Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 02:53
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe
-
Size
454KB
-
MD5
3e6f1f7480e8571754c1c49000f1e5ae
-
SHA1
f60a52d4cf86be71fa32f1841a37dc8d61d40e89
-
SHA256
bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d
-
SHA512
ef9924a742f693577a17edd73ca64b19324ca7158d62f8be76da917298123892a8e69d6dd043b53e5a5fb9e4bd2953716026b253105c0f1153572eb86e26ac2a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4572-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/180-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2876-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/332-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2220-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/524-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-437-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-591-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-876-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-950-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-1188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-1192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-1214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/808-1314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 180 3thtth.exe 4256 flrlllf.exe 3024 nbtbtb.exe 1940 vjpjd.exe 2948 fxxrllx.exe 3188 fffxrll.exe 3656 3xrxllx.exe 4908 7bhnnt.exe 2380 pvjdp.exe 1156 dvdvp.exe 1352 bhhtnn.exe 4620 dvddj.exe 5116 3thnnn.exe 396 vjpdv.exe 3504 djvvp.exe 4416 rlfllxf.exe 3644 ddddj.exe 2124 3flxrrf.exe 2004 xrfxxxl.exe 4912 dvdpj.exe 2528 rrrlrfx.exe 2668 hbtnhb.exe 4120 vjvdv.exe 1376 rfxrrlf.exe 3060 nttbtt.exe 2252 1vjvj.exe 4720 rllffxr.exe 1648 9nhhbh.exe 2532 3llxrlf.exe 4144 lflfrrr.exe 4104 btbhbh.exe 432 vpdvj.exe 2876 1rrlffx.exe 1500 tthbth.exe 452 1rlfffl.exe 2172 nnbtnn.exe 5104 ppvpj.exe 2568 vppjd.exe 3896 xrfxrrl.exe 3464 nttbnt.exe 5092 1nnhtt.exe 4020 dvjdd.exe 2180 1rxrrrl.exe 3484 bbnbnt.exe 2076 frrxrfx.exe 4404 tthbbb.exe 4316 dppdv.exe 4564 fxrxfxl.exe 444 nnbbtt.exe 1812 xrlrllx.exe 4172 btbtnn.exe 3880 dppjv.exe 1264 dvpdp.exe 4516 rffrlfr.exe 1036 nhbtnn.exe 748 xrlflxx.exe 1216 9httbh.exe 2756 pddpj.exe 1860 dpjjj.exe 4400 llxrfxx.exe 1940 bhhbth.exe 3540 ddddv.exe 2948 dvvjd.exe 1100 llrlxrl.exe -
resource yara_rule behavioral2/memory/4572-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/180-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-196-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2568-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/332-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2220-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-408-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/524-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-437-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2860-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-591-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-653-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-876-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-946-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-950-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrllxx.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4572 wrote to memory of 180 4572 bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe 82 PID 4572 wrote to memory of 180 4572 bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe 82 PID 4572 wrote to memory of 180 4572 bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe 82 PID 180 wrote to memory of 4256 180 3thtth.exe 83 PID 180 wrote to memory of 4256 180 3thtth.exe 83 PID 180 wrote to memory of 4256 180 3thtth.exe 83 PID 4256 wrote to memory of 3024 4256 flrlllf.exe 84 PID 4256 wrote to memory of 3024 4256 flrlllf.exe 84 PID 4256 wrote to memory of 3024 4256 flrlllf.exe 84 PID 3024 wrote to memory of 1940 3024 nbtbtb.exe 85 PID 3024 wrote to memory of 1940 3024 nbtbtb.exe 85 PID 3024 wrote to memory of 1940 3024 nbtbtb.exe 85 PID 1940 wrote to memory of 2948 1940 vjpjd.exe 86 PID 1940 wrote to memory of 2948 1940 vjpjd.exe 86 PID 1940 wrote to memory of 2948 1940 vjpjd.exe 86 PID 2948 wrote to memory of 3188 2948 fxxrllx.exe 87 PID 2948 wrote to memory of 3188 2948 fxxrllx.exe 87 PID 2948 wrote to memory of 3188 2948 fxxrllx.exe 87 PID 3188 wrote to memory of 3656 3188 fffxrll.exe 88 PID 3188 wrote to memory of 3656 3188 fffxrll.exe 88 PID 3188 wrote to memory of 3656 3188 fffxrll.exe 88 PID 3656 wrote to memory of 4908 3656 3xrxllx.exe 89 PID 3656 wrote to memory of 4908 3656 3xrxllx.exe 89 PID 3656 wrote to memory of 4908 3656 3xrxllx.exe 89 PID 4908 wrote to memory of 2380 4908 7bhnnt.exe 90 PID 4908 wrote to memory of 2380 4908 7bhnnt.exe 90 PID 4908 wrote to memory of 2380 4908 7bhnnt.exe 90 PID 2380 wrote to memory of 1156 2380 pvjdp.exe 91 PID 2380 wrote to memory of 1156 2380 pvjdp.exe 91 PID 2380 wrote to memory of 1156 2380 pvjdp.exe 91 PID 1156 wrote to memory of 1352 1156 dvdvp.exe 92 PID 1156 wrote to memory of 1352 1156 dvdvp.exe 92 PID 1156 wrote to memory of 1352 1156 dvdvp.exe 92 PID 1352 wrote to memory of 4620 1352 bhhtnn.exe 93 PID 1352 wrote to memory 
of 4620 1352 bhhtnn.exe 93 PID 1352 wrote to memory of 4620 1352 bhhtnn.exe 93 PID 4620 wrote to memory of 5116 4620 dvddj.exe 94 PID 4620 wrote to memory of 5116 4620 dvddj.exe 94 PID 4620 wrote to memory of 5116 4620 dvddj.exe 94 PID 5116 wrote to memory of 396 5116 3thnnn.exe 95 PID 5116 wrote to memory of 396 5116 3thnnn.exe 95 PID 5116 wrote to memory of 396 5116 3thnnn.exe 95 PID 396 wrote to memory of 3504 396 vjpdv.exe 96 PID 396 wrote to memory of 3504 396 vjpdv.exe 96 PID 396 wrote to memory of 3504 396 vjpdv.exe 96 PID 3504 wrote to memory of 4416 3504 djvvp.exe 97 PID 3504 wrote to memory of 4416 3504 djvvp.exe 97 PID 3504 wrote to memory of 4416 3504 djvvp.exe 97 PID 4416 wrote to memory of 3644 4416 rlfllxf.exe 98 PID 4416 wrote to memory of 3644 4416 rlfllxf.exe 98 PID 4416 wrote to memory of 3644 4416 rlfllxf.exe 98 PID 3644 wrote to memory of 2124 3644 ddddj.exe 99 PID 3644 wrote to memory of 2124 3644 ddddj.exe 99 PID 3644 wrote to memory of 2124 3644 ddddj.exe 99 PID 2124 wrote to memory of 2004 2124 3flxrrf.exe 100 PID 2124 wrote to memory of 2004 2124 3flxrrf.exe 100 PID 2124 wrote to memory of 2004 2124 3flxrrf.exe 100 PID 2004 wrote to memory of 4912 2004 xrfxxxl.exe 101 PID 2004 wrote to memory of 4912 2004 xrfxxxl.exe 101 PID 2004 wrote to memory of 4912 2004 xrfxxxl.exe 101 PID 4912 wrote to memory of 2528 4912 dvdpj.exe 102 PID 4912 wrote to memory of 2528 4912 dvdpj.exe 102 PID 4912 wrote to memory of 2528 4912 dvdpj.exe 102 PID 2528 wrote to memory of 2668 2528 rrrlrfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe"C:\Users\Admin\AppData\Local\Temp\bd20a5cd3986550e04c854e6d2ae4fbe9b01ef44c43137f3754e334e7296436d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\3thtth.exec:\3thtth.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:180 -
\??\c:\flrlllf.exec:\flrlllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\nbtbtb.exec:\nbtbtb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\vjpjd.exec:\vjpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\fxxrllx.exec:\fxxrllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\fffxrll.exec:\fffxrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\3xrxllx.exec:\3xrxllx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\7bhnnt.exec:\7bhnnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\pvjdp.exec:\pvjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\dvdvp.exec:\dvdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\bhhtnn.exec:\bhhtnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1352 -
\??\c:\dvddj.exec:\dvddj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\3thnnn.exec:\3thnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\vjpdv.exec:\vjpdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
\??\c:\djvvp.exec:\djvvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\rlfllxf.exec:\rlfllxf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\ddddj.exec:\ddddj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\3flxrrf.exec:\3flxrrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\xrfxxxl.exec:\xrfxxxl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
\??\c:\dvdpj.exec:\dvdpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\rrrlrfx.exec:\rrrlrfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2528 -
\??\c:\hbtnhb.exec:\hbtnhb.exe23⤵
- Executes dropped EXE
PID:2668 -
\??\c:\vjvdv.exec:\vjvdv.exe24⤵
- Executes dropped EXE
PID:4120 -
\??\c:\rfxrrlf.exec:\rfxrrlf.exe25⤵
- Executes dropped EXE
PID:1376 -
\??\c:\nttbtt.exec:\nttbtt.exe26⤵
- Executes dropped EXE
PID:3060 -
\??\c:\1vjvj.exec:\1vjvj.exe27⤵
- Executes dropped EXE
PID:2252 -
\??\c:\rllffxr.exec:\rllffxr.exe28⤵
- Executes dropped EXE
PID:4720 -
\??\c:\9nhhbh.exec:\9nhhbh.exe29⤵
- Executes dropped EXE
PID:1648 -
\??\c:\3llxrlf.exec:\3llxrlf.exe30⤵
- Executes dropped EXE
PID:2532 -
\??\c:\lflfrrr.exec:\lflfrrr.exe31⤵
- Executes dropped EXE
PID:4144 -
\??\c:\btbhbh.exec:\btbhbh.exe32⤵
- Executes dropped EXE
PID:4104 -
\??\c:\vpdvj.exec:\vpdvj.exe33⤵
- Executes dropped EXE
PID:432 -
\??\c:\1rrlffx.exec:\1rrlffx.exe34⤵
- Executes dropped EXE
PID:2876 -
\??\c:\tthbth.exec:\tthbth.exe35⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1rlfffl.exec:\1rlfffl.exe36⤵
- Executes dropped EXE
PID:452 -
\??\c:\nnbtnn.exec:\nnbtnn.exe37⤵
- Executes dropped EXE
PID:2172 -
\??\c:\ppvpj.exec:\ppvpj.exe38⤵
- Executes dropped EXE
PID:5104 -
\??\c:\vppjd.exec:\vppjd.exe39⤵
- Executes dropped EXE
PID:2568 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe40⤵
- Executes dropped EXE
PID:3896 -
\??\c:\nttbnt.exec:\nttbnt.exe41⤵
- Executes dropped EXE
PID:3464 -
\??\c:\1nnhtt.exec:\1nnhtt.exe42⤵
- Executes dropped EXE
PID:5092 -
\??\c:\dvjdd.exec:\dvjdd.exe43⤵
- Executes dropped EXE
PID:4020 -
\??\c:\1rxrrrl.exec:\1rxrrrl.exe44⤵
- Executes dropped EXE
PID:2180 -
\??\c:\bbnbnt.exec:\bbnbnt.exe45⤵
- Executes dropped EXE
PID:3484 -
\??\c:\frrxrfx.exec:\frrxrfx.exe46⤵
- Executes dropped EXE
PID:2076 -
\??\c:\tthbbb.exec:\tthbbb.exe47⤵
- Executes dropped EXE
PID:4404 -
\??\c:\dppdv.exec:\dppdv.exe48⤵
- Executes dropped EXE
PID:4316 -
\??\c:\fxrxfxl.exec:\fxrxfxl.exe49⤵
- Executes dropped EXE
PID:4564 -
\??\c:\nnbbtt.exec:\nnbbtt.exe50⤵
- Executes dropped EXE
PID:444 -
\??\c:\xrlrllx.exec:\xrlrllx.exe51⤵
- Executes dropped EXE
PID:1812 -
\??\c:\btbtnn.exec:\btbtnn.exe52⤵
- Executes dropped EXE
PID:4172 -
\??\c:\dppjv.exec:\dppjv.exe53⤵
- Executes dropped EXE
PID:3880 -
\??\c:\dvpdp.exec:\dvpdp.exe54⤵
- Executes dropped EXE
PID:1264 -
\??\c:\rffrlfr.exec:\rffrlfr.exe55⤵
- Executes dropped EXE
PID:4516 -
\??\c:\nhbtnn.exec:\nhbtnn.exe56⤵
- Executes dropped EXE
PID:1036 -
\??\c:\xrlflxx.exec:\xrlflxx.exe57⤵
- Executes dropped EXE
PID:748 -
\??\c:\9httbh.exec:\9httbh.exe58⤵
- Executes dropped EXE
PID:1216 -
\??\c:\pddpj.exec:\pddpj.exe59⤵
- Executes dropped EXE
PID:2756 -
\??\c:\dpjjj.exec:\dpjjj.exe60⤵
- Executes dropped EXE
PID:1860 -
\??\c:\llxrfxx.exec:\llxrfxx.exe61⤵
- Executes dropped EXE
PID:4400 -
\??\c:\bhhbth.exec:\bhhbth.exe62⤵
- Executes dropped EXE
PID:1940 -
\??\c:\ddddv.exec:\ddddv.exe63⤵
- Executes dropped EXE
PID:3540 -
\??\c:\dvvjd.exec:\dvvjd.exe64⤵
- Executes dropped EXE
PID:2948 -
\??\c:\llrlxrl.exec:\llrlxrl.exe65⤵
- Executes dropped EXE
PID:1100 -
\??\c:\tbhhhh.exec:\tbhhhh.exe66⤵PID:620
-
\??\c:\jpjdp.exec:\jpjdp.exe67⤵PID:2944
-
\??\c:\tnthbn.exec:\tnthbn.exe68⤵PID:332
-
\??\c:\vppjj.exec:\vppjj.exe69⤵PID:1132
-
\??\c:\7hhbnn.exec:\7hhbnn.exe70⤵PID:3012
-
\??\c:\pvjpp.exec:\pvjpp.exe71⤵PID:1156
-
\??\c:\5rflllf.exec:\5rflllf.exe72⤵PID:4944
-
\??\c:\nntnhb.exec:\nntnhb.exe73⤵PID:4296
-
\??\c:\vpppp.exec:\vpppp.exe74⤵PID:2900
-
\??\c:\frrlrlf.exec:\frrlrlf.exe75⤵PID:4340
-
\??\c:\hntnhb.exec:\hntnhb.exe76⤵PID:864
-
\??\c:\ddvdd.exec:\ddvdd.exe77⤵PID:2028
-
\??\c:\jppjd.exec:\jppjd.exe78⤵PID:1820
-
\??\c:\xxlxlfr.exec:\xxlxlfr.exe79⤵PID:3640
-
\??\c:\tntnnn.exec:\tntnnn.exe80⤵PID:1912
-
\??\c:\pdddv.exec:\pdddv.exe81⤵PID:1784
-
\??\c:\rxfxrff.exec:\rxfxrff.exe82⤵PID:4024
-
\??\c:\tnhbnh.exec:\tnhbnh.exe83⤵PID:212
-
\??\c:\frrfflf.exec:\frrfflf.exe84⤵PID:1624
-
\??\c:\vvvvv.exec:\vvvvv.exe85⤵PID:3364
-
\??\c:\9flfxxr.exec:\9flfxxr.exe86⤵PID:3344
-
\??\c:\tnbthh.exec:\tnbthh.exe87⤵PID:1388
-
\??\c:\rrxfllf.exec:\rrxfllf.exe88⤵PID:4120
-
\??\c:\ntbttt.exec:\ntbttt.exe89⤵PID:916
-
\??\c:\xrrlxxr.exec:\xrrlxxr.exe90⤵PID:2220
-
\??\c:\bbttth.exec:\bbttth.exe91⤵PID:3528
-
\??\c:\djvvv.exec:\djvvv.exe92⤵PID:2676
-
\??\c:\lrxlfrl.exec:\lrxlfrl.exe93⤵PID:3228
-
\??\c:\7dvdv.exec:\7dvdv.exe94⤵PID:2940
-
\??\c:\llrlffx.exec:\llrlffx.exe95⤵PID:1564
-
\??\c:\xrfrlll.exec:\xrfrlll.exe96⤵PID:4168
-
\??\c:\ppdvp.exec:\ppdvp.exe97⤵PID:4428
-
\??\c:\xxxxrxx.exec:\xxxxrxx.exe98⤵PID:3900
-
\??\c:\rflfrrl.exec:\rflfrrl.exe99⤵PID:4240
-
\??\c:\nbnbtn.exec:\nbnbtn.exe100⤵PID:4824
-
\??\c:\ntntnn.exec:\ntntnn.exe101⤵PID:3032
-
\??\c:\dppvd.exec:\dppvd.exe102⤵PID:3376
-
\??\c:\flrrfll.exec:\flrrfll.exe103⤵PID:524
-
\??\c:\flrlrll.exec:\flrlrll.exe104⤵PID:3588
-
\??\c:\7hbtnb.exec:\7hbtnb.exe105⤵PID:5048
-
\??\c:\1dddd.exec:\1dddd.exe106⤵PID:900
-
\??\c:\lxrfxxr.exec:\lxrfxxr.exe107⤵PID:1188
-
\??\c:\fffxxxr.exec:\fffxxxr.exe108⤵PID:2896
-
\??\c:\thtnnt.exec:\thtnnt.exe109⤵PID:4988
-
\??\c:\xlfrxrx.exec:\xlfrxrx.exe110⤵PID:2136
-
\??\c:\5tnhnn.exec:\5tnhnn.exe111⤵PID:4060
-
\??\c:\pjjdp.exec:\pjjdp.exe112⤵PID:4320
-
\??\c:\5lrflll.exec:\5lrflll.exe113⤵PID:852
-
\??\c:\lxffxxx.exec:\lxffxxx.exe114⤵PID:5060
-
\??\c:\hbbtnn.exec:\hbbtnn.exe115⤵PID:2508
-
\??\c:\5jppp.exec:\5jppp.exe116⤵PID:2204
-
\??\c:\frfxlfr.exec:\frfxlfr.exe117⤵PID:972
-
\??\c:\httbtt.exec:\httbtt.exe118⤵PID:4524
-
\??\c:\jdvpj.exec:\jdvpj.exe119⤵PID:4496
-
\??\c:\rrfxrll.exec:\rrfxrll.exe120⤵PID:2736
-
\??\c:\hhnhhh.exec:\hhnhhh.exe121⤵PID:4492
-
\??\c:\vjpjd.exec:\vjpjd.exe122⤵PID:4528