Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27/01/2025, 20:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe
-
Size
454KB
-
MD5
373891f5042c85942afacca7707213c9
-
SHA1
4ba9967071b9eec00b3e3123758d67aea33a4826
-
SHA256
2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e
-
SHA512
8b45c6760d551f21d58068771c6e9d96db36e7f22e7b028780124a348890ed4612ebf9c5e6a9708029e7f6749f6aa710548d9f1f8a59332faf4e3a3d6eada456
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeA:q7Tc2NYHUrAwfMp3CDA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4812-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1440-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3416-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/336-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3960-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2916-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-945-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-1113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3212-1264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4880 028822.exe 224 bntnhn.exe 2428 bbhhbt.exe 1680 86466.exe 4808 9ddvv.exe 3232 jpppj.exe 1400 e84262.exe 2476 a4644.exe 3300 ffrlfff.exe 2164 bhnhnh.exe 4964 8660004.exe 4764 08404.exe 2816 lfxrlfr.exe 3576 thnttt.exe 3024 2444044.exe 2824 i248228.exe 4932 80266.exe 3252 vppjd.exe 2596 rlfxrrr.exe 3708 pjpjj.exe 4496 q28600.exe 4776 dppjj.exe 1012 q40826.exe 3928 86600.exe 2372 e80488.exe 1552 60484.exe 4972 btttnt.exe 3640 fxxrrrl.exe 336 jvdvp.exe 4856 8288222.exe 4700 60260.exe 3416 4282660.exe 1472 hhnbbt.exe 452 rlxrrrr.exe 868 w64820.exe 928 60048.exe 456 frrlfff.exe 2748 202448.exe 3056 04228.exe 1040 4404826.exe 800 66482.exe 2980 jvdpj.exe 548 pdppj.exe 4284 llxrrll.exe 4876 ddvpp.exe 3940 0680488.exe 3020 264400.exe 2268 06222.exe 1320 622004.exe 2644 84604.exe 2840 xlxrllf.exe 4740 tnbbtt.exe 2512 3llffrr.exe 1680 vpvvp.exe 4808 60662.exe 1440 4848440.exe 2068 pppjj.exe 3356 0862262.exe 1208 rrllfrl.exe 2216 q08882.exe 3136 frlfxrl.exe 5036 264444.exe 5052 w84824.exe 4820 20660.exe -
resource yara_rule behavioral2/memory/4812-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-272-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1320-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3416-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/336-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4852-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2916-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-759-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-784-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host (read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 00226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q20282.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 424422.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a0620.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 880860.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 284482.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4266004.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (caveat: several PIDs in this tree are reused by later processes — e.g. 1680, 4808 and 3024 each appear more than once under "Executes dropped EXE" — so procid_target values such as 136, 137 and 152 resolve to the later instance rather than the direct child; correlate writes by parent/child order, not by PID alone)
description pid Process procid_target PID 4812 wrote to memory of 4880 4812 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe 83 PID 4812 wrote to memory of 4880 4812 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe 83 PID 4812 wrote to memory of 4880 4812 2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe 83 PID 4880 wrote to memory of 224 4880 028822.exe 84 PID 4880 wrote to memory of 224 4880 028822.exe 84 PID 4880 wrote to memory of 224 4880 028822.exe 84 PID 224 wrote to memory of 2428 224 bntnhn.exe 85 PID 224 wrote to memory of 2428 224 bntnhn.exe 85 PID 224 wrote to memory of 2428 224 bntnhn.exe 85 PID 2428 wrote to memory of 1680 2428 bbhhbt.exe 136 PID 2428 wrote to memory of 1680 2428 bbhhbt.exe 136 PID 2428 wrote to memory of 1680 2428 bbhhbt.exe 136 PID 1680 wrote to memory of 4808 1680 86466.exe 137 PID 1680 wrote to memory of 4808 1680 86466.exe 137 PID 1680 wrote to memory of 4808 1680 86466.exe 137 PID 4808 wrote to memory of 3232 4808 9ddvv.exe 88 PID 4808 wrote to memory of 3232 4808 9ddvv.exe 88 PID 4808 wrote to memory of 3232 4808 9ddvv.exe 88 PID 3232 wrote to memory of 1400 3232 jpppj.exe 89 PID 3232 wrote to memory of 1400 3232 jpppj.exe 89 PID 3232 wrote to memory of 1400 3232 jpppj.exe 89 PID 1400 wrote to memory of 2476 1400 e84262.exe 90 PID 1400 wrote to memory of 2476 1400 e84262.exe 90 PID 1400 wrote to memory of 2476 1400 e84262.exe 90 PID 2476 wrote to memory of 3300 2476 a4644.exe 91 PID 2476 wrote to memory of 3300 2476 a4644.exe 91 PID 2476 wrote to memory of 3300 2476 a4644.exe 91 PID 3300 wrote to memory of 2164 3300 ffrlfff.exe 92 PID 3300 wrote to memory of 2164 3300 ffrlfff.exe 92 PID 3300 wrote to memory of 2164 3300 ffrlfff.exe 92 PID 2164 wrote to memory of 4964 2164 bhnhnh.exe 93 PID 2164 wrote to memory of 4964 2164 bhnhnh.exe 93 PID 2164 wrote to memory of 4964 2164 bhnhnh.exe 93 PID 4964 wrote to memory of 4764 4964 8660004.exe 94 PID 4964 wrote to memory of 
4764 4964 8660004.exe 94 PID 4964 wrote to memory of 4764 4964 8660004.exe 94 PID 4764 wrote to memory of 2816 4764 08404.exe 95 PID 4764 wrote to memory of 2816 4764 08404.exe 95 PID 4764 wrote to memory of 2816 4764 08404.exe 95 PID 2816 wrote to memory of 3576 2816 lfxrlfr.exe 96 PID 2816 wrote to memory of 3576 2816 lfxrlfr.exe 96 PID 2816 wrote to memory of 3576 2816 lfxrlfr.exe 96 PID 3576 wrote to memory of 3024 3576 thnttt.exe 152 PID 3576 wrote to memory of 3024 3576 thnttt.exe 152 PID 3576 wrote to memory of 3024 3576 thnttt.exe 152 PID 3024 wrote to memory of 2824 3024 2444044.exe 98 PID 3024 wrote to memory of 2824 3024 2444044.exe 98 PID 3024 wrote to memory of 2824 3024 2444044.exe 98 PID 2824 wrote to memory of 4932 2824 i248228.exe 99 PID 2824 wrote to memory of 4932 2824 i248228.exe 99 PID 2824 wrote to memory of 4932 2824 i248228.exe 99 PID 4932 wrote to memory of 3252 4932 80266.exe 100 PID 4932 wrote to memory of 3252 4932 80266.exe 100 PID 4932 wrote to memory of 3252 4932 80266.exe 100 PID 3252 wrote to memory of 2596 3252 vppjd.exe 101 PID 3252 wrote to memory of 2596 3252 vppjd.exe 101 PID 3252 wrote to memory of 2596 3252 vppjd.exe 101 PID 2596 wrote to memory of 3708 2596 rlfxrrr.exe 102 PID 2596 wrote to memory of 3708 2596 rlfxrrr.exe 102 PID 2596 wrote to memory of 3708 2596 rlfxrrr.exe 102 PID 3708 wrote to memory of 4496 3708 pjpjj.exe 103 PID 3708 wrote to memory of 4496 3708 pjpjj.exe 103 PID 3708 wrote to memory of 4496 3708 pjpjj.exe 103 PID 4496 wrote to memory of 4776 4496 q28600.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe"C:\Users\Admin\AppData\Local\Temp\2bca218ae202b0310a43e6f1f4d30d4509da3d5322cd813cd3a6e2c316e8811e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\028822.exec:\028822.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\bntnhn.exec:\bntnhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:224 -
\??\c:\bbhhbt.exec:\bbhhbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\86466.exec:\86466.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\9ddvv.exec:\9ddvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\jpppj.exec:\jpppj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\e84262.exec:\e84262.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\a4644.exec:\a4644.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476 -
\??\c:\ffrlfff.exec:\ffrlfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\bhnhnh.exec:\bhnhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\8660004.exec:\8660004.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964 -
\??\c:\08404.exec:\08404.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\lfxrlfr.exec:\lfxrlfr.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
\??\c:\thnttt.exec:\thnttt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\2444044.exec:\2444044.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\i248228.exec:\i248228.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\80266.exec:\80266.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\vppjd.exec:\vppjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\rlfxrrr.exec:\rlfxrrr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\pjpjj.exec:\pjpjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\q28600.exec:\q28600.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\dppjj.exec:\dppjj.exe23⤵
- Executes dropped EXE
PID:4776 -
\??\c:\q40826.exec:\q40826.exe24⤵
- Executes dropped EXE
PID:1012 -
\??\c:\86600.exec:\86600.exe25⤵
- Executes dropped EXE
PID:3928 -
\??\c:\e80488.exec:\e80488.exe26⤵
- Executes dropped EXE
PID:2372 -
\??\c:\60484.exec:\60484.exe27⤵
- Executes dropped EXE
PID:1552 -
\??\c:\btttnt.exec:\btttnt.exe28⤵
- Executes dropped EXE
PID:4972 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe29⤵
- Executes dropped EXE
PID:3640 -
\??\c:\jvdvp.exec:\jvdvp.exe30⤵
- Executes dropped EXE
PID:336 -
\??\c:\8288222.exec:\8288222.exe31⤵
- Executes dropped EXE
PID:4856 -
\??\c:\60260.exec:\60260.exe32⤵
- Executes dropped EXE
PID:4700 -
\??\c:\4282660.exec:\4282660.exe33⤵
- Executes dropped EXE
PID:3416 -
\??\c:\hhnbbt.exec:\hhnbbt.exe34⤵
- Executes dropped EXE
PID:1472 -
\??\c:\rlxrrrr.exec:\rlxrrrr.exe35⤵
- Executes dropped EXE
PID:452 -
\??\c:\w64820.exec:\w64820.exe36⤵
- Executes dropped EXE
PID:868 -
\??\c:\60048.exec:\60048.exe37⤵
- Executes dropped EXE
PID:928 -
\??\c:\frrlfff.exec:\frrlfff.exe38⤵
- Executes dropped EXE
PID:456 -
\??\c:\202448.exec:\202448.exe39⤵
- Executes dropped EXE
PID:2748 -
\??\c:\04228.exec:\04228.exe40⤵
- Executes dropped EXE
PID:3056 -
\??\c:\4404826.exec:\4404826.exe41⤵
- Executes dropped EXE
PID:1040 -
\??\c:\66482.exec:\66482.exe42⤵
- Executes dropped EXE
PID:800 -
\??\c:\jvdpj.exec:\jvdpj.exe43⤵
- Executes dropped EXE
PID:2980 -
\??\c:\pdppj.exec:\pdppj.exe44⤵
- Executes dropped EXE
PID:548 -
\??\c:\llxrrll.exec:\llxrrll.exe45⤵
- Executes dropped EXE
PID:4284 -
\??\c:\ddvpp.exec:\ddvpp.exe46⤵
- Executes dropped EXE
PID:4876 -
\??\c:\0680488.exec:\0680488.exe47⤵
- Executes dropped EXE
PID:3940 -
\??\c:\264400.exec:\264400.exe48⤵
- Executes dropped EXE
PID:3020 -
\??\c:\06222.exec:\06222.exe49⤵
- Executes dropped EXE
PID:2268 -
\??\c:\622004.exec:\622004.exe50⤵
- Executes dropped EXE
PID:1320 -
\??\c:\84604.exec:\84604.exe51⤵
- Executes dropped EXE
PID:2644 -
\??\c:\xlxrllf.exec:\xlxrllf.exe52⤵
- Executes dropped EXE
PID:2840 -
\??\c:\tnbbtt.exec:\tnbbtt.exe53⤵
- Executes dropped EXE
PID:4740 -
\??\c:\3llffrr.exec:\3llffrr.exe54⤵
- Executes dropped EXE
PID:2512 -
\??\c:\vpvvp.exec:\vpvvp.exe55⤵
- Executes dropped EXE
PID:1680 -
\??\c:\60662.exec:\60662.exe56⤵
- Executes dropped EXE
PID:4808 -
\??\c:\4848440.exec:\4848440.exe57⤵
- Executes dropped EXE
PID:1440 -
\??\c:\pppjj.exec:\pppjj.exe58⤵
- Executes dropped EXE
PID:2068 -
\??\c:\0862262.exec:\0862262.exe59⤵
- Executes dropped EXE
PID:3356 -
\??\c:\rrllfrl.exec:\rrllfrl.exe60⤵
- Executes dropped EXE
PID:1208 -
\??\c:\q08882.exec:\q08882.exe61⤵
- Executes dropped EXE
PID:2216 -
\??\c:\frlfxrl.exec:\frlfxrl.exe62⤵
- Executes dropped EXE
PID:3136 -
\??\c:\264444.exec:\264444.exe63⤵
- Executes dropped EXE
PID:5036 -
\??\c:\w84824.exec:\w84824.exe64⤵
- Executes dropped EXE
PID:5052 -
\??\c:\20660.exec:\20660.exe65⤵
- Executes dropped EXE
PID:4820 -
\??\c:\0422002.exec:\0422002.exe66⤵PID:4780
-
\??\c:\2682268.exec:\2682268.exe67⤵PID:4848
-
\??\c:\4800486.exec:\4800486.exe68⤵PID:2864
-
\??\c:\4686600.exec:\4686600.exe69⤵PID:2532
-
\??\c:\82648.exec:\82648.exe70⤵PID:3960
-
\??\c:\488648.exec:\488648.exe71⤵PID:3024
-
\??\c:\6420820.exec:\6420820.exe72⤵PID:2860
-
\??\c:\08626.exec:\08626.exe73⤵PID:876
-
\??\c:\xffxrlf.exec:\xffxrlf.exe74⤵PID:4768
-
\??\c:\xlrllfr.exec:\xlrllfr.exe75⤵PID:3552
-
\??\c:\u224208.exec:\u224208.exe76⤵PID:1672
-
\??\c:\ffrlxrf.exec:\ffrlxrf.exe77⤵PID:3080
-
\??\c:\402206.exec:\402206.exe78⤵PID:3016
-
\??\c:\20204.exec:\20204.exe79⤵PID:3692
-
\??\c:\hnnhtn.exec:\hnnhtn.exe80⤵PID:2828
-
\??\c:\88420.exec:\88420.exe81⤵PID:4216
-
\??\c:\w40420.exec:\w40420.exe82⤵PID:336
-
\??\c:\e40860.exec:\e40860.exe83⤵PID:4852
-
\??\c:\pppjd.exec:\pppjd.exe84⤵PID:2500
-
\??\c:\hnnhbn.exec:\hnnhbn.exe85⤵PID:1472
-
\??\c:\2844048.exec:\2844048.exe86⤵PID:384
-
\??\c:\8844446.exec:\8844446.exe87⤵PID:456
-
\??\c:\64048.exec:\64048.exe88⤵PID:2892
-
\??\c:\086228.exec:\086228.exe89⤵PID:2748
-
\??\c:\46604.exec:\46604.exe90⤵PID:4836
-
\??\c:\00604.exec:\00604.exe91⤵PID:4200
-
\??\c:\bhtnnb.exec:\bhtnnb.exe92⤵PID:208
-
\??\c:\28442.exec:\28442.exe93⤵PID:4508
-
\??\c:\2282660.exec:\2282660.exe94⤵PID:2732
-
\??\c:\622226.exec:\622226.exe95⤵PID:1660
-
\??\c:\jdppv.exec:\jdppv.exe96⤵PID:1432
-
\??\c:\k84888.exec:\k84888.exe97⤵PID:2204
-
\??\c:\pvdvv.exec:\pvdvv.exe98⤵PID:3596
-
\??\c:\9ntttn.exec:\9ntttn.exe99⤵PID:1320
-
\??\c:\64260.exec:\64260.exe100⤵PID:4252
-
\??\c:\k24244.exec:\k24244.exe101⤵PID:2452
-
\??\c:\hhbtnh.exec:\hhbtnh.exe102⤵PID:2536
-
\??\c:\2286486.exec:\2286486.exe103⤵PID:2380
-
\??\c:\846044.exec:\846044.exe104⤵PID:4808
-
\??\c:\jjjdv.exec:\jjjdv.exe105⤵PID:316
-
\??\c:\jddvp.exec:\jddvp.exe106⤵PID:3468
-
\??\c:\nbhhtt.exec:\nbhhtt.exe107⤵PID:3248
-
\??\c:\btbtbb.exec:\btbtbb.exe108⤵PID:3356
-
\??\c:\pppdv.exec:\pppdv.exe109⤵PID:1448
-
\??\c:\600488.exec:\600488.exe110⤵PID:3924
-
\??\c:\vvvpj.exec:\vvvpj.exe111⤵PID:1912
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe112⤵PID:4028
-
\??\c:\bnbtnn.exec:\bnbtnn.exe113⤵PID:4832
-
\??\c:\5nttnh.exec:\5nttnh.exe114⤵PID:5096
-
\??\c:\hnbbbb.exec:\hnbbbb.exe115⤵PID:4772
-
\??\c:\hntnhb.exec:\hntnhb.exe116⤵PID:960
-
\??\c:\246600.exec:\246600.exe117⤵PID:4440
-
\??\c:\60262.exec:\60262.exe118⤵PID:2080
-
\??\c:\640444.exec:\640444.exe119⤵PID:4392
-
\??\c:\220482.exec:\220482.exe120⤵PID:2796
-
\??\c:\fxfrlfx.exec:\fxfrlfx.exe121⤵PID:1512
-
\??\c:\vpppj.exec:\vpppj.exe122⤵PID:1616