Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe
-
Size
455KB
-
MD5
c2d60652899237eab1f854a06e871b80
-
SHA1
64561bbc313ee32a4e00f8ad0ab596e1721087af
-
SHA256
473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827
-
SHA512
f665a96d194c72ae1041fef979274978d28b3bec8a31e49d4b164ee8dd97d1fd3bd89166c0f7933ce84e0d19efb5b5724c71a108ed87895cdb328ba695def7a3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT2:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4204-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/692-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4284-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1212-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4912-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3476-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/604-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-692-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-944-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-978-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-1273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-1277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/316-1339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4204 bhbtbh.exe 3564 pjjpp.exe 1712 lxxxrrr.exe 2472 vpvpp.exe 2044 9djjd.exe 1404 tbhbtt.exe 2988 vpddp.exe 2592 pvjjd.exe 692 bbbhbb.exe 4884 dvdvv.exe 4284 fxlrrrr.exe 3640 thbtnt.exe 1960 llxrxrx.exe 2680 3ntnhh.exe 1632 vvvvv.exe 4836 rrfxlxr.exe 1184 nhbtnn.exe 1952 tnnhhb.exe 4332 lfllflf.exe 1212 vjvjd.exe 1016 frffxfx.exe 3656 jdpjd.exe 3496 jddvp.exe 1792 fflfxlf.exe 4912 1hbttb.exe 1344 ddjdv.exe 516 3btntt.exe 4348 vjddj.exe 840 rllfxrl.exe 4484 jvppd.exe 3572 5llxlfr.exe 4552 jjvvd.exe 2352 xlrfrrf.exe 4252 ntbnbt.exe 3132 dppdv.exe 1304 vdvdp.exe 3428 xrxrlfx.exe 3620 tnhbnn.exe 3148 jppjv.exe 2488 xrxlxrx.exe 4860 tttthb.exe 1472 hntthb.exe 5060 jddpj.exe 2996 lrxrllf.exe 5020 htnhbt.exe 1864 jdvpj.exe 2356 xrrlfff.exe 380 rfxrxfx.exe 2128 7hnhhh.exe 4328 pdpdv.exe 3336 xrlfxxl.exe 1012 rlxrxxf.exe 4200 bbbnbt.exe 3404 jjpjd.exe 4960 jpvpd.exe 3760 xllfrlf.exe 5072 bbtnbt.exe 2784 jdjvv.exe 2984 lffxlfx.exe 2944 tntnnh.exe 4008 7hhthb.exe 3680 3pvjv.exe 2612 7lrfxrf.exe 1124 tbnbtt.exe -
resource yara_rule behavioral2/memory/4204-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/692-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4284-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1212-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4348-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-381-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3964-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-533-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/604-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-790-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1012 wrote to memory of 4204 1012 473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe 82 PID 1012 wrote to memory of 4204 1012 473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe 82 PID 1012 wrote to memory of 4204 1012 473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe 82 PID 4204 wrote to memory of 3564 4204 bhbtbh.exe 83 PID 4204 wrote to memory of 3564 4204 bhbtbh.exe 83 PID 4204 wrote to memory of 3564 4204 bhbtbh.exe 83 PID 3564 wrote to memory of 1712 3564 pjjpp.exe 84 PID 3564 wrote to memory of 1712 3564 pjjpp.exe 84 PID 3564 wrote to memory of 1712 3564 pjjpp.exe 84 PID 1712 wrote to memory of 2472 1712 lxxxrrr.exe 85 PID 1712 wrote to memory of 2472 1712 lxxxrrr.exe 85 PID 1712 wrote to memory of 2472 1712 lxxxrrr.exe 85 PID 2472 wrote to memory of 2044 2472 vpvpp.exe 86 PID 2472 wrote to memory of 2044 2472 vpvpp.exe 86 PID 2472 wrote to memory of 2044 2472 vpvpp.exe 86 PID 2044 wrote to memory of 1404 2044 9djjd.exe 87 PID 2044 wrote to memory of 1404 2044 9djjd.exe 87 PID 2044 wrote to memory of 1404 2044 9djjd.exe 87 PID 1404 wrote to memory of 2988 1404 tbhbtt.exe 88 PID 1404 wrote to memory of 2988 1404 tbhbtt.exe 88 PID 1404 wrote to memory of 2988 1404 tbhbtt.exe 88 PID 2988 wrote to memory of 2592 2988 vpddp.exe 89 PID 2988 wrote to memory of 2592 2988 vpddp.exe 89 PID 2988 wrote to memory of 2592 2988 vpddp.exe 89 PID 2592 wrote to memory of 692 2592 pvjjd.exe 90 PID 2592 wrote to memory of 692 2592 pvjjd.exe 90 PID 2592 wrote to memory of 692 2592 pvjjd.exe 90 PID 692 wrote to memory of 4884 692 bbbhbb.exe 91 PID 692 wrote to memory of 4884 692 bbbhbb.exe 91 PID 692 wrote to memory of 4884 692 bbbhbb.exe 91 PID 4884 wrote to memory of 4284 4884 dvdvv.exe 92 PID 4884 wrote to memory of 4284 4884 dvdvv.exe 92 PID 4884 wrote to memory of 4284 4884 dvdvv.exe 92 PID 4284 wrote to memory of 3640 4284 fxlrrrr.exe 93 PID 4284 wrote to memory of 3640 4284 
fxlrrrr.exe 93 PID 4284 wrote to memory of 3640 4284 fxlrrrr.exe 93 PID 3640 wrote to memory of 1960 3640 thbtnt.exe 94 PID 3640 wrote to memory of 1960 3640 thbtnt.exe 94 PID 3640 wrote to memory of 1960 3640 thbtnt.exe 94 PID 1960 wrote to memory of 2680 1960 llxrxrx.exe 95 PID 1960 wrote to memory of 2680 1960 llxrxrx.exe 95 PID 1960 wrote to memory of 2680 1960 llxrxrx.exe 95 PID 2680 wrote to memory of 1632 2680 3ntnhh.exe 96 PID 2680 wrote to memory of 1632 2680 3ntnhh.exe 96 PID 2680 wrote to memory of 1632 2680 3ntnhh.exe 96 PID 1632 wrote to memory of 4836 1632 vvvvv.exe 97 PID 1632 wrote to memory of 4836 1632 vvvvv.exe 97 PID 1632 wrote to memory of 4836 1632 vvvvv.exe 97 PID 4836 wrote to memory of 1184 4836 rrfxlxr.exe 98 PID 4836 wrote to memory of 1184 4836 rrfxlxr.exe 98 PID 4836 wrote to memory of 1184 4836 rrfxlxr.exe 98 PID 1184 wrote to memory of 1952 1184 nhbtnn.exe 99 PID 1184 wrote to memory of 1952 1184 nhbtnn.exe 99 PID 1184 wrote to memory of 1952 1184 nhbtnn.exe 99 PID 1952 wrote to memory of 4332 1952 tnnhhb.exe 100 PID 1952 wrote to memory of 4332 1952 tnnhhb.exe 100 PID 1952 wrote to memory of 4332 1952 tnnhhb.exe 100 PID 4332 wrote to memory of 1212 4332 lfllflf.exe 101 PID 4332 wrote to memory of 1212 4332 lfllflf.exe 101 PID 4332 wrote to memory of 1212 4332 lfllflf.exe 101 PID 1212 wrote to memory of 1016 1212 vjvjd.exe 102 PID 1212 wrote to memory of 1016 1212 vjvjd.exe 102 PID 1212 wrote to memory of 1016 1212 vjvjd.exe 102 PID 1016 wrote to memory of 3656 1016 frffxfx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe"C:\Users\Admin\AppData\Local\Temp\473c71cd74150357e243282e5fc2d8b5fa950b915fccd8da8bf012457aa7e827N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1012 -
\??\c:\bhbtbh.exec:\bhbtbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\pjjpp.exec:\pjjpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\vpvpp.exec:\vpvpp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\9djjd.exec:\9djjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\tbhbtt.exec:\tbhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\vpddp.exec:\vpddp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\pvjjd.exec:\pvjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\bbbhbb.exec:\bbbhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
\??\c:\dvdvv.exec:\dvdvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\fxlrrrr.exec:\fxlrrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
\??\c:\thbtnt.exec:\thbtnt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3640 -
\??\c:\llxrxrx.exec:\llxrxrx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\3ntnhh.exec:\3ntnhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\vvvvv.exec:\vvvvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\rrfxlxr.exec:\rrfxlxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\nhbtnn.exec:\nhbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184 -
\??\c:\tnnhhb.exec:\tnnhhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\lfllflf.exec:\lfllflf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\vjvjd.exec:\vjvjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1212 -
\??\c:\frffxfx.exec:\frffxfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\jdpjd.exec:\jdpjd.exe23⤵
- Executes dropped EXE
PID:3656 -
\??\c:\jddvp.exec:\jddvp.exe24⤵
- Executes dropped EXE
PID:3496 -
\??\c:\fflfxlf.exec:\fflfxlf.exe25⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1hbttb.exec:\1hbttb.exe26⤵
- Executes dropped EXE
PID:4912 -
\??\c:\ddjdv.exec:\ddjdv.exe27⤵
- Executes dropped EXE
PID:1344 -
\??\c:\3btntt.exec:\3btntt.exe28⤵
- Executes dropped EXE
PID:516 -
\??\c:\vjddj.exec:\vjddj.exe29⤵
- Executes dropped EXE
PID:4348 -
\??\c:\rllfxrl.exec:\rllfxrl.exe30⤵
- Executes dropped EXE
PID:840 -
\??\c:\jvppd.exec:\jvppd.exe31⤵
- Executes dropped EXE
PID:4484 -
\??\c:\5llxlfr.exec:\5llxlfr.exe32⤵
- Executes dropped EXE
PID:3572 -
\??\c:\jjvvd.exec:\jjvvd.exe33⤵
- Executes dropped EXE
PID:4552 -
\??\c:\xlrfrrf.exec:\xlrfrrf.exe34⤵
- Executes dropped EXE
PID:2352 -
\??\c:\ntbnbt.exec:\ntbnbt.exe35⤵
- Executes dropped EXE
PID:4252 -
\??\c:\dppdv.exec:\dppdv.exe36⤵
- Executes dropped EXE
PID:3132 -
\??\c:\vdvdp.exec:\vdvdp.exe37⤵
- Executes dropped EXE
PID:1304 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe38⤵
- Executes dropped EXE
PID:3428 -
\??\c:\tnhbnn.exec:\tnhbnn.exe39⤵
- Executes dropped EXE
PID:3620 -
\??\c:\jppjv.exec:\jppjv.exe40⤵
- Executes dropped EXE
PID:3148 -
\??\c:\xrxlxrx.exec:\xrxlxrx.exe41⤵
- Executes dropped EXE
PID:2488 -
\??\c:\tttthb.exec:\tttthb.exe42⤵
- Executes dropped EXE
PID:4860 -
\??\c:\hntthb.exec:\hntthb.exe43⤵
- Executes dropped EXE
PID:1472 -
\??\c:\jddpj.exec:\jddpj.exe44⤵
- Executes dropped EXE
PID:5060 -
\??\c:\lrxrllf.exec:\lrxrllf.exe45⤵
- Executes dropped EXE
PID:2996 -
\??\c:\htnhbt.exec:\htnhbt.exe46⤵
- Executes dropped EXE
PID:5020 -
\??\c:\jdvpj.exec:\jdvpj.exe47⤵
- Executes dropped EXE
PID:1864 -
\??\c:\xrrlfff.exec:\xrrlfff.exe48⤵
- Executes dropped EXE
PID:2356 -
\??\c:\rfxrxfx.exec:\rfxrxfx.exe49⤵
- Executes dropped EXE
PID:380 -
\??\c:\7hnhhh.exec:\7hnhhh.exe50⤵
- Executes dropped EXE
PID:2128 -
\??\c:\pdpdv.exec:\pdpdv.exe51⤵
- Executes dropped EXE
PID:4328 -
\??\c:\xrlfxxl.exec:\xrlfxxl.exe52⤵
- Executes dropped EXE
PID:3336 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe53⤵
- Executes dropped EXE
PID:1012 -
\??\c:\bbbnbt.exec:\bbbnbt.exe54⤵
- Executes dropped EXE
PID:4200 -
\??\c:\jjpjd.exec:\jjpjd.exe55⤵
- Executes dropped EXE
PID:3404 -
\??\c:\jpvpd.exec:\jpvpd.exe56⤵
- Executes dropped EXE
PID:4960 -
\??\c:\xllfrlf.exec:\xllfrlf.exe57⤵
- Executes dropped EXE
PID:3760 -
\??\c:\bbtnbt.exec:\bbtnbt.exe58⤵
- Executes dropped EXE
PID:5072 -
\??\c:\jdjvv.exec:\jdjvv.exe59⤵
- Executes dropped EXE
PID:2784 -
\??\c:\lffxlfx.exec:\lffxlfx.exe60⤵
- Executes dropped EXE
PID:2984 -
\??\c:\tntnnh.exec:\tntnnh.exe61⤵
- Executes dropped EXE
PID:2944 -
\??\c:\7hhthb.exec:\7hhthb.exe62⤵
- Executes dropped EXE
PID:4008 -
\??\c:\3pvjv.exec:\3pvjv.exe63⤵
- Executes dropped EXE
PID:3680 -
\??\c:\7lrfxrf.exec:\7lrfxrf.exe64⤵
- Executes dropped EXE
PID:2612 -
\??\c:\tbnbtt.exec:\tbnbtt.exe65⤵
- Executes dropped EXE
PID:1124 -
\??\c:\lxxrffr.exec:\lxxrffr.exe66⤵PID:2688
-
\??\c:\bnthbt.exec:\bnthbt.exe67⤵PID:4968
-
\??\c:\pdvpj.exec:\pdvpj.exe68⤵PID:2104
-
\??\c:\fflxllf.exec:\fflxllf.exe69⤵PID:4888
-
\??\c:\rrxfxlf.exec:\rrxfxlf.exe70⤵PID:4128
-
\??\c:\bhntnh.exec:\bhntnh.exe71⤵PID:4664
-
\??\c:\vvppj.exec:\vvppj.exe72⤵PID:1592
-
\??\c:\xlrlfrl.exec:\xlrlfrl.exe73⤵PID:4956
-
\??\c:\1nhbhb.exec:\1nhbhb.exe74⤵PID:116
-
\??\c:\ntbthh.exec:\ntbthh.exe75⤵PID:1256
-
\??\c:\pvddv.exec:\pvddv.exe76⤵PID:4028
-
\??\c:\rffxrlf.exec:\rffxrlf.exe77⤵PID:4376
-
\??\c:\bthbnb.exec:\bthbnb.exe78⤵PID:4652
-
\??\c:\hhnhbh.exec:\hhnhbh.exe79⤵PID:5036
-
\??\c:\vvvpj.exec:\vvvpj.exe80⤵PID:1320
-
\??\c:\ffrlfxx.exec:\ffrlfxx.exe81⤵PID:4892
-
\??\c:\1ntthh.exec:\1ntthh.exe82⤵PID:3272
-
\??\c:\thnhbb.exec:\thnhbb.exe83⤵PID:1160
-
\??\c:\jdpjd.exec:\jdpjd.exe84⤵PID:3476
-
\??\c:\rrllxrl.exec:\rrllxrl.exe85⤵PID:896
-
\??\c:\bntnnh.exec:\bntnnh.exe86⤵PID:2940
-
\??\c:\jvvvj.exec:\jvvvj.exe87⤵PID:4728
-
\??\c:\ffrfxxl.exec:\ffrfxxl.exe88⤵PID:1792
-
\??\c:\3btnhh.exec:\3btnhh.exe89⤵PID:3736
-
\??\c:\9jvjv.exec:\9jvjv.exe90⤵PID:4140
-
\??\c:\fxxxlrf.exec:\fxxxlrf.exe91⤵PID:4436
-
\??\c:\ntbbhh.exec:\ntbbhh.exe92⤵PID:888
-
\??\c:\ddddv.exec:\ddddv.exe93⤵PID:4804
-
\??\c:\lrfxlff.exec:\lrfxlff.exe94⤵PID:840
-
\??\c:\rlrxxff.exec:\rlrxxff.exe95⤵PID:2344
-
\??\c:\thnhhb.exec:\thnhhb.exe96⤵PID:344
-
\??\c:\pjjvp.exec:\pjjvp.exe97⤵PID:3964
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe98⤵PID:708
-
\??\c:\xrrrllf.exec:\xrrrllf.exe99⤵PID:964
-
\??\c:\hhhbbb.exec:\hhhbbb.exe100⤵PID:2620
-
\??\c:\dvvpd.exec:\dvvpd.exe101⤵PID:1648
-
\??\c:\lflxrlf.exec:\lflxrlf.exe102⤵PID:4256
-
\??\c:\tnnhht.exec:\tnnhht.exe103⤵PID:1304
-
\??\c:\pvjdp.exec:\pvjdp.exe104⤵PID:3384
-
\??\c:\ppddv.exec:\ppddv.exe105⤵PID:4392
-
\??\c:\rffxlxr.exec:\rffxlxr.exe106⤵PID:3280
-
\??\c:\hbhbnn.exec:\hbhbnn.exe107⤵PID:2488
-
\??\c:\7vpdv.exec:\7vpdv.exe108⤵PID:4772
-
\??\c:\xflfrlf.exec:\xflfrlf.exe109⤵PID:2092
-
\??\c:\hbbnht.exec:\hbbnht.exe110⤵PID:5000
-
\??\c:\vdjdv.exec:\vdjdv.exe111⤵PID:860
-
\??\c:\frlfxxx.exec:\frlfxxx.exe112⤵PID:2960
-
\??\c:\hhnhtn.exec:\hhnhtn.exe113⤵PID:4788
-
\??\c:\thhhbb.exec:\thhhbb.exe114⤵PID:1640
-
\??\c:\pvjdv.exec:\pvjdv.exe115⤵PID:3864
-
\??\c:\lfrlrlr.exec:\lfrlrlr.exe116⤵PID:4324
-
\??\c:\bbbtnn.exec:\bbbtnn.exe117⤵PID:2308
-
\??\c:\tttnnh.exec:\tttnnh.exe118⤵PID:4880
-
\??\c:\5vvdv.exec:\5vvdv.exe119⤵PID:5032
-
\??\c:\jjvvp.exec:\jjvvp.exe120⤵PID:1192
-
\??\c:\lfllllf.exec:\lfllllf.exe121⤵PID:3452
-
\??\c:\tntnhb.exec:\tntnhb.exe122⤵PID:1188
-