Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 11:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98.exe
-
Size
456KB
-
MD5
6d8a3ca08c7d94564ab16f0dfac9172c
-
SHA1
ad9be8a481c19e43900d9b653dafd5133a7a834c
-
SHA256
be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98
-
SHA512
6c4f2eadfc8b03162c94b58a1babd398f084a7ff79c23c4f137c682d8c97548479e6e300c1b00bae59dd283267650e62a3f737263fd1f1091a3ee65960e2a527
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRg:q7Tc2NYHUrAwfMp3CDRg
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3124-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1144-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1280-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2308-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2060-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-669-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-725-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-958-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-1112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-1188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-1657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 456 pdjjj.exe 2816 hnttbn.exe 1144 rrxxrxr.exe 1896 ppjdd.exe 3744 3xxxxxr.exe 3640 ththht.exe 1280 tnnnhh.exe 1220 vvppp.exe 2552 nhnhtt.exe 3464 ddddj.exe 2412 ffrfffx.exe 3792 nbhhbb.exe 3544 jpdvp.exe 952 fxlfffr.exe 1196 xlfxxxx.exe 3520 fffxrrl.exe 4356 vjpjd.exe 2996 htbtnn.exe 3336 dvjjd.exe 688 frlfxxr.exe 3064 7bthnn.exe 1400 1vjvp.exe 4768 3ffxrff.exe 1348 rllfxxr.exe 2844 9frrxxr.exe 1328 fflrllr.exe 2244 vpddd.exe 2864 1tnhbt.exe 2308 ppppj.exe 836 1rlfxxr.exe 2564 9pvjj.exe 2468 vjppj.exe 5080 xxxlffx.exe 4320 9httnn.exe 4540 7ffrrll.exe 4568 xxfxxxx.exe 5008 nthbbb.exe 4740 7dvvp.exe 676 3xfrrrr.exe 2336 tnttnt.exe 1164 dpjdv.exe 4136 rxrxlrr.exe 792 lfrllll.exe 2868 hbnhbb.exe 1860 ddjvd.exe 4316 bnhtth.exe 3060 jvjdj.exe 4864 rrlxfrx.exe 2816 1frxflf.exe 1144 btbntt.exe 3896 pppdp.exe 1480 fflxflx.exe 1700 1tbttt.exe 4196 hthbbt.exe 3640 rrrlxrl.exe 516 rxlxrlf.exe 432 3bhbhb.exe 3948 pjjvj.exe 464 frrffrr.exe 1076 nttnht.exe 1244 hhhtnh.exe 2940 dpvjp.exe 1608 xrlxlfr.exe 3036 fllxxrl.exe -
resource yara_rule behavioral2/memory/3124-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1144-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-170-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2468-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3172-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-669-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-725-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-867-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lrlfrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbntn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxllxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3124 wrote to memory of 456 3124 be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98.exe 82 PID 3124 wrote to memory of 456 3124 be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98.exe 82 PID 3124 wrote to memory of 456 3124 be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98.exe 82 PID 456 wrote to memory of 2816 456 pdjjj.exe 83 PID 456 wrote to memory of 2816 456 pdjjj.exe 83 PID 456 wrote to memory of 2816 456 pdjjj.exe 83 PID 2816 wrote to memory of 1144 2816 hnttbn.exe 84 PID 2816 wrote to memory of 1144 2816 hnttbn.exe 84 PID 2816 wrote to memory of 1144 2816 hnttbn.exe 84 PID 1144 wrote to memory of 1896 1144 rrxxrxr.exe 85 PID 1144 wrote to memory of 1896 1144 rrxxrxr.exe 85 PID 1144 wrote to memory of 1896 1144 rrxxrxr.exe 85 PID 1896 wrote to memory of 3744 1896 ppjdd.exe 86 PID 1896 wrote to memory of 3744 1896 ppjdd.exe 86 PID 1896 wrote to memory of 3744 1896 ppjdd.exe 86 PID 3744 wrote to memory of 3640 3744 3xxxxxr.exe 87 PID 3744 wrote to memory of 3640 3744 3xxxxxr.exe 87 PID 3744 wrote to memory of 3640 3744 3xxxxxr.exe 87 PID 3640 wrote to memory of 1280 3640 ththht.exe 88 PID 3640 wrote to memory of 1280 3640 ththht.exe 88 PID 3640 wrote to memory of 1280 3640 ththht.exe 88 PID 1280 wrote to memory of 1220 1280 tnnnhh.exe 89 PID 1280 wrote to memory of 1220 1280 tnnnhh.exe 89 PID 1280 wrote to memory of 1220 1280 tnnnhh.exe 89 PID 1220 wrote to memory of 2552 1220 vvppp.exe 90 PID 1220 wrote to memory of 2552 1220 vvppp.exe 90 PID 1220 wrote to memory of 2552 1220 vvppp.exe 90 PID 2552 wrote to memory of 3464 2552 nhnhtt.exe 91 PID 2552 wrote to memory of 3464 2552 nhnhtt.exe 91 PID 2552 wrote to memory of 3464 2552 nhnhtt.exe 91 PID 3464 wrote to memory of 2412 3464 ddddj.exe 92 PID 3464 wrote to memory of 2412 3464 ddddj.exe 92 PID 3464 wrote to memory of 2412 3464 ddddj.exe 92 PID 2412 wrote to memory of 3792 2412 ffrfffx.exe 93 PID 2412 wrote to memory of 3792 
2412 ffrfffx.exe 93 PID 2412 wrote to memory of 3792 2412 ffrfffx.exe 93 PID 3792 wrote to memory of 3544 3792 nbhhbb.exe 94 PID 3792 wrote to memory of 3544 3792 nbhhbb.exe 94 PID 3792 wrote to memory of 3544 3792 nbhhbb.exe 94 PID 3544 wrote to memory of 952 3544 jpdvp.exe 95 PID 3544 wrote to memory of 952 3544 jpdvp.exe 95 PID 3544 wrote to memory of 952 3544 jpdvp.exe 95 PID 952 wrote to memory of 1196 952 fxlfffr.exe 96 PID 952 wrote to memory of 1196 952 fxlfffr.exe 96 PID 952 wrote to memory of 1196 952 fxlfffr.exe 96 PID 1196 wrote to memory of 3520 1196 xlfxxxx.exe 97 PID 1196 wrote to memory of 3520 1196 xlfxxxx.exe 97 PID 1196 wrote to memory of 3520 1196 xlfxxxx.exe 97 PID 3520 wrote to memory of 4356 3520 fffxrrl.exe 98 PID 3520 wrote to memory of 4356 3520 fffxrrl.exe 98 PID 3520 wrote to memory of 4356 3520 fffxrrl.exe 98 PID 4356 wrote to memory of 2996 4356 vjpjd.exe 99 PID 4356 wrote to memory of 2996 4356 vjpjd.exe 99 PID 4356 wrote to memory of 2996 4356 vjpjd.exe 99 PID 2996 wrote to memory of 3336 2996 htbtnn.exe 100 PID 2996 wrote to memory of 3336 2996 htbtnn.exe 100 PID 2996 wrote to memory of 3336 2996 htbtnn.exe 100 PID 3336 wrote to memory of 688 3336 dvjjd.exe 101 PID 3336 wrote to memory of 688 3336 dvjjd.exe 101 PID 3336 wrote to memory of 688 3336 dvjjd.exe 101 PID 688 wrote to memory of 3064 688 frlfxxr.exe 102 PID 688 wrote to memory of 3064 688 frlfxxr.exe 102 PID 688 wrote to memory of 3064 688 frlfxxr.exe 102 PID 3064 wrote to memory of 1400 3064 7bthnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98.exe"C:\Users\Admin\AppData\Local\Temp\be0c525cb00960d1f0e7bd50a1ffb71f736198b79ffb8b4d2f476b1efa387e98.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\pdjjj.exec:\pdjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\hnttbn.exec:\hnttbn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\rrxxrxr.exec:\rrxxrxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
\??\c:\ppjdd.exec:\ppjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\3xxxxxr.exec:\3xxxxxr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\ththht.exec:\ththht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\tnnnhh.exec:\tnnnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280 -
\??\c:\vvppp.exec:\vvppp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\nhnhtt.exec:\nhnhtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\ddddj.exec:\ddddj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\ffrfffx.exec:\ffrfffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\nbhhbb.exec:\nbhhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\jpdvp.exec:\jpdvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\fxlfffr.exec:\fxlfffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\xlfxxxx.exec:\xlfxxxx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\fffxrrl.exec:\fffxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\vjpjd.exec:\vjpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4356 -
\??\c:\htbtnn.exec:\htbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\dvjjd.exec:\dvjjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336 -
\??\c:\frlfxxr.exec:\frlfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:688 -
\??\c:\7bthnn.exec:\7bthnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\1vjvp.exec:\1vjvp.exe23⤵
- Executes dropped EXE
PID:1400 -
\??\c:\3ffxrff.exec:\3ffxrff.exe24⤵
- Executes dropped EXE
PID:4768 -
\??\c:\rllfxxr.exec:\rllfxxr.exe25⤵
- Executes dropped EXE
PID:1348 -
\??\c:\9frrxxr.exec:\9frrxxr.exe26⤵
- Executes dropped EXE
PID:2844 -
\??\c:\fflrllr.exec:\fflrllr.exe27⤵
- Executes dropped EXE
PID:1328 -
\??\c:\vpddd.exec:\vpddd.exe28⤵
- Executes dropped EXE
PID:2244 -
\??\c:\1tnhbt.exec:\1tnhbt.exe29⤵
- Executes dropped EXE
PID:2864 -
\??\c:\ppppj.exec:\ppppj.exe30⤵
- Executes dropped EXE
PID:2308 -
\??\c:\1rlfxxr.exec:\1rlfxxr.exe31⤵
- Executes dropped EXE
PID:836 -
\??\c:\9pvjj.exec:\9pvjj.exe32⤵
- Executes dropped EXE
PID:2564 -
\??\c:\vjppj.exec:\vjppj.exe33⤵
- Executes dropped EXE
PID:2468 -
\??\c:\xxxlffx.exec:\xxxlffx.exe34⤵
- Executes dropped EXE
PID:5080 -
\??\c:\9httnn.exec:\9httnn.exe35⤵
- Executes dropped EXE
PID:4320 -
\??\c:\7ffrrll.exec:\7ffrrll.exe36⤵
- Executes dropped EXE
PID:4540 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe37⤵
- Executes dropped EXE
PID:4568 -
\??\c:\nthbbb.exec:\nthbbb.exe38⤵
- Executes dropped EXE
PID:5008 -
\??\c:\7dvvp.exec:\7dvvp.exe39⤵
- Executes dropped EXE
PID:4740 -
\??\c:\3xfrrrr.exec:\3xfrrrr.exe40⤵
- Executes dropped EXE
PID:676 -
\??\c:\tnttnt.exec:\tnttnt.exe41⤵
- Executes dropped EXE
PID:2336 -
\??\c:\dpjdv.exec:\dpjdv.exe42⤵
- Executes dropped EXE
PID:1164 -
\??\c:\rxrxlrr.exec:\rxrxlrr.exe43⤵
- Executes dropped EXE
PID:4136 -
\??\c:\lfrllll.exec:\lfrllll.exe44⤵
- Executes dropped EXE
PID:792 -
\??\c:\hbnhbb.exec:\hbnhbb.exe45⤵
- Executes dropped EXE
PID:2868 -
\??\c:\ddjvd.exec:\ddjvd.exe46⤵
- Executes dropped EXE
PID:1860 -
\??\c:\frrrxxx.exec:\frrrxxx.exe47⤵PID:1380
-
\??\c:\bnhtth.exec:\bnhtth.exe48⤵
- Executes dropped EXE
PID:4316 -
\??\c:\jvjdj.exec:\jvjdj.exe49⤵
- Executes dropped EXE
PID:3060 -
\??\c:\rrlxfrx.exec:\rrlxfrx.exe50⤵
- Executes dropped EXE
PID:4864 -
\??\c:\1frxflf.exec:\1frxflf.exe51⤵
- Executes dropped EXE
PID:2816 -
\??\c:\btbntt.exec:\btbntt.exe52⤵
- Executes dropped EXE
PID:1144 -
\??\c:\pppdp.exec:\pppdp.exe53⤵
- Executes dropped EXE
PID:3896 -
\??\c:\fflxflx.exec:\fflxflx.exe54⤵
- Executes dropped EXE
PID:1480 -
\??\c:\1tbttt.exec:\1tbttt.exe55⤵
- Executes dropped EXE
PID:1700 -
\??\c:\hthbbt.exec:\hthbbt.exe56⤵
- Executes dropped EXE
PID:4196 -
\??\c:\rrrlxrl.exec:\rrrlxrl.exe57⤵
- Executes dropped EXE
PID:3640 -
\??\c:\rxlxrlf.exec:\rxlxrlf.exe58⤵
- Executes dropped EXE
PID:516 -
\??\c:\3bhbhb.exec:\3bhbhb.exe59⤵
- Executes dropped EXE
PID:432 -
\??\c:\pjjvj.exec:\pjjvj.exe60⤵
- Executes dropped EXE
PID:3948 -
\??\c:\frrffrr.exec:\frrffrr.exe61⤵
- Executes dropped EXE
PID:464 -
\??\c:\nttnht.exec:\nttnht.exe62⤵
- Executes dropped EXE
PID:1076 -
\??\c:\hhhtnh.exec:\hhhtnh.exe63⤵
- Executes dropped EXE
PID:1244 -
\??\c:\dpvjp.exec:\dpvjp.exe64⤵
- Executes dropped EXE
PID:2940 -
\??\c:\xrlxlfr.exec:\xrlxlfr.exe65⤵
- Executes dropped EXE
PID:1608 -
\??\c:\fllxxrl.exec:\fllxxrl.exe66⤵
- Executes dropped EXE
PID:3036 -
\??\c:\tbhbth.exec:\tbhbth.exe67⤵PID:2160
-
\??\c:\vjvjd.exec:\vjvjd.exe68⤵PID:388
-
\??\c:\9xfrfxl.exec:\9xfrfxl.exe69⤵PID:3204
-
\??\c:\rlxrxll.exec:\rlxrxll.exe70⤵PID:3852
-
\??\c:\hhhbtn.exec:\hhhbtn.exe71⤵PID:2956
-
\??\c:\ppjdv.exec:\ppjdv.exe72⤵PID:4744
-
\??\c:\pvvjv.exec:\pvvjv.exe73⤵PID:3988
-
\??\c:\rllxfxf.exec:\rllxfxf.exe74⤵PID:3528
-
\??\c:\9nbthh.exec:\9nbthh.exe75⤵PID:3720
-
\??\c:\5vpdv.exec:\5vpdv.exe76⤵PID:1660
-
\??\c:\frrlfrr.exec:\frrlfrr.exe77⤵PID:4384
-
\??\c:\9flxfxf.exec:\9flxfxf.exe78⤵PID:3460
-
\??\c:\3hhthh.exec:\3hhthh.exe79⤵PID:1768
-
\??\c:\3jvjv.exec:\3jvjv.exe80⤵PID:1260
-
\??\c:\3lxrffx.exec:\3lxrffx.exe81⤵PID:4960
-
\??\c:\bbtnnh.exec:\bbtnnh.exe82⤵PID:2060
-
\??\c:\hnhtbh.exec:\hnhtbh.exe83⤵PID:2844
-
\??\c:\jdpvp.exec:\jdpvp.exe84⤵PID:5072
-
\??\c:\5rxrfxr.exec:\5rxrfxr.exe85⤵PID:808
-
\??\c:\fxrrfrl.exec:\fxrrfrl.exe86⤵PID:748
-
\??\c:\tbhbtn.exec:\tbhbtn.exe87⤵PID:2320
-
\??\c:\9ddpj.exec:\9ddpj.exe88⤵PID:5108
-
\??\c:\7xfrfxl.exec:\7xfrfxl.exe89⤵PID:1080
-
\??\c:\llffxxr.exec:\llffxxr.exe90⤵PID:2280
-
\??\c:\9hnbbb.exec:\9hnbbb.exe91⤵PID:2564
-
\??\c:\jjddp.exec:\jjddp.exe92⤵PID:3352
-
\??\c:\jvjdv.exec:\jvjdv.exe93⤵PID:3168
-
\??\c:\fllfrrf.exec:\fllfrrf.exe94⤵PID:3956
-
\??\c:\nbhbtt.exec:\nbhbtt.exe95⤵PID:3172
-
\??\c:\7nhbtt.exec:\7nhbtt.exe96⤵PID:2216
-
\??\c:\ppdvp.exec:\ppdvp.exe97⤵PID:2056
-
\??\c:\xllxlfr.exec:\xllxlfr.exe98⤵PID:4408
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe99⤵PID:4592
-
\??\c:\bnhtbt.exec:\bnhtbt.exe100⤵PID:3980
-
\??\c:\jjpjd.exec:\jjpjd.exe101⤵PID:1836
-
\??\c:\fxflxfr.exec:\fxflxfr.exe102⤵PID:3644
-
\??\c:\9hhbnn.exec:\9hhbnn.exe103⤵PID:2164
-
\??\c:\jddpj.exec:\jddpj.exe104⤵PID:2596
-
\??\c:\jdddv.exec:\jdddv.exe105⤵PID:4368
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe106⤵PID:3288
-
\??\c:\fxffxxx.exec:\fxffxxx.exe107⤵PID:3124
-
\??\c:\hhnbtt.exec:\hhnbtt.exe108⤵PID:4132
-
\??\c:\7djjv.exec:\7djjv.exe109⤵PID:864
-
\??\c:\lfffrrr.exec:\lfffrrr.exe110⤵PID:4048
-
\??\c:\lxrrllf.exec:\lxrrllf.exe111⤵PID:4416
-
\??\c:\thnbtt.exec:\thnbtt.exe112⤵PID:4616
-
\??\c:\jdddv.exec:\jdddv.exe113⤵PID:1204
-
\??\c:\jvpjp.exec:\jvpjp.exe114⤵PID:3552
-
\??\c:\lfxxllx.exec:\lfxxllx.exe115⤵PID:4844
-
\??\c:\7btnth.exec:\7btnth.exe116⤵PID:1280
-
\??\c:\vvjpv.exec:\vvjpv.exe117⤵PID:876
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe118⤵PID:604
-
\??\c:\rfrlrrr.exec:\rfrlrrr.exe119⤵PID:3736
-
\??\c:\5ntnhh.exec:\5ntnhh.exe120⤵PID:2156
-
\??\c:\hnhthb.exec:\hnhthb.exe121⤵PID:3660
-
\??\c:\vdjdd.exec:\vdjdd.exe122⤵PID:2064