Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
28/12/2024, 22:01
Behavioral task
behavioral1
Sample
3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8.exe
Resource
win7-20240708-en
7 signatures
150 seconds
General
-
Target
3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8.exe
-
Size
333KB
-
MD5
a64942b29998a73d418b86af0400b1ca
-
SHA1
6f8beaeff7146178e76a22f64b537bb83c42a71a
-
SHA256
3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8
-
SHA512
b9546bc6174c39385ebbbe7a981413a439a08f565e11de13cbe6513c6604cee0b0a97967e422c309e77b3eaac6e458af5810f7a7ff5093b7d09afb36f8f3c03d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeV+:R4wFHoSHYHUrAwfMp3CDV+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2364-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2336-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2156-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2248-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-33-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5024-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/628-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/876-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3520-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2064-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/640-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2700-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2464-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1304-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/336-150-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4176-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3276-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4172-190-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2324-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4212-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3580-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/508-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1984-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3976-239-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1028-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/544-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2344-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3120-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/764-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4316-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2424-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4156-338-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3656-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4328-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2656-409-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-424-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-464-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/936-541-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-548-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3088-661-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2336 fxlfxff.exe 2156 bbhtnh.exe 4004 jppjj.exe 1400 lfflffx.exe 2248 3fxrrrl.exe 4248 1rfxflx.exe 4820 thnhbt.exe 5024 7ppjd.exe 2044 hhhtnn.exe 628 ppjjd.exe 4448 3lrlxxr.exe 3948 bhnhbb.exe 876 rflfxxr.exe 3520 jvjdv.exe 3260 jjjdv.exe 2064 tntnhb.exe 640 tntbbb.exe 2700 lllfxxx.exe 4368 9nhbtt.exe 764 1nnhbn.exe 4360 pjppj.exe 1476 pdjdd.exe 2464 fxfxrff.exe 4228 lflfxxr.exe 972 bnnnhb.exe 1948 pppjv.exe 1304 rlxrllf.exe 1544 xflfxrl.exe 1528 1hbttn.exe 4016 hntnbt.exe 336 pjjdp.exe 4176 lxllfxx.exe 3144 nbbttn.exe 3832 pvdvp.exe 2608 7flfxxr.exe 4800 xflfxll.exe 2836 bnhtbt.exe 3276 pjvpp.exe 3244 flxxfrx.exe 3776 hhhhhb.exe 4692 5hbthh.exe 2864 vdjjv.exe 2828 5rxrrrr.exe 4880 nbbbnn.exe 4172 jjjdv.exe 2324 vppjj.exe 3088 jvvpd.exe 4348 lrxlxxx.exe 5072 tnhbnh.exe 4212 3jdvj.exe 4044 lflffff.exe 3548 tnnhtn.exe 3580 btnhtt.exe 3052 7pvpj.exe 4332 xxrlxxr.exe 4680 lffffxf.exe 5064 9nntnh.exe 1088 3dpjv.exe 4852 1dvpj.exe 508 3fxxlfl.exe 2080 dvvvp.exe 1984 vpdpj.exe 3960 lffxllx.exe 3976 3hbtnn.exe -
resource yara_rule behavioral2/memory/2364-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b30-3.dat upx behavioral2/memory/2364-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2336-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b85-8.dat upx behavioral2/files/0x000a000000023b8d-11.dat upx behavioral2/memory/2156-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-18.dat upx behavioral2/files/0x000a000000023b8f-23.dat upx behavioral2/memory/2248-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-27.dat upx behavioral2/memory/2248-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-32.dat upx behavioral2/memory/4248-33-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b93-37.dat upx behavioral2/memory/4820-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-42.dat upx behavioral2/memory/5024-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2044-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-47.dat upx behavioral2/files/0x000a000000023b96-52.dat upx behavioral2/memory/628-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-58.dat upx behavioral2/memory/4448-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-62.dat upx behavioral2/memory/876-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-67.dat upx behavioral2/memory/3520-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9a-72.dat upx behavioral2/files/0x000a000000023b9b-77.dat upx behavioral2/memory/3260-76-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2064-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-81.dat upx behavioral2/files/0x000a000000023b9d-86.dat upx behavioral2/memory/640-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b8a-91.dat upx behavioral2/memory/2700-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/764-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9f-101.dat upx behavioral2/files/0x000a000000023b9e-97.dat upx behavioral2/files/0x000a000000023ba0-106.dat upx behavioral2/files/0x000a000000023ba1-110.dat upx behavioral2/memory/2464-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba2-114.dat upx behavioral2/memory/2464-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba3-119.dat upx behavioral2/memory/972-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba4-125.dat upx behavioral2/files/0x000a000000023ba5-131.dat upx behavioral2/memory/1948-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1304-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba6-135.dat upx behavioral2/files/0x000a000000023ba7-140.dat upx behavioral2/files/0x000a000000023ba8-143.dat upx behavioral2/files/0x000b000000023ba9-147.dat upx behavioral2/files/0x000b000000023baa-154.dat upx behavioral2/memory/336-150-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4016-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4176-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4228-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2608-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4800-166-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3276-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3244-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrffrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2336 2364 3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8.exe 82 PID 2364 wrote to memory of 2336 2364 3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8.exe 82 PID 2364 wrote to memory of 2336 2364 3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8.exe 82 PID 2336 wrote to memory of 2156 2336 fxlfxff.exe 83 PID 2336 wrote to memory of 2156 2336 fxlfxff.exe 83 PID 2336 wrote to memory of 2156 2336 fxlfxff.exe 83 PID 2156 wrote to memory of 4004 2156 bbhtnh.exe 84 PID 2156 wrote to memory of 4004 2156 bbhtnh.exe 84 PID 2156 wrote to memory of 4004 2156 bbhtnh.exe 84 PID 4004 wrote to memory of 1400 4004 jppjj.exe 85 PID 4004 wrote to memory of 1400 4004 jppjj.exe 85 PID 4004 wrote to memory of 1400 4004 jppjj.exe 85 PID 1400 wrote to memory of 2248 1400 lfflffx.exe 86 PID 1400 wrote to memory of 2248 1400 lfflffx.exe 86 PID 1400 wrote to memory of 2248 1400 lfflffx.exe 86 PID 2248 wrote to memory of 4248 2248 3fxrrrl.exe 87 PID 2248 wrote to memory of 4248 2248 3fxrrrl.exe 87 PID 2248 wrote to memory of 4248 2248 3fxrrrl.exe 87 PID 4248 wrote to memory of 4820 4248 1rfxflx.exe 88 PID 4248 wrote to memory of 4820 4248 1rfxflx.exe 88 PID 4248 wrote to memory of 4820 4248 1rfxflx.exe 88 PID 4820 wrote to memory of 5024 4820 thnhbt.exe 89 PID 4820 wrote to memory of 5024 4820 thnhbt.exe 89 PID 4820 wrote to memory of 5024 4820 thnhbt.exe 89 PID 5024 wrote to memory of 2044 5024 7ppjd.exe 90 PID 5024 wrote to memory of 2044 5024 7ppjd.exe 90 PID 5024 wrote to memory of 2044 5024 7ppjd.exe 90 PID 2044 wrote to memory of 628 2044 hhhtnn.exe 91 PID 2044 wrote to memory of 628 2044 hhhtnn.exe 91 PID 2044 wrote to memory of 628 2044 hhhtnn.exe 91 PID 628 wrote to memory of 4448 628 ppjjd.exe 92 PID 628 wrote to memory of 4448 628 ppjjd.exe 92 PID 628 wrote to memory of 4448 628 ppjjd.exe 92 PID 4448 wrote to memory of 3948 4448 3lrlxxr.exe 93 PID 4448 wrote to memory 
of 3948 4448 3lrlxxr.exe 93 PID 4448 wrote to memory of 3948 4448 3lrlxxr.exe 93 PID 3948 wrote to memory of 876 3948 bhnhbb.exe 94 PID 3948 wrote to memory of 876 3948 bhnhbb.exe 94 PID 3948 wrote to memory of 876 3948 bhnhbb.exe 94 PID 876 wrote to memory of 3520 876 rflfxxr.exe 95 PID 876 wrote to memory of 3520 876 rflfxxr.exe 95 PID 876 wrote to memory of 3520 876 rflfxxr.exe 95 PID 3520 wrote to memory of 3260 3520 jvjdv.exe 96 PID 3520 wrote to memory of 3260 3520 jvjdv.exe 96 PID 3520 wrote to memory of 3260 3520 jvjdv.exe 96 PID 3260 wrote to memory of 2064 3260 jjjdv.exe 97 PID 3260 wrote to memory of 2064 3260 jjjdv.exe 97 PID 3260 wrote to memory of 2064 3260 jjjdv.exe 97 PID 2064 wrote to memory of 640 2064 tntnhb.exe 98 PID 2064 wrote to memory of 640 2064 tntnhb.exe 98 PID 2064 wrote to memory of 640 2064 tntnhb.exe 98 PID 640 wrote to memory of 2700 640 tntbbb.exe 99 PID 640 wrote to memory of 2700 640 tntbbb.exe 99 PID 640 wrote to memory of 2700 640 tntbbb.exe 99 PID 2700 wrote to memory of 4368 2700 lllfxxx.exe 100 PID 2700 wrote to memory of 4368 2700 lllfxxx.exe 100 PID 2700 wrote to memory of 4368 2700 lllfxxx.exe 100 PID 4368 wrote to memory of 764 4368 9nhbtt.exe 101 PID 4368 wrote to memory of 764 4368 9nhbtt.exe 101 PID 4368 wrote to memory of 764 4368 9nhbtt.exe 101 PID 764 wrote to memory of 4360 764 1nnhbn.exe 102 PID 764 wrote to memory of 4360 764 1nnhbn.exe 102 PID 764 wrote to memory of 4360 764 1nnhbn.exe 102 PID 4360 wrote to memory of 1476 4360 pjppj.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8.exe"C:\Users\Admin\AppData\Local\Temp\3daaaa1ec0a948ac1444153ad80042388b48e7a9980b598db0fbb0e94e3e06d8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\fxlfxff.exec:\fxlfxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\bbhtnh.exec:\bbhtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\jppjj.exec:\jppjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\lfflffx.exec:\lfflffx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\3fxrrrl.exec:\3fxrrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\1rfxflx.exec:\1rfxflx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\thnhbt.exec:\thnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\7ppjd.exec:\7ppjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5024 -
\??\c:\hhhtnn.exec:\hhhtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\ppjjd.exec:\ppjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\3lrlxxr.exec:\3lrlxxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\bhnhbb.exec:\bhnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\rflfxxr.exec:\rflfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\jvjdv.exec:\jvjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\jjjdv.exec:\jjjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\tntnhb.exec:\tntnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2064 -
\??\c:\tntbbb.exec:\tntbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\lllfxxx.exec:\lllfxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\9nhbtt.exec:\9nhbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\1nnhbn.exec:\1nnhbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764 -
\??\c:\pjppj.exec:\pjppj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\pdjdd.exec:\pdjdd.exe23⤵
- Executes dropped EXE
PID:1476 -
\??\c:\fxfxrff.exec:\fxfxrff.exe24⤵
- Executes dropped EXE
PID:2464 -
\??\c:\lflfxxr.exec:\lflfxxr.exe25⤵
- Executes dropped EXE
PID:4228 -
\??\c:\bnnnhb.exec:\bnnnhb.exe26⤵
- Executes dropped EXE
PID:972 -
\??\c:\pppjv.exec:\pppjv.exe27⤵
- Executes dropped EXE
PID:1948 -
\??\c:\rlxrllf.exec:\rlxrllf.exe28⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xflfxrl.exec:\xflfxrl.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1544 -
\??\c:\1hbttn.exec:\1hbttn.exe30⤵
- Executes dropped EXE
PID:1528 -
\??\c:\hntnbt.exec:\hntnbt.exe31⤵
- Executes dropped EXE
PID:4016 -
\??\c:\pjjdp.exec:\pjjdp.exe32⤵
- Executes dropped EXE
PID:336 -
\??\c:\lxllfxx.exec:\lxllfxx.exe33⤵
- Executes dropped EXE
PID:4176 -
\??\c:\nbbttn.exec:\nbbttn.exe34⤵
- Executes dropped EXE
PID:3144 -
\??\c:\pvdvp.exec:\pvdvp.exe35⤵
- Executes dropped EXE
PID:3832 -
\??\c:\7flfxxr.exec:\7flfxxr.exe36⤵
- Executes dropped EXE
PID:2608 -
\??\c:\xflfxll.exec:\xflfxll.exe37⤵
- Executes dropped EXE
PID:4800 -
\??\c:\bnhtbt.exec:\bnhtbt.exe38⤵
- Executes dropped EXE
PID:2836 -
\??\c:\pjvpp.exec:\pjvpp.exe39⤵
- Executes dropped EXE
PID:3276 -
\??\c:\flxxfrx.exec:\flxxfrx.exe40⤵
- Executes dropped EXE
PID:3244 -
\??\c:\hhhhhb.exec:\hhhhhb.exe41⤵
- Executes dropped EXE
PID:3776 -
\??\c:\5hbthh.exec:\5hbthh.exe42⤵
- Executes dropped EXE
PID:4692 -
\??\c:\vdjjv.exec:\vdjjv.exe43⤵
- Executes dropped EXE
PID:2864 -
\??\c:\5rxrrrr.exec:\5rxrrrr.exe44⤵
- Executes dropped EXE
PID:2828 -
\??\c:\nbbbnn.exec:\nbbbnn.exe45⤵
- Executes dropped EXE
PID:4880 -
\??\c:\jjjdv.exec:\jjjdv.exe46⤵
- Executes dropped EXE
PID:4172 -
\??\c:\vppjj.exec:\vppjj.exe47⤵
- Executes dropped EXE
PID:2324 -
\??\c:\jvvpd.exec:\jvvpd.exe48⤵
- Executes dropped EXE
PID:3088 -
\??\c:\lrxlxxx.exec:\lrxlxxx.exe49⤵
- Executes dropped EXE
PID:4348 -
\??\c:\tnhbnh.exec:\tnhbnh.exe50⤵
- Executes dropped EXE
PID:5072 -
\??\c:\3jdvj.exec:\3jdvj.exe51⤵
- Executes dropped EXE
PID:4212 -
\??\c:\lflffff.exec:\lflffff.exe52⤵
- Executes dropped EXE
PID:4044 -
\??\c:\tnnhtn.exec:\tnnhtn.exe53⤵
- Executes dropped EXE
PID:3548 -
\??\c:\btnhtt.exec:\btnhtt.exe54⤵
- Executes dropped EXE
PID:3580 -
\??\c:\7pvpj.exec:\7pvpj.exe55⤵
- Executes dropped EXE
PID:3052 -
\??\c:\xxrlxxr.exec:\xxrlxxr.exe56⤵
- Executes dropped EXE
PID:4332 -
\??\c:\lffffxf.exec:\lffffxf.exe57⤵
- Executes dropped EXE
PID:4680 -
\??\c:\9nntnh.exec:\9nntnh.exe58⤵
- Executes dropped EXE
PID:5064 -
\??\c:\3dpjv.exec:\3dpjv.exe59⤵
- Executes dropped EXE
PID:1088 -
\??\c:\1dvpj.exec:\1dvpj.exe60⤵
- Executes dropped EXE
PID:4852 -
\??\c:\3fxxlfl.exec:\3fxxlfl.exe61⤵
- Executes dropped EXE
PID:508 -
\??\c:\dvvvp.exec:\dvvvp.exe62⤵
- Executes dropped EXE
PID:2080 -
\??\c:\vpdpj.exec:\vpdpj.exe63⤵
- Executes dropped EXE
PID:1984 -
\??\c:\lffxllx.exec:\lffxllx.exe64⤵
- Executes dropped EXE
PID:3960 -
\??\c:\3hbtnn.exec:\3hbtnn.exe65⤵
- Executes dropped EXE
PID:3976 -
\??\c:\hnthhb.exec:\hnthhb.exe66⤵PID:2640
-
\??\c:\dppdp.exec:\dppdp.exe67⤵PID:4424
-
\??\c:\xflxfxr.exec:\xflxfxr.exe68⤵PID:5048
-
\??\c:\frxrrll.exec:\frxrrll.exe69⤵
- System Location Discovery: System Language Discovery
PID:3372 -
\??\c:\nbbnbt.exec:\nbbnbt.exe70⤵PID:1028
-
\??\c:\ntthtn.exec:\ntthtn.exe71⤵PID:3536
-
\??\c:\djpdp.exec:\djpdp.exe72⤵PID:4848
-
\??\c:\jvppd.exec:\jvppd.exe73⤵PID:4448
-
\??\c:\7rlrflf.exec:\7rlrflf.exe74⤵PID:3948
-
\??\c:\bthhnn.exec:\bthhnn.exe75⤵PID:1728
-
\??\c:\hbhhbb.exec:\hbhhbb.exe76⤵PID:1700
-
\??\c:\dpdvj.exec:\dpdvj.exe77⤵PID:5068
-
\??\c:\1lfxrrl.exec:\1lfxrrl.exe78⤵PID:2120
-
\??\c:\1hbnhh.exec:\1hbnhh.exe79⤵PID:4856
-
\??\c:\nthbnh.exec:\nthbnh.exe80⤵PID:1716
-
\??\c:\jppdv.exec:\jppdv.exe81⤵PID:544
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe82⤵PID:4292
-
\??\c:\ffxlffx.exec:\ffxlffx.exe83⤵PID:2344
-
\??\c:\nbhttn.exec:\nbhttn.exe84⤵PID:3120
-
\??\c:\jppdv.exec:\jppdv.exe85⤵PID:1552
-
\??\c:\vjjdp.exec:\vjjdp.exe86⤵PID:764
-
\??\c:\rxfrxrf.exec:\rxfrxrf.exe87⤵PID:4360
-
\??\c:\nnhbtn.exec:\nnhbtn.exe88⤵PID:1476
-
\??\c:\vjvjp.exec:\vjvjp.exe89⤵PID:3316
-
\??\c:\djjjd.exec:\djjjd.exe90⤵PID:4316
-
\??\c:\xrfxrlr.exec:\xrfxrlr.exe91⤵PID:860
-
\??\c:\xrffxfr.exec:\xrffxfr.exe92⤵PID:828
-
\??\c:\nttnbt.exec:\nttnbt.exe93⤵PID:2592
-
\??\c:\7pdpd.exec:\7pdpd.exe94⤵PID:1948
-
\??\c:\dpvjp.exec:\dpvjp.exe95⤵PID:3104
-
\??\c:\fffxxrx.exec:\fffxxrx.exe96⤵PID:1544
-
\??\c:\3xrlxrf.exec:\3xrlxrf.exe97⤵PID:1160
-
\??\c:\9nhbtt.exec:\9nhbtt.exe98⤵PID:2224
-
\??\c:\tbnnhh.exec:\tbnnhh.exe99⤵PID:1388
-
\??\c:\5djdp.exec:\5djdp.exe100⤵PID:4864
-
\??\c:\3xrfrrl.exec:\3xrfrrl.exe101⤵PID:2596
-
\??\c:\7frlxrr.exec:\7frlxrr.exe102⤵PID:2076
-
\??\c:\ttnbnn.exec:\ttnbnn.exe103⤵PID:3356
-
\??\c:\jpdvv.exec:\jpdvv.exe104⤵PID:1084
-
\??\c:\9lllrxl.exec:\9lllrxl.exe105⤵PID:1136
-
\??\c:\rlrfrlx.exec:\rlrfrlx.exe106⤵PID:2424
-
\??\c:\7bbbtb.exec:\7bbbtb.exe107⤵PID:4092
-
\??\c:\hhthbn.exec:\hhthbn.exe108⤵PID:4156
-
\??\c:\1pjdp.exec:\1pjdp.exe109⤵PID:3656
-
\??\c:\xrrlflf.exec:\xrrlflf.exe110⤵PID:3868
-
\??\c:\tnhhbt.exec:\tnhhbt.exe111⤵PID:3628
-
\??\c:\dpvpj.exec:\dpvpj.exe112⤵PID:1512
-
\??\c:\9vpdv.exec:\9vpdv.exe113⤵PID:1640
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe114⤵PID:2972
-
\??\c:\lrrfrlf.exec:\lrrfrlf.exe115⤵PID:3160
-
\??\c:\btthtn.exec:\btthtn.exe116⤵PID:4452
-
\??\c:\vppdp.exec:\vppdp.exe117⤵PID:2220
-
\??\c:\9vvpd.exec:\9vvpd.exe118⤵PID:2324
-
\??\c:\xflxllf.exec:\xflxllf.exe119⤵PID:1712
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe120⤵PID:1460
-
\??\c:\3tnhbt.exec:\3tnhbt.exe121⤵PID:4804
-
\??\c:\pdppp.exec:\pdppp.exe122⤵PID:756