Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5.exe
-
Size
455KB
-
MD5
99b0e89fcc039943b0e4ba46c02e3d2e
-
SHA1
14ea75bd4995909017847cf1cfbb2de046517296
-
SHA256
2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5
-
SHA512
df322442f85a58413474a6c47e53fc51dce4b086271f3f4eb73230f41b2c2fb6cb1f82ac0effe0a63dab8bde25b6a546c99d649f1031195f7ac126085ad23e6b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRI7:q7Tc2NYHUrAwfMp3CDRg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/216-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/440-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2140-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2880-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-1261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-1395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-1694-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4148 9xfxfff.exe 2848 hhbbtt.exe 2352 rrllfff.exe 1088 pjvpp.exe 3112 rllrlff.exe 3152 vjjdj.exe 1100 7fxrxxr.exe 2172 btnhhb.exe 1460 frrfxrl.exe 3412 3thhbb.exe 3132 9rfxxff.exe 2312 btthhb.exe 2528 fxxxrrr.exe 2004 btnhbb.exe 3520 ddpjp.exe 4776 bbhhbb.exe 3444 rffxllf.exe 4864 nntnht.exe 3692 ffrxrrl.exe 3572 3rfxrrr.exe 1308 5jdvp.exe 4292 rflfxxr.exe 5020 hnthtb.exe 2976 vvdvp.exe 852 jdpjv.exe 2120 9fxlfxr.exe 1476 nbhbtt.exe 4784 rllfrrl.exe 440 nntnhh.exe 1920 3vdvp.exe 3476 vvppp.exe 2264 rrxxxxf.exe 3680 vppjd.exe 1160 flrrlll.exe 4216 bbttnn.exe 4480 tnnhtt.exe 4580 5vvpd.exe 3104 llxrrrx.exe 1260 bnnbtb.exe 5064 hbbthh.exe 4560 vddvp.exe 2672 3fxrffx.exe 2484 bhbbnn.exe 2848 dvpdv.exe 4584 xxxrllf.exe 3188 5llfxxr.exe 2228 hnbtnn.exe 2732 dvjdj.exe 2140 lflrxfx.exe 5032 hbhbth.exe 4880 thtnbb.exe 5072 3pdvj.exe 1444 rfrlffx.exe 2172 xffxrrl.exe 2428 bbtttt.exe 2384 tnnhtt.exe 3172 vvpjv.exe 3132 jdvdp.exe 1612 xfrlxxx.exe 3436 nbtnht.exe 3108 vjppd.exe 4012 9flxrrl.exe 4204 llrrlfl.exe 532 httbtt.exe -
resource yara_rule behavioral2/memory/216-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1920-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2140-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-354-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2192-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-619-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-790-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tthhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 216 wrote to memory of 4148 216 2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5.exe 84 PID 216 wrote to memory of 4148 216 2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5.exe 84 PID 216 wrote to memory of 4148 216 2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5.exe 84 PID 4148 wrote to memory of 2848 4148 9xfxfff.exe 85 PID 4148 wrote to memory of 2848 4148 9xfxfff.exe 85 PID 4148 wrote to memory of 2848 4148 9xfxfff.exe 85 PID 2848 wrote to memory of 2352 2848 hhbbtt.exe 86 PID 2848 wrote to memory of 2352 2848 hhbbtt.exe 86 PID 2848 wrote to memory of 2352 2848 hhbbtt.exe 86 PID 2352 wrote to memory of 1088 2352 rrllfff.exe 87 PID 2352 wrote to memory of 1088 2352 rrllfff.exe 87 PID 2352 wrote to memory of 1088 2352 rrllfff.exe 87 PID 1088 wrote to memory of 3112 1088 pjvpp.exe 88 PID 1088 wrote to memory of 3112 1088 pjvpp.exe 88 PID 1088 wrote to memory of 3112 1088 pjvpp.exe 88 PID 3112 wrote to memory of 3152 3112 rllrlff.exe 89 PID 3112 wrote to memory of 3152 3112 rllrlff.exe 89 PID 3112 wrote to memory of 3152 3112 rllrlff.exe 89 PID 3152 wrote to memory of 1100 3152 vjjdj.exe 90 PID 3152 wrote to memory of 1100 3152 vjjdj.exe 90 PID 3152 wrote to memory of 1100 3152 vjjdj.exe 90 PID 1100 wrote to memory of 2172 1100 7fxrxxr.exe 91 PID 1100 wrote to memory of 2172 1100 7fxrxxr.exe 91 PID 1100 wrote to memory of 2172 1100 7fxrxxr.exe 91 PID 2172 wrote to memory of 1460 2172 btnhhb.exe 92 PID 2172 wrote to memory of 1460 2172 btnhhb.exe 92 PID 2172 wrote to memory of 1460 2172 btnhhb.exe 92 PID 1460 wrote to memory of 3412 1460 frrfxrl.exe 93 PID 1460 wrote to memory of 3412 1460 frrfxrl.exe 93 PID 1460 wrote to memory of 3412 1460 frrfxrl.exe 93 PID 3412 wrote to memory of 3132 3412 3thhbb.exe 94 PID 3412 wrote to memory of 3132 3412 3thhbb.exe 94 PID 3412 wrote to memory of 3132 3412 3thhbb.exe 94 PID 3132 wrote to memory of 2312 3132 9rfxxff.exe 95 PID 3132 wrote 
to memory of 2312 3132 9rfxxff.exe 95 PID 3132 wrote to memory of 2312 3132 9rfxxff.exe 95 PID 2312 wrote to memory of 2528 2312 btthhb.exe 96 PID 2312 wrote to memory of 2528 2312 btthhb.exe 96 PID 2312 wrote to memory of 2528 2312 btthhb.exe 96 PID 2528 wrote to memory of 2004 2528 fxxxrrr.exe 97 PID 2528 wrote to memory of 2004 2528 fxxxrrr.exe 97 PID 2528 wrote to memory of 2004 2528 fxxxrrr.exe 97 PID 2004 wrote to memory of 3520 2004 btnhbb.exe 98 PID 2004 wrote to memory of 3520 2004 btnhbb.exe 98 PID 2004 wrote to memory of 3520 2004 btnhbb.exe 98 PID 3520 wrote to memory of 4776 3520 ddpjp.exe 99 PID 3520 wrote to memory of 4776 3520 ddpjp.exe 99 PID 3520 wrote to memory of 4776 3520 ddpjp.exe 99 PID 4776 wrote to memory of 3444 4776 bbhhbb.exe 100 PID 4776 wrote to memory of 3444 4776 bbhhbb.exe 100 PID 4776 wrote to memory of 3444 4776 bbhhbb.exe 100 PID 3444 wrote to memory of 4864 3444 rffxllf.exe 101 PID 3444 wrote to memory of 4864 3444 rffxllf.exe 101 PID 3444 wrote to memory of 4864 3444 rffxllf.exe 101 PID 4864 wrote to memory of 3692 4864 nntnht.exe 102 PID 4864 wrote to memory of 3692 4864 nntnht.exe 102 PID 4864 wrote to memory of 3692 4864 nntnht.exe 102 PID 3692 wrote to memory of 3572 3692 ffrxrrl.exe 103 PID 3692 wrote to memory of 3572 3692 ffrxrrl.exe 103 PID 3692 wrote to memory of 3572 3692 ffrxrrl.exe 103 PID 3572 wrote to memory of 1308 3572 3rfxrrr.exe 104 PID 3572 wrote to memory of 1308 3572 3rfxrrr.exe 104 PID 3572 wrote to memory of 1308 3572 3rfxrrr.exe 104 PID 1308 wrote to memory of 4292 1308 5jdvp.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5.exe"C:\Users\Admin\AppData\Local\Temp\2348d17aff4fa3212dbb9231b408425dc7dd8071949438331385d06d111de1b5.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\9xfxfff.exec:\9xfxfff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\hhbbtt.exec:\hhbbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
\??\c:\rrllfff.exec:\rrllfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\pjvpp.exec:\pjvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\rllrlff.exec:\rllrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3112 -
\??\c:\vjjdj.exec:\vjjdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\7fxrxxr.exec:\7fxrxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\btnhhb.exec:\btnhhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2172 -
\??\c:\frrfxrl.exec:\frrfxrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\3thhbb.exec:\3thhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\9rfxxff.exec:\9rfxxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\btthhb.exec:\btthhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\btnhbb.exec:\btnhbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\ddpjp.exec:\ddpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\bbhhbb.exec:\bbhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\rffxllf.exec:\rffxllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\nntnht.exec:\nntnht.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\ffrxrrl.exec:\ffrxrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\3rfxrrr.exec:\3rfxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\5jdvp.exec:\5jdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\rflfxxr.exec:\rflfxxr.exe23⤵
- Executes dropped EXE
PID:4292 -
\??\c:\hnthtb.exec:\hnthtb.exe24⤵
- Executes dropped EXE
PID:5020 -
\??\c:\vvdvp.exec:\vvdvp.exe25⤵
- Executes dropped EXE
PID:2976 -
\??\c:\jdpjv.exec:\jdpjv.exe26⤵
- Executes dropped EXE
PID:852 -
\??\c:\9fxlfxr.exec:\9fxlfxr.exe27⤵
- Executes dropped EXE
PID:2120 -
\??\c:\nbhbtt.exec:\nbhbtt.exe28⤵
- Executes dropped EXE
PID:1476 -
\??\c:\rllfrrl.exec:\rllfrrl.exe29⤵
- Executes dropped EXE
PID:4784 -
\??\c:\nntnhh.exec:\nntnhh.exe30⤵
- Executes dropped EXE
PID:440 -
\??\c:\3vdvp.exec:\3vdvp.exe31⤵
- Executes dropped EXE
PID:1920 -
\??\c:\vvppp.exec:\vvppp.exe32⤵
- Executes dropped EXE
PID:3476 -
\??\c:\rrxxxxf.exec:\rrxxxxf.exe33⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vppjd.exec:\vppjd.exe34⤵
- Executes dropped EXE
PID:3680 -
\??\c:\flrrlll.exec:\flrrlll.exe35⤵
- Executes dropped EXE
PID:1160 -
\??\c:\bbttnn.exec:\bbttnn.exe36⤵
- Executes dropped EXE
PID:4216 -
\??\c:\tnnhtt.exec:\tnnhtt.exe37⤵
- Executes dropped EXE
PID:4480 -
\??\c:\5vvpd.exec:\5vvpd.exe38⤵
- Executes dropped EXE
PID:4580 -
\??\c:\llxrrrx.exec:\llxrrrx.exe39⤵
- Executes dropped EXE
PID:3104 -
\??\c:\bnnbtb.exec:\bnnbtb.exe40⤵
- Executes dropped EXE
PID:1260 -
\??\c:\hbbthh.exec:\hbbthh.exe41⤵
- Executes dropped EXE
PID:5064 -
\??\c:\vddvp.exec:\vddvp.exe42⤵
- Executes dropped EXE
PID:4560 -
\??\c:\3fxrffx.exec:\3fxrffx.exe43⤵
- Executes dropped EXE
PID:2672 -
\??\c:\bhbbnn.exec:\bhbbnn.exe44⤵
- Executes dropped EXE
PID:2484 -
\??\c:\dvpdv.exec:\dvpdv.exe45⤵
- Executes dropped EXE
PID:2848 -
\??\c:\xxxrllf.exec:\xxxrllf.exe46⤵
- Executes dropped EXE
PID:4584 -
\??\c:\5llfxxr.exec:\5llfxxr.exe47⤵
- Executes dropped EXE
PID:3188 -
\??\c:\hnbtnn.exec:\hnbtnn.exe48⤵
- Executes dropped EXE
PID:2228 -
\??\c:\dvjdj.exec:\dvjdj.exe49⤵
- Executes dropped EXE
PID:2732 -
\??\c:\lflrxfx.exec:\lflrxfx.exe50⤵
- Executes dropped EXE
PID:2140 -
\??\c:\hbhbth.exec:\hbhbth.exe51⤵
- Executes dropped EXE
PID:5032 -
\??\c:\thtnbb.exec:\thtnbb.exe52⤵
- Executes dropped EXE
PID:4880 -
\??\c:\3pdvj.exec:\3pdvj.exe53⤵
- Executes dropped EXE
PID:5072 -
\??\c:\rfrlffx.exec:\rfrlffx.exe54⤵
- Executes dropped EXE
PID:1444 -
\??\c:\xffxrrl.exec:\xffxrrl.exe55⤵
- Executes dropped EXE
PID:2172 -
\??\c:\bbtttt.exec:\bbtttt.exe56⤵
- Executes dropped EXE
PID:2428 -
\??\c:\tnnhtt.exec:\tnnhtt.exe57⤵
- Executes dropped EXE
PID:2384 -
\??\c:\vvpjv.exec:\vvpjv.exe58⤵
- Executes dropped EXE
PID:3172 -
\??\c:\jdvdp.exec:\jdvdp.exe59⤵
- Executes dropped EXE
PID:3132 -
\??\c:\xfrlxxx.exec:\xfrlxxx.exe60⤵
- Executes dropped EXE
PID:1612 -
\??\c:\nbtnht.exec:\nbtnht.exe61⤵
- Executes dropped EXE
PID:3436 -
\??\c:\vjppd.exec:\vjppd.exe62⤵
- Executes dropped EXE
PID:3108 -
\??\c:\9flxrrl.exec:\9flxrrl.exe63⤵
- Executes dropped EXE
PID:4012 -
\??\c:\llrrlfl.exec:\llrrlfl.exe64⤵
- Executes dropped EXE
PID:4204 -
\??\c:\httbtt.exec:\httbtt.exe65⤵
- Executes dropped EXE
PID:532 -
\??\c:\pdpjp.exec:\pdpjp.exe66⤵PID:2196
-
\??\c:\xlllxxr.exec:\xlllxxr.exe67⤵PID:3812
-
\??\c:\lrrlffx.exec:\lrrlffx.exe68⤵PID:1096
-
\??\c:\hntthh.exec:\hntthh.exe69⤵PID:3692
-
\??\c:\7jjjd.exec:\7jjjd.exe70⤵PID:2980
-
\??\c:\jvvpd.exec:\jvvpd.exe71⤵PID:1584
-
\??\c:\frxffxx.exec:\frxffxx.exe72⤵PID:3644
-
\??\c:\bhhhbn.exec:\bhhhbn.exe73⤵PID:1716
-
\??\c:\vjpjd.exec:\vjpjd.exe74⤵PID:2880
-
\??\c:\5jpdd.exec:\5jpdd.exe75⤵PID:1988
-
\??\c:\3xfxllf.exec:\3xfxllf.exe76⤵PID:1760
-
\??\c:\htbttt.exec:\htbttt.exe77⤵PID:2736
-
\??\c:\dvvpd.exec:\dvvpd.exe78⤵PID:2708
-
\??\c:\dpvpp.exec:\dpvpp.exe79⤵PID:3124
-
\??\c:\9fxxrrl.exec:\9fxxrrl.exe80⤵PID:1664
-
\??\c:\rrxrrll.exec:\rrxrrll.exe81⤵PID:4200
-
\??\c:\ntnnbb.exec:\ntnnbb.exe82⤵PID:2368
-
\??\c:\thhbtt.exec:\thhbtt.exe83⤵PID:4772
-
\??\c:\pvdvj.exec:\pvdvj.exe84⤵PID:3440
-
\??\c:\rllfrlf.exec:\rllfrlf.exe85⤵PID:4896
-
\??\c:\tnnhbb.exec:\tnnhbb.exe86⤵PID:2192
-
\??\c:\jjdvj.exec:\jjdvj.exe87⤵PID:2744
-
\??\c:\djdpd.exec:\djdpd.exe88⤵PID:3680
-
\??\c:\btbnhn.exec:\btbnhn.exe89⤵PID:4512
-
\??\c:\bhhnhb.exec:\bhhnhb.exe90⤵PID:2940
-
\??\c:\3pvpp.exec:\3pvpp.exe91⤵PID:4480
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe92⤵PID:2700
-
\??\c:\7xlfxlf.exec:\7xlfxlf.exe93⤵PID:2112
-
\??\c:\3hhbtt.exec:\3hhbtt.exe94⤵
- System Location Discovery: System Language Discovery
PID:4516 -
\??\c:\jdddp.exec:\jdddp.exe95⤵PID:4520
-
\??\c:\5rfxrlf.exec:\5rfxrlf.exe96⤵PID:4560
-
\??\c:\nhtttn.exec:\nhtttn.exe97⤵
- System Location Discovery: System Language Discovery
PID:4992 -
\??\c:\nbnhbt.exec:\nbnhbt.exe98⤵PID:1228
-
\??\c:\dddvj.exec:\dddvj.exe99⤵PID:1152
-
\??\c:\1lllxxr.exec:\1lllxxr.exe100⤵PID:3780
-
\??\c:\hbttnh.exec:\hbttnh.exe101⤵PID:1088
-
\??\c:\htbttt.exec:\htbttt.exe102⤵PID:3356
-
\??\c:\vdjdd.exec:\vdjdd.exe103⤵PID:4564
-
\??\c:\vpvpj.exec:\vpvpj.exe104⤵PID:1164
-
\??\c:\rlxrrlr.exec:\rlxrrlr.exe105⤵PID:2176
-
\??\c:\tthhnh.exec:\tthhnh.exe106⤵PID:5032
-
\??\c:\thttbt.exec:\thttbt.exe107⤵PID:1728
-
\??\c:\vpvpp.exec:\vpvpp.exe108⤵PID:3528
-
\??\c:\frxrlll.exec:\frxrlll.exe109⤵PID:4316
-
\??\c:\ntbtnn.exec:\ntbtnn.exe110⤵PID:1460
-
\??\c:\pvdvj.exec:\pvdvj.exe111⤵PID:920
-
\??\c:\jdjdd.exec:\jdjdd.exe112⤵PID:2300
-
\??\c:\fxfxxxf.exec:\fxfxxxf.exe113⤵PID:4036
-
\??\c:\9httnn.exec:\9httnn.exe114⤵PID:1564
-
\??\c:\vpjpj.exec:\vpjpj.exe115⤵PID:1120
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe116⤵PID:3648
-
\??\c:\ntbbtt.exec:\ntbbtt.exe117⤵PID:1708
-
\??\c:\thbttt.exec:\thbttt.exe118⤵PID:3916
-
\??\c:\jdvpd.exec:\jdvpd.exe119⤵PID:512
-
\??\c:\rllrllf.exec:\rllrllf.exe120⤵PID:8
-
\??\c:\htthbb.exec:\htthbb.exe121⤵PID:4768
-
\??\c:\dppjv.exec:\dppjv.exe122⤵PID:3584