Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83bN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83bN.exe
-
Size
456KB
-
MD5
0d12c61dc11a85d34dbf08b64fd089e0
-
SHA1
ffc3f622eab3d03cd318def652d81e5fe85d02be
-
SHA256
3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83b
-
SHA512
8d083400e253c956ce7a192daaa4de2e70e7cdd56a7e00508f131d23533448e0005d5551ca00821ab4d78031d19e0ffe97dcdc1880932405f4eb0459929d4e3f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRz:q7Tc2NYHUrAwfMp3CDRz
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4796-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1400-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3540-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/316-673-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3368-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2100 3rrfxrf.exe 2740 tbthhb.exe 3464 3rrflfr.exe 3460 ppvpj.exe 2728 hhnbnh.exe 3120 pjvpj.exe 5008 5rrffff.exe 1496 htbtnh.exe 4488 vpjvj.exe 2320 rfrlxrf.exe 644 bntntn.exe 1712 jjdpd.exe 5072 nttnbb.exe 2972 lxfxxxr.exe 1488 5hnhbb.exe 212 rrrlrrl.exe 4140 7vppv.exe 1108 vjjdv.exe 4800 xlfxrrl.exe 1932 hhbtnn.exe 3008 nhhbhh.exe 4992 nbnhnh.exe 1400 9ddvp.exe 2676 7xxrffx.exe 1828 9jjdp.exe 1004 rlllfff.exe 4468 tnnhnh.exe 4472 3xxxlxf.exe 3588 hnthbt.exe 1220 dvvpd.exe 1492 dpvvp.exe 3816 7frlxxr.exe 4532 7bhbbn.exe 860 pvjdd.exe 1628 lrfxllf.exe 4716 9nnhbt.exe 3116 vjpdv.exe 4724 xlrllfx.exe 4512 3nnhbb.exe 2200 jjjvp.exe 5068 lflxlxr.exe 1264 1rxxrrr.exe 2776 1thbth.exe 2044 vpdpj.exe 3416 dpppp.exe 2008 xflxlfx.exe 2188 tntnbt.exe 4448 pdjjv.exe 4508 3rlfrrr.exe 4400 bbbnbt.exe 5032 djjvj.exe 3472 xfxlxrf.exe 4812 rlrrllf.exe 3044 httthh.exe 1800 ddjvj.exe 3540 lflfxxx.exe 4948 bnhbnh.exe 2312 7nbbnt.exe 3500 3pjvp.exe 4292 xrrrllf.exe 468 nnbtnb.exe 2096 ntbbnn.exe 2356 9jjdd.exe 1728 fxrlrlf.exe -
resource yara_rule behavioral2/memory/4796-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2676-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-330-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2292-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-673-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3368-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-808-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrflflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5llxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xfrfrff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bntnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hththt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4796 wrote to memory of 2100 4796 3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83bN.exe 82 PID 4796 wrote to memory of 2100 4796 3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83bN.exe 82 PID 4796 wrote to memory of 2100 4796 3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83bN.exe 82 PID 2100 wrote to memory of 2740 2100 3rrfxrf.exe 83 PID 2100 wrote to memory of 2740 2100 3rrfxrf.exe 83 PID 2100 wrote to memory of 2740 2100 3rrfxrf.exe 83 PID 2740 wrote to memory of 3464 2740 tbthhb.exe 84 PID 2740 wrote to memory of 3464 2740 tbthhb.exe 84 PID 2740 wrote to memory of 3464 2740 tbthhb.exe 84 PID 3464 wrote to memory of 3460 3464 3rrflfr.exe 85 PID 3464 wrote to memory of 3460 3464 3rrflfr.exe 85 PID 3464 wrote to memory of 3460 3464 3rrflfr.exe 85 PID 3460 wrote to memory of 2728 3460 ppvpj.exe 86 PID 3460 wrote to memory of 2728 3460 ppvpj.exe 86 PID 3460 wrote to memory of 2728 3460 ppvpj.exe 86 PID 2728 wrote to memory of 3120 2728 hhnbnh.exe 87 PID 2728 wrote to memory of 3120 2728 hhnbnh.exe 87 PID 2728 wrote to memory of 3120 2728 hhnbnh.exe 87 PID 3120 wrote to memory of 5008 3120 pjvpj.exe 88 PID 3120 wrote to memory of 5008 3120 pjvpj.exe 88 PID 3120 wrote to memory of 5008 3120 pjvpj.exe 88 PID 5008 wrote to memory of 1496 5008 5rrffff.exe 89 PID 5008 wrote to memory of 1496 5008 5rrffff.exe 89 PID 5008 wrote to memory of 1496 5008 5rrffff.exe 89 PID 1496 wrote to memory of 4488 1496 htbtnh.exe 90 PID 1496 wrote to memory of 4488 1496 htbtnh.exe 90 PID 1496 wrote to memory of 4488 1496 htbtnh.exe 90 PID 4488 wrote to memory of 2320 4488 vpjvj.exe 91 PID 4488 wrote to memory of 2320 4488 vpjvj.exe 91 PID 4488 wrote to memory of 2320 4488 vpjvj.exe 91 PID 2320 wrote to memory of 644 2320 rfrlxrf.exe 92 PID 2320 wrote to memory of 644 2320 rfrlxrf.exe 92 PID 2320 wrote to memory of 644 2320 rfrlxrf.exe 92 PID 644 wrote to memory of 1712 644 bntntn.exe 93 PID 644 wrote to 
memory of 1712 644 bntntn.exe 93 PID 644 wrote to memory of 1712 644 bntntn.exe 93 PID 1712 wrote to memory of 5072 1712 jjdpd.exe 94 PID 1712 wrote to memory of 5072 1712 jjdpd.exe 94 PID 1712 wrote to memory of 5072 1712 jjdpd.exe 94 PID 5072 wrote to memory of 2972 5072 nttnbb.exe 95 PID 5072 wrote to memory of 2972 5072 nttnbb.exe 95 PID 5072 wrote to memory of 2972 5072 nttnbb.exe 95 PID 2972 wrote to memory of 1488 2972 lxfxxxr.exe 96 PID 2972 wrote to memory of 1488 2972 lxfxxxr.exe 96 PID 2972 wrote to memory of 1488 2972 lxfxxxr.exe 96 PID 1488 wrote to memory of 212 1488 5hnhbb.exe 97 PID 1488 wrote to memory of 212 1488 5hnhbb.exe 97 PID 1488 wrote to memory of 212 1488 5hnhbb.exe 97 PID 212 wrote to memory of 4140 212 rrrlrrl.exe 98 PID 212 wrote to memory of 4140 212 rrrlrrl.exe 98 PID 212 wrote to memory of 4140 212 rrrlrrl.exe 98 PID 4140 wrote to memory of 1108 4140 7vppv.exe 99 PID 4140 wrote to memory of 1108 4140 7vppv.exe 99 PID 4140 wrote to memory of 1108 4140 7vppv.exe 99 PID 1108 wrote to memory of 4800 1108 vjjdv.exe 100 PID 1108 wrote to memory of 4800 1108 vjjdv.exe 100 PID 1108 wrote to memory of 4800 1108 vjjdv.exe 100 PID 4800 wrote to memory of 1932 4800 xlfxrrl.exe 101 PID 4800 wrote to memory of 1932 4800 xlfxrrl.exe 101 PID 4800 wrote to memory of 1932 4800 xlfxrrl.exe 101 PID 1932 wrote to memory of 3008 1932 hhbtnn.exe 102 PID 1932 wrote to memory of 3008 1932 hhbtnn.exe 102 PID 1932 wrote to memory of 3008 1932 hhbtnn.exe 102 PID 3008 wrote to memory of 4992 3008 nhhbhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83bN.exe"C:\Users\Admin\AppData\Local\Temp\3f20aafc481add492cc73da02ef10f1862b0cc0dee29b00b835ef2b9183fb83bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
\??\c:\3rrfxrf.exec:\3rrfxrf.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\tbthhb.exec:\tbthhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\3rrflfr.exec:\3rrflfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\ppvpj.exec:\ppvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\hhnbnh.exec:\hhnbnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\pjvpj.exec:\pjvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3120 -
\??\c:\5rrffff.exec:\5rrffff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\htbtnh.exec:\htbtnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\vpjvj.exec:\vpjvj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
\??\c:\rfrlxrf.exec:\rfrlxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2320 -
\??\c:\bntntn.exec:\bntntn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\jjdpd.exec:\jjdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\nttnbb.exec:\nttnbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5072 -
\??\c:\lxfxxxr.exec:\lxfxxxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\5hnhbb.exec:\5hnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\rrrlrrl.exec:\rrrlrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\7vppv.exec:\7vppv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\vjjdv.exec:\vjjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\xlfxrrl.exec:\xlfxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\hhbtnn.exec:\hhbtnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\nhhbhh.exec:\nhhbhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\nbnhnh.exec:\nbnhnh.exe23⤵
- Executes dropped EXE
PID:4992 -
\??\c:\9ddvp.exec:\9ddvp.exe24⤵
- Executes dropped EXE
PID:1400 -
\??\c:\7xxrffx.exec:\7xxrffx.exe25⤵
- Executes dropped EXE
PID:2676 -
\??\c:\9jjdp.exec:\9jjdp.exe26⤵
- Executes dropped EXE
PID:1828 -
\??\c:\rlllfff.exec:\rlllfff.exe27⤵
- Executes dropped EXE
PID:1004 -
\??\c:\tnnhnh.exec:\tnnhnh.exe28⤵
- Executes dropped EXE
PID:4468 -
\??\c:\3xxxlxf.exec:\3xxxlxf.exe29⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hnthbt.exec:\hnthbt.exe30⤵
- Executes dropped EXE
PID:3588 -
\??\c:\dvvpd.exec:\dvvpd.exe31⤵
- Executes dropped EXE
PID:1220 -
\??\c:\dpvvp.exec:\dpvvp.exe32⤵
- Executes dropped EXE
PID:1492 -
\??\c:\7frlxxr.exec:\7frlxxr.exe33⤵
- Executes dropped EXE
PID:3816 -
\??\c:\7bhbbn.exec:\7bhbbn.exe34⤵
- Executes dropped EXE
PID:4532 -
\??\c:\pvjdd.exec:\pvjdd.exe35⤵
- Executes dropped EXE
PID:860 -
\??\c:\lrfxllf.exec:\lrfxllf.exe36⤵
- Executes dropped EXE
PID:1628 -
\??\c:\9nnhbt.exec:\9nnhbt.exe37⤵
- Executes dropped EXE
PID:4716 -
\??\c:\vjpdv.exec:\vjpdv.exe38⤵
- Executes dropped EXE
PID:3116 -
\??\c:\xlrllfx.exec:\xlrllfx.exe39⤵
- Executes dropped EXE
PID:4724 -
\??\c:\3nnhbb.exec:\3nnhbb.exe40⤵
- Executes dropped EXE
PID:4512 -
\??\c:\jjjvp.exec:\jjjvp.exe41⤵
- Executes dropped EXE
PID:2200 -
\??\c:\lflxlxr.exec:\lflxlxr.exe42⤵
- Executes dropped EXE
PID:5068 -
\??\c:\1rxxrrr.exec:\1rxxrrr.exe43⤵
- Executes dropped EXE
PID:1264 -
\??\c:\1thbth.exec:\1thbth.exe44⤵
- Executes dropped EXE
PID:2776 -
\??\c:\vpdpj.exec:\vpdpj.exe45⤵
- Executes dropped EXE
PID:2044 -
\??\c:\dpppp.exec:\dpppp.exe46⤵
- Executes dropped EXE
PID:3416 -
\??\c:\xflxlfx.exec:\xflxlfx.exe47⤵
- Executes dropped EXE
PID:2008 -
\??\c:\tntnbt.exec:\tntnbt.exe48⤵
- Executes dropped EXE
PID:2188 -
\??\c:\pdjjv.exec:\pdjjv.exe49⤵
- Executes dropped EXE
PID:4448 -
\??\c:\3rlfrrr.exec:\3rlfrrr.exe50⤵
- Executes dropped EXE
PID:4508 -
\??\c:\bbbnbt.exec:\bbbnbt.exe51⤵
- Executes dropped EXE
PID:4400 -
\??\c:\djjvj.exec:\djjvj.exe52⤵
- Executes dropped EXE
PID:5032 -
\??\c:\xfxlxrf.exec:\xfxlxrf.exe53⤵
- Executes dropped EXE
PID:3472 -
\??\c:\rlrrllf.exec:\rlrrllf.exe54⤵
- Executes dropped EXE
PID:4812 -
\??\c:\httthh.exec:\httthh.exe55⤵
- Executes dropped EXE
PID:3044 -
\??\c:\ddjvj.exec:\ddjvj.exe56⤵
- Executes dropped EXE
PID:1800 -
\??\c:\lflfxxx.exec:\lflfxxx.exe57⤵
- Executes dropped EXE
PID:3540 -
\??\c:\bnhbnh.exec:\bnhbnh.exe58⤵
- Executes dropped EXE
PID:4948 -
\??\c:\7nbbnt.exec:\7nbbnt.exe59⤵
- Executes dropped EXE
PID:2312 -
\??\c:\3pjvp.exec:\3pjvp.exe60⤵
- Executes dropped EXE
PID:3500 -
\??\c:\xrrrllf.exec:\xrrrllf.exe61⤵
- Executes dropped EXE
PID:4292 -
\??\c:\nnbtnb.exec:\nnbtnb.exe62⤵
- Executes dropped EXE
PID:468 -
\??\c:\ntbbnn.exec:\ntbbnn.exe63⤵
- Executes dropped EXE
PID:2096 -
\??\c:\9jjdd.exec:\9jjdd.exe64⤵
- Executes dropped EXE
PID:2356 -
\??\c:\fxrlrlf.exec:\fxrlrlf.exe65⤵
- Executes dropped EXE
PID:1728 -
\??\c:\btbnnh.exec:\btbnnh.exe66⤵PID:2320
-
\??\c:\dppdp.exec:\dppdp.exe67⤵PID:1708
-
\??\c:\flrlxrl.exec:\flrlxrl.exe68⤵
- System Location Discovery: System Language Discovery
PID:3708 -
\??\c:\7rlrrff.exec:\7rlrrff.exe69⤵PID:4352
-
\??\c:\htbntn.exec:\htbntn.exe70⤵PID:4380
-
\??\c:\vpdvp.exec:\vpdvp.exe71⤵PID:4544
-
\??\c:\lrrffff.exec:\lrrffff.exe72⤵PID:3780
-
\??\c:\xxffxxx.exec:\xxffxxx.exe73⤵PID:1676
-
\??\c:\hbtnhb.exec:\hbtnhb.exe74⤵PID:2036
-
\??\c:\vjjdp.exec:\vjjdp.exe75⤵PID:1120
-
\??\c:\ddvpd.exec:\ddvpd.exe76⤵PID:312
-
\??\c:\lrfxxxr.exec:\lrfxxxr.exe77⤵PID:4140
-
\??\c:\nhnhnn.exec:\nhnhnn.exe78⤵PID:2292
-
\??\c:\9djdd.exec:\9djdd.exe79⤵PID:2408
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe80⤵PID:216
-
\??\c:\7nhhbn.exec:\7nhhbn.exe81⤵PID:1032
-
\??\c:\dvpjp.exec:\dvpjp.exe82⤵PID:5000
-
\??\c:\3ppdv.exec:\3ppdv.exe83⤵PID:3496
-
\??\c:\fxlfrrl.exec:\fxlfrrl.exe84⤵PID:1524
-
\??\c:\hbbttn.exec:\hbbttn.exe85⤵PID:3368
-
\??\c:\9jpdd.exec:\9jpdd.exe86⤵PID:2996
-
\??\c:\jpdpd.exec:\jpdpd.exe87⤵PID:472
-
\??\c:\fflfrrl.exec:\fflfrrl.exe88⤵PID:2340
-
\??\c:\hbhbhh.exec:\hbhbhh.exe89⤵PID:4068
-
\??\c:\5vvpj.exec:\5vvpj.exe90⤵PID:4516
-
\??\c:\pjjdd.exec:\pjjdd.exe91⤵PID:2156
-
\??\c:\lflflxf.exec:\lflflxf.exe92⤵PID:2064
-
\??\c:\5hhbnb.exec:\5hhbnb.exe93⤵PID:3340
-
\??\c:\7ddjj.exec:\7ddjj.exe94⤵PID:2136
-
\??\c:\dpvpd.exec:\dpvpd.exe95⤵PID:1220
-
\??\c:\lxxxrrr.exec:\lxxxrrr.exe96⤵PID:4760
-
\??\c:\htnhtn.exec:\htnhtn.exe97⤵PID:2524
-
\??\c:\pdjvj.exec:\pdjvj.exe98⤵PID:4596
-
\??\c:\rlrlfrr.exec:\rlrlfrr.exe99⤵PID:2424
-
\??\c:\9bhbhh.exec:\9bhbhh.exe100⤵PID:860
-
\??\c:\bhtbbn.exec:\bhtbbn.exe101⤵PID:4604
-
\??\c:\ppdvp.exec:\ppdvp.exe102⤵PID:1036
-
\??\c:\lfrlffx.exec:\lfrlffx.exe103⤵PID:4504
-
\??\c:\rlfxxrr.exec:\rlfxxrr.exe104⤵PID:4048
-
\??\c:\hbhnnh.exec:\hbhnnh.exe105⤵PID:884
-
\??\c:\9jjvd.exec:\9jjvd.exe106⤵PID:3912
-
\??\c:\lxfrfxl.exec:\lxfrfxl.exe107⤵PID:4748
-
\??\c:\tbnhhh.exec:\tbnhhh.exe108⤵PID:5068
-
\??\c:\hbnhhh.exec:\hbnhhh.exe109⤵PID:824
-
\??\c:\jvdvp.exec:\jvdvp.exe110⤵PID:744
-
\??\c:\3rfxllf.exec:\3rfxllf.exe111⤵PID:2044
-
\??\c:\rlllxlf.exec:\rlllxlf.exe112⤵PID:2712
-
\??\c:\1bbbbh.exec:\1bbbbh.exe113⤵PID:4248
-
\??\c:\dvdvj.exec:\dvdvj.exe114⤵PID:112
-
\??\c:\rfffxxx.exec:\rfffxxx.exe115⤵PID:2188
-
\??\c:\rrrrlll.exec:\rrrrlll.exe116⤵PID:4448
-
\??\c:\btttnn.exec:\btttnn.exe117⤵PID:4508
-
\??\c:\pdppd.exec:\pdppd.exe118⤵
- System Location Discovery: System Language Discovery
PID:540 -
\??\c:\1rxrffx.exec:\1rxrffx.exe119⤵PID:3840
-
\??\c:\xlrlllr.exec:\xlrlllr.exe120⤵PID:3348
-
\??\c:\bnbttt.exec:\bnbttt.exe121⤵PID:3288
-
\??\c:\pddvj.exec:\pddvj.exe122⤵PID:2128