Analysis
-
max time kernel
110s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-12-2024 06:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2N.exe
-
Size
453KB
-
MD5
228565d822ba9ffaace66e3aedeb79b0
-
SHA1
1bbb7535a5b58afb85541a83767f0f945e0d5b2c
-
SHA256
f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2
-
SHA512
e5b330d2d936fbd2c5f01586c5019ca6a80c6bd6aff8d2ac60ad79156f06dd2a92637a57c07eda77b8cb3125750a039478627eb2ea618b023c629bbff2e17dfa
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (each match is a memory dump keyed by PID and dump offset; several PIDs are reused along the process chain below — e.g. 4768 is both the original sample and the later jddvp.exe — so a PID alone does not identify a single process, and the same 0x400000–0x42A000 image range recurring for every entry reflects the identical dropped executable, not one shared process)
resource yara_rule behavioral2/memory/4768-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/508-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/792-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3260-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3392-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1116-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1936-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3680-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3044-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/888-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-1199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-1358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-1432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-1876-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4036-1970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the table is capped at 64 entries; the process tree below shows the chain continuing to depth 122, with each stage written to the root of C:\ under a random-looking name and spawning the next)
pid Process 388 tbnhbb.exe 3044 hhnhhn.exe 3680 fxfrfrl.exe 3172 bbbtnh.exe 1288 ppjdv.exe 1416 5rrlllf.exe 728 pddvd.exe 912 fxxxxxx.exe 536 bbhbbb.exe 4584 djjdv.exe 184 7jvjd.exe 1440 flrrfxf.exe 4516 xxfrxfl.exe 896 bbbttt.exe 2828 vjjdv.exe 116 1jjjd.exe 2636 flrlfff.exe 1936 tttttn.exe 3272 xffxxll.exe 4208 7tnhhh.exe 5056 dppjd.exe 2388 xlxlxlf.exe 2748 hhhbnt.exe 1840 jddjp.exe 220 jjdpj.exe 4332 lxrrxlf.exe 436 btbbbt.exe 3576 7vdvv.exe 2380 fxrrrrr.exe 2816 7bttnh.exe 1248 jjdvd.exe 5040 xrxlffx.exe 1752 ttbttb.exe 2196 pddjv.exe 2612 frfxrlf.exe 508 bthtbb.exe 4468 vvpdj.exe 3460 xxxxfrx.exe 5020 pvvvp.exe 1592 xrrxrfx.exe 1868 3ffxrrr.exe 60 tbnhnn.exe 4596 vvddv.exe 4768 jddvp.exe 4488 lrfxrrr.exe 4908 hbbbtn.exe 3680 pjvpp.exe 3172 jdvpj.exe 1812 lrxrrll.exe 1776 9hnhtb.exe 3448 jvjvj.exe 2928 1jjdp.exe 4872 rxxxrrl.exe 4336 rllxrrr.exe 1376 hbtntt.exe 3084 ddvjv.exe 792 pvddv.exe 4688 lxffxxx.exe 5084 bnnnhh.exe 4036 9vdpd.exe 1552 pdjdv.exe 3260 rlxrxxf.exe 1116 thnhbt.exe 116 btbbhh.exe -
resource yara_rule behavioral2/memory/4768-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/508-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/792-276-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3260-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3392-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1116-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-93-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4516-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3680-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/888-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-579-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-1048-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language). Entries attributed to "Process not Found" most likely come from short-lived stages of the chain that had already exited before the sandbox resolved their process names; they should still be counted toward the behaviour, not discarded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5flfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntbtb.exe -
Suspicious use of WriteProcessMemory 64 IoCs (every entry is a parent writing to the child it has just spawned, three writes per child, mirroring the drop-and-execute chain in the process tree; this is consistent with ordinary child-process creation rather than injection into an unrelated process, so treat it as corroboration of the chain rather than as an independent injection indicator)
description pid Process procid_target PID 4768 wrote to memory of 388 4768 f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2N.exe 83 PID 4768 wrote to memory of 388 4768 f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2N.exe 83 PID 4768 wrote to memory of 388 4768 f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2N.exe 83 PID 388 wrote to memory of 3044 388 tbnhbb.exe 84 PID 388 wrote to memory of 3044 388 tbnhbb.exe 84 PID 388 wrote to memory of 3044 388 tbnhbb.exe 84 PID 3044 wrote to memory of 3680 3044 hhnhhn.exe 129 PID 3044 wrote to memory of 3680 3044 hhnhhn.exe 129 PID 3044 wrote to memory of 3680 3044 hhnhhn.exe 129 PID 3680 wrote to memory of 3172 3680 fxfrfrl.exe 130 PID 3680 wrote to memory of 3172 3680 fxfrfrl.exe 130 PID 3680 wrote to memory of 3172 3680 fxfrfrl.exe 130 PID 3172 wrote to memory of 1288 3172 bbbtnh.exe 184 PID 3172 wrote to memory of 1288 3172 bbbtnh.exe 184 PID 3172 wrote to memory of 1288 3172 bbbtnh.exe 184 PID 1288 wrote to memory of 1416 1288 ppjdv.exe 88 PID 1288 wrote to memory of 1416 1288 ppjdv.exe 88 PID 1288 wrote to memory of 1416 1288 ppjdv.exe 88 PID 1416 wrote to memory of 728 1416 5rrlllf.exe 89 PID 1416 wrote to memory of 728 1416 5rrlllf.exe 89 PID 1416 wrote to memory of 728 1416 5rrlllf.exe 89 PID 728 wrote to memory of 912 728 pddvd.exe 90 PID 728 wrote to memory of 912 728 pddvd.exe 90 PID 728 wrote to memory of 912 728 pddvd.exe 90 PID 912 wrote to memory of 536 912 fxxxxxx.exe 91 PID 912 wrote to memory of 536 912 fxxxxxx.exe 91 PID 912 wrote to memory of 536 912 fxxxxxx.exe 91 PID 536 wrote to memory of 4584 536 bbhbbb.exe 92 PID 536 wrote to memory of 4584 536 bbhbbb.exe 92 PID 536 wrote to memory of 4584 536 bbhbbb.exe 92 PID 4584 wrote to memory of 184 4584 djjdv.exe 93 PID 4584 wrote to memory of 184 4584 djjdv.exe 93 PID 4584 wrote to memory of 184 4584 djjdv.exe 93 PID 184 wrote to memory of 1440 184 7jvjd.exe 94 PID 184 wrote to memory of 1440 184 7jvjd.exe 94 
PID 184 wrote to memory of 1440 184 7jvjd.exe 94 PID 1440 wrote to memory of 4516 1440 flrrfxf.exe 195 PID 1440 wrote to memory of 4516 1440 flrrfxf.exe 195 PID 1440 wrote to memory of 4516 1440 flrrfxf.exe 195 PID 4516 wrote to memory of 896 4516 xxfrxfl.exe 96 PID 4516 wrote to memory of 896 4516 xxfrxfl.exe 96 PID 4516 wrote to memory of 896 4516 xxfrxfl.exe 96 PID 896 wrote to memory of 2828 896 bbbttt.exe 97 PID 896 wrote to memory of 2828 896 bbbttt.exe 97 PID 896 wrote to memory of 2828 896 bbbttt.exe 97 PID 2828 wrote to memory of 116 2828 vjjdv.exe 98 PID 2828 wrote to memory of 116 2828 vjjdv.exe 98 PID 2828 wrote to memory of 116 2828 vjjdv.exe 98 PID 116 wrote to memory of 2636 116 1jjjd.exe 147 PID 116 wrote to memory of 2636 116 1jjjd.exe 147 PID 116 wrote to memory of 2636 116 1jjjd.exe 147 PID 2636 wrote to memory of 1936 2636 flrlfff.exe 100 PID 2636 wrote to memory of 1936 2636 flrlfff.exe 100 PID 2636 wrote to memory of 1936 2636 flrlfff.exe 100 PID 1936 wrote to memory of 3272 1936 tttttn.exe 101 PID 1936 wrote to memory of 3272 1936 tttttn.exe 101 PID 1936 wrote to memory of 3272 1936 tttttn.exe 101 PID 3272 wrote to memory of 4208 3272 xffxxll.exe 102 PID 3272 wrote to memory of 4208 3272 xffxxll.exe 102 PID 3272 wrote to memory of 4208 3272 xffxxll.exe 102 PID 4208 wrote to memory of 5056 4208 7tnhhh.exe 103 PID 4208 wrote to memory of 5056 4208 7tnhhh.exe 103 PID 4208 wrote to memory of 5056 4208 7tnhhh.exe 103 PID 5056 wrote to memory of 2388 5056 dppjd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2N.exe — command line: "C:\Users\Admin\AppData\Local\Temp\f981c824045cb3ac8755079dba7c8759c6b2b3bf481fa943ff70a87e28be31e2N.exe" (tree depth 1)
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\tbnhbb.exec:\tbnhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388 -
\??\c:\hhnhhn.exec:\hhnhhn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3044 -
\??\c:\fxfrfrl.exec:\fxfrfrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\bbbtnh.exec:\bbbtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\ppjdv.exec:\ppjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\5rrlllf.exec:\5rrlllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\pddvd.exec:\pddvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\fxxxxxx.exec:\fxxxxxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:912 -
\??\c:\bbhbbb.exec:\bbhbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\djjdv.exec:\djjdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\7jvjd.exec:\7jvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\flrrfxf.exec:\flrrfxf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\xxfrxfl.exec:\xxfrxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\bbbttt.exec:\bbbttt.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\vjjdv.exec:\vjjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\1jjjd.exec:\1jjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\flrlfff.exec:\flrlfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2636 -
\??\c:\tttttn.exec:\tttttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
\??\c:\xffxxll.exec:\xffxxll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\7tnhhh.exec:\7tnhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\dppjd.exec:\dppjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\xlxlxlf.exec:\xlxlxlf.exe23⤵
- Executes dropped EXE
PID:2388 -
\??\c:\hhhbnt.exec:\hhhbnt.exe24⤵
- Executes dropped EXE
PID:2748 -
\??\c:\jddjp.exec:\jddjp.exe25⤵
- Executes dropped EXE
PID:1840 -
\??\c:\jjdpj.exec:\jjdpj.exe26⤵
- Executes dropped EXE
PID:220 -
\??\c:\lxrrxlf.exec:\lxrrxlf.exe27⤵
- Executes dropped EXE
PID:4332 -
\??\c:\btbbbt.exec:\btbbbt.exe28⤵
- Executes dropped EXE
PID:436 -
\??\c:\7vdvv.exec:\7vdvv.exe29⤵
- Executes dropped EXE
PID:3576 -
\??\c:\fxrrrrr.exec:\fxrrrrr.exe30⤵
- Executes dropped EXE
PID:2380 -
\??\c:\7bttnh.exec:\7bttnh.exe31⤵
- Executes dropped EXE
PID:2816 -
\??\c:\jjdvd.exec:\jjdvd.exe32⤵
- Executes dropped EXE
PID:1248 -
\??\c:\xrxlffx.exec:\xrxlffx.exe33⤵
- Executes dropped EXE
PID:5040 -
\??\c:\ttbttb.exec:\ttbttb.exe34⤵
- Executes dropped EXE
PID:1752 -
\??\c:\pddjv.exec:\pddjv.exe35⤵
- Executes dropped EXE
PID:2196 -
\??\c:\frfxrlf.exec:\frfxrlf.exe36⤵
- Executes dropped EXE
PID:2612 -
\??\c:\bthtbb.exec:\bthtbb.exe37⤵
- Executes dropped EXE
PID:508 -
\??\c:\vvpdj.exec:\vvpdj.exe38⤵
- Executes dropped EXE
PID:4468 -
\??\c:\xxxxfrx.exec:\xxxxfrx.exe39⤵
- Executes dropped EXE
PID:3460 -
\??\c:\pvvvp.exec:\pvvvp.exe40⤵
- Executes dropped EXE
PID:5020 -
\??\c:\xrrxrfx.exec:\xrrxrfx.exe41⤵
- Executes dropped EXE
PID:1592 -
\??\c:\3ffxrrr.exec:\3ffxrrr.exe42⤵
- Executes dropped EXE
PID:1868 -
\??\c:\tbnhnn.exec:\tbnhnn.exe43⤵
- Executes dropped EXE
PID:60 -
\??\c:\vvddv.exec:\vvddv.exe44⤵
- Executes dropped EXE
PID:4596 -
\??\c:\jddvp.exec:\jddvp.exe45⤵
- Executes dropped EXE
PID:4768 -
\??\c:\lrfxrrr.exec:\lrfxrrr.exe46⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hbbbtn.exec:\hbbbtn.exe47⤵
- Executes dropped EXE
PID:4908 -
\??\c:\pjvpp.exec:\pjvpp.exe48⤵
- Executes dropped EXE
PID:3680 -
\??\c:\jdvpj.exec:\jdvpj.exe49⤵
- Executes dropped EXE
PID:3172 -
\??\c:\lrxrrll.exec:\lrxrrll.exe50⤵
- Executes dropped EXE
PID:1812 -
\??\c:\9hnhtb.exec:\9hnhtb.exe51⤵
- Executes dropped EXE
PID:1776 -
\??\c:\jvjvj.exec:\jvjvj.exe52⤵
- Executes dropped EXE
PID:3448 -
\??\c:\1jjdp.exec:\1jjdp.exe53⤵
- Executes dropped EXE
PID:2928 -
\??\c:\rxxxrrl.exec:\rxxxrrl.exe54⤵
- Executes dropped EXE
PID:4872 -
\??\c:\rllxrrr.exec:\rllxrrr.exe55⤵
- Executes dropped EXE
PID:4336 -
\??\c:\hbtntt.exec:\hbtntt.exe56⤵
- Executes dropped EXE
PID:1376 -
\??\c:\ddvjv.exec:\ddvjv.exe57⤵
- Executes dropped EXE
PID:3084 -
\??\c:\pvddv.exec:\pvddv.exe58⤵
- Executes dropped EXE
PID:792 -
\??\c:\lxffxxx.exec:\lxffxxx.exe59⤵
- Executes dropped EXE
PID:4688 -
\??\c:\bnnnhh.exec:\bnnnhh.exe60⤵
- Executes dropped EXE
PID:5084 -
\??\c:\9vdpd.exec:\9vdpd.exe61⤵
- Executes dropped EXE
PID:4036 -
\??\c:\pdjdv.exec:\pdjdv.exe62⤵
- Executes dropped EXE
PID:1552 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe63⤵
- Executes dropped EXE
PID:3260 -
\??\c:\thnhbt.exec:\thnhbt.exe64⤵
- Executes dropped EXE
PID:1116 -
\??\c:\btbbhh.exec:\btbbhh.exe65⤵
- Executes dropped EXE
PID:116 -
\??\c:\5ddvd.exec:\5ddvd.exe66⤵PID:2636
-
\??\c:\fffxrlf.exec:\fffxrlf.exe67⤵PID:4600
-
\??\c:\9xrrlfx.exec:\9xrrlfx.exe68⤵PID:1172
-
\??\c:\bbtnnh.exec:\bbtnnh.exe69⤵PID:1652
-
\??\c:\jjjpd.exec:\jjjpd.exe70⤵PID:4208
-
\??\c:\flrrlll.exec:\flrrlll.exe71⤵PID:3572
-
\??\c:\fxrfxll.exec:\fxrfxll.exe72⤵PID:1996
-
\??\c:\9nnbtt.exec:\9nnbtt.exe73⤵PID:4464
-
\??\c:\hbbttt.exec:\hbbttt.exe74⤵PID:4900
-
\??\c:\djjdp.exec:\djjdp.exe75⤵PID:4280
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe76⤵PID:956
-
\??\c:\llxrfff.exec:\llxrfff.exe77⤵PID:3300
-
\??\c:\bbnbht.exec:\bbnbht.exe78⤵PID:4024
-
\??\c:\pddpj.exec:\pddpj.exe79⤵PID:3576
-
\??\c:\pjvdp.exec:\pjvdp.exe80⤵PID:4984
-
\??\c:\xlxlfxr.exec:\xlxlfxr.exe81⤵PID:676
-
\??\c:\3rrlffl.exec:\3rrlffl.exe82⤵PID:4032
-
\??\c:\hnttbn.exec:\hnttbn.exe83⤵PID:3608
-
\??\c:\ppvpv.exec:\ppvpv.exe84⤵PID:3908
-
\??\c:\dpppj.exec:\dpppj.exe85⤵PID:1420
-
\??\c:\3xxfxfx.exec:\3xxfxfx.exe86⤵PID:1536
-
\??\c:\ttbthh.exec:\ttbthh.exe87⤵
- System Location Discovery: System Language Discovery
PID:1824 -
\??\c:\nbhbbn.exec:\nbhbbn.exe88⤵PID:4888
-
\??\c:\djdjv.exec:\djdjv.exe89⤵PID:3512
-
\??\c:\pdjdd.exec:\pdjdd.exe90⤵PID:3764
-
\??\c:\9lrllfl.exec:\9lrllfl.exe91⤵PID:2164
-
\??\c:\hntnth.exec:\hntnth.exe92⤵PID:3060
-
\??\c:\nbhtth.exec:\nbhtth.exe93⤵PID:4960
-
\??\c:\pjjjj.exec:\pjjjj.exe94⤵PID:2352
-
\??\c:\1flxrrf.exec:\1flxrrf.exe95⤵PID:3392
-
\??\c:\bbttbt.exec:\bbttbt.exe96⤵PID:4428
-
\??\c:\nnnbnh.exec:\nnnbnh.exe97⤵PID:1940
-
\??\c:\3jpjp.exec:\3jpjp.exe98⤵PID:724
-
\??\c:\7xlfflx.exec:\7xlfflx.exe99⤵PID:448
-
\??\c:\lfrflxf.exec:\lfrflxf.exe100⤵PID:1160
-
\??\c:\htnbnt.exec:\htnbnt.exe101⤵PID:4908
-
\??\c:\pppjv.exec:\pppjv.exe102⤵PID:1424
-
\??\c:\ppppj.exec:\ppppj.exe103⤵PID:1288
-
\??\c:\frlrllx.exec:\frlrllx.exe104⤵PID:3604
-
\??\c:\bhhnhn.exec:\bhhnhn.exe105⤵PID:1416
-
\??\c:\bhhbtn.exec:\bhhbtn.exe106⤵PID:3184
-
\??\c:\jdvpp.exec:\jdvpp.exe107⤵PID:2608
-
\??\c:\llrlrlr.exec:\llrlrlr.exe108⤵PID:2928
-
\??\c:\lfxrlfx.exec:\lfxrlfx.exe109⤵PID:4872
-
\??\c:\nbbnbb.exec:\nbbnbb.exe110⤵PID:4336
-
\??\c:\pddvp.exec:\pddvp.exe111⤵PID:4584
-
\??\c:\vpppj.exec:\vpppj.exe112⤵PID:2424
-
\??\c:\nththb.exec:\nththb.exe113⤵PID:4080
-
\??\c:\hnbnht.exec:\hnbnht.exe114⤵PID:4516
-
\??\c:\9pjdv.exec:\9pjdv.exe115⤵PID:2976
-
\??\c:\lffxrxr.exec:\lffxrxr.exe116⤵PID:3700
-
\??\c:\3hbbtt.exec:\3hbbtt.exe117⤵PID:4144
-
\??\c:\xrlfrxf.exec:\xrlfrxf.exe118⤵PID:3276
-
\??\c:\xlfxrlr.exec:\xlfxrlr.exe119⤵PID:4692
-
\??\c:\5vjdp.exec:\5vjdp.exe120⤵PID:3120
-
\??\c:\vjvpj.exec:\vjvpj.exe121⤵PID:1400
-
\??\c:\jvvjd.exec:\jvvjd.exe122⤵PID:3692