Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdcN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdcN.exe
-
Size
455KB
-
MD5
24f04bb30cbf3762188937d9f1b3a110
-
SHA1
5d4d321db9f9fbc3982aedb27223fb23a023d297
-
SHA256
12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdc
-
SHA512
403ca14c49f1919332d1a5c60bd5b70ac5915c4605fce5f24b69ad2a8ef0154d405f180288288f881f603658d8a399641e2185fa781de42ae6923fb856397659
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRF:q7Tc2NYHUrAwfMp3CDRF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2692-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3708-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2572-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3984-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2288-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-947-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-1069-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-1088-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-1191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4480-1460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1572 tnnhhb.exe 2844 3pdvv.exe 4544 djjvp.exe 2592 bnhnnh.exe 2248 fffrrfr.exe 4024 1bnhnn.exe 1796 xrlxrlf.exe 3280 nhbtnt.exe 3024 7btnbb.exe 1344 hbtnbb.exe 1892 hntntb.exe 1568 pppdd.exe 5116 xffllrx.exe 3068 xrlxlfx.exe 1540 tnhthh.exe 404 xxrfxrf.exe 224 hhhbbt.exe 3244 llxlflx.exe 3968 jjjvv.exe 2348 rlrfrlx.exe 2404 5hhtbt.exe 4732 rfxrrfr.exe 2964 htnnhh.exe 1012 jpvvd.exe 2644 9rlfrrf.exe 2924 frrlffr.exe 3960 ddpjv.exe 2252 rfxxxrl.exe 1144 rrxlxrf.exe 4080 ddjjp.exe 3708 9xfxlfr.exe 2684 3vpjd.exe 4720 1jjjd.exe 2136 fxlfrlx.exe 3716 thbnbt.exe 3664 vppdp.exe 3728 jdvpd.exe 2616 bnnbtn.exe 1020 3pjdp.exe 4156 lxxlxrl.exe 4132 7bbbtb.exe 4304 hntnnn.exe 944 ppjvv.exe 2692 rrrlffx.exe 4748 htnbhb.exe 4500 ddppp.exe 3668 5xllrrl.exe 2392 1ffxrrl.exe 2044 7pjdp.exe 1860 9flllrl.exe 2572 hnnnhh.exe 1056 nnhntn.exe 2804 5ddpd.exe 4568 jjvjv.exe 3916 3fllllr.exe 1108 pvpjv.exe 1424 lllfrlf.exe 344 rrlfrlf.exe 3232 hnnbtn.exe 3516 pjjvd.exe 4108 xflllrl.exe 2568 bbtttt.exe 2960 vppdv.exe 3984 lrfxxxr.exe -
resource yara_rule behavioral2/memory/2692-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3708-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2572-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2288-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-382-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-947-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-960-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
thbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 1572 2692 12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdcN.exe 83 PID 2692 wrote to memory of 1572 2692 12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdcN.exe 83 PID 2692 wrote to memory of 1572 2692 12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdcN.exe 83 PID 1572 wrote to memory of 2844 1572 tnnhhb.exe 84 PID 1572 wrote to memory of 2844 1572 tnnhhb.exe 84 PID 1572 wrote to memory of 2844 1572 tnnhhb.exe 84 PID 2844 wrote to memory of 4544 2844 3pdvv.exe 85 PID 2844 wrote to memory of 4544 2844 3pdvv.exe 85 PID 2844 wrote to memory of 4544 2844 3pdvv.exe 85 PID 4544 wrote to memory of 2592 4544 djjvp.exe 86 PID 4544 wrote to memory of 2592 4544 djjvp.exe 86 PID 4544 wrote to memory of 2592 4544 djjvp.exe 86 PID 2592 wrote to memory of 2248 2592 bnhnnh.exe 87 PID 2592 wrote to memory of 2248 2592 bnhnnh.exe 87 PID 2592 wrote to memory of 2248 2592 bnhnnh.exe 87 PID 2248 wrote to memory of 4024 2248 fffrrfr.exe 88 PID 2248 wrote to memory of 4024 2248 fffrrfr.exe 88 PID 2248 wrote to memory of 4024 2248 fffrrfr.exe 88 PID 4024 wrote to memory of 1796 4024 1bnhnn.exe 89 PID 4024 wrote to memory of 1796 4024 1bnhnn.exe 89 PID 4024 wrote to memory of 1796 4024 1bnhnn.exe 89 PID 1796 wrote to memory of 3280 1796 xrlxrlf.exe 90 PID 1796 wrote to memory of 3280 1796 xrlxrlf.exe 90 PID 1796 wrote to memory of 3280 1796 xrlxrlf.exe 90 PID 3280 wrote to memory of 3024 3280 nhbtnt.exe 91 PID 3280 wrote to memory of 3024 3280 nhbtnt.exe 91 PID 3280 wrote to memory of 3024 3280 nhbtnt.exe 91 PID 3024 wrote to memory of 1344 3024 7btnbb.exe 92 PID 3024 wrote to memory of 1344 3024 7btnbb.exe 92 PID 3024 wrote to memory of 1344 3024 7btnbb.exe 92 PID 1344 wrote to memory of 1892 1344 hbtnbb.exe 93 PID 1344 wrote to memory of 1892 1344 hbtnbb.exe 93 PID 1344 wrote to memory of 1892 1344 hbtnbb.exe 93 PID 1892 wrote to memory of 1568 1892 hntntb.exe 94 PID 1892 wrote 
to memory of 1568 1892 hntntb.exe 94 PID 1892 wrote to memory of 1568 1892 hntntb.exe 94 PID 1568 wrote to memory of 5116 1568 pppdd.exe 95 PID 1568 wrote to memory of 5116 1568 pppdd.exe 95 PID 1568 wrote to memory of 5116 1568 pppdd.exe 95 PID 5116 wrote to memory of 3068 5116 xffllrx.exe 96 PID 5116 wrote to memory of 3068 5116 xffllrx.exe 96 PID 5116 wrote to memory of 3068 5116 xffllrx.exe 96 PID 3068 wrote to memory of 1540 3068 xrlxlfx.exe 97 PID 3068 wrote to memory of 1540 3068 xrlxlfx.exe 97 PID 3068 wrote to memory of 1540 3068 xrlxlfx.exe 97 PID 1540 wrote to memory of 404 1540 tnhthh.exe 98 PID 1540 wrote to memory of 404 1540 tnhthh.exe 98 PID 1540 wrote to memory of 404 1540 tnhthh.exe 98 PID 404 wrote to memory of 224 404 xxrfxrf.exe 99 PID 404 wrote to memory of 224 404 xxrfxrf.exe 99 PID 404 wrote to memory of 224 404 xxrfxrf.exe 99 PID 224 wrote to memory of 3244 224 hhhbbt.exe 100 PID 224 wrote to memory of 3244 224 hhhbbt.exe 100 PID 224 wrote to memory of 3244 224 hhhbbt.exe 100 PID 3244 wrote to memory of 3968 3244 llxlflx.exe 101 PID 3244 wrote to memory of 3968 3244 llxlflx.exe 101 PID 3244 wrote to memory of 3968 3244 llxlflx.exe 101 PID 3968 wrote to memory of 2348 3968 jjjvv.exe 102 PID 3968 wrote to memory of 2348 3968 jjjvv.exe 102 PID 3968 wrote to memory of 2348 3968 jjjvv.exe 102 PID 2348 wrote to memory of 2404 2348 rlrfrlx.exe 103 PID 2348 wrote to memory of 2404 2348 rlrfrlx.exe 103 PID 2348 wrote to memory of 2404 2348 rlrfrlx.exe 103 PID 2404 wrote to memory of 4732 2404 5hhtbt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdcN.exe"C:\Users\Admin\AppData\Local\Temp\12238a06c3efc0f2ddb13446e77f7fe2102d2fba3f4242579afed23518f43bdcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\tnnhhb.exec:\tnnhhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\3pdvv.exec:\3pdvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844 -
\??\c:\djjvp.exec:\djjvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\bnhnnh.exec:\bnhnnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\fffrrfr.exec:\fffrrfr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\1bnhnn.exec:\1bnhnn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
\??\c:\nhbtnt.exec:\nhbtnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280 -
\??\c:\7btnbb.exec:\7btnbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\hbtnbb.exec:\hbtnbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\hntntb.exec:\hntntb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\pppdd.exec:\pppdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1568 -
\??\c:\xffllrx.exec:\xffllrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\xrlxlfx.exec:\xrlxlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\tnhthh.exec:\tnhthh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\xxrfxrf.exec:\xxrfxrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:404 -
\??\c:\hhhbbt.exec:\hhhbbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\llxlflx.exec:\llxlflx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\jjjvv.exec:\jjjvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\rlrfrlx.exec:\rlrfrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\5hhtbt.exec:\5hhtbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
\??\c:\rfxrrfr.exec:\rfxrrfr.exe23⤵
- Executes dropped EXE
PID:4732 -
\??\c:\htnnhh.exec:\htnnhh.exe24⤵
- Executes dropped EXE
PID:2964 -
\??\c:\jpvvd.exec:\jpvvd.exe25⤵
- Executes dropped EXE
PID:1012 -
\??\c:\9rlfrrf.exec:\9rlfrrf.exe26⤵
- Executes dropped EXE
PID:2644 -
\??\c:\frrlffr.exec:\frrlffr.exe27⤵
- Executes dropped EXE
PID:2924 -
\??\c:\ddpjv.exec:\ddpjv.exe28⤵
- Executes dropped EXE
PID:3960 -
\??\c:\rfxxxrl.exec:\rfxxxrl.exe29⤵
- Executes dropped EXE
PID:2252 -
\??\c:\rrxlxrf.exec:\rrxlxrf.exe30⤵
- Executes dropped EXE
PID:1144 -
\??\c:\ddjjp.exec:\ddjjp.exe31⤵
- Executes dropped EXE
PID:4080 -
\??\c:\9xfxlfr.exec:\9xfxlfr.exe32⤵
- Executes dropped EXE
PID:3708 -
\??\c:\3vpjd.exec:\3vpjd.exe33⤵
- Executes dropped EXE
PID:2684 -
\??\c:\1jjjd.exec:\1jjjd.exe34⤵
- Executes dropped EXE
PID:4720 -
\??\c:\fxlfrlx.exec:\fxlfrlx.exe35⤵
- Executes dropped EXE
PID:2136 -
\??\c:\thbnbt.exec:\thbnbt.exe36⤵
- Executes dropped EXE
PID:3716 -
\??\c:\vppdp.exec:\vppdp.exe37⤵
- Executes dropped EXE
PID:3664 -
\??\c:\jdvpd.exec:\jdvpd.exe38⤵
- Executes dropped EXE
PID:3728 -
\??\c:\bnnbtn.exec:\bnnbtn.exe39⤵
- Executes dropped EXE
PID:2616 -
\??\c:\3pjdp.exec:\3pjdp.exe40⤵
- Executes dropped EXE
PID:1020 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe41⤵
- Executes dropped EXE
PID:4156 -
\??\c:\7bbbtb.exec:\7bbbtb.exe42⤵
- Executes dropped EXE
PID:4132 -
\??\c:\hntnnn.exec:\hntnnn.exe43⤵
- Executes dropped EXE
PID:4304 -
\??\c:\ppjvv.exec:\ppjvv.exe44⤵
- Executes dropped EXE
PID:944 -
\??\c:\rrrlffx.exec:\rrrlffx.exe45⤵
- Executes dropped EXE
PID:2692 -
\??\c:\htnbhb.exec:\htnbhb.exe46⤵
- Executes dropped EXE
PID:4748 -
\??\c:\ddppp.exec:\ddppp.exe47⤵
- Executes dropped EXE
PID:4500 -
\??\c:\5xllrrl.exec:\5xllrrl.exe48⤵
- Executes dropped EXE
PID:3668 -
\??\c:\1ffxrrl.exec:\1ffxrrl.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\7pjdp.exec:\7pjdp.exe50⤵
- Executes dropped EXE
PID:2044 -
\??\c:\9flllrl.exec:\9flllrl.exe51⤵
- Executes dropped EXE
PID:1860 -
\??\c:\hnnnhh.exec:\hnnnhh.exe52⤵
- Executes dropped EXE
PID:2572 -
\??\c:\nnhntn.exec:\nnhntn.exe53⤵
- Executes dropped EXE
PID:1056 -
\??\c:\5ddpd.exec:\5ddpd.exe54⤵
- Executes dropped EXE
PID:2804 -
\??\c:\jjvjv.exec:\jjvjv.exe55⤵
- Executes dropped EXE
PID:4568 -
\??\c:\3fllllr.exec:\3fllllr.exe56⤵
- Executes dropped EXE
PID:3916 -
\??\c:\pvpjv.exec:\pvpjv.exe57⤵
- Executes dropped EXE
PID:1108 -
\??\c:\lllfrlf.exec:\lllfrlf.exe58⤵
- Executes dropped EXE
PID:1424 -
\??\c:\rrlfrlf.exec:\rrlfrlf.exe59⤵
- Executes dropped EXE
PID:344 -
\??\c:\hnnbtn.exec:\hnnbtn.exe60⤵
- Executes dropped EXE
PID:3232 -
\??\c:\pjjvd.exec:\pjjvd.exe61⤵
- Executes dropped EXE
PID:3516 -
\??\c:\xflllrl.exec:\xflllrl.exe62⤵
- Executes dropped EXE
PID:4108 -
\??\c:\bbtttt.exec:\bbtttt.exe63⤵
- Executes dropped EXE
PID:2568 -
\??\c:\vppdv.exec:\vppdv.exe64⤵
- Executes dropped EXE
PID:2960 -
\??\c:\lrfxxxr.exec:\lrfxxxr.exe65⤵
- Executes dropped EXE
PID:3984 -
\??\c:\nnbtht.exec:\nnbtht.exe66⤵PID:4104
-
\??\c:\jdpjd.exec:\jdpjd.exe67⤵PID:864
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe68⤵PID:3068
-
\??\c:\9xlfrrf.exec:\9xlfrrf.exe69⤵PID:2988
-
\??\c:\hbbbtt.exec:\hbbbtt.exe70⤵PID:4572
-
\??\c:\pvjdj.exec:\pvjdj.exe71⤵PID:4348
-
\??\c:\9xlfrlf.exec:\9xlfrlf.exe72⤵PID:3204
-
\??\c:\7xlxrlx.exec:\7xlxrlx.exe73⤵PID:3216
-
\??\c:\hnnbth.exec:\hnnbth.exe74⤵PID:2288
-
\??\c:\vvppj.exec:\vvppj.exe75⤵PID:4028
-
\??\c:\7rllflf.exec:\7rllflf.exe76⤵PID:2348
-
\??\c:\ffrxllx.exec:\ffrxllx.exe77⤵PID:2268
-
\??\c:\5hbhbn.exec:\5hbhbn.exe78⤵PID:4660
-
\??\c:\jjpjd.exec:\jjpjd.exe79⤵PID:4732
-
\??\c:\xxxrlff.exec:\xxxrlff.exe80⤵PID:2004
-
\??\c:\bbbbtt.exec:\bbbbtt.exe81⤵PID:5096
-
\??\c:\pdjjd.exec:\pdjjd.exe82⤵PID:364
-
\??\c:\jjvpv.exec:\jjvpv.exe83⤵PID:828
-
\??\c:\3fxrffr.exec:\3fxrffr.exe84⤵PID:2924
-
\??\c:\tttnhh.exec:\tttnhh.exe85⤵PID:1432
-
\??\c:\dppjp.exec:\dppjp.exe86⤵PID:3196
-
\??\c:\jdvjd.exec:\jdvjd.exe87⤵PID:4332
-
\??\c:\ffxrfxr.exec:\ffxrfxr.exe88⤵PID:2252
-
\??\c:\3bttnh.exec:\3bttnh.exe89⤵PID:3288
-
\??\c:\pvpjd.exec:\pvpjd.exe90⤵PID:3424
-
\??\c:\rxlfrlf.exec:\rxlfrlf.exe91⤵PID:2496
-
\??\c:\rlrfflx.exec:\rlrfflx.exe92⤵PID:1916
-
\??\c:\btnhtn.exec:\btnhtn.exe93⤵PID:1920
-
\??\c:\1jddv.exec:\1jddv.exe94⤵PID:3004
-
\??\c:\7djdv.exec:\7djdv.exe95⤵PID:744
-
\??\c:\xrrrflx.exec:\xrrrflx.exe96⤵PID:1112
-
\??\c:\hbbthb.exec:\hbbthb.exe97⤵PID:5056
-
\??\c:\bbtnnn.exec:\bbtnnn.exe98⤵PID:4808
-
\??\c:\pdvpd.exec:\pdvpd.exe99⤵PID:3664
-
\??\c:\xrlxllx.exec:\xrlxllx.exe100⤵PID:3728
-
\??\c:\9nnbtt.exec:\9nnbtt.exe101⤵PID:4456
-
\??\c:\hhtnhb.exec:\hhtnhb.exe102⤵PID:3236
-
\??\c:\vpvpj.exec:\vpvpj.exe103⤵PID:1176
-
\??\c:\xlrlfxr.exec:\xlrlfxr.exe104⤵PID:4156
-
\??\c:\tthtnh.exec:\tthtnh.exe105⤵PID:4400
-
\??\c:\3jpjd.exec:\3jpjd.exe106⤵PID:4304
-
\??\c:\vjppd.exec:\vjppd.exe107⤵PID:4584
-
\??\c:\fffrlll.exec:\fffrlll.exe108⤵PID:2692
-
\??\c:\bbtnbt.exec:\bbtnbt.exe109⤵PID:4748
-
\??\c:\jjvpp.exec:\jjvpp.exe110⤵PID:3552
-
\??\c:\llllffx.exec:\llllffx.exe111⤵PID:4508
-
\??\c:\lfxxrrl.exec:\lfxxrrl.exe112⤵PID:2344
-
\??\c:\hbnbtn.exec:\hbnbtn.exe113⤵PID:2664
-
\??\c:\vdvpj.exec:\vdvpj.exe114⤵PID:3304
-
\??\c:\5jdpj.exec:\5jdpj.exe115⤵PID:5020
-
\??\c:\5fxlfll.exec:\5fxlfll.exe116⤵PID:4596
-
\??\c:\1btnhb.exec:\1btnhb.exe117⤵PID:932
-
\??\c:\vddvv.exec:\vddvv.exe118⤵PID:4488
-
\??\c:\ddvjv.exec:\ddvjv.exe119⤵PID:4932
-
\??\c:\lrrlrxr.exec:\lrrlrxr.exe120⤵PID:2768
-
\??\c:\hbbnbb.exec:\hbbnbb.exe121⤵PID:3428
-
\??\c:\5hbthh.exec:\5hbthh.exe122⤵PID:1940