Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 01:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5.exe
Resource
win7-20240903-en
7 signatures
150 seconds
Note: only the behavioral1 (Windows 7) task entry is shown here, but every signature hit below is tagged behavioral2, i.e. it comes from the windows10-2004_x64 / win10v2004-20241007-en run listed under Analysis. Treat the Win7 task's results as not included in this excerpt rather than as identical to what follows.
General
-
Target
94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5.exe
-
Size
453KB
-
MD5
d5ef3fb54e3343b2e1b180ff17f0c37e
-
SHA1
c9c2139c59f2914d86b01859bda770a9cd8074c2
-
SHA256
94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5
-
SHA512
03ee9168124d0dac5284d5c28d3128e41d361814e611e67b54af0cd1a7a76893b1cbacff4c303b25c3b7321c91b75a7f70e61f3890d4f97b1aca6d1c69b82c5e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbea:q7Tc2NYHUrAwfMp3CDa
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs (the list is capped at 64 entries). Every hit is the same 0x0000000000400000–0x000000000042A000 region in a different PID, and the same regions are matched by the separate 'upx' yara rule below, which suggests each process in the chain is a copy of the same UPX-packed image — confirm by hashing the dropped files before treating them as distinct artifacts.
resource yara_rule behavioral2/memory/4744-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5104-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/316-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-715-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-815-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-861-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-913-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3928-1524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (capped at 64; the process tree below continues past PID 812 / depth 66 with entries that carry no signature tag, so the actual drop-and-execute chain is longer than this list).
pid Process 1320 tbhbbt.exe 3248 lllfrfl.exe 3572 9xffxlf.exe 4044 5ddvp.exe 1092 ffxrlff.exe 3904 pdjjd.exe 1100 1fxrlfr.exe 4472 lxfxrrr.exe 1288 1btnhh.exe 1368 vpddp.exe 4456 frrxxrr.exe 1284 rrxrrrl.exe 2056 3lfxrrl.exe 760 hthbtn.exe 4580 dvdvj.exe 4684 frfxllf.exe 1296 djjdj.exe 4648 3frlfxr.exe 1748 ttnhht.exe 4388 fxxrllf.exe 4316 flxrlfx.exe 4088 vjjpj.exe 5044 xxrllll.exe 5104 dpvdd.exe 440 xxffxrx.exe 3664 bttnhb.exe 1784 dvppj.exe 1992 7ffffll.exe 3540 9bbtnn.exe 2608 rrfxxxf.exe 2100 jvvpv.exe 1976 vjpjd.exe 4728 btntht.exe 1736 bbtnnb.exe 4428 xxfxxxx.exe 4596 bthtbh.exe 2000 ffrrfff.exe 1264 ttbtnh.exe 1132 lfxrlfx.exe 5108 vvvdd.exe 2628 ffxrlfl.exe 1004 frxxxxx.exe 3092 thhtnt.exe 3388 5pppd.exe 3236 lllfxlr.exe 4040 thtnhh.exe 1300 dpvvv.exe 2928 xxxxrrl.exe 4940 lfxlxfr.exe 2876 htbtnh.exe 4816 jdjdp.exe 2400 xrlxlll.exe 2932 tbbbbt.exe 1292 jppvj.exe 4052 rrxrfrl.exe 3972 nhbtnt.exe 1848 nbhbnh.exe 4756 pddvp.exe 4516 llfxrxr.exe 4584 fxlffff.exe 2476 5ntnbb.exe 2864 ddpdj.exe 2044 5xrxfxx.exe 812 thhhbt.exe -
resource yara_rule behavioral2/memory/4744-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-135-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5104-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2100-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/316-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-321-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1536-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-715-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries listed as "Process not Found" are registry opens whose originating process the sandbox could not resolve by name (presumably because the process had already exited in this rapidly forking chain); treat them as unattributed hits, not as absent ones.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ntntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4744 wrote to memory of 1320 4744 94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5.exe 82 PID 4744 wrote to memory of 1320 4744 94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5.exe 82 PID 4744 wrote to memory of 1320 4744 94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5.exe 82 PID 1320 wrote to memory of 3248 1320 tbhbbt.exe 83 PID 1320 wrote to memory of 3248 1320 tbhbbt.exe 83 PID 1320 wrote to memory of 3248 1320 tbhbbt.exe 83 PID 3248 wrote to memory of 3572 3248 lllfrfl.exe 84 PID 3248 wrote to memory of 3572 3248 lllfrfl.exe 84 PID 3248 wrote to memory of 3572 3248 lllfrfl.exe 84 PID 3572 wrote to memory of 4044 3572 9xffxlf.exe 85 PID 3572 wrote to memory of 4044 3572 9xffxlf.exe 85 PID 3572 wrote to memory of 4044 3572 9xffxlf.exe 85 PID 4044 wrote to memory of 1092 4044 5ddvp.exe 86 PID 4044 wrote to memory of 1092 4044 5ddvp.exe 86 PID 4044 wrote to memory of 1092 4044 5ddvp.exe 86 PID 1092 wrote to memory of 3904 1092 ffxrlff.exe 87 PID 1092 wrote to memory of 3904 1092 ffxrlff.exe 87 PID 1092 wrote to memory of 3904 1092 ffxrlff.exe 87 PID 3904 wrote to memory of 1100 3904 pdjjd.exe 88 PID 3904 wrote to memory of 1100 3904 pdjjd.exe 88 PID 3904 wrote to memory of 1100 3904 pdjjd.exe 88 PID 1100 wrote to memory of 4472 1100 1fxrlfr.exe 89 PID 1100 wrote to memory of 4472 1100 1fxrlfr.exe 89 PID 1100 wrote to memory of 4472 1100 1fxrlfr.exe 89 PID 4472 wrote to memory of 1288 4472 lxfxrrr.exe 90 PID 4472 wrote to memory of 1288 4472 lxfxrrr.exe 90 PID 4472 wrote to memory of 1288 4472 lxfxrrr.exe 90 PID 1288 wrote to memory of 1368 1288 1btnhh.exe 91 PID 1288 wrote to memory of 1368 1288 1btnhh.exe 91 PID 1288 wrote to memory of 1368 1288 1btnhh.exe 91 PID 1368 wrote to memory of 4456 1368 vpddp.exe 92 PID 1368 wrote to memory of 4456 1368 vpddp.exe 92 PID 1368 wrote to memory of 4456 1368 vpddp.exe 92 PID 4456 wrote to memory of 1284 4456 frrxxrr.exe 93 PID 4456 
wrote to memory of 1284 4456 frrxxrr.exe 93 PID 4456 wrote to memory of 1284 4456 frrxxrr.exe 93 PID 1284 wrote to memory of 2056 1284 rrxrrrl.exe 94 PID 1284 wrote to memory of 2056 1284 rrxrrrl.exe 94 PID 1284 wrote to memory of 2056 1284 rrxrrrl.exe 94 PID 2056 wrote to memory of 760 2056 3lfxrrl.exe 95 PID 2056 wrote to memory of 760 2056 3lfxrrl.exe 95 PID 2056 wrote to memory of 760 2056 3lfxrrl.exe 95 PID 760 wrote to memory of 4580 760 hthbtn.exe 96 PID 760 wrote to memory of 4580 760 hthbtn.exe 96 PID 760 wrote to memory of 4580 760 hthbtn.exe 96 PID 4580 wrote to memory of 4684 4580 dvdvj.exe 97 PID 4580 wrote to memory of 4684 4580 dvdvj.exe 97 PID 4580 wrote to memory of 4684 4580 dvdvj.exe 97 PID 4684 wrote to memory of 1296 4684 frfxllf.exe 98 PID 4684 wrote to memory of 1296 4684 frfxllf.exe 98 PID 4684 wrote to memory of 1296 4684 frfxllf.exe 98 PID 1296 wrote to memory of 4648 1296 djjdj.exe 99 PID 1296 wrote to memory of 4648 1296 djjdj.exe 99 PID 1296 wrote to memory of 4648 1296 djjdj.exe 99 PID 4648 wrote to memory of 1748 4648 3frlfxr.exe 100 PID 4648 wrote to memory of 1748 4648 3frlfxr.exe 100 PID 4648 wrote to memory of 1748 4648 3frlfxr.exe 100 PID 1748 wrote to memory of 4388 1748 ttnhht.exe 101 PID 1748 wrote to memory of 4388 1748 ttnhht.exe 101 PID 1748 wrote to memory of 4388 1748 ttnhht.exe 101 PID 4388 wrote to memory of 4316 4388 fxxrllf.exe 102 PID 4388 wrote to memory of 4316 4388 fxxrllf.exe 102 PID 4388 wrote to memory of 4316 4388 fxxrllf.exe 102 PID 4316 wrote to memory of 4088 4316 flxrlfx.exe 103
Processes (each entry shows the image path, then the command line, then its nesting depth in the tree; apart from the root sample, every executable is dropped into the root of C:\ with a short name built from a small set of letters and digits — a useful hunting pattern, e.g. new *.exe files directly under C:\ with names like tbhbbt.exe or 9xffxlf.exe)
-
C:\Users\Admin\AppData\Local\Temp\94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5.exe — command line: "C:\Users\Admin\AppData\Local\Temp\94824cc2f15b47e53175e908d0a2b4378c7f16560a1017b789f9e4a7fbbfaab5.exe" (depth 1)
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\tbhbbt.exec:\tbhbbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\lllfrfl.exec:\lllfrfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\9xffxlf.exec:\9xffxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\5ddvp.exec:\5ddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\ffxrlff.exec:\ffxrlff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\pdjjd.exec:\pdjjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\1fxrlfr.exec:\1fxrlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100 -
\??\c:\lxfxrrr.exec:\lxfxrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\1btnhh.exec:\1btnhh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\vpddp.exec:\vpddp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\frrxxrr.exec:\frrxxrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\rrxrrrl.exec:\rrxrrrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1284 -
\??\c:\3lfxrrl.exec:\3lfxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
\??\c:\hthbtn.exec:\hthbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\dvdvj.exec:\dvdvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
\??\c:\frfxllf.exec:\frfxllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\djjdj.exec:\djjdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296 -
\??\c:\3frlfxr.exec:\3frlfxr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\ttnhht.exec:\ttnhht.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\fxxrllf.exec:\fxxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\flxrlfx.exec:\flxrlfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\vjjpj.exec:\vjjpj.exe23⤵
- Executes dropped EXE
PID:4088 -
\??\c:\xxrllll.exec:\xxrllll.exe24⤵
- Executes dropped EXE
PID:5044 -
\??\c:\dpvdd.exec:\dpvdd.exe25⤵
- Executes dropped EXE
PID:5104 -
\??\c:\xxffxrx.exec:\xxffxrx.exe26⤵
- Executes dropped EXE
PID:440 -
\??\c:\bttnhb.exec:\bttnhb.exe27⤵
- Executes dropped EXE
PID:3664 -
\??\c:\dvppj.exec:\dvppj.exe28⤵
- Executes dropped EXE
PID:1784 -
\??\c:\7ffffll.exec:\7ffffll.exe29⤵
- Executes dropped EXE
PID:1992 -
\??\c:\9bbtnn.exec:\9bbtnn.exe30⤵
- Executes dropped EXE
PID:3540 -
\??\c:\rrfxxxf.exec:\rrfxxxf.exe31⤵
- Executes dropped EXE
PID:2608 -
\??\c:\jvvpv.exec:\jvvpv.exe32⤵
- Executes dropped EXE
PID:2100 -
\??\c:\vjpjd.exec:\vjpjd.exe33⤵
- Executes dropped EXE
PID:1976 -
\??\c:\btntht.exec:\btntht.exe34⤵
- Executes dropped EXE
PID:4728 -
\??\c:\bbtnnb.exec:\bbtnnb.exe35⤵
- Executes dropped EXE
PID:1736 -
\??\c:\xxfxxxx.exec:\xxfxxxx.exe36⤵
- Executes dropped EXE
PID:4428 -
\??\c:\bthtbh.exec:\bthtbh.exe37⤵
- Executes dropped EXE
PID:4596 -
\??\c:\ffrrfff.exec:\ffrrfff.exe38⤵
- Executes dropped EXE
PID:2000 -
\??\c:\ttbtnh.exec:\ttbtnh.exe39⤵
- Executes dropped EXE
PID:1264 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe40⤵
- Executes dropped EXE
PID:1132 -
\??\c:\vvvdd.exec:\vvvdd.exe41⤵
- Executes dropped EXE
PID:5108 -
\??\c:\ffxrlfl.exec:\ffxrlfl.exe42⤵
- Executes dropped EXE
PID:2628 -
\??\c:\hbbbtt.exec:\hbbbtt.exe43⤵PID:4440
-
\??\c:\frxxxxx.exec:\frxxxxx.exe44⤵
- Executes dropped EXE
PID:1004 -
\??\c:\thhtnt.exec:\thhtnt.exe45⤵
- Executes dropped EXE
PID:3092 -
\??\c:\5pppd.exec:\5pppd.exe46⤵
- Executes dropped EXE
PID:3388 -
\??\c:\lllfxlr.exec:\lllfxlr.exe47⤵
- Executes dropped EXE
PID:3236 -
\??\c:\thtnhh.exec:\thtnhh.exe48⤵
- Executes dropped EXE
PID:4040 -
\??\c:\dpvvv.exec:\dpvvv.exe49⤵
- Executes dropped EXE
PID:1300 -
\??\c:\xxxxrrl.exec:\xxxxrrl.exe50⤵
- Executes dropped EXE
PID:2928 -
\??\c:\lfxlxfr.exec:\lfxlxfr.exe51⤵
- Executes dropped EXE
PID:4940 -
\??\c:\htbtnh.exec:\htbtnh.exe52⤵
- Executes dropped EXE
PID:2876 -
\??\c:\jdjdp.exec:\jdjdp.exe53⤵
- Executes dropped EXE
PID:4816 -
\??\c:\xrlxlll.exec:\xrlxlll.exe54⤵
- Executes dropped EXE
PID:2400 -
\??\c:\tbbbbt.exec:\tbbbbt.exe55⤵
- Executes dropped EXE
PID:2932 -
\??\c:\jppvj.exec:\jppvj.exe56⤵
- Executes dropped EXE
PID:1292 -
\??\c:\rrxrfrl.exec:\rrxrfrl.exe57⤵
- Executes dropped EXE
PID:4052 -
\??\c:\nhbtnt.exec:\nhbtnt.exe58⤵
- Executes dropped EXE
PID:3972 -
\??\c:\nbhbnh.exec:\nbhbnh.exe59⤵
- Executes dropped EXE
PID:1848 -
\??\c:\pddvp.exec:\pddvp.exe60⤵
- Executes dropped EXE
PID:4756 -
\??\c:\llfxrxr.exec:\llfxrxr.exe61⤵
- Executes dropped EXE
PID:4516 -
\??\c:\fxlffff.exec:\fxlffff.exe62⤵
- Executes dropped EXE
PID:4584 -
\??\c:\5ntnbb.exec:\5ntnbb.exe63⤵
- Executes dropped EXE
PID:2476 -
\??\c:\ddpdj.exec:\ddpdj.exe64⤵
- Executes dropped EXE
PID:2864 -
\??\c:\5xrxfxx.exec:\5xrxfxx.exe65⤵
- Executes dropped EXE
PID:2044 -
\??\c:\thhhbt.exec:\thhhbt.exe66⤵
- Executes dropped EXE
PID:812 -
\??\c:\jdvpd.exec:\jdvpd.exe67⤵PID:3400
-
\??\c:\jppdp.exec:\jppdp.exe68⤵PID:2372
-
\??\c:\lffxrrl.exec:\lffxrrl.exe69⤵PID:316
-
\??\c:\bhnbtn.exec:\bhnbtn.exe70⤵PID:3944
-
\??\c:\5pvpp.exec:\5pvpp.exe71⤵PID:2832
-
\??\c:\9dvvv.exec:\9dvvv.exe72⤵PID:4380
-
\??\c:\frrrlrr.exec:\frrrlrr.exe73⤵PID:4828
-
\??\c:\nhbbbn.exec:\nhbbbn.exe74⤵PID:1536
-
\??\c:\rxxlxlr.exec:\rxxlxlr.exe75⤵PID:4452
-
\??\c:\tttntt.exec:\tttntt.exe76⤵PID:3624
-
\??\c:\vpjdv.exec:\vpjdv.exe77⤵PID:4400
-
\??\c:\9lllxxl.exec:\9lllxxl.exe78⤵PID:448
-
\??\c:\rrflrfx.exec:\rrflrfx.exe79⤵PID:1512
-
\??\c:\nttnbt.exec:\nttnbt.exe80⤵PID:4900
-
\??\c:\dvdvp.exec:\dvdvp.exe81⤵PID:2576
-
\??\c:\xlflxrr.exec:\xlflxrr.exe82⤵PID:5052
-
\??\c:\7nbtnh.exec:\7nbtnh.exe83⤵PID:2344
-
\??\c:\1pdvv.exec:\1pdvv.exe84⤵PID:5104
-
\??\c:\jpdvv.exec:\jpdvv.exe85⤵PID:2080
-
\??\c:\flllffx.exec:\flllffx.exe86⤵PID:4112
-
\??\c:\nbhnhh.exec:\nbhnhh.exe87⤵PID:512
-
\??\c:\pdvpj.exec:\pdvpj.exe88⤵PID:4268
-
\??\c:\xfrlflf.exec:\xfrlflf.exe89⤵PID:3100
-
\??\c:\bttbbb.exec:\bttbbb.exe90⤵PID:2292
-
\??\c:\pjjpv.exec:\pjjpv.exe91⤵PID:2660
-
\??\c:\frrrlll.exec:\frrrlll.exe92⤵PID:4652
-
\??\c:\frrllff.exec:\frrllff.exe93⤵PID:3060
-
\??\c:\5nhhbb.exec:\5nhhbb.exe94⤵PID:3108
-
\??\c:\dppjj.exec:\dppjj.exe95⤵PID:2180
-
\??\c:\fxxxxxx.exec:\fxxxxxx.exe96⤵PID:1740
-
\??\c:\tnhhnn.exec:\tnhhnn.exe97⤵PID:3496
-
\??\c:\pjjdp.exec:\pjjdp.exe98⤵PID:4728
-
\??\c:\ddpjd.exec:\ddpjd.exe99⤵PID:4152
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe100⤵PID:2808
-
\??\c:\3nttbb.exec:\3nttbb.exe101⤵PID:4596
-
\??\c:\ttbhhh.exec:\ttbhhh.exe102⤵PID:4996
-
\??\c:\vpvpp.exec:\vpvpp.exe103⤵PID:220
-
\??\c:\fxxrflf.exec:\fxxrflf.exe104⤵PID:3440
-
\??\c:\9tbtnn.exec:\9tbtnn.exe105⤵PID:4360
-
\??\c:\vdjdp.exec:\vdjdp.exe106⤵PID:1824
-
\??\c:\xxrrlrr.exec:\xxrrlrr.exe107⤵PID:3268
-
\??\c:\tnttbt.exec:\tnttbt.exe108⤵PID:4980
-
\??\c:\jjppp.exec:\jjppp.exe109⤵PID:4892
-
\??\c:\llxrfrl.exec:\llxrfrl.exe110⤵PID:1380
-
\??\c:\thnhbt.exec:\thnhbt.exe111⤵PID:2388
-
\??\c:\9bhbbb.exec:\9bhbbb.exe112⤵PID:556
-
\??\c:\pdvpd.exec:\pdvpd.exe113⤵PID:3388
-
\??\c:\ffffxxx.exec:\ffffxxx.exe114⤵PID:3236
-
\??\c:\nhhbtn.exec:\nhhbtn.exe115⤵PID:2844
-
\??\c:\djvpj.exec:\djvpj.exe116⤵PID:3464
-
\??\c:\lrxrllf.exec:\lrxrllf.exe117⤵PID:3844
-
\??\c:\lrrfxrl.exec:\lrrfxrl.exe118⤵PID:4544
-
\??\c:\bnnnnt.exec:\bnnnnt.exe119⤵PID:4760
-
\??\c:\jvdjd.exec:\jvdjd.exe120⤵PID:3904
-
\??\c:\lxfrlfr.exec:\lxfrlfr.exe121⤵PID:68
-
\??\c:\ththtn.exec:\ththtn.exe122⤵PID:2504