:\xlrllll.exe120⤵PID:3972
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe121⤵PID:4992
-
\??\c:\7ttnhh.exec:\7ttnhh.exe122⤵PID:3520