Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 22:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe
-
Size
454KB
-
MD5
3924eb19bd5c7b2164c4345dd65e67b1
-
SHA1
7acc0f02067e34a48d1d0d558e963104ff951037
-
SHA256
80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b
-
SHA512
49a916105cfa1bb61247a5a72953b69e4c9565c324b9bbd3e41efee670443320ff0e4b4a5ae54fb4b79032150b460644e2cfac2f8fce3f44f2e7c4593e18099e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeG:q7Tc2NYHUrAwfMp3CDG
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/464-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1140-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1832-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3880-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1832-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2440-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-651-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-733-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-813-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/772-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-1175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-1405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1996 vddpj.exe 4568 6682604.exe 3092 tbtnhb.exe 2996 w68682.exe 552 fxlffff.exe 4484 4002024.exe 3840 tthbbh.exe 1088 62402.exe 4552 02604.exe 4160 0408802.exe 4220 6660482.exe 4824 3fxrllx.exe 2224 84486.exe 3956 hnbnbt.exe 2968 hnnhbt.exe 2412 pdjdp.exe 2352 djjpv.exe 4604 4862666.exe 3656 o404888.exe 2368 btbhbn.exe 772 tbntbt.exe 4236 jdvvv.exe 1140 xlxlfxr.exe 4960 hhtnnn.exe 3460 6860460.exe 264 k28826.exe 1956 6026008.exe 4584 40044.exe 3980 c042220.exe 1832 tbhbbh.exe 1704 4060448.exe 2940 xlxfxrl.exe 1540 hhthbn.exe 516 g2826.exe 4080 jvvpp.exe 2476 lrxxfxl.exe 2336 fflffxr.exe 1120 jjjjj.exe 1512 0060026.exe 3020 1xxlffr.exe 4116 tnhbnh.exe 4908 hhhbbh.exe 4328 3fxlrrf.exe 3100 dvdpd.exe 2792 dvpdd.exe 4352 86608.exe 3888 jvpdj.exe 3908 vddpj.exe 1796 ttnhhh.exe 4492 ddjpp.exe 4692 4888282.exe 8 0886482.exe 2996 lrlllrr.exe 3356 6882264.exe 4696 0828264.exe 4576 406000.exe 3660 200640.exe 3012 e20448.exe 2864 062044.exe 4000 644882.exe 4884 frrrlll.exe 4252 rxfxrrl.exe 3728 2060446.exe 1204 xlrlxxl.exe -
resource yara_rule behavioral2/memory/464-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4584-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3880-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1832-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-401-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4452-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-651-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-733-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-813-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-829-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/772-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-942-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-946-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 240600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bthtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lxrxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
6466600.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 482884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4644866.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language q02044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 802604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 464 wrote to memory of 1996 464 80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe 85 PID 464 wrote to memory of 1996 464 80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe 85 PID 464 wrote to memory of 1996 464 80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe 85 PID 1996 wrote to memory of 4568 1996 vddpj.exe 86 PID 1996 wrote to memory of 4568 1996 vddpj.exe 86 PID 1996 wrote to memory of 4568 1996 vddpj.exe 86 PID 4568 wrote to memory of 3092 4568 6682604.exe 87 PID 4568 wrote to memory of 3092 4568 6682604.exe 87 PID 4568 wrote to memory of 3092 4568 6682604.exe 87 PID 3092 wrote to memory of 2996 3092 tbtnhb.exe 88 PID 3092 wrote to memory of 2996 3092 tbtnhb.exe 88 PID 3092 wrote to memory of 2996 3092 tbtnhb.exe 88 PID 2996 wrote to memory of 552 2996 w68682.exe 89 PID 2996 wrote to memory of 552 2996 w68682.exe 89 PID 2996 wrote to memory of 552 2996 w68682.exe 89 PID 552 wrote to memory of 4484 552 fxlffff.exe 90 PID 552 wrote to memory of 4484 552 fxlffff.exe 90 PID 552 wrote to memory of 4484 552 fxlffff.exe 90 PID 4484 wrote to memory of 3840 4484 4002024.exe 91 PID 4484 wrote to memory of 3840 4484 4002024.exe 91 PID 4484 wrote to memory of 3840 4484 4002024.exe 91 PID 3840 wrote to memory of 1088 3840 tthbbh.exe 92 PID 3840 wrote to memory of 1088 3840 tthbbh.exe 92 PID 3840 wrote to memory of 1088 3840 tthbbh.exe 92 PID 1088 wrote to memory of 4552 1088 62402.exe 93 PID 1088 wrote to memory of 4552 1088 62402.exe 93 PID 1088 wrote to memory of 4552 1088 62402.exe 93 PID 4552 wrote to memory of 4160 4552 02604.exe 94 PID 4552 wrote to memory of 4160 4552 02604.exe 94 PID 4552 wrote to memory of 4160 4552 02604.exe 94 PID 4160 wrote to memory of 4220 4160 0408802.exe 95 PID 4160 wrote to memory of 4220 4160 0408802.exe 95 PID 4160 wrote to memory of 4220 4160 0408802.exe 95 PID 4220 wrote to memory of 4824 4220 6660482.exe 96 PID 4220 wrote to memory of 
4824 4220 6660482.exe 96 PID 4220 wrote to memory of 4824 4220 6660482.exe 96 PID 4824 wrote to memory of 2224 4824 3fxrllx.exe 97 PID 4824 wrote to memory of 2224 4824 3fxrllx.exe 97 PID 4824 wrote to memory of 2224 4824 3fxrllx.exe 97 PID 2224 wrote to memory of 3956 2224 84486.exe 98 PID 2224 wrote to memory of 3956 2224 84486.exe 98 PID 2224 wrote to memory of 3956 2224 84486.exe 98 PID 3956 wrote to memory of 2968 3956 hnbnbt.exe 99 PID 3956 wrote to memory of 2968 3956 hnbnbt.exe 99 PID 3956 wrote to memory of 2968 3956 hnbnbt.exe 99 PID 2968 wrote to memory of 2412 2968 hnnhbt.exe 100 PID 2968 wrote to memory of 2412 2968 hnnhbt.exe 100 PID 2968 wrote to memory of 2412 2968 hnnhbt.exe 100 PID 2412 wrote to memory of 2352 2412 pdjdp.exe 101 PID 2412 wrote to memory of 2352 2412 pdjdp.exe 101 PID 2412 wrote to memory of 2352 2412 pdjdp.exe 101 PID 2352 wrote to memory of 4604 2352 djjpv.exe 102 PID 2352 wrote to memory of 4604 2352 djjpv.exe 102 PID 2352 wrote to memory of 4604 2352 djjpv.exe 102 PID 4604 wrote to memory of 3656 4604 4862666.exe 103 PID 4604 wrote to memory of 3656 4604 4862666.exe 103 PID 4604 wrote to memory of 3656 4604 4862666.exe 103 PID 3656 wrote to memory of 2368 3656 o404888.exe 104 PID 3656 wrote to memory of 2368 3656 o404888.exe 104 PID 3656 wrote to memory of 2368 3656 o404888.exe 104 PID 2368 wrote to memory of 772 2368 btbhbn.exe 105 PID 2368 wrote to memory of 772 2368 btbhbn.exe 105 PID 2368 wrote to memory of 772 2368 btbhbn.exe 105 PID 772 wrote to memory of 4236 772 tbntbt.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe"C:\Users\Admin\AppData\Local\Temp\80b3c31162699734c9e1845479a6fe369e74105d14f5a12706f0656a326d962b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\vddpj.exec:\vddpj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\6682604.exec:\6682604.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\tbtnhb.exec:\tbtnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\w68682.exec:\w68682.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\fxlffff.exec:\fxlffff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:552 -
\??\c:\4002024.exec:\4002024.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\tthbbh.exec:\tthbbh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\62402.exec:\62402.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\02604.exec:\02604.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\0408802.exec:\0408802.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\6660482.exec:\6660482.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\3fxrllx.exec:\3fxrllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\84486.exec:\84486.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2224 -
\??\c:\hnbnbt.exec:\hnbnbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\hnnhbt.exec:\hnnhbt.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\pdjdp.exec:\pdjdp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\djjpv.exec:\djjpv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352 -
\??\c:\4862666.exec:\4862666.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\o404888.exec:\o404888.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
\??\c:\btbhbn.exec:\btbhbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\tbntbt.exec:\tbntbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\jdvvv.exec:\jdvvv.exe23⤵
- Executes dropped EXE
PID:4236 -
\??\c:\xlxlfxr.exec:\xlxlfxr.exe24⤵
- Executes dropped EXE
PID:1140 -
\??\c:\hhtnnn.exec:\hhtnnn.exe25⤵
- Executes dropped EXE
PID:4960 -
\??\c:\6860460.exec:\6860460.exe26⤵
- Executes dropped EXE
PID:3460 -
\??\c:\k28826.exec:\k28826.exe27⤵
- Executes dropped EXE
PID:264 -
\??\c:\6026008.exec:\6026008.exe28⤵
- Executes dropped EXE
PID:1956 -
\??\c:\40044.exec:\40044.exe29⤵
- Executes dropped EXE
PID:4584 -
\??\c:\c042220.exec:\c042220.exe30⤵
- Executes dropped EXE
PID:3980 -
\??\c:\tbhbbh.exec:\tbhbbh.exe31⤵
- Executes dropped EXE
PID:1832 -
\??\c:\4060448.exec:\4060448.exe32⤵
- Executes dropped EXE
PID:1704 -
\??\c:\xlxfxrl.exec:\xlxfxrl.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\hhthbn.exec:\hhthbn.exe34⤵
- Executes dropped EXE
PID:1540 -
\??\c:\g2826.exec:\g2826.exe35⤵
- Executes dropped EXE
PID:516 -
\??\c:\jvvpp.exec:\jvvpp.exe36⤵
- Executes dropped EXE
PID:4080 -
\??\c:\lrxxfxl.exec:\lrxxfxl.exe37⤵
- Executes dropped EXE
PID:2476 -
\??\c:\fflffxr.exec:\fflffxr.exe38⤵
- Executes dropped EXE
PID:2336 -
\??\c:\jjjjj.exec:\jjjjj.exe39⤵
- Executes dropped EXE
PID:1120 -
\??\c:\0060026.exec:\0060026.exe40⤵
- Executes dropped EXE
PID:1512 -
\??\c:\1xxlffr.exec:\1xxlffr.exe41⤵
- Executes dropped EXE
PID:3020 -
\??\c:\tnhbnh.exec:\tnhbnh.exe42⤵
- Executes dropped EXE
PID:4116 -
\??\c:\hhhbbh.exec:\hhhbbh.exe43⤵
- Executes dropped EXE
PID:4908 -
\??\c:\3fxlrrf.exec:\3fxlrrf.exe44⤵
- Executes dropped EXE
PID:4328 -
\??\c:\dvdpd.exec:\dvdpd.exe45⤵
- Executes dropped EXE
PID:3100 -
\??\c:\dvpdd.exec:\dvpdd.exe46⤵
- Executes dropped EXE
PID:2792 -
\??\c:\86608.exec:\86608.exe47⤵
- Executes dropped EXE
PID:4352 -
\??\c:\jvpdj.exec:\jvpdj.exe48⤵
- Executes dropped EXE
PID:3888 -
\??\c:\vddpj.exec:\vddpj.exe49⤵
- Executes dropped EXE
PID:3908 -
\??\c:\ttnhhh.exec:\ttnhhh.exe50⤵
- Executes dropped EXE
PID:1796 -
\??\c:\ddjpp.exec:\ddjpp.exe51⤵
- Executes dropped EXE
PID:4492 -
\??\c:\4888282.exec:\4888282.exe52⤵
- Executes dropped EXE
PID:4692 -
\??\c:\0886482.exec:\0886482.exe53⤵
- Executes dropped EXE
PID:8 -
\??\c:\lrlllrr.exec:\lrlllrr.exe54⤵
- Executes dropped EXE
PID:2996 -
\??\c:\6882264.exec:\6882264.exe55⤵
- Executes dropped EXE
PID:3356 -
\??\c:\0828264.exec:\0828264.exe56⤵
- Executes dropped EXE
PID:4696 -
\??\c:\406000.exec:\406000.exe57⤵
- Executes dropped EXE
PID:4576 -
\??\c:\200640.exec:\200640.exe58⤵
- Executes dropped EXE
PID:3660 -
\??\c:\e20448.exec:\e20448.exe59⤵
- Executes dropped EXE
PID:3012 -
\??\c:\062044.exec:\062044.exe60⤵
- Executes dropped EXE
PID:2864 -
\??\c:\644882.exec:\644882.exe61⤵
- Executes dropped EXE
PID:4000 -
\??\c:\frrrlll.exec:\frrrlll.exe62⤵
- Executes dropped EXE
PID:4884 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe63⤵
- Executes dropped EXE
PID:4252 -
\??\c:\2060446.exec:\2060446.exe64⤵
- Executes dropped EXE
PID:3728 -
\??\c:\xlrlxxl.exec:\xlrlxxl.exe65⤵
- Executes dropped EXE
PID:1204 -
\??\c:\hbnnnh.exec:\hbnnnh.exe66⤵PID:4780
-
\??\c:\vpvvp.exec:\vpvvp.exe67⤵PID:3444
-
\??\c:\o004204.exec:\o004204.exe68⤵PID:2796
-
\??\c:\frxrfxr.exec:\frxrfxr.exe69⤵PID:4264
-
\??\c:\1tnhtn.exec:\1tnhtn.exe70⤵PID:1636
-
\??\c:\rrfxxrl.exec:\rrfxxrl.exe71⤵PID:2304
-
\??\c:\8620046.exec:\8620046.exe72⤵PID:1300
-
\??\c:\rlrlfxx.exec:\rlrlfxx.exe73⤵PID:700
-
\??\c:\626808.exec:\626808.exe74⤵PID:3732
-
\??\c:\pjddv.exec:\pjddv.exe75⤵PID:2896
-
\??\c:\xrlxrfx.exec:\xrlxrfx.exe76⤵PID:4764
-
\??\c:\20600.exec:\20600.exe77⤵PID:4272
-
\??\c:\080460.exec:\080460.exe78⤵PID:2512
-
\??\c:\nbbttt.exec:\nbbttt.exe79⤵PID:3148
-
\??\c:\nbhbhb.exec:\nbhbhb.exe80⤵PID:3880
-
\??\c:\0466604.exec:\0466604.exe81⤵PID:2960
-
\??\c:\04404.exec:\04404.exe82⤵PID:2740
-
\??\c:\tbthhh.exec:\tbthhh.exe83⤵PID:4784
-
\??\c:\88260.exec:\88260.exe84⤵PID:1064
-
\??\c:\42406.exec:\42406.exe85⤵PID:4828
-
\??\c:\vppjj.exec:\vppjj.exe86⤵PID:2080
-
\??\c:\222288.exec:\222288.exe87⤵PID:4584
-
\??\c:\dvjdd.exec:\dvjdd.exe88⤵PID:1676
-
\??\c:\dvdvp.exec:\dvdvp.exe89⤵PID:1180
-
\??\c:\tbnbnh.exec:\tbnbnh.exe90⤵PID:1832
-
\??\c:\fxllxxr.exec:\fxllxxr.exe91⤵PID:2428
-
\??\c:\ddjdp.exec:\ddjdp.exe92⤵PID:2440
-
\??\c:\jddvv.exec:\jddvv.exe93⤵PID:2800
-
\??\c:\hththb.exec:\hththb.exe94⤵PID:3320
-
\??\c:\240600.exec:\240600.exe95⤵
- System Location Discovery: System Language Discovery
PID:3328 -
\??\c:\pjvdp.exec:\pjvdp.exe96⤵PID:4396
-
\??\c:\8404482.exec:\8404482.exe97⤵PID:720
-
\??\c:\3rxxrxr.exec:\3rxxrxr.exe98⤵PID:4452
-
\??\c:\64048.exec:\64048.exe99⤵PID:5016
-
\??\c:\9ntttt.exec:\9ntttt.exe100⤵PID:4468
-
\??\c:\46220.exec:\46220.exe101⤵PID:3664
-
\??\c:\vpppd.exec:\vpppd.exe102⤵PID:3608
-
\??\c:\004264.exec:\004264.exe103⤵PID:1756
-
\??\c:\428262.exec:\428262.exe104⤵PID:1136
-
\??\c:\btbtnn.exec:\btbtnn.exe105⤵PID:4356
-
\??\c:\thhlff.exec:\thhlff.exe106⤵PID:3944
-
\??\c:\jdvvj.exec:\jdvvj.exe107⤵
- System Location Discovery: System Language Discovery
PID:1816 -
\??\c:\862666.exec:\862666.exe108⤵PID:1036
-
\??\c:\pdppv.exec:\pdppv.exe109⤵PID:1656
-
\??\c:\djvpj.exec:\djvpj.exe110⤵PID:4692
-
\??\c:\6448222.exec:\6448222.exe111⤵PID:4456
-
\??\c:\nhnhhh.exec:\nhnhhh.exe112⤵PID:4876
-
\??\c:\tbnhbb.exec:\tbnhbb.exe113⤵PID:1052
-
\??\c:\668266.exec:\668266.exe114⤵PID:3012
-
\??\c:\7xlfxll.exec:\7xlfxll.exe115⤵PID:2864
-
\??\c:\82804.exec:\82804.exe116⤵PID:4488
-
\??\c:\8400088.exec:\8400088.exe117⤵PID:4252
-
\??\c:\q88648.exec:\q88648.exe118⤵PID:4944
-
\??\c:\628226.exec:\628226.exe119⤵PID:2364
-
\??\c:\442666.exec:\442666.exe120⤵PID:4428
-
\??\c:\lrrfxrf.exec:\lrrfxrf.exe121⤵PID:3332
-
\??\c:\4820460.exec:\4820460.exe122⤵PID:2060