Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 21:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe
-
Size
456KB
-
MD5
54ce8b9840612af3ea0f31dc26d5d998
-
SHA1
0a686ecc450c5a6cf808b262f929596d00a1e5fe
-
SHA256
3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2
-
SHA512
d9b15aff7f86a4a43cc04619b305bd031ce423cd546c0cc8b8513e8b1bf6a9c04bfd324df8c7d5a17114b1bff9f8afc0427502e6e7eb462ea7c5623f137c1989
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeR2:q7Tc2NYHUrAwfMp3CDR2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/836-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2760-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1216-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3032-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-378-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-514-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-684-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-827-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-1537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4748 tbbtnb.exe 3628 hnnhbt.exe 2300 lxlxlfr.exe 2704 hhhtnb.exe 4340 vddpd.exe 4544 vddpj.exe 1692 hnhbnn.exe 5056 rxfrlfx.exe 1508 tnntth.exe 5024 jdjvj.exe 1064 fflxfxr.exe 1748 7hhntn.exe 4964 nhtnbn.exe 3360 nhhhtt.exe 1200 5ddvj.exe 2396 bbbthb.exe 4704 dvjpj.exe 648 fflxlfr.exe 2388 vdjvj.exe 3820 hbhtbt.exe 760 5llxllr.exe 2264 nnhtnb.exe 2760 lxrlxrf.exe 4364 pjdjd.exe 4732 9ththh.exe 4980 lrxlxrl.exe 3128 ddjvd.exe 1648 hnbthh.exe 1832 lffxlll.exe 4944 bhtnhh.exe 3000 rrllfxr.exe 4268 tttntt.exe 1344 hhhnnh.exe 1216 htbbth.exe 4880 frlxrlf.exe 4220 rlxxffl.exe 4224 nhhhbb.exe 4784 pppjv.exe 5048 3jvdj.exe 1416 ffxlrfx.exe 64 nttnhb.exe 316 rllfffx.exe 4560 7nhtnh.exe 2828 pjvpj.exe 1744 rlfrfrx.exe 4484 httnhb.exe 2000 pvdvp.exe 2664 dpddv.exe 1420 lrllffx.exe 3336 rlxrxxf.exe 756 tnnhtt.exe 1180 vdvpd.exe 2632 rlrrffx.exe 5056 thhbbt.exe 1508 jddvd.exe 2140 frrrllf.exe 4140 xflfxxx.exe 3968 htttnn.exe 3048 vdjdv.exe 2520 rrrffrl.exe 4964 httnnn.exe 444 vvjdp.exe 720 rlrrffl.exe 3392 llfxlxr.exe -
resource yara_rule behavioral2/memory/836-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3628-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2760-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1216-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-365-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1968-378-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-514-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-684-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-827-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfxlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnht.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9djdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjvj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 836 wrote to memory of 4748 836 3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe 83 PID 836 wrote to memory of 4748 836 3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe 83 PID 836 wrote to memory of 4748 836 3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe 83 PID 4748 wrote to memory of 3628 4748 tbbtnb.exe 84 PID 4748 wrote to memory of 3628 4748 tbbtnb.exe 84 PID 4748 wrote to memory of 3628 4748 tbbtnb.exe 84 PID 3628 wrote to memory of 2300 3628 hnnhbt.exe 85 PID 3628 wrote to memory of 2300 3628 hnnhbt.exe 85 PID 3628 wrote to memory of 2300 3628 hnnhbt.exe 85 PID 2300 wrote to memory of 2704 2300 lxlxlfr.exe 86 PID 2300 wrote to memory of 2704 2300 lxlxlfr.exe 86 PID 2300 wrote to memory of 2704 2300 lxlxlfr.exe 86 PID 2704 wrote to memory of 4340 2704 hhhtnb.exe 87 PID 2704 wrote to memory of 4340 2704 hhhtnb.exe 87 PID 2704 wrote to memory of 4340 2704 hhhtnb.exe 87 PID 4340 wrote to memory of 4544 4340 vddpd.exe 88 PID 4340 wrote to memory of 4544 4340 vddpd.exe 88 PID 4340 wrote to memory of 4544 4340 vddpd.exe 88 PID 4544 wrote to memory of 1692 4544 vddpj.exe 89 PID 4544 wrote to memory of 1692 4544 vddpj.exe 89 PID 4544 wrote to memory of 1692 4544 vddpj.exe 89 PID 1692 wrote to memory of 5056 1692 hnhbnn.exe 90 PID 1692 wrote to memory of 5056 1692 hnhbnn.exe 90 PID 1692 wrote to memory of 5056 1692 hnhbnn.exe 90 PID 5056 wrote to memory of 1508 5056 rxfrlfx.exe 91 PID 5056 wrote to memory of 1508 5056 rxfrlfx.exe 91 PID 5056 wrote to memory of 1508 5056 rxfrlfx.exe 91 PID 1508 wrote to memory of 5024 1508 tnntth.exe 92 PID 1508 wrote to memory of 5024 1508 tnntth.exe 92 PID 1508 wrote to memory of 5024 1508 tnntth.exe 92 PID 5024 wrote to memory of 1064 5024 jdjvj.exe 93 PID 5024 wrote to memory of 1064 5024 jdjvj.exe 93 PID 5024 wrote to memory of 1064 5024 jdjvj.exe 93 PID 1064 wrote to memory of 1748 1064 fflxfxr.exe 94 PID 1064 wrote to memory of 
1748 1064 fflxfxr.exe 94 PID 1064 wrote to memory of 1748 1064 fflxfxr.exe 94 PID 1748 wrote to memory of 4964 1748 7hhntn.exe 95 PID 1748 wrote to memory of 4964 1748 7hhntn.exe 95 PID 1748 wrote to memory of 4964 1748 7hhntn.exe 95 PID 4964 wrote to memory of 3360 4964 nhtnbn.exe 96 PID 4964 wrote to memory of 3360 4964 nhtnbn.exe 96 PID 4964 wrote to memory of 3360 4964 nhtnbn.exe 96 PID 3360 wrote to memory of 1200 3360 nhhhtt.exe 97 PID 3360 wrote to memory of 1200 3360 nhhhtt.exe 97 PID 3360 wrote to memory of 1200 3360 nhhhtt.exe 97 PID 1200 wrote to memory of 2396 1200 5ddvj.exe 98 PID 1200 wrote to memory of 2396 1200 5ddvj.exe 98 PID 1200 wrote to memory of 2396 1200 5ddvj.exe 98 PID 2396 wrote to memory of 4704 2396 bbbthb.exe 99 PID 2396 wrote to memory of 4704 2396 bbbthb.exe 99 PID 2396 wrote to memory of 4704 2396 bbbthb.exe 99 PID 4704 wrote to memory of 648 4704 dvjpj.exe 100 PID 4704 wrote to memory of 648 4704 dvjpj.exe 100 PID 4704 wrote to memory of 648 4704 dvjpj.exe 100 PID 648 wrote to memory of 2388 648 fflxlfr.exe 101 PID 648 wrote to memory of 2388 648 fflxlfr.exe 101 PID 648 wrote to memory of 2388 648 fflxlfr.exe 101 PID 2388 wrote to memory of 3820 2388 vdjvj.exe 102 PID 2388 wrote to memory of 3820 2388 vdjvj.exe 102 PID 2388 wrote to memory of 3820 2388 vdjvj.exe 102 PID 3820 wrote to memory of 760 3820 hbhtbt.exe 103 PID 3820 wrote to memory of 760 3820 hbhtbt.exe 103 PID 3820 wrote to memory of 760 3820 hbhtbt.exe 103 PID 760 wrote to memory of 2264 760 5llxllr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe"C:\Users\Admin\AppData\Local\Temp\3228e775b9c0cca7c9e5747903a2c361df63c93e35ef407f25c4f607818a22e2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\tbbtnb.exec:\tbbtnb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\hnnhbt.exec:\hnnhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3628 -
\??\c:\lxlxlfr.exec:\lxlxlfr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\hhhtnb.exec:\hhhtnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\vddpd.exec:\vddpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\vddpj.exec:\vddpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\hnhbnn.exec:\hnhbnn.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\tnntth.exec:\tnntth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\jdjvj.exec:\jdjvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\fflxfxr.exec:\fflxfxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064 -
\??\c:\7hhntn.exec:\7hhntn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\nhtnbn.exec:\nhtnbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\nhhhtt.exec:\nhhhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3360 -
\??\c:\5ddvj.exec:\5ddvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200 -
\??\c:\bbbthb.exec:\bbbthb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\dvjpj.exec:\dvjpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\fflxlfr.exec:\fflxlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:648 -
\??\c:\vdjvj.exec:\vdjvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\hbhtbt.exec:\hbhtbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\5llxllr.exec:\5llxllr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\nnhtnb.exec:\nnhtnb.exe23⤵
- Executes dropped EXE
PID:2264 -
\??\c:\lxrlxrf.exec:\lxrlxrf.exe24⤵
- Executes dropped EXE
PID:2760 -
\??\c:\pjdjd.exec:\pjdjd.exe25⤵
- Executes dropped EXE
PID:4364 -
\??\c:\9ththh.exec:\9ththh.exe26⤵
- Executes dropped EXE
PID:4732 -
\??\c:\lrxlxrl.exec:\lrxlxrl.exe27⤵
- Executes dropped EXE
PID:4980 -
\??\c:\ddjvd.exec:\ddjvd.exe28⤵
- Executes dropped EXE
PID:3128 -
\??\c:\hnbthh.exec:\hnbthh.exe29⤵
- Executes dropped EXE
PID:1648 -
\??\c:\lffxlll.exec:\lffxlll.exe30⤵
- Executes dropped EXE
PID:1832 -
\??\c:\bhtnhh.exec:\bhtnhh.exe31⤵
- Executes dropped EXE
PID:4944 -
\??\c:\rrllfxr.exec:\rrllfxr.exe32⤵
- Executes dropped EXE
PID:3000 -
\??\c:\tttntt.exec:\tttntt.exe33⤵
- Executes dropped EXE
PID:4268 -
\??\c:\hhhnnh.exec:\hhhnnh.exe34⤵
- Executes dropped EXE
PID:1344 -
\??\c:\htbbth.exec:\htbbth.exe35⤵
- Executes dropped EXE
PID:1216 -
\??\c:\frlxrlf.exec:\frlxrlf.exe36⤵
- Executes dropped EXE
PID:4880 -
\??\c:\rlxxffl.exec:\rlxxffl.exe37⤵
- Executes dropped EXE
PID:4220 -
\??\c:\nhhhbb.exec:\nhhhbb.exe38⤵
- Executes dropped EXE
PID:4224 -
\??\c:\pppjv.exec:\pppjv.exe39⤵
- Executes dropped EXE
PID:4784 -
\??\c:\3jvdj.exec:\3jvdj.exe40⤵
- Executes dropped EXE
PID:5048 -
\??\c:\ffxlrfx.exec:\ffxlrfx.exe41⤵
- Executes dropped EXE
PID:1416 -
\??\c:\nttnhb.exec:\nttnhb.exe42⤵
- Executes dropped EXE
PID:64 -
\??\c:\vppdp.exec:\vppdp.exe43⤵PID:4424
-
\??\c:\rllfffx.exec:\rllfffx.exe44⤵
- Executes dropped EXE
PID:316 -
\??\c:\7nhtnh.exec:\7nhtnh.exe45⤵
- Executes dropped EXE
PID:4560 -
\??\c:\pjvpj.exec:\pjvpj.exe46⤵
- Executes dropped EXE
PID:2828 -
\??\c:\rlfrfrx.exec:\rlfrfrx.exe47⤵
- Executes dropped EXE
PID:1744 -
\??\c:\httnhb.exec:\httnhb.exe48⤵
- Executes dropped EXE
PID:4484 -
\??\c:\pvdvp.exec:\pvdvp.exe49⤵
- Executes dropped EXE
PID:2000 -
\??\c:\dpddv.exec:\dpddv.exe50⤵
- Executes dropped EXE
PID:2664 -
\??\c:\lrllffx.exec:\lrllffx.exe51⤵
- Executes dropped EXE
PID:1420 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe52⤵
- Executes dropped EXE
PID:3336 -
\??\c:\tnnhtt.exec:\tnnhtt.exe53⤵
- Executes dropped EXE
PID:756 -
\??\c:\vdvpd.exec:\vdvpd.exe54⤵
- Executes dropped EXE
PID:1180 -
\??\c:\rlrrffx.exec:\rlrrffx.exe55⤵
- Executes dropped EXE
PID:2632 -
\??\c:\thhbbt.exec:\thhbbt.exe56⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jddvd.exec:\jddvd.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508 -
\??\c:\frrrllf.exec:\frrrllf.exe58⤵
- Executes dropped EXE
PID:2140 -
\??\c:\xflfxxx.exec:\xflfxxx.exe59⤵
- Executes dropped EXE
PID:4140 -
\??\c:\htttnn.exec:\htttnn.exe60⤵
- Executes dropped EXE
PID:3968 -
\??\c:\vdjdv.exec:\vdjdv.exe61⤵
- Executes dropped EXE
PID:3048 -
\??\c:\rrrffrl.exec:\rrrffrl.exe62⤵
- Executes dropped EXE
PID:2520 -
\??\c:\httnnn.exec:\httnnn.exe63⤵
- Executes dropped EXE
PID:4964 -
\??\c:\vvjdp.exec:\vvjdp.exe64⤵
- Executes dropped EXE
PID:444 -
\??\c:\rlrrffl.exec:\rlrrffl.exe65⤵
- Executes dropped EXE
PID:720 -
\??\c:\llfxlxr.exec:\llfxlxr.exe66⤵
- Executes dropped EXE
PID:3392 -
\??\c:\hnnnhh.exec:\hnnnhh.exe67⤵PID:424
-
\??\c:\jjddj.exec:\jjddj.exe68⤵PID:4700
-
\??\c:\fllxllx.exec:\fllxllx.exe69⤵PID:3664
-
\??\c:\bttnhh.exec:\bttnhh.exe70⤵PID:4012
-
\??\c:\nbtnbt.exec:\nbtnbt.exe71⤵PID:528
-
\??\c:\9ddvp.exec:\9ddvp.exe72⤵PID:4616
-
\??\c:\lrxlllr.exec:\lrxlllr.exe73⤵PID:3032
-
\??\c:\5bbthh.exec:\5bbthh.exe74⤵PID:3476
-
\??\c:\tnnhtt.exec:\tnnhtt.exe75⤵PID:4676
-
\??\c:\pjdvp.exec:\pjdvp.exe76⤵PID:1176
-
\??\c:\xrrfxrl.exec:\xrrfxrl.exe77⤵PID:1764
-
\??\c:\nhhbbt.exec:\nhhbbt.exe78⤵PID:3976
-
\??\c:\bthbbb.exec:\bthbbb.exe79⤵PID:4188
-
\??\c:\ddpjv.exec:\ddpjv.exe80⤵PID:3848
-
\??\c:\rxxrfrf.exec:\rxxrfrf.exe81⤵PID:4948
-
\??\c:\tnttnn.exec:\tnttnn.exe82⤵PID:3808
-
\??\c:\dvdvv.exec:\dvdvv.exe83⤵PID:1648
-
\??\c:\pjdpd.exec:\pjdpd.exe84⤵PID:1492
-
\??\c:\xlxxxrx.exec:\xlxxxrx.exe85⤵PID:3956
-
\??\c:\tnbttt.exec:\tnbttt.exe86⤵PID:3064
-
\??\c:\vjjjd.exec:\vjjjd.exe87⤵PID:1500
-
\??\c:\rffrfxl.exec:\rffrfxl.exe88⤵PID:2820
-
\??\c:\tntntn.exec:\tntntn.exe89⤵PID:1968
-
\??\c:\thtbnb.exec:\thtbnb.exe90⤵PID:2612
-
\??\c:\5pvpp.exec:\5pvpp.exe91⤵PID:2120
-
\??\c:\5xfxrrx.exec:\5xfxrrx.exe92⤵PID:4220
-
\??\c:\rfxlxrf.exec:\rfxlxrf.exe93⤵PID:1360
-
\??\c:\ttttnh.exec:\ttttnh.exe94⤵PID:920
-
\??\c:\5vjdv.exec:\5vjdv.exe95⤵PID:876
-
\??\c:\fffxllf.exec:\fffxllf.exe96⤵PID:2304
-
\??\c:\hnhbtt.exec:\hnhbtt.exe97⤵PID:5060
-
\??\c:\vdvjv.exec:\vdvjv.exe98⤵PID:4424
-
\??\c:\rxlllll.exec:\rxlllll.exe99⤵PID:3276
-
\??\c:\bntnhh.exec:\bntnhh.exe100⤵PID:1620
-
\??\c:\btbbtt.exec:\btbbtt.exe101⤵PID:4400
-
\??\c:\ppdvp.exec:\ppdvp.exe102⤵PID:4396
-
\??\c:\rrfxffr.exec:\rrfxffr.exe103⤵PID:2372
-
\??\c:\7xxrlll.exec:\7xxrlll.exe104⤵PID:1076
-
\??\c:\bbbtnn.exec:\bbbtnn.exe105⤵PID:3552
-
\??\c:\pdjjv.exec:\pdjjv.exe106⤵PID:2704
-
\??\c:\lrrrlrx.exec:\lrrrlrx.exe107⤵PID:1420
-
\??\c:\ntbbtt.exec:\ntbbtt.exe108⤵PID:4292
-
\??\c:\nbbnhb.exec:\nbbnhb.exe109⤵PID:4544
-
\??\c:\ddjjd.exec:\ddjjd.exe110⤵PID:3016
-
\??\c:\lxfxlll.exec:\lxfxlll.exe111⤵PID:1716
-
\??\c:\htnhtn.exec:\htnhtn.exe112⤵PID:4564
-
\??\c:\pjpjj.exec:\pjpjj.exe113⤵PID:2972
-
\??\c:\lffxllf.exec:\lffxllf.exe114⤵PID:2312
-
\??\c:\xxfxllf.exec:\xxfxllf.exe115⤵PID:4052
-
\??\c:\nhhhbh.exec:\nhhhbh.exe116⤵PID:1232
-
\??\c:\pddpv.exec:\pddpv.exe117⤵PID:5080
-
\??\c:\ddvpv.exec:\ddvpv.exe118⤵PID:2980
-
\??\c:\3ffrfxr.exec:\3ffrfxr.exe119⤵PID:4508
-
\??\c:\btbttt.exec:\btbttt.exe120⤵PID:4900
-
\??\c:\7dvvj.exec:\7dvvj.exe121⤵PID:4468
-
\??\c:\pdjdj.exec:\pdjdj.exe122⤵PID:4964