Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 15:32
Behavioral task
behavioral1
Sample
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe
-
Size
130KB
-
MD5
52039e11a38cbca607d22dbc06785fc7
-
SHA1
1beb567a22d519b6530301280644df6375f390bf
-
SHA256
f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33
-
SHA512
76fab7b3065e222b48efc4b51faed6f647a09b1e8d5f42d7cb4d78e3c4760619c5e13aa782fa288c1bbed0e00f5c2aacbc0434ed4456129d8f74a4933aecac3c
-
SSDEEP
3072:0hOmTsF93UYfwC6GIoutX8Kikz9qI+fPl/d:0cm4FmowdHoSH5L+Zd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4076-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1952-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2932-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4632-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4800-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4688-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-83-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4680-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3612-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3296-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3608-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-113-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3016-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4716-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4116-135-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4248-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2596-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1492-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5000-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/892-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1120-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4344-252-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4672-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3344-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5092-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1736-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-319-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2112-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-346-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3548-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-363-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-373-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-377-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3800-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3140-451-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4488-456-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2240-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2900-503-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-526-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-554-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3192-562-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2528-779-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3128-888-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1296-1892-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2060 tbbthn.exe 1952 vvpdp.exe 2960 lffrrll.exe 2932 fxxrxxx.exe 3020 9dvpd.exe 4632 flrfrlx.exe 5092 htnbhn.exe 4868 bbhhth.exe 4800 jdvjd.exe 3632 lrffflr.exe 1048 nnhthb.exe 4688 vjjvv.exe 3288 vjdpj.exe 4680 hnnbhn.exe 3612 pppjv.exe 3296 vddvp.exe 3608 ntnhtn.exe 4816 htnhtn.exe 1624 jpppd.exe 3016 dvdvp.exe 4716 lfxrlfl.exe 4116 bttnhn.exe 2708 7pdpd.exe 4248 jddvp.exe 2940 rlflxrl.exe 2596 5tttnh.exe 1492 jvpdp.exe 228 lxxrlfr.exe 5000 bttnbh.exe 892 nhtnnh.exe 3732 pvjdv.exe 3800 bbtnbb.exe 1104 1ppjd.exe 4072 pvpdv.exe 3448 xlfxlff.exe 3284 hntthh.exe 1004 jdpjv.exe 1796 dvjjp.exe 3892 xffrlfr.exe 4568 7tnnhn.exe 2360 thbbtt.exe 1720 7vpdp.exe 2124 fxrfllf.exe 1376 llffffl.exe 4844 ntnhtt.exe 3808 dvvpp.exe 1644 3lfrffx.exe 1120 3tnhbt.exe 4344 5djdv.exe 2072 7djvj.exe 4672 lxrlfxr.exe 1836 tbnhtt.exe 2132 tbbnth.exe 2312 vddpd.exe 3236 rlfrffr.exe 3128 bntnnh.exe 4268 bntnbt.exe 3344 jdvjv.exe 2916 7lfxllf.exe 5092 nbtnht.exe 2900 bhhtnn.exe 1736 vvppj.exe 3604 7xxrxfx.exe 928 rfxrlfx.exe -
resource yara_rule behavioral2/memory/4076-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b99-3.dat upx behavioral2/memory/4076-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2060-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c89-11.dat upx behavioral2/files/0x0007000000023c8d-13.dat upx behavioral2/memory/1952-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2960-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8e-22.dat upx behavioral2/files/0x0007000000023c8f-28.dat upx behavioral2/memory/2932-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c90-33.dat upx behavioral2/files/0x0007000000023c91-38.dat upx behavioral2/memory/4632-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c92-44.dat upx behavioral2/memory/5092-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-50.dat upx behavioral2/memory/4800-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c94-56.dat upx behavioral2/memory/4800-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-62.dat upx behavioral2/memory/3632-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-69.dat upx behavioral2/memory/1048-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c97-74.dat upx behavioral2/memory/4688-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-80.dat upx behavioral2/memory/3288-83-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-86.dat upx behavioral2/memory/4680-88-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3612-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-94.dat upx behavioral2/files/0x0007000000023c9c-98.dat upx behavioral2/memory/3296-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3608-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-105.dat upx behavioral2/memory/3608-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9e-111.dat upx behavioral2/memory/4816-113-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-118.dat upx behavioral2/files/0x0007000000023ca0-122.dat upx behavioral2/memory/3016-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-129.dat upx behavioral2/memory/4716-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca2-136.dat upx behavioral2/memory/4116-135-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-140.dat upx behavioral2/files/0x0007000000023ca4-144.dat upx behavioral2/memory/4248-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-151.dat upx behavioral2/files/0x0008000000023c8a-156.dat upx behavioral2/memory/2596-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1492-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-162.dat upx behavioral2/files/0x0007000000023ca8-168.dat upx behavioral2/memory/228-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-174.dat upx behavioral2/memory/5000-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caa-180.dat upx behavioral2/memory/892-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-187.dat upx 
behavioral2/memory/1104-192-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1104-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3284-206-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlflrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxlxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdpd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4076 wrote to memory of 2060 4076 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 83 PID 4076 wrote to memory of 2060 4076 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 83 PID 4076 wrote to memory of 2060 4076 f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe 83 PID 2060 wrote to memory of 1952 2060 tbbthn.exe 84 PID 2060 wrote to memory of 1952 2060 tbbthn.exe 84 PID 2060 wrote to memory of 1952 2060 tbbthn.exe 84 PID 1952 wrote to memory of 2960 1952 vvpdp.exe 85 PID 1952 wrote to memory of 2960 1952 vvpdp.exe 85 PID 1952 wrote to memory of 2960 1952 vvpdp.exe 85 PID 2960 wrote to memory of 2932 2960 lffrrll.exe 86 PID 2960 wrote to memory of 2932 2960 lffrrll.exe 86 PID 2960 wrote to memory of 2932 2960 lffrrll.exe 86 PID 2932 wrote to memory of 3020 2932 fxxrxxx.exe 87 PID 2932 wrote to memory of 3020 2932 fxxrxxx.exe 87 PID 2932 wrote to memory of 3020 2932 fxxrxxx.exe 87 PID 3020 wrote to memory of 4632 3020 9dvpd.exe 88 PID 3020 wrote to memory of 4632 3020 9dvpd.exe 88 PID 3020 wrote to memory of 4632 3020 9dvpd.exe 88 PID 4632 wrote to memory of 5092 4632 flrfrlx.exe 89 PID 4632 wrote to memory of 5092 4632 flrfrlx.exe 89 PID 4632 wrote to memory of 5092 4632 flrfrlx.exe 89 PID 5092 wrote to memory of 4868 5092 htnbhn.exe 90 PID 5092 wrote to memory of 4868 5092 htnbhn.exe 90 PID 5092 wrote to memory of 4868 5092 htnbhn.exe 90 PID 4868 wrote to memory of 4800 4868 bbhhth.exe 91 PID 4868 wrote to memory of 4800 4868 bbhhth.exe 91 PID 4868 wrote to memory of 4800 4868 bbhhth.exe 91 PID 4800 wrote to memory of 3632 4800 jdvjd.exe 92 PID 4800 wrote to memory of 3632 4800 jdvjd.exe 92 PID 4800 wrote to memory of 3632 4800 jdvjd.exe 92 PID 3632 wrote to memory of 1048 3632 lrffflr.exe 93 PID 3632 wrote to memory of 1048 3632 lrffflr.exe 93 PID 3632 wrote to memory of 1048 3632 lrffflr.exe 93 PID 1048 wrote to memory of 4688 1048 nnhthb.exe 94 PID 1048 wrote 
to memory of 4688 1048 nnhthb.exe 94 PID 1048 wrote to memory of 4688 1048 nnhthb.exe 94 PID 4688 wrote to memory of 3288 4688 vjjvv.exe 95 PID 4688 wrote to memory of 3288 4688 vjjvv.exe 95 PID 4688 wrote to memory of 3288 4688 vjjvv.exe 95 PID 3288 wrote to memory of 4680 3288 vjdpj.exe 96 PID 3288 wrote to memory of 4680 3288 vjdpj.exe 96 PID 3288 wrote to memory of 4680 3288 vjdpj.exe 96 PID 4680 wrote to memory of 3612 4680 hnnbhn.exe 97 PID 4680 wrote to memory of 3612 4680 hnnbhn.exe 97 PID 4680 wrote to memory of 3612 4680 hnnbhn.exe 97 PID 3612 wrote to memory of 3296 3612 pppjv.exe 98 PID 3612 wrote to memory of 3296 3612 pppjv.exe 98 PID 3612 wrote to memory of 3296 3612 pppjv.exe 98 PID 3296 wrote to memory of 3608 3296 vddvp.exe 99 PID 3296 wrote to memory of 3608 3296 vddvp.exe 99 PID 3296 wrote to memory of 3608 3296 vddvp.exe 99 PID 3608 wrote to memory of 4816 3608 ntnhtn.exe 100 PID 3608 wrote to memory of 4816 3608 ntnhtn.exe 100 PID 3608 wrote to memory of 4816 3608 ntnhtn.exe 100 PID 4816 wrote to memory of 1624 4816 htnhtn.exe 101 PID 4816 wrote to memory of 1624 4816 htnhtn.exe 101 PID 4816 wrote to memory of 1624 4816 htnhtn.exe 101 PID 1624 wrote to memory of 3016 1624 jpppd.exe 102 PID 1624 wrote to memory of 3016 1624 jpppd.exe 102 PID 1624 wrote to memory of 3016 1624 jpppd.exe 102 PID 3016 wrote to memory of 4716 3016 dvdvp.exe 103 PID 3016 wrote to memory of 4716 3016 dvdvp.exe 103 PID 3016 wrote to memory of 4716 3016 dvdvp.exe 103 PID 4716 wrote to memory of 4116 4716 lfxrlfl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe"C:\Users\Admin\AppData\Local\Temp\f1df4ffcb0603ce5f490a95be7bbd4ca24c6530daca2b364236ca17b4e9bde33.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
\??\c:\tbbthn.exec:\tbbthn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\vvpdp.exec:\vvpdp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\lffrrll.exec:\lffrrll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\fxxrxxx.exec:\fxxrxxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\9dvpd.exec:\9dvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\flrfrlx.exec:\flrfrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4632 -
\??\c:\htnbhn.exec:\htnbhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\bbhhth.exec:\bbhhth.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\jdvjd.exec:\jdvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4800 -
\??\c:\lrffflr.exec:\lrffflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\nnhthb.exec:\nnhthb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\vjjvv.exec:\vjjvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\vjdpj.exec:\vjdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\hnnbhn.exec:\hnnbhn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680 -
\??\c:\pppjv.exec:\pppjv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\vddvp.exec:\vddvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\ntnhtn.exec:\ntnhtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\htnhtn.exec:\htnhtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\jpppd.exec:\jpppd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\dvdvp.exec:\dvdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\lfxrlfl.exec:\lfxrlfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\bttnhn.exec:\bttnhn.exe23⤵
- Executes dropped EXE
PID:4116 -
\??\c:\7pdpd.exec:\7pdpd.exe24⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jddvp.exec:\jddvp.exe25⤵
- Executes dropped EXE
PID:4248 -
\??\c:\rlflxrl.exec:\rlflxrl.exe26⤵
- Executes dropped EXE
PID:2940 -
\??\c:\5tttnh.exec:\5tttnh.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596 -
\??\c:\jvpdp.exec:\jvpdp.exe28⤵
- Executes dropped EXE
PID:1492 -
\??\c:\lxxrlfr.exec:\lxxrlfr.exe29⤵
- Executes dropped EXE
PID:228 -
\??\c:\bttnbh.exec:\bttnbh.exe30⤵
- Executes dropped EXE
PID:5000 -
\??\c:\nhtnnh.exec:\nhtnnh.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\pvjdv.exec:\pvjdv.exe32⤵
- Executes dropped EXE
PID:3732 -
\??\c:\bbtnbb.exec:\bbtnbb.exe33⤵
- Executes dropped EXE
PID:3800 -
\??\c:\1ppjd.exec:\1ppjd.exe34⤵
- Executes dropped EXE
PID:1104 -
\??\c:\pvpdv.exec:\pvpdv.exe35⤵
- Executes dropped EXE
PID:4072 -
\??\c:\xlfxlff.exec:\xlfxlff.exe36⤵
- Executes dropped EXE
PID:3448 -
\??\c:\hntthh.exec:\hntthh.exe37⤵
- Executes dropped EXE
PID:3284 -
\??\c:\jdpjv.exec:\jdpjv.exe38⤵
- Executes dropped EXE
PID:1004 -
\??\c:\dvjjp.exec:\dvjjp.exe39⤵
- Executes dropped EXE
PID:1796 -
\??\c:\xffrlfr.exec:\xffrlfr.exe40⤵
- Executes dropped EXE
PID:3892 -
\??\c:\7tnnhn.exec:\7tnnhn.exe41⤵
- Executes dropped EXE
PID:4568 -
\??\c:\thbbtt.exec:\thbbtt.exe42⤵
- Executes dropped EXE
PID:2360 -
\??\c:\7vpdp.exec:\7vpdp.exe43⤵
- Executes dropped EXE
PID:1720 -
\??\c:\fxrfllf.exec:\fxrfllf.exe44⤵
- Executes dropped EXE
PID:2124 -
\??\c:\llffffl.exec:\llffffl.exe45⤵
- Executes dropped EXE
PID:1376 -
\??\c:\ntnhtt.exec:\ntnhtt.exe46⤵
- Executes dropped EXE
PID:4844 -
\??\c:\dvvpp.exec:\dvvpp.exe47⤵
- Executes dropped EXE
PID:3808 -
\??\c:\3lfrffx.exec:\3lfrffx.exe48⤵
- Executes dropped EXE
PID:1644 -
\??\c:\3tnhbt.exec:\3tnhbt.exe49⤵
- Executes dropped EXE
PID:1120 -
\??\c:\5djdv.exec:\5djdv.exe50⤵
- Executes dropped EXE
PID:4344 -
\??\c:\7djvj.exec:\7djvj.exe51⤵
- Executes dropped EXE
PID:2072 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe52⤵
- Executes dropped EXE
PID:4672 -
\??\c:\tbnhtt.exec:\tbnhtt.exe53⤵
- Executes dropped EXE
PID:1836 -
\??\c:\tbbnth.exec:\tbbnth.exe54⤵
- Executes dropped EXE
PID:2132 -
\??\c:\vddpd.exec:\vddpd.exe55⤵
- Executes dropped EXE
PID:2312 -
\??\c:\rlfrffr.exec:\rlfrffr.exe56⤵
- Executes dropped EXE
PID:3236 -
\??\c:\bntnnh.exec:\bntnnh.exe57⤵
- Executes dropped EXE
PID:3128 -
\??\c:\bntnbt.exec:\bntnbt.exe58⤵
- Executes dropped EXE
PID:4268 -
\??\c:\jdvjv.exec:\jdvjv.exe59⤵
- Executes dropped EXE
PID:3344 -
\??\c:\7lfxllf.exec:\7lfxllf.exe60⤵
- Executes dropped EXE
PID:2916 -
\??\c:\nbtnht.exec:\nbtnht.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5092 -
\??\c:\bhhtnn.exec:\bhhtnn.exe62⤵
- Executes dropped EXE
PID:2900 -
\??\c:\vvppj.exec:\vvppj.exe63⤵
- Executes dropped EXE
PID:1736 -
\??\c:\7xxrxfx.exec:\7xxrxfx.exe64⤵
- Executes dropped EXE
PID:3604 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe65⤵
- Executes dropped EXE
PID:928 -
\??\c:\hnbbhh.exec:\hnbbhh.exe66⤵PID:3196
-
\??\c:\lflfffl.exec:\lflfffl.exe67⤵PID:4912
-
\??\c:\1hhtnn.exec:\1hhtnn.exe68⤵PID:2656
-
\??\c:\thhbtn.exec:\thhbtn.exe69⤵PID:1316
-
\??\c:\vpjdp.exec:\vpjdp.exe70⤵PID:4832
-
\??\c:\xlfrffx.exec:\xlfrffx.exe71⤵PID:3272
-
\??\c:\frrrrlf.exec:\frrrrlf.exe72⤵PID:2112
-
\??\c:\hbhbnn.exec:\hbhbnn.exe73⤵PID:3736
-
\??\c:\1pvjj.exec:\1pvjj.exe74⤵PID:4700
-
\??\c:\dvjvj.exec:\dvjvj.exe75⤵PID:576
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe76⤵PID:4556
-
\??\c:\tntntt.exec:\tntntt.exe77⤵PID:1872
-
\??\c:\bbbtnn.exec:\bbbtnn.exe78⤵
- System Location Discovery: System Language Discovery
PID:3552 -
\??\c:\vdjvj.exec:\vdjvj.exe79⤵PID:3548
-
\??\c:\7dpjv.exec:\7dpjv.exe80⤵PID:3340
-
\??\c:\lfrffxx.exec:\lfrffxx.exe81⤵PID:4116
-
\??\c:\nthbtn.exec:\nthbtn.exe82⤵PID:2536
-
\??\c:\jvvjp.exec:\jvvjp.exe83⤵PID:1972
-
\??\c:\5vvpj.exec:\5vvpj.exe84⤵PID:4452
-
\??\c:\xllfrxr.exec:\xllfrxr.exe85⤵PID:2940
-
\??\c:\lllfxrl.exec:\lllfxrl.exe86⤵PID:1284
-
\??\c:\htthbt.exec:\htthbt.exe87⤵PID:4852
-
\??\c:\thhbtn.exec:\thhbtn.exe88⤵PID:220
-
\??\c:\pddvp.exec:\pddvp.exe89⤵PID:2576
-
\??\c:\jpppd.exec:\jpppd.exe90⤵PID:1812
-
\??\c:\xlllrlf.exec:\xlllrlf.exe91⤵PID:3888
-
\??\c:\btbhbh.exec:\btbhbh.exe92⤵PID:4324
-
\??\c:\vvvpj.exec:\vvvpj.exe93⤵PID:4940
-
\??\c:\pvppj.exec:\pvppj.exe94⤵PID:336
-
\??\c:\7xxlffx.exec:\7xxlffx.exe95⤵PID:3800
-
\??\c:\1hhhhh.exec:\1hhhhh.exe96⤵PID:2396
-
\??\c:\pdvjv.exec:\pdvjv.exe97⤵PID:3176
-
\??\c:\1vdvj.exec:\1vdvj.exe98⤵PID:2640
-
\??\c:\rlfxllf.exec:\rlfxllf.exe99⤵PID:2252
-
\??\c:\frxrrrl.exec:\frxrrrl.exe100⤵PID:4572
-
\??\c:\tnnhnn.exec:\tnnhnn.exe101⤵PID:2772
-
\??\c:\1ttbnh.exec:\1ttbnh.exe102⤵PID:812
-
\??\c:\jddvv.exec:\jddvv.exe103⤵PID:3720
-
\??\c:\llrlfxr.exec:\llrlfxr.exe104⤵PID:2716
-
\??\c:\ttbbhh.exec:\ttbbhh.exe105⤵PID:3768
-
\??\c:\1nnhhb.exec:\1nnhhb.exe106⤵PID:1052
-
\??\c:\bhhtnh.exec:\bhhtnh.exe107⤵PID:5076
-
\??\c:\dvjdp.exec:\dvjdp.exe108⤵PID:3544
-
\??\c:\rflxrll.exec:\rflxrll.exe109⤵PID:2788
-
\??\c:\xfllxxr.exec:\xfllxxr.exe110⤵PID:3140
-
\??\c:\5hhtnh.exec:\5hhtnh.exe111⤵PID:4488
-
\??\c:\dppjd.exec:\dppjd.exe112⤵PID:4308
-
\??\c:\jddpp.exec:\jddpp.exe113⤵PID:820
-
\??\c:\frrfrlf.exec:\frrfrlf.exe114⤵PID:4472
-
\??\c:\fxlxxrx.exec:\fxlxxrx.exe115⤵PID:1728
-
\??\c:\tnnbbb.exec:\tnnbbb.exe116⤵PID:2240
-
\??\c:\pdpjj.exec:\pdpjj.exe117⤵PID:3460
-
\??\c:\djpjd.exec:\djpjd.exe118⤵PID:1332
-
\??\c:\rfrlxxr.exec:\rfrlxxr.exe119⤵PID:3804
-
\??\c:\tnbbtn.exec:\tnbbtn.exe120⤵PID:3692
-
\??\c:\hntnnn.exec:\hntnnn.exe121⤵PID:4376
-
\??\c:\vjjdv.exec:\vjjdv.exe122⤵PID:3240