Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-01-2025 06:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c.exe
-
Size
455KB
-
MD5
1ef700550d015262c8212fde8a90d87f
-
SHA1
3e7532f98a6cdc94269989e8664cd73e31c69c82
-
SHA256
d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c
-
SHA512
fc3327a1bd16a2455c2a5a6e40771ce7cfb9e4fb009e86cb7a1ab9de265b2eb46a68053a97e23232540da8dad138770b7e6d3035442be6bc03cbce94b0cb115b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6gIW:q7Tc2NYHUrAwfMp3CD6tW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1840-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3164-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2652-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2228-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/116-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2796-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/804-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1668-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-584-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-627-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-908-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-981-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-1018-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-1561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4996-1638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2996 9bbnbt.exe 552 bhhhbb.exe 4688 0626088.exe 1344 88400.exe 4364 8864084.exe 3104 pjjjd.exe 4224 dvddv.exe 3164 a8260.exe 2980 40266.exe 2184 4822600.exe 2156 28082.exe 4052 2682848.exe 3276 vjjdp.exe 4856 426404.exe 4824 xrxrxrx.exe 2652 k84220.exe 1864 bntnbn.exe 428 3jjdd.exe 4752 m0642.exe 2228 k84264.exe 4980 hbhhhh.exe 1752 44042.exe 5096 48484.exe 116 pvdpj.exe 1624 bnhhnh.exe 1324 fxlfllr.exe 876 2082688.exe 3724 9hnnhh.exe 4568 nbhbbn.exe 3732 hnbtnt.exe 464 2662660.exe 2756 04860.exe 3428 dvjpp.exe 5012 xc88606.exe 3496 djdjd.exe 3176 7ntthn.exe 3040 888260.exe 2796 jvdvv.exe 536 vjjjd.exe 2000 rlrlflf.exe 2860 1pvpv.exe 2732 840488.exe 3384 9tttnt.exe 804 llxrlff.exe 1840 604448.exe 4888 268848.exe 4520 4844040.exe 704 5pvpp.exe 3100 hnbttb.exe 1060 jddvp.exe 2144 062660.exe 1936 bntnnb.exe 2904 pdpjd.exe 3996 0244882.exe 1836 hnbnhb.exe 4376 pddvp.exe 3608 028444.exe 4040 88888.exe 3676 4426668.exe 2156 20000.exe 2608 042020.exe 5100 9bbbtb.exe 4892 00848.exe 4000 rlrrlll.exe -
resource yara_rule behavioral2/memory/1840-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3164-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2652-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2228-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5096-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2796-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/804-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-318-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3080-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-584-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-627-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8060426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 080482.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60648.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language w86428.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 828822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 26286.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 468866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4260826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1840 wrote to memory of 2996 1840 d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c.exe 83 PID 1840 wrote to memory of 2996 1840 d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c.exe 83 PID 1840 wrote to memory of 2996 1840 d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c.exe 83 PID 2996 wrote to memory of 552 2996 9bbnbt.exe 84 PID 2996 wrote to memory of 552 2996 9bbnbt.exe 84 PID 2996 wrote to memory of 552 2996 9bbnbt.exe 84 PID 552 wrote to memory of 4688 552 bhhhbb.exe 85 PID 552 wrote to memory of 4688 552 bhhhbb.exe 85 PID 552 wrote to memory of 4688 552 bhhhbb.exe 85 PID 4688 wrote to memory of 1344 4688 0626088.exe 86 PID 4688 wrote to memory of 1344 4688 0626088.exe 86 PID 4688 wrote to memory of 1344 4688 0626088.exe 86 PID 1344 wrote to memory of 4364 1344 88400.exe 87 PID 1344 wrote to memory of 4364 1344 88400.exe 87 PID 1344 wrote to memory of 4364 1344 88400.exe 87 PID 4364 wrote to memory of 3104 4364 8864084.exe 88 PID 4364 wrote to memory of 3104 4364 8864084.exe 88 PID 4364 wrote to memory of 3104 4364 8864084.exe 88 PID 3104 wrote to memory of 4224 3104 pjjjd.exe 89 PID 3104 wrote to memory of 4224 3104 pjjjd.exe 89 PID 3104 wrote to memory of 4224 3104 pjjjd.exe 89 PID 4224 wrote to memory of 3164 4224 dvddv.exe 90 PID 4224 wrote to memory of 3164 4224 dvddv.exe 90 PID 4224 wrote to memory of 3164 4224 dvddv.exe 90 PID 3164 wrote to memory of 2980 3164 a8260.exe 91 PID 3164 wrote to memory of 2980 3164 a8260.exe 91 PID 3164 wrote to memory of 2980 3164 a8260.exe 91 PID 2980 wrote to memory of 2184 2980 40266.exe 92 PID 2980 wrote to memory of 2184 2980 40266.exe 92 PID 2980 wrote to memory of 2184 2980 40266.exe 92 PID 2184 wrote to memory of 2156 2184 4822600.exe 93 PID 2184 wrote to memory of 2156 2184 4822600.exe 93 PID 2184 wrote to memory of 2156 2184 4822600.exe 93 PID 2156 wrote to memory of 4052 2156 28082.exe 94 PID 2156 wrote to memory of 4052 
2156 28082.exe 94 PID 2156 wrote to memory of 4052 2156 28082.exe 94 PID 4052 wrote to memory of 3276 4052 2682848.exe 95 PID 4052 wrote to memory of 3276 4052 2682848.exe 95 PID 4052 wrote to memory of 3276 4052 2682848.exe 95 PID 3276 wrote to memory of 4856 3276 vjjdp.exe 96 PID 3276 wrote to memory of 4856 3276 vjjdp.exe 96 PID 3276 wrote to memory of 4856 3276 vjjdp.exe 96 PID 4856 wrote to memory of 4824 4856 426404.exe 97 PID 4856 wrote to memory of 4824 4856 426404.exe 97 PID 4856 wrote to memory of 4824 4856 426404.exe 97 PID 4824 wrote to memory of 2652 4824 xrxrxrx.exe 98 PID 4824 wrote to memory of 2652 4824 xrxrxrx.exe 98 PID 4824 wrote to memory of 2652 4824 xrxrxrx.exe 98 PID 2652 wrote to memory of 1864 2652 k84220.exe 99 PID 2652 wrote to memory of 1864 2652 k84220.exe 99 PID 2652 wrote to memory of 1864 2652 k84220.exe 99 PID 1864 wrote to memory of 428 1864 bntnbn.exe 100 PID 1864 wrote to memory of 428 1864 bntnbn.exe 100 PID 1864 wrote to memory of 428 1864 bntnbn.exe 100 PID 428 wrote to memory of 4752 428 3jjdd.exe 101 PID 428 wrote to memory of 4752 428 3jjdd.exe 101 PID 428 wrote to memory of 4752 428 3jjdd.exe 101 PID 4752 wrote to memory of 2228 4752 m0642.exe 102 PID 4752 wrote to memory of 2228 4752 m0642.exe 102 PID 4752 wrote to memory of 2228 4752 m0642.exe 102 PID 2228 wrote to memory of 4980 2228 k84264.exe 103 PID 2228 wrote to memory of 4980 2228 k84264.exe 103 PID 2228 wrote to memory of 4980 2228 k84264.exe 103 PID 4980 wrote to memory of 1752 4980 hbhhhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c.exe"C:\Users\Admin\AppData\Local\Temp\d117255d1e4beeef7ea3de8a9748e583ac8be231a7b1dd5ca2c891e59df1555c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\9bbnbt.exec:\9bbnbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\bhhhbb.exec:\bhhhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\0626088.exec:\0626088.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\88400.exec:\88400.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\8864084.exec:\8864084.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\pjjjd.exec:\pjjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\dvddv.exec:\dvddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\a8260.exec:\a8260.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\40266.exec:\40266.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\4822600.exec:\4822600.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\28082.exec:\28082.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\2682848.exec:\2682848.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\vjjdp.exec:\vjjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
\??\c:\426404.exec:\426404.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\k84220.exec:\k84220.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
\??\c:\bntnbn.exec:\bntnbn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\3jjdd.exec:\3jjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\m0642.exec:\m0642.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\k84264.exec:\k84264.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2228 -
\??\c:\hbhhhh.exec:\hbhhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\44042.exec:\44042.exe23⤵
- Executes dropped EXE
PID:1752 -
\??\c:\48484.exec:\48484.exe24⤵
- Executes dropped EXE
PID:5096 -
\??\c:\pvdpj.exec:\pvdpj.exe25⤵
- Executes dropped EXE
PID:116 -
\??\c:\bnhhnh.exec:\bnhhnh.exe26⤵
- Executes dropped EXE
PID:1624 -
\??\c:\fxlfllr.exec:\fxlfllr.exe27⤵
- Executes dropped EXE
PID:1324 -
\??\c:\2082688.exec:\2082688.exe28⤵
- Executes dropped EXE
PID:876 -
\??\c:\9hnnhh.exec:\9hnnhh.exe29⤵
- Executes dropped EXE
PID:3724 -
\??\c:\nbhbbn.exec:\nbhbbn.exe30⤵
- Executes dropped EXE
PID:4568 -
\??\c:\hnbtnt.exec:\hnbtnt.exe31⤵
- Executes dropped EXE
PID:3732 -
\??\c:\2662660.exec:\2662660.exe32⤵
- Executes dropped EXE
PID:464 -
\??\c:\04860.exec:\04860.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
\??\c:\dvjpp.exec:\dvjpp.exe34⤵
- Executes dropped EXE
PID:3428 -
\??\c:\xc88606.exec:\xc88606.exe35⤵
- Executes dropped EXE
PID:5012 -
\??\c:\djdjd.exec:\djdjd.exe36⤵
- Executes dropped EXE
PID:3496 -
\??\c:\7ntthn.exec:\7ntthn.exe37⤵
- Executes dropped EXE
PID:3176 -
\??\c:\888260.exec:\888260.exe38⤵
- Executes dropped EXE
PID:3040 -
\??\c:\jvdvv.exec:\jvdvv.exe39⤵
- Executes dropped EXE
PID:2796 -
\??\c:\vjjjd.exec:\vjjjd.exe40⤵
- Executes dropped EXE
PID:536 -
\??\c:\rlrlflf.exec:\rlrlflf.exe41⤵
- Executes dropped EXE
PID:2000 -
\??\c:\1pvpv.exec:\1pvpv.exe42⤵
- Executes dropped EXE
PID:2860 -
\??\c:\840488.exec:\840488.exe43⤵
- Executes dropped EXE
PID:2732 -
\??\c:\9tttnt.exec:\9tttnt.exe44⤵
- Executes dropped EXE
PID:3384 -
\??\c:\llxrlff.exec:\llxrlff.exe45⤵
- Executes dropped EXE
PID:804 -
\??\c:\a6260.exec:\a6260.exe46⤵PID:4348
-
\??\c:\604448.exec:\604448.exe47⤵
- Executes dropped EXE
PID:1840 -
\??\c:\268848.exec:\268848.exe48⤵
- Executes dropped EXE
PID:4888 -
\??\c:\4844040.exec:\4844040.exe49⤵
- Executes dropped EXE
PID:4520 -
\??\c:\5pvpp.exec:\5pvpp.exe50⤵
- Executes dropped EXE
PID:704 -
\??\c:\hnbttb.exec:\hnbttb.exe51⤵
- Executes dropped EXE
PID:3100 -
\??\c:\jddvp.exec:\jddvp.exe52⤵
- Executes dropped EXE
PID:1060 -
\??\c:\062660.exec:\062660.exe53⤵
- Executes dropped EXE
PID:2144 -
\??\c:\bntnnb.exec:\bntnnb.exe54⤵
- Executes dropped EXE
PID:1936 -
\??\c:\pdpjd.exec:\pdpjd.exe55⤵
- Executes dropped EXE
PID:2904 -
\??\c:\0244882.exec:\0244882.exe56⤵
- Executes dropped EXE
PID:3996 -
\??\c:\hnbnhb.exec:\hnbnhb.exe57⤵
- Executes dropped EXE
PID:1836 -
\??\c:\pddvp.exec:\pddvp.exe58⤵
- Executes dropped EXE
PID:4376 -
\??\c:\028444.exec:\028444.exe59⤵
- Executes dropped EXE
PID:3608 -
\??\c:\88888.exec:\88888.exe60⤵
- Executes dropped EXE
PID:4040 -
\??\c:\4426668.exec:\4426668.exe61⤵
- Executes dropped EXE
PID:3676 -
\??\c:\20000.exec:\20000.exe62⤵
- Executes dropped EXE
PID:2156 -
\??\c:\042020.exec:\042020.exe63⤵
- Executes dropped EXE
PID:2608 -
\??\c:\9bbbtb.exec:\9bbbtb.exe64⤵
- Executes dropped EXE
PID:5100 -
\??\c:\00848.exec:\00848.exe65⤵
- Executes dropped EXE
PID:4892 -
\??\c:\rlrrlll.exec:\rlrrlll.exe66⤵
- Executes dropped EXE
PID:4000 -
\??\c:\jpjjd.exec:\jpjjd.exe67⤵PID:4856
-
\??\c:\046228.exec:\046228.exe68⤵PID:1668
-
\??\c:\648288.exec:\648288.exe69⤵PID:2972
-
\??\c:\2082808.exec:\2082808.exe70⤵PID:4964
-
\??\c:\o482260.exec:\o482260.exe71⤵PID:4076
-
\??\c:\8064040.exec:\8064040.exe72⤵PID:2244
-
\??\c:\vvjdv.exec:\vvjdv.exe73⤵PID:3080
-
\??\c:\rxxrllf.exec:\rxxrllf.exe74⤵PID:2240
-
\??\c:\0008220.exec:\0008220.exe75⤵PID:3456
-
\??\c:\vpjjp.exec:\vpjjp.exe76⤵PID:4400
-
\??\c:\bntntb.exec:\bntntb.exe77⤵PID:2864
-
\??\c:\8842204.exec:\8842204.exe78⤵PID:3524
-
\??\c:\0282604.exec:\0282604.exe79⤵PID:2300
-
\??\c:\4260826.exec:\4260826.exe80⤵
- System Location Discovery: System Language Discovery
PID:664 -
\??\c:\0820820.exec:\0820820.exe81⤵PID:2508
-
\??\c:\jjvjp.exec:\jjvjp.exe82⤵PID:2736
-
\??\c:\7vdvp.exec:\7vdvp.exe83⤵PID:2820
-
\??\c:\dvvjv.exec:\dvvjv.exe84⤵PID:2416
-
\??\c:\o620886.exec:\o620886.exe85⤵PID:4216
-
\??\c:\dvvvv.exec:\dvvvv.exe86⤵PID:1952
-
\??\c:\jjjdv.exec:\jjjdv.exe87⤵PID:4136
-
\??\c:\a0626.exec:\a0626.exe88⤵PID:2280
-
\??\c:\rrlfrrf.exec:\rrlfrrf.exe89⤵PID:3280
-
\??\c:\426048.exec:\426048.exe90⤵PID:2756
-
\??\c:\jdjdj.exec:\jdjdj.exe91⤵PID:4544
-
\??\c:\pvpdv.exec:\pvpdv.exe92⤵PID:1088
-
\??\c:\8242268.exec:\8242268.exe93⤵PID:1000
-
\??\c:\thnnbt.exec:\thnnbt.exe94⤵PID:1736
-
\??\c:\26826.exec:\26826.exe95⤵PID:4408
-
\??\c:\822048.exec:\822048.exe96⤵PID:4468
-
\??\c:\g2842.exec:\g2842.exe97⤵PID:4356
-
\??\c:\llrrfxl.exec:\llrrfxl.exe98⤵PID:2724
-
\??\c:\8286042.exec:\8286042.exe99⤵PID:4344
-
\??\c:\nnthtn.exec:\nnthtn.exe100⤵PID:5056
-
\??\c:\thhttn.exec:\thhttn.exe101⤵PID:740
-
\??\c:\4666884.exec:\4666884.exe102⤵PID:1308
-
\??\c:\rxlxfxx.exec:\rxlxfxx.exe103⤵PID:3100
-
\??\c:\xflrffx.exec:\xflrffx.exe104⤵PID:2096
-
\??\c:\m6622.exec:\m6622.exe105⤵PID:2928
-
\??\c:\8282200.exec:\8282200.exe106⤵PID:1872
-
\??\c:\bttnhn.exec:\bttnhn.exe107⤵PID:3696
-
\??\c:\xxxrrrl.exec:\xxxrrrl.exe108⤵PID:3728
-
\??\c:\224848.exec:\224848.exe109⤵PID:3300
-
\??\c:\vdvpd.exec:\vdvpd.exe110⤵PID:2564
-
\??\c:\xxflrxx.exec:\xxflrxx.exe111⤵PID:2184
-
\??\c:\bbtnhh.exec:\bbtnhh.exe112⤵PID:4452
-
\??\c:\ttthth.exec:\ttthth.exe113⤵PID:2568
-
\??\c:\08886.exec:\08886.exe114⤵PID:2980
-
\??\c:\o688226.exec:\o688226.exe115⤵PID:3788
-
\??\c:\djjdp.exec:\djjdp.exe116⤵PID:3276
-
\??\c:\hbnhnn.exec:\hbnhnn.exe117⤵PID:4020
-
\??\c:\8602666.exec:\8602666.exe118⤵PID:4000
-
\??\c:\q80000.exec:\q80000.exe119⤵PID:3812
-
\??\c:\0426000.exec:\0426000.exe120⤵PID:3976
-
\??\c:\7pdpd.exec:\7pdpd.exe121⤵PID:2004
-
\??\c:\bbbbtt.exec:\bbbbtt.exe122⤵PID:4964