Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
23-12-2024 05:09
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe
-
Size
453KB
-
MD5
21f7f1bb95bfc7466f96b95b89014e35
-
SHA1
ef7c775bd3be2c8c01fcb19408178bf59b0d2d16
-
SHA256
fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9
-
SHA512
b240ad4d4537e68cc99da80459875933fee94002e72675966704693e5cb23697aba1fffd20e776ed287e77e3bb9cbe1ffdd6a4545f5a870784e58913e675e742
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3996-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3572-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4616-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3304-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2824-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2568-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-729-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2856-1035-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5008 dvvdj.exe 4524 bbbhtn.exe 1756 fffrfrf.exe 4840 jpjdp.exe 3208 hbttnn.exe 4760 dppdj.exe 4608 bhbhth.exe 1220 dvvjd.exe 1772 jppjd.exe 4832 rlfxfxr.exe 4360 9frfrfx.exe 3492 1nbnbt.exe 2092 lfrxlxr.exe 1336 3nnbtt.exe 3172 jpvpd.exe 752 frrflfr.exe 3892 bttnbt.exe 4548 rfxlxlf.exe 972 nhbbtt.exe 4136 jpjvj.exe 2940 tnnhbh.exe 4944 jvdvv.exe 4884 rxxrffx.exe 2496 frrrffx.exe 1944 5btnhb.exe 1544 tntnhn.exe 3572 1xfxllf.exe 4724 5bnhbb.exe 4816 pddvp.exe 4648 7jppj.exe 1584 xllfxrl.exe 4448 5jvpp.exe 1028 bbbbnt.exe 540 jvvpj.exe 4048 5lllxxr.exe 1276 nnhnhn.exe 3732 tbtnhh.exe 4620 vpjdv.exe 4580 rlrrrxr.exe 4804 fffxrlf.exe 8 nhnhhb.exe 2568 3ppdp.exe 2216 jpdvj.exe 4544 llfxrrl.exe 4064 nntttb.exe 1484 5ttnbb.exe 640 5pdpp.exe 5008 tttnhh.exe 392 bhnhbb.exe 1952 rrxrxrr.exe 4432 rflfffx.exe 4840 7bbtnh.exe 2636 djddv.exe 1332 lffrllf.exe 2396 frxrrrl.exe 1020 bhthbb.exe 4616 pdjvp.exe 2512 xfxrfxr.exe 4332 fxxrlfx.exe 780 bttnbb.exe 3976 9vpjv.exe 4900 3ddvv.exe 4176 9lfrlfx.exe 2280 bnthbb.exe -
resource yara_rule behavioral2/memory/3996-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4816-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/392-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4616-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2824-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2312-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2568-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-706-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-707-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-729-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-773-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-823-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the geographical location of that host. Note that many of the IoCs below are attributed to "Process not Found", i.e. the sandbox could not resolve the process that opened the key — presumably because it had already exited by the time the event was attributed; treat the per-process attribution as incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rffllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhbnb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3996 wrote to memory of 5008 3996 fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe 82 PID 3996 wrote to memory of 5008 3996 fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe 82 PID 3996 wrote to memory of 5008 3996 fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe 82 PID 5008 wrote to memory of 4524 5008 dvvdj.exe 83 PID 5008 wrote to memory of 4524 5008 dvvdj.exe 83 PID 5008 wrote to memory of 4524 5008 dvvdj.exe 83 PID 4524 wrote to memory of 1756 4524 bbbhtn.exe 84 PID 4524 wrote to memory of 1756 4524 bbbhtn.exe 84 PID 4524 wrote to memory of 1756 4524 bbbhtn.exe 84 PID 1756 wrote to memory of 4840 1756 fffrfrf.exe 85 PID 1756 wrote to memory of 4840 1756 fffrfrf.exe 85 PID 1756 wrote to memory of 4840 1756 fffrfrf.exe 85 PID 4840 wrote to memory of 3208 4840 jpjdp.exe 86 PID 4840 wrote to memory of 3208 4840 jpjdp.exe 86 PID 4840 wrote to memory of 3208 4840 jpjdp.exe 86 PID 3208 wrote to memory of 4760 3208 hbttnn.exe 87 PID 3208 wrote to memory of 4760 3208 hbttnn.exe 87 PID 3208 wrote to memory of 4760 3208 hbttnn.exe 87 PID 4760 wrote to memory of 4608 4760 dppdj.exe 88 PID 4760 wrote to memory of 4608 4760 dppdj.exe 88 PID 4760 wrote to memory of 4608 4760 dppdj.exe 88 PID 4608 wrote to memory of 1220 4608 bhbhth.exe 89 PID 4608 wrote to memory of 1220 4608 bhbhth.exe 89 PID 4608 wrote to memory of 1220 4608 bhbhth.exe 89 PID 1220 wrote to memory of 1772 1220 dvvjd.exe 90 PID 1220 wrote to memory of 1772 1220 dvvjd.exe 90 PID 1220 wrote to memory of 1772 1220 dvvjd.exe 90 PID 1772 wrote to memory of 4832 1772 jppjd.exe 91 PID 1772 wrote to memory of 4832 1772 jppjd.exe 91 PID 1772 wrote to memory of 4832 1772 jppjd.exe 91 PID 4832 wrote to memory of 4360 4832 rlfxfxr.exe 92 PID 4832 wrote to memory of 4360 4832 rlfxfxr.exe 92 PID 4832 wrote to memory of 4360 4832 rlfxfxr.exe 92 PID 4360 wrote to memory of 3492 4360 9frfrfx.exe 93 PID 4360 wrote to memory of 
3492 4360 9frfrfx.exe 93 PID 4360 wrote to memory of 3492 4360 9frfrfx.exe 93 PID 3492 wrote to memory of 2092 3492 1nbnbt.exe 94 PID 3492 wrote to memory of 2092 3492 1nbnbt.exe 94 PID 3492 wrote to memory of 2092 3492 1nbnbt.exe 94 PID 2092 wrote to memory of 1336 2092 lfrxlxr.exe 95 PID 2092 wrote to memory of 1336 2092 lfrxlxr.exe 95 PID 2092 wrote to memory of 1336 2092 lfrxlxr.exe 95 PID 1336 wrote to memory of 3172 1336 3nnbtt.exe 96 PID 1336 wrote to memory of 3172 1336 3nnbtt.exe 96 PID 1336 wrote to memory of 3172 1336 3nnbtt.exe 96 PID 3172 wrote to memory of 752 3172 jpvpd.exe 97 PID 3172 wrote to memory of 752 3172 jpvpd.exe 97 PID 3172 wrote to memory of 752 3172 jpvpd.exe 97 PID 752 wrote to memory of 3892 752 frrflfr.exe 98 PID 752 wrote to memory of 3892 752 frrflfr.exe 98 PID 752 wrote to memory of 3892 752 frrflfr.exe 98 PID 3892 wrote to memory of 4548 3892 bttnbt.exe 99 PID 3892 wrote to memory of 4548 3892 bttnbt.exe 99 PID 3892 wrote to memory of 4548 3892 bttnbt.exe 99 PID 4548 wrote to memory of 972 4548 rfxlxlf.exe 100 PID 4548 wrote to memory of 972 4548 rfxlxlf.exe 100 PID 4548 wrote to memory of 972 4548 rfxlxlf.exe 100 PID 972 wrote to memory of 4136 972 nhbbtt.exe 101 PID 972 wrote to memory of 4136 972 nhbbtt.exe 101 PID 972 wrote to memory of 4136 972 nhbbtt.exe 101 PID 4136 wrote to memory of 2940 4136 jpjvj.exe 102 PID 4136 wrote to memory of 2940 4136 jpjvj.exe 102 PID 4136 wrote to memory of 2940 4136 jpjvj.exe 102 PID 2940 wrote to memory of 4944 2940 tnnhbh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe"C:\Users\Admin\AppData\Local\Temp\fe676b0c320473c2e2939f793de5a3d89bf0067c9b87fb4cede7d120043a60b9.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\dvvdj.exec:\dvvdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\bbbhtn.exec:\bbbhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
\??\c:\fffrfrf.exec:\fffrfrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\jpjdp.exec:\jpjdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\hbttnn.exec:\hbttnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\dppdj.exec:\dppdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\bhbhth.exec:\bhbhth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\dvvjd.exec:\dvvjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\jppjd.exec:\jppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\rlfxfxr.exec:\rlfxfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
\??\c:\9frfrfx.exec:\9frfrfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\1nbnbt.exec:\1nbnbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\lfrxlxr.exec:\lfrxlxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\3nnbtt.exec:\3nnbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\jpvpd.exec:\jpvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\frrflfr.exec:\frrflfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:752 -
\??\c:\bttnbt.exec:\bttnbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\rfxlxlf.exec:\rfxlxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\nhbbtt.exec:\nhbbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\jpjvj.exec:\jpjvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\tnnhbh.exec:\tnnhbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\jvdvv.exec:\jvdvv.exe23⤵
- Executes dropped EXE
PID:4944 -
\??\c:\rxxrffx.exec:\rxxrffx.exe24⤵
- Executes dropped EXE
PID:4884 -
\??\c:\frrrffx.exec:\frrrffx.exe25⤵
- Executes dropped EXE
PID:2496 -
\??\c:\5btnhb.exec:\5btnhb.exe26⤵
- Executes dropped EXE
PID:1944 -
\??\c:\tntnhn.exec:\tntnhn.exe27⤵
- Executes dropped EXE
PID:1544 -
\??\c:\1xfxllf.exec:\1xfxllf.exe28⤵
- Executes dropped EXE
PID:3572 -
\??\c:\5bnhbb.exec:\5bnhbb.exe29⤵
- Executes dropped EXE
PID:4724 -
\??\c:\pddvp.exec:\pddvp.exe30⤵
- Executes dropped EXE
PID:4816 -
\??\c:\7jppj.exec:\7jppj.exe31⤵
- Executes dropped EXE
PID:4648 -
\??\c:\xllfxrl.exec:\xllfxrl.exe32⤵
- Executes dropped EXE
PID:1584 -
\??\c:\5jvpp.exec:\5jvpp.exe33⤵
- Executes dropped EXE
PID:4448 -
\??\c:\bbbbnt.exec:\bbbbnt.exe34⤵
- Executes dropped EXE
PID:1028 -
\??\c:\jvvpj.exec:\jvvpj.exe35⤵
- Executes dropped EXE
PID:540 -
\??\c:\5lllxxr.exec:\5lllxxr.exe36⤵
- Executes dropped EXE
PID:4048 -
\??\c:\nnhnhn.exec:\nnhnhn.exe37⤵
- Executes dropped EXE
PID:1276 -
\??\c:\tbtnhh.exec:\tbtnhh.exe38⤵
- Executes dropped EXE
PID:3732 -
\??\c:\vpjdv.exec:\vpjdv.exe39⤵
- Executes dropped EXE
PID:4620 -
\??\c:\rlrrrxr.exec:\rlrrrxr.exe40⤵
- Executes dropped EXE
PID:4580 -
\??\c:\fffxrlf.exec:\fffxrlf.exe41⤵
- Executes dropped EXE
PID:4804 -
\??\c:\nhnhhb.exec:\nhnhhb.exe42⤵
- Executes dropped EXE
PID:8 -
\??\c:\3ppdp.exec:\3ppdp.exe43⤵
- Executes dropped EXE
PID:2568 -
\??\c:\jpdvj.exec:\jpdvj.exe44⤵
- Executes dropped EXE
PID:2216 -
\??\c:\llfxrrl.exec:\llfxrrl.exe45⤵
- Executes dropped EXE
PID:4544 -
\??\c:\nntttb.exec:\nntttb.exe46⤵
- Executes dropped EXE
PID:4064 -
\??\c:\5ttnbb.exec:\5ttnbb.exe47⤵
- Executes dropped EXE
PID:1484 -
\??\c:\5pdpp.exec:\5pdpp.exe48⤵
- Executes dropped EXE
PID:640 -
\??\c:\tttnhh.exec:\tttnhh.exe49⤵
- Executes dropped EXE
PID:5008 -
\??\c:\bhnhbb.exec:\bhnhbb.exe50⤵
- Executes dropped EXE
PID:392 -
\??\c:\rrxrxrr.exec:\rrxrxrr.exe51⤵
- Executes dropped EXE
PID:1952 -
\??\c:\rflfffx.exec:\rflfffx.exe52⤵
- Executes dropped EXE
PID:4432 -
\??\c:\7bbtnh.exec:\7bbtnh.exe53⤵
- Executes dropped EXE
PID:4840 -
\??\c:\djddv.exec:\djddv.exe54⤵
- Executes dropped EXE
PID:2636 -
\??\c:\lffrllf.exec:\lffrllf.exe55⤵
- Executes dropped EXE
PID:1332 -
\??\c:\frxrrrl.exec:\frxrrrl.exe56⤵
- Executes dropped EXE
PID:2396 -
\??\c:\bhthbb.exec:\bhthbb.exe57⤵
- Executes dropped EXE
PID:1020 -
\??\c:\pdjvp.exec:\pdjvp.exe58⤵
- Executes dropped EXE
PID:4616 -
\??\c:\xfxrfxr.exec:\xfxrfxr.exe59⤵
- Executes dropped EXE
PID:2512 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe60⤵
- Executes dropped EXE
PID:4332 -
\??\c:\bttnbb.exec:\bttnbb.exe61⤵
- Executes dropped EXE
PID:780 -
\??\c:\9vpjv.exec:\9vpjv.exe62⤵
- Executes dropped EXE
PID:3976 -
\??\c:\3ddvv.exec:\3ddvv.exe63⤵
- Executes dropped EXE
PID:4900 -
\??\c:\9lfrlfx.exec:\9lfrlfx.exe64⤵
- Executes dropped EXE
PID:4176 -
\??\c:\bnthbb.exec:\bnthbb.exe65⤵
- Executes dropped EXE
PID:2280 -
\??\c:\hththh.exec:\hththh.exe66⤵PID:1352
-
\??\c:\ppvpd.exec:\ppvpd.exe67⤵PID:3304
-
\??\c:\xxxlfxr.exec:\xxxlfxr.exe68⤵PID:864
-
\??\c:\hbbtnh.exec:\hbbtnh.exe69⤵PID:3168
-
\??\c:\vpdvd.exec:\vpdvd.exe70⤵PID:2932
-
\??\c:\7ppjv.exec:\7ppjv.exe71⤵PID:4796
-
\??\c:\7rxrllf.exec:\7rxrllf.exe72⤵PID:3784
-
\??\c:\lxxrlrl.exec:\lxxrlrl.exe73⤵PID:4972
-
\??\c:\hntbtt.exec:\hntbtt.exe74⤵PID:4196
-
\??\c:\vjpjd.exec:\vjpjd.exe75⤵PID:1592
-
\??\c:\vpvpv.exec:\vpvpv.exe76⤵PID:4624
-
\??\c:\rxfxllf.exec:\rxfxllf.exe77⤵PID:2940
-
\??\c:\hhttbb.exec:\hhttbb.exe78⤵PID:4124
-
\??\c:\dddvj.exec:\dddvj.exe79⤵PID:2620
-
\??\c:\dpjdp.exec:\dpjdp.exe80⤵PID:2824
-
\??\c:\xffrlff.exec:\xffrlff.exe81⤵PID:2496
-
\??\c:\thntbt.exec:\thntbt.exe82⤵PID:1244
-
\??\c:\pvpvv.exec:\pvpvv.exe83⤵PID:1812
-
\??\c:\lxfrllf.exec:\lxfrllf.exe84⤵PID:396
-
\??\c:\ffllllf.exec:\ffllllf.exe85⤵PID:4756
-
\??\c:\1ntnhb.exec:\1ntnhb.exe86⤵PID:2072
-
\??\c:\5ppjd.exec:\5ppjd.exe87⤵PID:3596
-
\??\c:\lllfxrr.exec:\lllfxrr.exe88⤵PID:1876
-
\??\c:\1tttnn.exec:\1tttnn.exe89⤵PID:2144
-
\??\c:\thhbnn.exec:\thhbnn.exe90⤵PID:1228
-
\??\c:\3jjjd.exec:\3jjjd.exe91⤵PID:4560
-
\??\c:\lflfxxx.exec:\lflfxxx.exe92⤵PID:4812
-
\??\c:\bhnhbt.exec:\bhnhbt.exe93⤵PID:720
-
\??\c:\ddppj.exec:\ddppj.exe94⤵PID:540
-
\??\c:\pjpjv.exec:\pjpjv.exe95⤵PID:592
-
\??\c:\xllfrrl.exec:\xllfrrl.exe96⤵PID:3428
-
\??\c:\lxfrllf.exec:\lxfrllf.exe97⤵PID:3732
-
\??\c:\9ttnbn.exec:\9ttnbn.exe98⤵PID:4620
-
\??\c:\dppjv.exec:\dppjv.exe99⤵PID:2312
-
\??\c:\xrlfffx.exec:\xrlfffx.exe100⤵PID:2672
-
\??\c:\thhbth.exec:\thhbth.exe101⤵PID:8
-
\??\c:\tbtbtb.exec:\tbtbtb.exe102⤵PID:2568
-
\??\c:\dvdvv.exec:\dvdvv.exe103⤵PID:4400
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe104⤵PID:4544
-
\??\c:\ntbtnh.exec:\ntbtnh.exe105⤵PID:4372
-
\??\c:\3dvjv.exec:\3dvjv.exe106⤵PID:3996
-
\??\c:\vpvpv.exec:\vpvpv.exe107⤵PID:1116
-
\??\c:\xfxxlrl.exec:\xfxxlrl.exe108⤵PID:1468
-
\??\c:\tnnnhn.exec:\tnnnhn.exe109⤵PID:784
-
\??\c:\dvdvv.exec:\dvdvv.exe110⤵PID:3256
-
\??\c:\xrrlffx.exec:\xrrlffx.exe111⤵PID:924
-
\??\c:\tttnbt.exec:\tttnbt.exe112⤵PID:3164
-
\??\c:\vvdpd.exec:\vvdpd.exe113⤵PID:4192
-
\??\c:\7flxxxf.exec:\7flxxxf.exe114⤵PID:724
-
\??\c:\xrrlffx.exec:\xrrlffx.exe115⤵PID:4516
-
\??\c:\ttnhbb.exec:\ttnhbb.exe116⤵PID:2396
-
\??\c:\jddjv.exec:\jddjv.exe117⤵PID:1020
-
\??\c:\lxxrfxr.exec:\lxxrfxr.exe118⤵PID:2324
-
\??\c:\xflfxrr.exec:\xflfxrr.exe119⤵PID:2512
-
\??\c:\tnbttt.exec:\tnbttt.exe120⤵PID:4280
-
\??\c:\vjjdv.exec:\vjjdv.exe121⤵PID:232
-
\??\c:\llrxflf.exec:\llrxflf.exe122⤵PID:3976
-