Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:31
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe
-
Size
456KB
-
MD5
64cf39043c649fcb11e32e277aaabc67
-
SHA1
a1296103b288ed3cf90efae6e3300c2d3f6d8711
-
SHA256
bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379
-
SHA512
b733860546a9a7e2f98acf82363c4f6283e8a60e8c3170d482e3c647b9716f04013f417cc65c5c39eb7d185dae2d27975bf1c8f20617ae01e5736e76d5033656
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe9:q7Tc2NYHUrAwfMp3CD9
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/1648-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4252-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4852-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3296-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/800-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4396-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-549-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-615-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-718-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-1243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-1520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4876 hbhnhb.exe 1928 lflflll.exe 3184 ttbtnn.exe 2500 lxrlfxr.exe 1180 tbbtnb.exe 244 7hhbtt.exe 5052 lffffxl.exe 4252 9btnhh.exe 1968 dvjvv.exe 1720 pjjjd.exe 4068 lxlrffr.exe 2016 thhthh.exe 4364 ddpdv.exe 3080 ddpjv.exe 2076 3rlfxrl.exe 4688 hntnbh.exe 3500 djpjp.exe 3404 rlxrffx.exe 544 tnnnhh.exe 4012 7dvpp.exe 1988 lrxrllf.exe 1524 1tnhbb.exe 4540 thnnhh.exe 4416 1vvpj.exe 2932 rxfxrrr.exe 4980 ttnbbb.exe 1456 dvvdd.exe 4852 pdjvp.exe 2312 5hhtnn.exe 1484 dpppp.exe 3968 thhhnn.exe 1808 flrlfff.exe 2104 thnnht.exe 864 3nhhnn.exe 448 fxrxxxx.exe 2112 bbnhhh.exe 3744 7vvpp.exe 1032 lfffxxx.exe 3296 htbttn.exe 3536 jjppp.exe 4536 xxrllrx.exe 1072 nbhbbn.exe 1532 nhnnnn.exe 3528 xfrrlrr.exe 4340 tnnbtt.exe 1816 vvvpv.exe 3976 ppdvp.exe 2408 frrlffx.exe 2280 xrfxffl.exe 2496 bthbhh.exe 4492 pjpjp.exe 3184 rlllfff.exe 4236 xfrlfxr.exe 2500 hhnnhh.exe 220 vvdjv.exe 4788 rllffxr.exe 4488 xxrlllf.exe 1028 hhtnhh.exe 3440 5jvvv.exe 1424 xlrfxlf.exe 2152 rrrxrff.exe 1060 nhnhnh.exe 1084 pjppp.exe 3228 rxfxrlf.exe -
resource yara_rule behavioral2/memory/1648-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4252-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4852-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/800-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2568-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-549-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-615-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-718-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-731-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxllxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1648 wrote to memory of 4876 1648 bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe 83 PID 1648 wrote to memory of 4876 1648 bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe 83 PID 1648 wrote to memory of 4876 1648 bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe 83 PID 4876 wrote to memory of 1928 4876 hbhnhb.exe 84 PID 4876 wrote to memory of 1928 4876 hbhnhb.exe 84 PID 4876 wrote to memory of 1928 4876 hbhnhb.exe 84 PID 1928 wrote to memory of 3184 1928 lflflll.exe 85 PID 1928 wrote to memory of 3184 1928 lflflll.exe 85 PID 1928 wrote to memory of 3184 1928 lflflll.exe 85 PID 3184 wrote to memory of 2500 3184 ttbtnn.exe 86 PID 3184 wrote to memory of 2500 3184 ttbtnn.exe 86 PID 3184 wrote to memory of 2500 3184 ttbtnn.exe 86 PID 2500 wrote to memory of 1180 2500 lxrlfxr.exe 87 PID 2500 wrote to memory of 1180 2500 lxrlfxr.exe 87 PID 2500 wrote to memory of 1180 2500 lxrlfxr.exe 87 PID 1180 wrote to memory of 244 1180 tbbtnb.exe 88 PID 1180 wrote to memory of 244 1180 tbbtnb.exe 88 PID 1180 wrote to memory of 244 1180 tbbtnb.exe 88 PID 244 wrote to memory of 5052 244 7hhbtt.exe 89 PID 244 wrote to memory of 5052 244 7hhbtt.exe 89 PID 244 wrote to memory of 5052 244 7hhbtt.exe 89 PID 5052 wrote to memory of 4252 5052 lffffxl.exe 90 PID 5052 wrote to memory of 4252 5052 lffffxl.exe 90 PID 5052 wrote to memory of 4252 5052 lffffxl.exe 90 PID 4252 wrote to memory of 1968 4252 9btnhh.exe 91 PID 4252 wrote to memory of 1968 4252 9btnhh.exe 91 PID 4252 wrote to memory of 1968 4252 9btnhh.exe 91 PID 1968 wrote to memory of 1720 1968 dvjvv.exe 92 PID 1968 wrote to memory of 1720 1968 dvjvv.exe 92 PID 1968 wrote to memory of 1720 1968 dvjvv.exe 92 PID 1720 wrote to memory of 4068 1720 pjjjd.exe 93 PID 1720 wrote to memory of 4068 1720 pjjjd.exe 93 PID 1720 wrote to memory of 4068 1720 pjjjd.exe 93 PID 4068 wrote to memory of 2016 4068 lxlrffr.exe 94 PID 4068 wrote to memory 
of 2016 4068 lxlrffr.exe 94 PID 4068 wrote to memory of 2016 4068 lxlrffr.exe 94 PID 2016 wrote to memory of 4364 2016 thhthh.exe 95 PID 2016 wrote to memory of 4364 2016 thhthh.exe 95 PID 2016 wrote to memory of 4364 2016 thhthh.exe 95 PID 4364 wrote to memory of 3080 4364 ddpdv.exe 96 PID 4364 wrote to memory of 3080 4364 ddpdv.exe 96 PID 4364 wrote to memory of 3080 4364 ddpdv.exe 96 PID 3080 wrote to memory of 2076 3080 ddpjv.exe 97 PID 3080 wrote to memory of 2076 3080 ddpjv.exe 97 PID 3080 wrote to memory of 2076 3080 ddpjv.exe 97 PID 2076 wrote to memory of 4688 2076 3rlfxrl.exe 98 PID 2076 wrote to memory of 4688 2076 3rlfxrl.exe 98 PID 2076 wrote to memory of 4688 2076 3rlfxrl.exe 98 PID 4688 wrote to memory of 3500 4688 hntnbh.exe 99 PID 4688 wrote to memory of 3500 4688 hntnbh.exe 99 PID 4688 wrote to memory of 3500 4688 hntnbh.exe 99 PID 3500 wrote to memory of 3404 3500 djpjp.exe 100 PID 3500 wrote to memory of 3404 3500 djpjp.exe 100 PID 3500 wrote to memory of 3404 3500 djpjp.exe 100 PID 3404 wrote to memory of 544 3404 rlxrffx.exe 101 PID 3404 wrote to memory of 544 3404 rlxrffx.exe 101 PID 3404 wrote to memory of 544 3404 rlxrffx.exe 101 PID 544 wrote to memory of 4012 544 tnnnhh.exe 102 PID 544 wrote to memory of 4012 544 tnnnhh.exe 102 PID 544 wrote to memory of 4012 544 tnnnhh.exe 102 PID 4012 wrote to memory of 1988 4012 7dvpp.exe 103 PID 4012 wrote to memory of 1988 4012 7dvpp.exe 103 PID 4012 wrote to memory of 1988 4012 7dvpp.exe 103 PID 1988 wrote to memory of 1524 1988 lrxrllf.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe"C:\Users\Admin\AppData\Local\Temp\bfd04583ef2bfe6024e186e2155d35f933f7c117131aec75a16746feb22ff379.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\hbhnhb.exec:\hbhnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\lflflll.exec:\lflflll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\ttbtnn.exec:\ttbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184 -
\??\c:\lxrlfxr.exec:\lxrlfxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2500 -
\??\c:\tbbtnb.exec:\tbbtnb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180 -
\??\c:\7hhbtt.exec:\7hhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:244 -
\??\c:\lffffxl.exec:\lffffxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\9btnhh.exec:\9btnhh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\dvjvv.exec:\dvjvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\pjjjd.exec:\pjjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\lxlrffr.exec:\lxlrffr.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\thhthh.exec:\thhthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\ddpdv.exec:\ddpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
\??\c:\ddpjv.exec:\ddpjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\3rlfxrl.exec:\3rlfxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\hntnbh.exec:\hntnbh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\djpjp.exec:\djpjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\rlxrffx.exec:\rlxrffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\tnnnhh.exec:\tnnnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\7dvpp.exec:\7dvpp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\lrxrllf.exec:\lrxrllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988 -
\??\c:\1tnhbb.exec:\1tnhbb.exe23⤵
- Executes dropped EXE
PID:1524 -
\??\c:\thnnhh.exec:\thnnhh.exe24⤵
- Executes dropped EXE
PID:4540 -
\??\c:\1vvpj.exec:\1vvpj.exe25⤵
- Executes dropped EXE
PID:4416 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe26⤵
- Executes dropped EXE
PID:2932 -
\??\c:\ttnbbb.exec:\ttnbbb.exe27⤵
- Executes dropped EXE
PID:4980 -
\??\c:\dvvdd.exec:\dvvdd.exe28⤵
- Executes dropped EXE
PID:1456 -
\??\c:\pdjvp.exec:\pdjvp.exe29⤵
- Executes dropped EXE
PID:4852 -
\??\c:\5hhtnn.exec:\5hhtnn.exe30⤵
- Executes dropped EXE
PID:2312 -
\??\c:\dpppp.exec:\dpppp.exe31⤵
- Executes dropped EXE
PID:1484 -
\??\c:\thhhnn.exec:\thhhnn.exe32⤵
- Executes dropped EXE
PID:3968 -
\??\c:\flrlfff.exec:\flrlfff.exe33⤵
- Executes dropped EXE
PID:1808 -
\??\c:\thnnht.exec:\thnnht.exe34⤵
- Executes dropped EXE
PID:2104 -
\??\c:\3nhhnn.exec:\3nhhnn.exe35⤵
- Executes dropped EXE
PID:864 -
\??\c:\fxrxxxx.exec:\fxrxxxx.exe36⤵
- Executes dropped EXE
PID:448 -
\??\c:\bbnhhh.exec:\bbnhhh.exe37⤵
- Executes dropped EXE
PID:2112 -
\??\c:\7vvpp.exec:\7vvpp.exe38⤵
- Executes dropped EXE
PID:3744 -
\??\c:\lfffxxx.exec:\lfffxxx.exe39⤵
- Executes dropped EXE
PID:1032 -
\??\c:\htbttn.exec:\htbttn.exe40⤵
- Executes dropped EXE
PID:3296 -
\??\c:\jjppp.exec:\jjppp.exe41⤵
- Executes dropped EXE
PID:3536 -
\??\c:\xxrllrx.exec:\xxrllrx.exe42⤵
- Executes dropped EXE
PID:4536 -
\??\c:\nbhbbn.exec:\nbhbbn.exe43⤵
- Executes dropped EXE
PID:1072 -
\??\c:\nhnnnn.exec:\nhnnnn.exe44⤵
- Executes dropped EXE
PID:1532 -
\??\c:\xfrrlrr.exec:\xfrrlrr.exe45⤵
- Executes dropped EXE
PID:3528 -
\??\c:\tnnbtt.exec:\tnnbtt.exe46⤵
- Executes dropped EXE
PID:4340 -
\??\c:\vvvpv.exec:\vvvpv.exe47⤵
- Executes dropped EXE
PID:1816 -
\??\c:\ppdvp.exec:\ppdvp.exe48⤵
- Executes dropped EXE
PID:3976 -
\??\c:\frrlffx.exec:\frrlffx.exe49⤵
- Executes dropped EXE
PID:2408 -
\??\c:\xrfxffl.exec:\xrfxffl.exe50⤵
- Executes dropped EXE
PID:2280 -
\??\c:\bthbhh.exec:\bthbhh.exe51⤵
- Executes dropped EXE
PID:2496 -
\??\c:\pjpjp.exec:\pjpjp.exe52⤵
- Executes dropped EXE
PID:4492 -
\??\c:\rlllfff.exec:\rlllfff.exe53⤵
- Executes dropped EXE
PID:3184 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe54⤵
- Executes dropped EXE
PID:4236 -
\??\c:\hhnnhh.exec:\hhnnhh.exe55⤵
- Executes dropped EXE
PID:2500 -
\??\c:\vvdjv.exec:\vvdjv.exe56⤵
- Executes dropped EXE
PID:220 -
\??\c:\rllffxr.exec:\rllffxr.exe57⤵
- Executes dropped EXE
PID:4788 -
\??\c:\xxrlllf.exec:\xxrlllf.exe58⤵
- Executes dropped EXE
PID:4488 -
\??\c:\hhtnhh.exec:\hhtnhh.exe59⤵
- Executes dropped EXE
PID:1028 -
\??\c:\5jvvv.exec:\5jvvv.exe60⤵
- Executes dropped EXE
PID:3440 -
\??\c:\xlrfxlf.exec:\xlrfxlf.exe61⤵
- Executes dropped EXE
PID:1424 -
\??\c:\rrrxrff.exec:\rrrxrff.exe62⤵
- Executes dropped EXE
PID:2152 -
\??\c:\nhnhnh.exec:\nhnhnh.exe63⤵
- Executes dropped EXE
PID:1060 -
\??\c:\pjppp.exec:\pjppp.exe64⤵
- Executes dropped EXE
PID:1084 -
\??\c:\rxfxrlf.exec:\rxfxrlf.exe65⤵
- Executes dropped EXE
PID:3228 -
\??\c:\rfrrrll.exec:\rfrrrll.exe66⤵PID:3708
-
\??\c:\hbnhbb.exec:\hbnhbb.exe67⤵PID:4328
-
\??\c:\jjjvp.exec:\jjjvp.exe68⤵PID:4300
-
\??\c:\rlxxlfx.exec:\rlxxlfx.exe69⤵PID:800
-
\??\c:\htbttt.exec:\htbttt.exe70⤵PID:3068
-
\??\c:\thnhtt.exec:\thnhtt.exe71⤵PID:832
-
\??\c:\3ddvv.exec:\3ddvv.exe72⤵PID:2756
-
\??\c:\ffxrxxr.exec:\ffxrxxr.exe73⤵PID:4532
-
\??\c:\ttnhhh.exec:\ttnhhh.exe74⤵PID:3500
-
\??\c:\pdjjv.exec:\pdjjv.exe75⤵PID:2512
-
\??\c:\1rfxllx.exec:\1rfxllx.exe76⤵PID:2184
-
\??\c:\nbbhth.exec:\nbbhth.exe77⤵PID:4992
-
\??\c:\pvdvj.exec:\pvdvj.exe78⤵PID:3188
-
\??\c:\jdjvp.exec:\jdjvp.exe79⤵PID:1480
-
\??\c:\rlxrrlf.exec:\rlxrrlf.exe80⤵PID:548
-
\??\c:\nhbtnn.exec:\nhbtnn.exe81⤵PID:3384
-
\??\c:\vppdp.exec:\vppdp.exe82⤵PID:1640
-
\??\c:\7fxrllf.exec:\7fxrllf.exe83⤵PID:4396
-
\??\c:\nhtntt.exec:\nhtntt.exe84⤵PID:3456
-
\??\c:\pjdpj.exec:\pjdpj.exe85⤵PID:3480
-
\??\c:\pdddp.exec:\pdddp.exe86⤵PID:1044
-
\??\c:\fxfxrll.exec:\fxfxrll.exe87⤵PID:4980
-
\??\c:\hhhtht.exec:\hhhtht.exe88⤵PID:3524
-
\??\c:\dppjj.exec:\dppjj.exe89⤵PID:4820
-
\??\c:\jvdpj.exec:\jvdpj.exe90⤵PID:4852
-
\??\c:\rxlxrrl.exec:\rxlxrrl.exe91⤵PID:1848
-
\??\c:\tttnhh.exec:\tttnhh.exe92⤵PID:3088
-
\??\c:\hnthtn.exec:\hnthtn.exe93⤵PID:2568
-
\??\c:\vdjdp.exec:\vdjdp.exe94⤵PID:3164
-
\??\c:\lxfrrrl.exec:\lxfrrrl.exe95⤵PID:3264
-
\??\c:\3xrlfrl.exec:\3xrlfrl.exe96⤵PID:4332
-
\??\c:\ntbnhb.exec:\ntbnhb.exe97⤵PID:1336
-
\??\c:\pdvjd.exec:\pdvjd.exe98⤵PID:448
-
\??\c:\rflffxr.exec:\rflffxr.exe99⤵PID:4824
-
\??\c:\tntnhb.exec:\tntnhb.exe100⤵PID:4936
-
\??\c:\pjpjp.exec:\pjpjp.exe101⤵PID:3716
-
\??\c:\7jpvj.exec:\7jpvj.exe102⤵PID:3296
-
\??\c:\hbnhbt.exec:\hbnhbt.exe103⤵PID:3536
-
\??\c:\bhnhbt.exec:\bhnhbt.exe104⤵PID:4536
-
\??\c:\vvvvp.exec:\vvvvp.exe105⤵PID:1072
-
\??\c:\lfffrrx.exec:\lfffrrx.exe106⤵PID:2976
-
\??\c:\lxfxrlf.exec:\lxfxrlf.exe107⤵PID:4604
-
\??\c:\nbhhhb.exec:\nbhhhb.exe108⤵PID:5008
-
\??\c:\dddvv.exec:\dddvv.exe109⤵PID:1816
-
\??\c:\lrxrxrx.exec:\lrxrxrx.exe110⤵PID:2044
-
\??\c:\btbbtt.exec:\btbbtt.exe111⤵PID:3292
-
\??\c:\bhnhhb.exec:\bhnhhb.exe112⤵PID:3452
-
\??\c:\dddvj.exec:\dddvj.exe113⤵PID:2496
-
\??\c:\frlllff.exec:\frlllff.exe114⤵PID:4056
-
\??\c:\bnbtnt.exec:\bnbtnt.exe115⤵PID:1924
-
\??\c:\hntthh.exec:\hntthh.exe116⤵PID:4812
-
\??\c:\jpvjj.exec:\jpvjj.exe117⤵PID:1180
-
\??\c:\3xrlfff.exec:\3xrlfff.exe118⤵PID:4764
-
\??\c:\nbhbtn.exec:\nbhbtn.exe119⤵PID:1868
-
\??\c:\nthbnn.exec:\nthbnn.exe120⤵PID:3680
-
\??\c:\jdppp.exec:\jdppp.exe121⤵PID:1664
-
\??\c:\xflfxrl.exec:\xflfxrl.exe122⤵PID:5104
-