Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 05:10
Behavioral task
behavioral1
Sample
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe
-
Size
378KB
-
MD5
ff6a31485fc178613ce9cd886a6343a6
-
SHA1
66a7fb935a0d73e068e3e630fb208b871e90dca8
-
SHA256
113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef
-
SHA512
4e8cb5c9cb4818a3c79c9774ddc297e163c93d2e31375105f68de60984e780eccc384569fcf74bc368df8ccd95983f2572886888c52714ac1526557c2ef39896
-
SSDEEP
6144:0cm4FmowdHoSHWVs+QEoD/dL/4oSlCIqbKRs4EkfRDaPRrnVkWHQrvD:C4wFHoS2Vs+IdMoSzqkR5RWVVWrL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1092-6-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2356-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2512-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2240-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/772-39-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4100-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3984-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3900-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3024-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4280-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4608-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1148-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2148-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4640-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4664-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4956-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1096-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1640-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2520-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4780-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4944-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3596-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4188-304-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2736-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4420-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1892-339-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4228-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-360-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3876-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4368-457-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/976-515-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-522-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-532-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4580-560-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-645-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2892-697-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-707-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-741-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-854-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2452-1439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-1565-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/228-1602-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1328 nbhtnn.exe 2356 rflrrxr.exe 4528 3thbhh.exe 2512 dvpjd.exe 2240 nhthth.exe 772 3lrlfff.exe 4100 5fllffx.exe 3984 jpjdp.exe 3900 rlfxlfx.exe 3108 9nbtnn.exe 3024 fxrlflx.exe 4364 ttbtnb.exe 2360 jjppp.exe 3164 xfrxlrr.exe 4280 ntbhhb.exe 2456 bhnhtt.exe 3536 ppdpd.exe 1944 lflfxrr.exe 4260 1vdpj.exe 4608 3rxrllf.exe 2600 hhbtnh.exe 2540 jdjdj.exe 3988 rflflfx.exe 1148 jjjjv.exe 1472 frlrffx.exe 2148 xflfxxl.exe 1700 9thbbt.exe 3436 9pvpv.exe 4956 lllfrll.exe 4640 9ntnhh.exe 4664 vpvpd.exe 3620 rflxxxr.exe 1492 pddvp.exe 4800 xffxrxx.exe 1384 tbbbbt.exe 460 jdjdd.exe 1316 dpppj.exe 1096 flxrrll.exe 1500 nhhnbb.exe 1640 9vjdd.exe 2520 rrrlxrl.exe 1284 lxfxfxx.exe 744 1pdvp.exe 4460 rlrlxxr.exe 2656 nttnhb.exe 4400 hnnhtt.exe 4780 5vvpj.exe 3992 9dpjd.exe 4472 3xffxfx.exe 4448 hhthbb.exe 1092 hbnhtn.exe 4944 jpvpd.exe 4252 jvvpd.exe 4288 xxxlrlr.exe 3596 bbnbtt.exe 3532 dvjjd.exe 4464 fxrxrrl.exe 2440 hbthtn.exe 3048 vvdpv.exe 3952 pjddv.exe 3256 ffffrrf.exe 1592 fxrlffx.exe 2908 nbnhbb.exe 1672 jvpjd.exe -
resource yara_rule behavioral2/memory/1092-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c8b-3.dat upx behavioral2/memory/1092-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c90-9.dat upx behavioral2/memory/1328-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-13.dat upx behavioral2/memory/2356-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-21.dat upx behavioral2/memory/4528-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2512-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-28.dat upx behavioral2/files/0x0007000000023c98-32.dat upx behavioral2/memory/2240-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-38.dat upx behavioral2/memory/772-39-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4100-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-44.dat upx behavioral2/memory/3984-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-49.dat upx behavioral2/files/0x0007000000023c9c-55.dat upx behavioral2/memory/3108-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3900-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-62.dat upx behavioral2/memory/3024-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-67.dat upx behavioral2/files/0x0007000000023c9f-72.dat upx behavioral2/memory/2360-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-79.dat upx behavioral2/files/0x0007000000023ca1-84.dat upx behavioral2/files/0x0007000000023ca2-90.dat upx behavioral2/memory/4280-89-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023ca3-95.dat upx behavioral2/files/0x0007000000023ca4-101.dat upx behavioral2/memory/3536-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-105.dat upx behavioral2/memory/1944-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c91-112.dat upx behavioral2/files/0x0007000000023ca6-116.dat upx behavioral2/memory/4608-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-123.dat upx behavioral2/memory/2600-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-128.dat upx behavioral2/files/0x0007000000023caa-134.dat upx behavioral2/memory/1148-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3988-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-141.dat upx behavioral2/files/0x0007000000023cac-146.dat upx behavioral2/files/0x0007000000023cad-152.dat upx behavioral2/memory/2148-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1700-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3436-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-158.dat upx behavioral2/files/0x0007000000023caf-164.dat upx behavioral2/files/0x0007000000023cb0-170.dat upx behavioral2/memory/4640-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-175.dat upx behavioral2/memory/4664-179-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-183.dat upx behavioral2/memory/3620-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4956-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4800-194-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1384-198-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1316-205-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1096-209-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhttbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrffxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnnt.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1092 wrote to memory of 1328 1092 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 85 PID 1092 wrote to memory of 1328 1092 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 85 PID 1092 wrote to memory of 1328 1092 113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe 85 PID 1328 wrote to memory of 2356 1328 nbhtnn.exe 86 PID 1328 wrote to memory of 2356 1328 nbhtnn.exe 86 PID 1328 wrote to memory of 2356 1328 nbhtnn.exe 86 PID 2356 wrote to memory of 4528 2356 rflrrxr.exe 87 PID 2356 wrote to memory of 4528 2356 rflrrxr.exe 87 PID 2356 wrote to memory of 4528 2356 rflrrxr.exe 87 PID 4528 wrote to memory of 2512 4528 3thbhh.exe 88 PID 4528 wrote to memory of 2512 4528 3thbhh.exe 88 PID 4528 wrote to memory of 2512 4528 3thbhh.exe 88 PID 2512 wrote to memory of 2240 2512 dvpjd.exe 89 PID 2512 wrote to memory of 2240 2512 dvpjd.exe 89 PID 2512 wrote to memory of 2240 2512 dvpjd.exe 89 PID 2240 wrote to memory of 772 2240 nhthth.exe 90 PID 2240 wrote to memory of 772 2240 nhthth.exe 90 PID 2240 wrote to memory of 772 2240 nhthth.exe 90 PID 772 wrote to memory of 4100 772 3lrlfff.exe 91 PID 772 wrote to memory of 4100 772 3lrlfff.exe 91 PID 772 wrote to memory of 4100 772 3lrlfff.exe 91 PID 4100 wrote to memory of 3984 4100 5fllffx.exe 92 PID 4100 wrote to memory of 3984 4100 5fllffx.exe 92 PID 4100 wrote to memory of 3984 4100 5fllffx.exe 92 PID 3984 wrote to memory of 3900 3984 jpjdp.exe 93 PID 3984 wrote to memory of 3900 3984 jpjdp.exe 93 PID 3984 wrote to memory of 3900 3984 jpjdp.exe 93 PID 3900 wrote to memory of 3108 3900 rlfxlfx.exe 94 PID 3900 wrote to memory of 3108 3900 rlfxlfx.exe 94 PID 3900 wrote to memory of 3108 3900 rlfxlfx.exe 94 PID 3108 wrote to memory of 3024 3108 9nbtnn.exe 95 PID 3108 wrote to memory of 3024 3108 9nbtnn.exe 95 PID 3108 wrote to memory of 3024 3108 9nbtnn.exe 95 PID 3024 wrote to memory of 4364 3024 fxrlflx.exe 96 PID 3024 wrote to 
memory of 4364 3024 fxrlflx.exe 96 PID 3024 wrote to memory of 4364 3024 fxrlflx.exe 96 PID 4364 wrote to memory of 2360 4364 ttbtnb.exe 97 PID 4364 wrote to memory of 2360 4364 ttbtnb.exe 97 PID 4364 wrote to memory of 2360 4364 ttbtnb.exe 97 PID 2360 wrote to memory of 3164 2360 jjppp.exe 98 PID 2360 wrote to memory of 3164 2360 jjppp.exe 98 PID 2360 wrote to memory of 3164 2360 jjppp.exe 98 PID 3164 wrote to memory of 4280 3164 xfrxlrr.exe 99 PID 3164 wrote to memory of 4280 3164 xfrxlrr.exe 99 PID 3164 wrote to memory of 4280 3164 xfrxlrr.exe 99 PID 4280 wrote to memory of 2456 4280 ntbhhb.exe 100 PID 4280 wrote to memory of 2456 4280 ntbhhb.exe 100 PID 4280 wrote to memory of 2456 4280 ntbhhb.exe 100 PID 2456 wrote to memory of 3536 2456 bhnhtt.exe 101 PID 2456 wrote to memory of 3536 2456 bhnhtt.exe 101 PID 2456 wrote to memory of 3536 2456 bhnhtt.exe 101 PID 3536 wrote to memory of 1944 3536 ppdpd.exe 102 PID 3536 wrote to memory of 1944 3536 ppdpd.exe 102 PID 3536 wrote to memory of 1944 3536 ppdpd.exe 102 PID 1944 wrote to memory of 4260 1944 lflfxrr.exe 103 PID 1944 wrote to memory of 4260 1944 lflfxrr.exe 103 PID 1944 wrote to memory of 4260 1944 lflfxrr.exe 103 PID 4260 wrote to memory of 4608 4260 1vdpj.exe 104 PID 4260 wrote to memory of 4608 4260 1vdpj.exe 104 PID 4260 wrote to memory of 4608 4260 1vdpj.exe 104 PID 4608 wrote to memory of 2600 4608 3rxrllf.exe 105 PID 4608 wrote to memory of 2600 4608 3rxrllf.exe 105 PID 4608 wrote to memory of 2600 4608 3rxrllf.exe 105 PID 2600 wrote to memory of 2540 2600 hhbtnh.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe"C:\Users\Admin\AppData\Local\Temp\113844635d8ba6ae7906014cbe023447de5a269761ceb4949e1d814220693eef.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1092 -
\??\c:\nbhtnn.exec:\nbhtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\rflrrxr.exec:\rflrrxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356 -
\??\c:\3thbhh.exec:\3thbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
\??\c:\dvpjd.exec:\dvpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
\??\c:\nhthth.exec:\nhthth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\3lrlfff.exec:\3lrlfff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772 -
\??\c:\5fllffx.exec:\5fllffx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\jpjdp.exec:\jpjdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3984 -
\??\c:\rlfxlfx.exec:\rlfxlfx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\9nbtnn.exec:\9nbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\fxrlflx.exec:\fxrlflx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\ttbtnb.exec:\ttbtnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\jjppp.exec:\jjppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\xfrxlrr.exec:\xfrxlrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3164 -
\??\c:\ntbhhb.exec:\ntbhhb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\bhnhtt.exec:\bhnhtt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\ppdpd.exec:\ppdpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\lflfxrr.exec:\lflfxrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1944 -
\??\c:\1vdpj.exec:\1vdpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\3rxrllf.exec:\3rxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4608 -
\??\c:\hhbtnh.exec:\hhbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\jdjdj.exec:\jdjdj.exe23⤵
- Executes dropped EXE
PID:2540 -
\??\c:\rflflfx.exec:\rflflfx.exe24⤵
- Executes dropped EXE
PID:3988 -
\??\c:\jjjjv.exec:\jjjjv.exe25⤵
- Executes dropped EXE
PID:1148 -
\??\c:\frlrffx.exec:\frlrffx.exe26⤵
- Executes dropped EXE
PID:1472 -
\??\c:\xflfxxl.exec:\xflfxxl.exe27⤵
- Executes dropped EXE
PID:2148 -
\??\c:\9thbbt.exec:\9thbbt.exe28⤵
- Executes dropped EXE
PID:1700 -
\??\c:\9pvpv.exec:\9pvpv.exe29⤵
- Executes dropped EXE
PID:3436 -
\??\c:\lllfrll.exec:\lllfrll.exe30⤵
- Executes dropped EXE
PID:4956 -
\??\c:\9ntnhh.exec:\9ntnhh.exe31⤵
- Executes dropped EXE
PID:4640 -
\??\c:\vpvpd.exec:\vpvpd.exe32⤵
- Executes dropped EXE
PID:4664 -
\??\c:\rflxxxr.exec:\rflxxxr.exe33⤵
- Executes dropped EXE
PID:3620 -
\??\c:\pddvp.exec:\pddvp.exe34⤵
- Executes dropped EXE
PID:1492 -
\??\c:\xffxrxx.exec:\xffxrxx.exe35⤵
- Executes dropped EXE
PID:4800 -
\??\c:\tbbbbt.exec:\tbbbbt.exe36⤵
- Executes dropped EXE
PID:1384 -
\??\c:\jdjdd.exec:\jdjdd.exe37⤵
- Executes dropped EXE
PID:460 -
\??\c:\dpppj.exec:\dpppj.exe38⤵
- Executes dropped EXE
PID:1316 -
\??\c:\flxrrll.exec:\flxrrll.exe39⤵
- Executes dropped EXE
PID:1096 -
\??\c:\nhhnbb.exec:\nhhnbb.exe40⤵
- Executes dropped EXE
PID:1500 -
\??\c:\9vjdd.exec:\9vjdd.exe41⤵
- Executes dropped EXE
PID:1640 -
\??\c:\rrrlxrl.exec:\rrrlxrl.exe42⤵
- Executes dropped EXE
PID:2520 -
\??\c:\lxfxfxx.exec:\lxfxfxx.exe43⤵
- Executes dropped EXE
PID:1284 -
\??\c:\1pdvp.exec:\1pdvp.exe44⤵
- Executes dropped EXE
PID:744 -
\??\c:\rlrlxxr.exec:\rlrlxxr.exe45⤵
- Executes dropped EXE
PID:4460 -
\??\c:\nttnhb.exec:\nttnhb.exe46⤵
- Executes dropped EXE
PID:2656 -
\??\c:\hnnhtt.exec:\hnnhtt.exe47⤵
- Executes dropped EXE
PID:4400 -
\??\c:\5vvpj.exec:\5vvpj.exe48⤵
- Executes dropped EXE
PID:4780 -
\??\c:\9dpjd.exec:\9dpjd.exe49⤵
- Executes dropped EXE
PID:3992 -
\??\c:\3xffxfx.exec:\3xffxfx.exe50⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hhthbb.exec:\hhthbb.exe51⤵
- Executes dropped EXE
PID:4448 -
\??\c:\hbnhtn.exec:\hbnhtn.exe52⤵
- Executes dropped EXE
PID:1092 -
\??\c:\jpvpd.exec:\jpvpd.exe53⤵
- Executes dropped EXE
PID:4944 -
\??\c:\jvvpd.exec:\jvvpd.exe54⤵
- Executes dropped EXE
PID:4252 -
\??\c:\xxxlrlr.exec:\xxxlrlr.exe55⤵
- Executes dropped EXE
PID:4288 -
\??\c:\bbnbtt.exec:\bbnbtt.exe56⤵
- Executes dropped EXE
PID:3596 -
\??\c:\dvjjd.exec:\dvjjd.exe57⤵
- Executes dropped EXE
PID:3532 -
\??\c:\fxrxrrl.exec:\fxrxrrl.exe58⤵
- Executes dropped EXE
PID:4464 -
\??\c:\hbthtn.exec:\hbthtn.exe59⤵
- Executes dropped EXE
PID:2440 -
\??\c:\vvdpv.exec:\vvdpv.exe60⤵
- Executes dropped EXE
PID:3048 -
\??\c:\pjddv.exec:\pjddv.exe61⤵
- Executes dropped EXE
PID:3952 -
\??\c:\ffffrrf.exec:\ffffrrf.exe62⤵
- Executes dropped EXE
PID:3256 -
\??\c:\fxrlffx.exec:\fxrlffx.exe63⤵
- Executes dropped EXE
PID:1592 -
\??\c:\nbnhbb.exec:\nbnhbb.exe64⤵
- Executes dropped EXE
PID:2908 -
\??\c:\jvpjd.exec:\jvpjd.exe65⤵
- Executes dropped EXE
PID:1672 -
\??\c:\pjjjd.exec:\pjjjd.exe66⤵PID:3064
-
\??\c:\9ffxfxf.exec:\9ffxfxf.exe67⤵PID:4188
-
\??\c:\nthhbb.exec:\nthhbb.exe68⤵PID:2624
-
\??\c:\thhhtt.exec:\thhhtt.exe69⤵PID:4364
-
\??\c:\jjvdv.exec:\jjvdv.exe70⤵PID:2736
-
\??\c:\xxxxlfx.exec:\xxxxlfx.exe71⤵PID:1208
-
\??\c:\tbbbtt.exec:\tbbbtt.exe72⤵PID:4972
-
\??\c:\3hhbtn.exec:\3hhbtn.exe73⤵PID:4976
-
\??\c:\ddjvj.exec:\ddjvj.exe74⤵PID:4204
-
\??\c:\3vddp.exec:\3vddp.exe75⤵PID:1772
-
\??\c:\frrxxlr.exec:\frrxxlr.exe76⤵PID:4420
-
\??\c:\bnhbtb.exec:\bnhbtb.exe77⤵PID:1892
-
\??\c:\jvvpp.exec:\jvvpp.exe78⤵PID:4260
-
\??\c:\9rxrfxr.exec:\9rxrfxr.exe79⤵PID:4928
-
\??\c:\1xffxxr.exec:\1xffxxr.exe80⤵PID:2596
-
\??\c:\ntbbbt.exec:\ntbbbt.exe81⤵PID:2336
-
\??\c:\ttbbnh.exec:\ttbbnh.exe82⤵PID:4228
-
\??\c:\jjjdj.exec:\jjjdj.exe83⤵PID:4248
-
\??\c:\lxrrlfr.exec:\lxrrlfr.exe84⤵PID:3648
-
\??\c:\5tttnn.exec:\5tttnn.exe85⤵PID:1148
-
\??\c:\vvdvd.exec:\vvdvd.exe86⤵PID:1580
-
\??\c:\xrfrfxl.exec:\xrfrfxl.exe87⤵PID:2716
-
\??\c:\3lllrrr.exec:\3lllrrr.exe88⤵PID:3240
-
\??\c:\nttnnt.exec:\nttnnt.exe89⤵PID:4652
-
\??\c:\dvpdp.exec:\dvpdp.exe90⤵PID:4756
-
\??\c:\dpjdp.exec:\dpjdp.exe91⤵PID:4140
-
\??\c:\xllrfxf.exec:\xllrfxf.exe92⤵PID:4696
-
\??\c:\bththn.exec:\bththn.exe93⤵PID:4384
-
\??\c:\nnbhtn.exec:\nnbhtn.exe94⤵PID:4912
-
\??\c:\pddpp.exec:\pddpp.exe95⤵PID:2932
-
\??\c:\1lfxlfx.exec:\1lfxlfx.exe96⤵PID:3708
-
\??\c:\rxxxrll.exec:\rxxxrll.exe97⤵PID:2436
-
\??\c:\ttnntn.exec:\ttnntn.exe98⤵PID:2696
-
\??\c:\bhnbnh.exec:\bhnbnh.exe99⤵PID:1720
-
\??\c:\1pppd.exec:\1pppd.exe100⤵PID:1532
-
\??\c:\lxrrrrf.exec:\lxrrrrf.exe101⤵PID:64
-
\??\c:\9rxrlfx.exec:\9rxrlfx.exe102⤵PID:2708
-
\??\c:\7nhbht.exec:\7nhbht.exe103⤵PID:4916
-
\??\c:\nttthh.exec:\nttthh.exe104⤵PID:216
-
\??\c:\5jjvd.exec:\5jjvd.exe105⤵PID:3876
-
\??\c:\7rxxrrl.exec:\7rxxrrl.exe106⤵PID:1440
-
\??\c:\xlrlffl.exec:\xlrlffl.exe107⤵PID:1968
-
\??\c:\hhhbhh.exec:\hhhbhh.exe108⤵PID:2448
-
\??\c:\hbhhbb.exec:\hbhhbb.exe109⤵PID:4804
-
\??\c:\pdjvp.exec:\pdjvp.exe110⤵PID:3300
-
\??\c:\xfxlfrr.exec:\xfxlfrr.exe111⤵PID:232
-
\??\c:\fxffrxl.exec:\fxffrxl.exe112⤵PID:5080
-
\??\c:\nhnbtn.exec:\nhnbtn.exe113⤵PID:4600
-
\??\c:\pdvjv.exec:\pdvjv.exe114⤵PID:4368
-
\??\c:\vppjd.exec:\vppjd.exe115⤵PID:4392
-
\??\c:\3lxrlfl.exec:\3lxrlfl.exe116⤵PID:1328
-
\??\c:\9nnhtt.exec:\9nnhtt.exe117⤵PID:4104
-
\??\c:\5pjdj.exec:\5pjdj.exe118⤵PID:4568
-
\??\c:\7vjdp.exec:\7vjdp.exe119⤵PID:852
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe120⤵PID:404
-
\??\c:\hnnthh.exec:\hnnthh.exe121⤵PID:3596
-
\??\c:\5bhtnh.exec:\5bhtnh.exe122⤵PID:4688