Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:27
Static task
static1
1 signature
Behavioral task (note: every memory and process IoC listed further down is tagged behavioral2, i.e. the Windows 10 2004 x64 run named in the header; the Windows 7 task listed here appears to be a separate run whose results are not the ones shown on this page)
behavioral1
Sample
248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311.exe
-
Size
454KB
-
MD5
e23b4a38adf721c8d05fecef8686fce4
-
SHA1
aed61ef3f172b4ec4f231622f76106c0322da3d5
-
SHA256
248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311
-
SHA512
8c43fffa403b659f3f56e3cb0450c9cbb440362c125b3e272daaa55711d0a7b31ff3df0d7d3526ce4b79d5f934d01f829225ef825187f1467fc74182cf13b2c4
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbev:q7Tc2NYHUrAwfMp3CDv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs. Every hit is the same 0x00400000–0x0042A000 image range in a different PID, so each dropped child appears to map the same payload image; the same ranges also match the upx rule below, consistent with a UPX-packed image. PIDs are reused during the run (for example 2608 appears as both 2608-220 and 2608-609), so key any IoC on the dump name and offset rather than the PID alone.
resource yara_rule behavioral2/memory/1488-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1392-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1244-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4676-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-1382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-1961-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. Per the process tree, each child is written to the root of C:\ (`\??\c:\<name>.exe`) under a five-to-seven-letter name drawn only from the letters b d f h j l n p r t v x, sometimes with a leading digit; in this run that naming pattern is a usable hunting signal for the drop location. PID 4312 appears twice in this list (rlrrlrr.exe and, later, rllffxr.exe) because the PID was reused.
pid Process 1876 htnbnh.exe 1880 pdjvp.exe 1392 bbnhtt.exe 3780 hbnhbt.exe 816 xxxrllf.exe 1264 hhbthh.exe 4800 bhnntt.exe 4312 rlrrlrr.exe 1432 7tbbtn.exe 3120 nhtbnt.exe 1548 thtnhh.exe 2416 rfrfxrf.exe 1092 rffrlrl.exe 3876 pjvpv.exe 1720 7pppj.exe 4764 djpjv.exe 2004 3lfxlxr.exe 3924 7pvjj.exe 1796 xlrllll.exe 4772 pvdvd.exe 2264 9thbbn.exe 4768 vpddd.exe 1180 lxxxrrl.exe 2196 nhhbbb.exe 876 rfllffx.exe 3704 3rrrrrr.exe 1244 hbbtnn.exe 4836 5tnbtn.exe 1072 nnhnhb.exe 1636 xflxrlf.exe 4436 7rrlffx.exe 436 frfxxxl.exe 2960 fxxxrxr.exe 1924 lrrlffx.exe 1804 bttthb.exe 1716 jvvvv.exe 4980 7rrrrrr.exe 2272 7dvvp.exe 2840 xxrrrrl.exe 2500 lfrrrrx.exe 2608 nntthh.exe 708 dppdd.exe 4080 frxrlfr.exe 432 llxrxfl.exe 632 ttntht.exe 384 pjpjd.exe 4424 fxlxfll.exe 2020 bbhhhn.exe 4388 ddppv.exe 3224 lfrlxff.exe 4272 bnbthb.exe 4756 nhttbb.exe 3160 jdvvp.exe 1328 fxxrrrl.exe 3448 hbbbtt.exe 2332 pdddv.exe 2596 xrlllll.exe 1248 9nnhbb.exe 4128 dpvpj.exe 2716 3vppp.exe 4312 rllffxr.exe 4960 hbhbtn.exe 1724 hhhbtt.exe 2036 pdjdv.exe -
resource yara_rule behavioral2/memory/1488-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1392-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4436-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4544-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-736-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-773-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. On its own a read of the NLS\Language key is a low-confidence indicator, since ordinary runtime locale initialisation also touches it; here it gains weight only from the number of distinct dropped processes doing it. The "Process not Found" entries are most likely processes that had already exited before the sandbox resolved their PID to an image name — treat them as unattributed reads, not as a separate process.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlxfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
vjjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlflrx.exe -
Suspicious use of WriteProcessMemory 64 IoCs. Each recorded write goes from a parent to the child it has just spawned (three writes per spawn, matching the process tree below), so in this run the events document the drop-and-execute chain rather than injection into an unrelated process; do not read them as code injection without further evidence such as a write into a pre-existing or system process.
description pid Process procid_target PID 1488 wrote to memory of 1876 1488 248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311.exe 83 PID 1488 wrote to memory of 1876 1488 248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311.exe 83 PID 1488 wrote to memory of 1876 1488 248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311.exe 83 PID 1876 wrote to memory of 1880 1876 htnbnh.exe 84 PID 1876 wrote to memory of 1880 1876 htnbnh.exe 84 PID 1876 wrote to memory of 1880 1876 htnbnh.exe 84 PID 1880 wrote to memory of 1392 1880 pdjvp.exe 85 PID 1880 wrote to memory of 1392 1880 pdjvp.exe 85 PID 1880 wrote to memory of 1392 1880 pdjvp.exe 85 PID 1392 wrote to memory of 3780 1392 bbnhtt.exe 86 PID 1392 wrote to memory of 3780 1392 bbnhtt.exe 86 PID 1392 wrote to memory of 3780 1392 bbnhtt.exe 86 PID 3780 wrote to memory of 816 3780 hbnhbt.exe 87 PID 3780 wrote to memory of 816 3780 hbnhbt.exe 87 PID 3780 wrote to memory of 816 3780 hbnhbt.exe 87 PID 816 wrote to memory of 1264 816 xxxrllf.exe 88 PID 816 wrote to memory of 1264 816 xxxrllf.exe 88 PID 816 wrote to memory of 1264 816 xxxrllf.exe 88 PID 1264 wrote to memory of 4800 1264 hhbthh.exe 89 PID 1264 wrote to memory of 4800 1264 hhbthh.exe 89 PID 1264 wrote to memory of 4800 1264 hhbthh.exe 89 PID 4800 wrote to memory of 4312 4800 bhnntt.exe 90 PID 4800 wrote to memory of 4312 4800 bhnntt.exe 90 PID 4800 wrote to memory of 4312 4800 bhnntt.exe 90 PID 4312 wrote to memory of 1432 4312 rlrrlrr.exe 91 PID 4312 wrote to memory of 1432 4312 rlrrlrr.exe 91 PID 4312 wrote to memory of 1432 4312 rlrrlrr.exe 91 PID 1432 wrote to memory of 3120 1432 7tbbtn.exe 92 PID 1432 wrote to memory of 3120 1432 7tbbtn.exe 92 PID 1432 wrote to memory of 3120 1432 7tbbtn.exe 92 PID 3120 wrote to memory of 1548 3120 nhtbnt.exe 93 PID 3120 wrote to memory of 1548 3120 nhtbnt.exe 93 PID 3120 wrote to memory of 1548 3120 nhtbnt.exe 93 PID 1548 wrote to memory of 2416 1548 thtnhh.exe 94 PID 1548 wrote to memory 
of 2416 1548 thtnhh.exe 94 PID 1548 wrote to memory of 2416 1548 thtnhh.exe 94 PID 2416 wrote to memory of 1092 2416 rfrfxrf.exe 95 PID 2416 wrote to memory of 1092 2416 rfrfxrf.exe 95 PID 2416 wrote to memory of 1092 2416 rfrfxrf.exe 95 PID 1092 wrote to memory of 3876 1092 rffrlrl.exe 96 PID 1092 wrote to memory of 3876 1092 rffrlrl.exe 96 PID 1092 wrote to memory of 3876 1092 rffrlrl.exe 96 PID 3876 wrote to memory of 1720 3876 pjvpv.exe 97 PID 3876 wrote to memory of 1720 3876 pjvpv.exe 97 PID 3876 wrote to memory of 1720 3876 pjvpv.exe 97 PID 1720 wrote to memory of 4764 1720 7pppj.exe 98 PID 1720 wrote to memory of 4764 1720 7pppj.exe 98 PID 1720 wrote to memory of 4764 1720 7pppj.exe 98 PID 4764 wrote to memory of 2004 4764 djpjv.exe 99 PID 4764 wrote to memory of 2004 4764 djpjv.exe 99 PID 4764 wrote to memory of 2004 4764 djpjv.exe 99 PID 2004 wrote to memory of 3924 2004 3lfxlxr.exe 100 PID 2004 wrote to memory of 3924 2004 3lfxlxr.exe 100 PID 2004 wrote to memory of 3924 2004 3lfxlxr.exe 100 PID 3924 wrote to memory of 1796 3924 7pvjj.exe 101 PID 3924 wrote to memory of 1796 3924 7pvjj.exe 101 PID 3924 wrote to memory of 1796 3924 7pvjj.exe 101 PID 1796 wrote to memory of 4772 1796 xlrllll.exe 102 PID 1796 wrote to memory of 4772 1796 xlrllll.exe 102 PID 1796 wrote to memory of 4772 1796 xlrllll.exe 102 PID 4772 wrote to memory of 2264 4772 pvdvd.exe 103 PID 4772 wrote to memory of 2264 4772 pvdvd.exe 103 PID 4772 wrote to memory of 2264 4772 pvdvd.exe 103 PID 2264 wrote to memory of 4768 2264 9thbbn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311.exe"C:\Users\Admin\AppData\Local\Temp\248967d4c21b02530a6102efac901c8a8ad2c618ff47470393573e358e7cf311.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\htnbnh.exec:\htnbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\pdjvp.exec:\pdjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\bbnhtt.exec:\bbnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\hbnhbt.exec:\hbnhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\xxxrllf.exec:\xxxrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\hhbthh.exec:\hhbthh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\bhnntt.exec:\bhnntt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\rlrrlrr.exec:\rlrrlrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\7tbbtn.exec:\7tbbtn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1432 -
\??\c:\nhtbnt.exec:\nhtbnt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\thtnhh.exec:\thtnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\rfrfxrf.exec:\rfrfxrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\rffrlrl.exec:\rffrlrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\pjvpv.exec:\pjvpv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\7pppj.exec:\7pppj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\djpjv.exec:\djpjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\3lfxlxr.exec:\3lfxlxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\7pvjj.exec:\7pvjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\xlrllll.exec:\xlrllll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\pvdvd.exec:\pvdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4772 -
\??\c:\9thbbn.exec:\9thbbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\vpddd.exec:\vpddd.exe23⤵
- Executes dropped EXE
PID:4768 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe24⤵
- Executes dropped EXE
PID:1180 -
\??\c:\nhhbbb.exec:\nhhbbb.exe25⤵
- Executes dropped EXE
PID:2196 -
\??\c:\rfllffx.exec:\rfllffx.exe26⤵
- Executes dropped EXE
PID:876 -
\??\c:\3rrrrrr.exec:\3rrrrrr.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704 -
\??\c:\hbbtnn.exec:\hbbtnn.exe28⤵
- Executes dropped EXE
PID:1244 -
\??\c:\5tnbtn.exec:\5tnbtn.exe29⤵
- Executes dropped EXE
PID:4836 -
\??\c:\nnhnhb.exec:\nnhnhb.exe30⤵
- Executes dropped EXE
PID:1072 -
\??\c:\xflxrlf.exec:\xflxrlf.exe31⤵
- Executes dropped EXE
PID:1636 -
\??\c:\7rrlffx.exec:\7rrlffx.exe32⤵
- Executes dropped EXE
PID:4436 -
\??\c:\frfxxxl.exec:\frfxxxl.exe33⤵
- Executes dropped EXE
PID:436 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe34⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lrrlffx.exec:\lrrlffx.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
\??\c:\bttthb.exec:\bttthb.exe36⤵
- Executes dropped EXE
PID:1804 -
\??\c:\jvvvv.exec:\jvvvv.exe37⤵
- Executes dropped EXE
PID:1716 -
\??\c:\7rrrrrr.exec:\7rrrrrr.exe38⤵
- Executes dropped EXE
PID:4980 -
\??\c:\7dvvp.exec:\7dvvp.exe39⤵
- Executes dropped EXE
PID:2272 -
\??\c:\xxrrrrl.exec:\xxrrrrl.exe40⤵
- Executes dropped EXE
PID:2840 -
\??\c:\lfrrrrx.exec:\lfrrrrx.exe41⤵
- Executes dropped EXE
PID:2500 -
\??\c:\nntthh.exec:\nntthh.exe42⤵
- Executes dropped EXE
PID:2608 -
\??\c:\dppdd.exec:\dppdd.exe43⤵
- Executes dropped EXE
PID:708 -
\??\c:\frxrlfr.exec:\frxrlfr.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4080 -
\??\c:\llxrxfl.exec:\llxrxfl.exe45⤵
- Executes dropped EXE
PID:432 -
\??\c:\ttntht.exec:\ttntht.exe46⤵
- Executes dropped EXE
PID:632 -
\??\c:\pjpjd.exec:\pjpjd.exe47⤵
- Executes dropped EXE
PID:384 -
\??\c:\fxlxfll.exec:\fxlxfll.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4424 -
\??\c:\bbhhhn.exec:\bbhhhn.exe49⤵
- Executes dropped EXE
PID:2020 -
\??\c:\ddppv.exec:\ddppv.exe50⤵
- Executes dropped EXE
PID:4388 -
\??\c:\lfrlxff.exec:\lfrlxff.exe51⤵
- Executes dropped EXE
PID:3224 -
\??\c:\bnbthb.exec:\bnbthb.exe52⤵
- Executes dropped EXE
PID:4272 -
\??\c:\nhttbb.exec:\nhttbb.exe53⤵
- Executes dropped EXE
PID:4756 -
\??\c:\jdvvp.exec:\jdvvp.exe54⤵
- Executes dropped EXE
PID:3160 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe55⤵
- Executes dropped EXE
PID:1328 -
\??\c:\hbbbtt.exec:\hbbbtt.exe56⤵
- Executes dropped EXE
PID:3448 -
\??\c:\pdddv.exec:\pdddv.exe57⤵
- Executes dropped EXE
PID:2332 -
\??\c:\xrlllll.exec:\xrlllll.exe58⤵
- Executes dropped EXE
PID:2596 -
\??\c:\9nnhbb.exec:\9nnhbb.exe59⤵
- Executes dropped EXE
PID:1248 -
\??\c:\dpvpj.exec:\dpvpj.exe60⤵
- Executes dropped EXE
PID:4128 -
\??\c:\3vppp.exec:\3vppp.exe61⤵
- Executes dropped EXE
PID:2716 -
\??\c:\rllffxr.exec:\rllffxr.exe62⤵
- Executes dropped EXE
PID:4312 -
\??\c:\hbhbtn.exec:\hbhbtn.exe63⤵
- Executes dropped EXE
PID:4960 -
\??\c:\hhhbtt.exec:\hhhbtt.exe64⤵
- Executes dropped EXE
PID:1724 -
\??\c:\pdjdv.exec:\pdjdv.exe65⤵
- Executes dropped EXE
PID:2036 -
\??\c:\xflffff.exec:\xflffff.exe66⤵PID:1416
-
\??\c:\rlrlflx.exec:\rlrlflx.exe67⤵PID:2988
-
\??\c:\5ttttt.exec:\5ttttt.exe68⤵PID:2556
-
\??\c:\dvdvp.exec:\dvdvp.exe69⤵PID:3024
-
\??\c:\rrllfll.exec:\rrllfll.exe70⤵PID:3196
-
\??\c:\ntbbnn.exec:\ntbbnn.exe71⤵PID:2724
-
\??\c:\5dvpd.exec:\5dvpd.exe72⤵PID:864
-
\??\c:\3rxflrx.exec:\3rxflrx.exe73⤵PID:4420
-
\??\c:\9hnnhh.exec:\9hnnhh.exe74⤵PID:4660
-
\??\c:\vvvpj.exec:\vvvpj.exe75⤵PID:4648
-
\??\c:\vpjdj.exec:\vpjdj.exe76⤵PID:4624
-
\??\c:\hbbtnn.exec:\hbbtnn.exe77⤵PID:2308
-
\??\c:\tnthbb.exec:\tnthbb.exe78⤵PID:2056
-
\??\c:\vvvvv.exec:\vvvvv.exe79⤵PID:4676
-
\??\c:\xxfrffx.exec:\xxfrffx.exe80⤵PID:2708
-
\??\c:\5bhhbb.exec:\5bhhbb.exe81⤵PID:2236
-
\??\c:\5jjdv.exec:\5jjdv.exe82⤵PID:5112
-
\??\c:\1rrffxx.exec:\1rrffxx.exe83⤵PID:628
-
\??\c:\fxlxrfr.exec:\fxlxrfr.exe84⤵PID:3888
-
\??\c:\nhnnhh.exec:\nhnnhh.exe85⤵PID:2848
-
\??\c:\jvpdv.exec:\jvpdv.exe86⤵
- System Location Discovery: System Language Discovery
PID:4260 -
\??\c:\jpddv.exec:\jpddv.exe87⤵PID:2928
-
\??\c:\llxrrrl.exec:\llxrrrl.exe88⤵PID:1428
-
\??\c:\bnhbbn.exec:\bnhbbn.exe89⤵
- System Location Discovery: System Language Discovery
PID:880 -
\??\c:\hhbbtt.exec:\hhbbtt.exe90⤵PID:2000
-
\??\c:\pjpjd.exec:\pjpjd.exe91⤵PID:1460
-
\??\c:\1lrlffx.exec:\1lrlffx.exe92⤵
- System Location Discovery: System Language Discovery
PID:1636 -
\??\c:\rlffxrr.exec:\rlffxrr.exe93⤵PID:4544
-
\??\c:\htnhhb.exec:\htnhhb.exe94⤵PID:4844
-
\??\c:\1ddvp.exec:\1ddvp.exe95⤵PID:4492
-
\??\c:\lflffff.exec:\lflffff.exe96⤵PID:2696
-
\??\c:\nhnhhh.exec:\nhnhhh.exe97⤵PID:3148
-
\??\c:\nbnhbb.exec:\nbnhbb.exe98⤵PID:4568
-
\??\c:\5djdv.exec:\5djdv.exe99⤵PID:1456
-
\??\c:\frxxrfx.exec:\frxxrfx.exe100⤵PID:2612
-
\??\c:\ttnntt.exec:\ttnntt.exe101⤵
- System Location Discovery: System Language Discovery
PID:2624 -
\??\c:\dvdvp.exec:\dvdvp.exe102⤵PID:2680
-
\??\c:\rflrlll.exec:\rflrlll.exe103⤵PID:2392
-
\??\c:\xxfxrrx.exec:\xxfxrrx.exe104⤵PID:1692
-
\??\c:\tnbthh.exec:\tnbthh.exe105⤵PID:3916
-
\??\c:\ddjdv.exec:\ddjdv.exe106⤵PID:4508
-
\??\c:\3rfxlrr.exec:\3rfxlrr.exe107⤵PID:4500
-
\??\c:\1xxxxxr.exec:\1xxxxxr.exe108⤵PID:456
-
\??\c:\tnnhhh.exec:\tnnhhh.exe109⤵PID:1056
-
\??\c:\5djjj.exec:\5djjj.exe110⤵PID:4348
-
\??\c:\3xfxrll.exec:\3xfxrll.exe111⤵PID:4372
-
\??\c:\nbhttn.exec:\nbhttn.exe112⤵PID:1824
-
\??\c:\tnbntt.exec:\tnbntt.exe113⤵PID:212
-
\??\c:\xrlfxrl.exec:\xrlfxrl.exe114⤵PID:556
-
\??\c:\fxlfxxx.exec:\fxlfxxx.exe115⤵PID:784
-
\??\c:\1ttbth.exec:\1ttbth.exe116⤵PID:4640
-
\??\c:\3pjjp.exec:\3pjjp.exe117⤵PID:4128
-
\??\c:\5rrxxfl.exec:\5rrxxfl.exe118⤵PID:4408
-
\??\c:\ttnhnn.exec:\ttnhnn.exe119⤵PID:3856
-
\??\c:\djjdv.exec:\djjdv.exe120⤵PID:676
-
\??\c:\llfxrll.exec:\llfxrll.exe121⤵PID:2800
-
\??\c:\frrxlxl.exec:\frrxlxl.exe122⤵PID:2044