Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
11-01-2025 06:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53.exe
-
Size
454KB
-
MD5
ff3b153115e8d447f337f367fce1b628
-
SHA1
e289c693a86aa23fd1e9eea67777514601ad3b4c
-
SHA256
1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53
-
SHA512
87ecbb6608e95cfd3ce3f44cac33fd7e5f81ac94a3d624860df6305af05a8efb4782351b601fd31bc3583b4173561ce0aae75a76430614b15217ded966a7853e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe11:q7Tc2NYHUrAwfMp3CD11
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3820-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1084-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1208-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/552-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3048-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/536-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-519-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-661-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-765-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-773-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-1407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-1476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1444 nhbthb.exe 4220 lfxrlfr.exe 2016 hbbtnh.exe 1548 pddvp.exe 4884 vvdpj.exe 4820 tbtnhh.exe 3060 xflrxfl.exe 1600 9vpjv.exe 3372 lxxlflx.exe 3608 vvpjd.exe 3172 xflrlxf.exe 876 tnhtnh.exe 2696 dpjdp.exe 116 nhhtnh.exe 760 rfxxrxr.exe 836 hbbnnn.exe 4368 pjdvv.exe 4012 lfllrrx.exe 840 1tbbbb.exe 3544 pdpdj.exe 896 rflfrrl.exe 3436 vppjd.exe 828 7fffrxx.exe 1236 jvdvd.exe 1544 bntthb.exe 2532 rrlfrlx.exe 4900 3nnnbt.exe 4864 7vjvp.exe 1436 thnhbb.exe 1648 vvjdp.exe 1084 1xlxlfx.exe 2940 jvjdp.exe 1060 7xxlxrl.exe 1392 rlrlxfx.exe 3868 tntttt.exe 3628 9jjvp.exe 1640 flfrlff.exe 4608 7nbhtn.exe 4072 vvvpp.exe 2872 ddpvj.exe 1616 rlfxrlx.exe 1460 tthtnh.exe 220 dvjvj.exe 4136 lxrllff.exe 432 bnhtnn.exe 1300 hnhbtn.exe 620 pvdvp.exe 1248 tthtnh.exe 1088 3bbthh.exe 2360 vpvjd.exe 3600 rrfxxrl.exe 3176 bbtnhh.exe 1208 dppjd.exe 2604 xffrlfx.exe 4248 bbhhhn.exe 4216 ppvpd.exe 4820 xfrrffr.exe 5084 fllfrlf.exe 552 thntnt.exe 968 dppdp.exe 3948 5dvdv.exe 792 1rxlllf.exe 8 bnhbnh.exe 3048 5vdvd.exe -
resource yara_rule behavioral2/memory/3820-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2016-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-182-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2940-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1208-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/552-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3048-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-337-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4160-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-661-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-695-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-765-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-766-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhtnh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1llxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tntht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3820 wrote to memory of 1444 3820 1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53.exe 82 PID 3820 wrote to memory of 1444 3820 1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53.exe 82 PID 3820 wrote to memory of 1444 3820 1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53.exe 82 PID 1444 wrote to memory of 4220 1444 nhbthb.exe 83 PID 1444 wrote to memory of 4220 1444 nhbthb.exe 83 PID 1444 wrote to memory of 4220 1444 nhbthb.exe 83 PID 4220 wrote to memory of 2016 4220 lfxrlfr.exe 84 PID 4220 wrote to memory of 2016 4220 lfxrlfr.exe 84 PID 4220 wrote to memory of 2016 4220 lfxrlfr.exe 84 PID 2016 wrote to memory of 1548 2016 hbbtnh.exe 85 PID 2016 wrote to memory of 1548 2016 hbbtnh.exe 85 PID 2016 wrote to memory of 1548 2016 hbbtnh.exe 85 PID 1548 wrote to memory of 4884 1548 pddvp.exe 86 PID 1548 wrote to memory of 4884 1548 pddvp.exe 86 PID 1548 wrote to memory of 4884 1548 pddvp.exe 86 PID 4884 wrote to memory of 4820 4884 vvdpj.exe 87 PID 4884 wrote to memory of 4820 4884 vvdpj.exe 87 PID 4884 wrote to memory of 4820 4884 vvdpj.exe 87 PID 4820 wrote to memory of 3060 4820 tbtnhh.exe 88 PID 4820 wrote to memory of 3060 4820 tbtnhh.exe 88 PID 4820 wrote to memory of 3060 4820 tbtnhh.exe 88 PID 3060 wrote to memory of 1600 3060 xflrxfl.exe 89 PID 3060 wrote to memory of 1600 3060 xflrxfl.exe 89 PID 3060 wrote to memory of 1600 3060 xflrxfl.exe 89 PID 1600 wrote to memory of 3372 1600 9vpjv.exe 90 PID 1600 wrote to memory of 3372 1600 9vpjv.exe 90 PID 1600 wrote to memory of 3372 1600 9vpjv.exe 90 PID 3372 wrote to memory of 3608 3372 lxxlflx.exe 91 PID 3372 wrote to memory of 3608 3372 lxxlflx.exe 91 PID 3372 wrote to memory of 3608 3372 lxxlflx.exe 91 PID 3608 wrote to memory of 3172 3608 vvpjd.exe 92 PID 3608 wrote to memory of 3172 3608 vvpjd.exe 92 PID 3608 wrote to memory of 3172 3608 vvpjd.exe 92 PID 3172 wrote to memory of 876 3172 xflrlxf.exe 93 PID 3172 wrote to 
memory of 876 3172 xflrlxf.exe 93 PID 3172 wrote to memory of 876 3172 xflrlxf.exe 93 PID 876 wrote to memory of 2696 876 tnhtnh.exe 94 PID 876 wrote to memory of 2696 876 tnhtnh.exe 94 PID 876 wrote to memory of 2696 876 tnhtnh.exe 94 PID 2696 wrote to memory of 116 2696 dpjdp.exe 95 PID 2696 wrote to memory of 116 2696 dpjdp.exe 95 PID 2696 wrote to memory of 116 2696 dpjdp.exe 95 PID 116 wrote to memory of 760 116 nhhtnh.exe 96 PID 116 wrote to memory of 760 116 nhhtnh.exe 96 PID 116 wrote to memory of 760 116 nhhtnh.exe 96 PID 760 wrote to memory of 836 760 rfxxrxr.exe 97 PID 760 wrote to memory of 836 760 rfxxrxr.exe 97 PID 760 wrote to memory of 836 760 rfxxrxr.exe 97 PID 836 wrote to memory of 4368 836 hbbnnn.exe 98 PID 836 wrote to memory of 4368 836 hbbnnn.exe 98 PID 836 wrote to memory of 4368 836 hbbnnn.exe 98 PID 4368 wrote to memory of 4012 4368 pjdvv.exe 99 PID 4368 wrote to memory of 4012 4368 pjdvv.exe 99 PID 4368 wrote to memory of 4012 4368 pjdvv.exe 99 PID 4012 wrote to memory of 840 4012 lfllrrx.exe 100 PID 4012 wrote to memory of 840 4012 lfllrrx.exe 100 PID 4012 wrote to memory of 840 4012 lfllrrx.exe 100 PID 840 wrote to memory of 3544 840 1tbbbb.exe 101 PID 840 wrote to memory of 3544 840 1tbbbb.exe 101 PID 840 wrote to memory of 3544 840 1tbbbb.exe 101 PID 3544 wrote to memory of 896 3544 pdpdj.exe 102 PID 3544 wrote to memory of 896 3544 pdpdj.exe 102 PID 3544 wrote to memory of 896 3544 pdpdj.exe 102 PID 896 wrote to memory of 3436 896 rflfrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53.exe"C:\Users\Admin\AppData\Local\Temp\1c04fbda54fae00586dde576da10ec87044d94d2f4209c984c69d7ceada7fb53.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\nhbthb.exec:\nhbthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\lfxrlfr.exec:\lfxrlfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\hbbtnh.exec:\hbbtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
\??\c:\pddvp.exec:\pddvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\vvdpj.exec:\vvdpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\tbtnhh.exec:\tbtnhh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\xflrxfl.exec:\xflrxfl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060 -
\??\c:\9vpjv.exec:\9vpjv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\lxxlflx.exec:\lxxlflx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\vvpjd.exec:\vvpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3608 -
\??\c:\xflrlxf.exec:\xflrlxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\tnhtnh.exec:\tnhtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
\??\c:\dpjdp.exec:\dpjdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\nhhtnh.exec:\nhhtnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\rfxxrxr.exec:\rfxxrxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\hbbnnn.exec:\hbbnnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:836 -
\??\c:\pjdvv.exec:\pjdvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\lfllrrx.exec:\lfllrrx.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\1tbbbb.exec:\1tbbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\pdpdj.exec:\pdpdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\rflfrrl.exec:\rflfrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896 -
\??\c:\vppjd.exec:\vppjd.exe23⤵
- Executes dropped EXE
PID:3436 -
\??\c:\7fffrxx.exec:\7fffrxx.exe24⤵
- Executes dropped EXE
PID:828 -
\??\c:\jvdvd.exec:\jvdvd.exe25⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bntthb.exec:\bntthb.exe26⤵
- Executes dropped EXE
PID:1544 -
\??\c:\rrlfrlx.exec:\rrlfrlx.exe27⤵
- Executes dropped EXE
PID:2532 -
\??\c:\3nnnbt.exec:\3nnnbt.exe28⤵
- Executes dropped EXE
PID:4900 -
\??\c:\7vjvp.exec:\7vjvp.exe29⤵
- Executes dropped EXE
PID:4864 -
\??\c:\thnhbb.exec:\thnhbb.exe30⤵
- Executes dropped EXE
PID:1436 -
\??\c:\vvjdp.exec:\vvjdp.exe31⤵
- Executes dropped EXE
PID:1648 -
\??\c:\1xlxlfx.exec:\1xlxlfx.exe32⤵
- Executes dropped EXE
PID:1084 -
\??\c:\jvjdp.exec:\jvjdp.exe33⤵
- Executes dropped EXE
PID:2940 -
\??\c:\7xxlxrl.exec:\7xxlxrl.exe34⤵
- Executes dropped EXE
PID:1060 -
\??\c:\rlrlxfx.exec:\rlrlxfx.exe35⤵
- Executes dropped EXE
PID:1392 -
\??\c:\tntttt.exec:\tntttt.exe36⤵
- Executes dropped EXE
PID:3868 -
\??\c:\9jjvp.exec:\9jjvp.exe37⤵
- Executes dropped EXE
PID:3628 -
\??\c:\flfrlff.exec:\flfrlff.exe38⤵
- Executes dropped EXE
PID:1640 -
\??\c:\7nbhtn.exec:\7nbhtn.exe39⤵
- Executes dropped EXE
PID:4608 -
\??\c:\vvvpp.exec:\vvvpp.exe40⤵
- Executes dropped EXE
PID:4072 -
\??\c:\ddpvj.exec:\ddpvj.exe41⤵
- Executes dropped EXE
PID:2872 -
\??\c:\rlfxrlx.exec:\rlfxrlx.exe42⤵
- Executes dropped EXE
PID:1616 -
\??\c:\tthtnh.exec:\tthtnh.exe43⤵
- Executes dropped EXE
PID:1460 -
\??\c:\dvjvj.exec:\dvjvj.exe44⤵
- Executes dropped EXE
PID:220 -
\??\c:\lxrllff.exec:\lxrllff.exe45⤵
- Executes dropped EXE
PID:4136 -
\??\c:\bnhtnn.exec:\bnhtnn.exe46⤵
- Executes dropped EXE
PID:432 -
\??\c:\hnhbtn.exec:\hnhbtn.exe47⤵
- Executes dropped EXE
PID:1300 -
\??\c:\pvdvp.exec:\pvdvp.exe48⤵
- Executes dropped EXE
PID:620 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe49⤵PID:4980
-
\??\c:\tthtnh.exec:\tthtnh.exe50⤵
- Executes dropped EXE
PID:1248 -
\??\c:\3bbthh.exec:\3bbthh.exe51⤵
- Executes dropped EXE
PID:1088 -
\??\c:\vpvjd.exec:\vpvjd.exe52⤵
- Executes dropped EXE
PID:2360 -
\??\c:\rrfxxrl.exec:\rrfxxrl.exe53⤵
- Executes dropped EXE
PID:3600 -
\??\c:\bbtnhh.exec:\bbtnhh.exe54⤵
- Executes dropped EXE
PID:3176 -
\??\c:\dppjd.exec:\dppjd.exe55⤵
- Executes dropped EXE
PID:1208 -
\??\c:\xffrlfx.exec:\xffrlfx.exe56⤵
- Executes dropped EXE
PID:2604 -
\??\c:\bbhhhn.exec:\bbhhhn.exe57⤵
- Executes dropped EXE
PID:4248 -
\??\c:\ppvpd.exec:\ppvpd.exe58⤵
- Executes dropped EXE
PID:4216 -
\??\c:\xfrrffr.exec:\xfrrffr.exe59⤵
- Executes dropped EXE
PID:4820 -
\??\c:\fllfrlf.exec:\fllfrlf.exe60⤵
- Executes dropped EXE
PID:5084 -
\??\c:\thntnt.exec:\thntnt.exe61⤵
- Executes dropped EXE
PID:552 -
\??\c:\dppdp.exec:\dppdp.exe62⤵
- Executes dropped EXE
PID:968 -
\??\c:\5dvdv.exec:\5dvdv.exe63⤵
- Executes dropped EXE
PID:3948 -
\??\c:\1rxlllf.exec:\1rxlllf.exe64⤵
- Executes dropped EXE
PID:792 -
\??\c:\bnhbnh.exec:\bnhbnh.exe65⤵
- Executes dropped EXE
PID:8 -
\??\c:\5vdvd.exec:\5vdvd.exe66⤵
- Executes dropped EXE
PID:3048 -
\??\c:\frfflxl.exec:\frfflxl.exe67⤵PID:2040
-
\??\c:\7nnbtt.exec:\7nnbtt.exe68⤵PID:3380
-
\??\c:\9bbnhb.exec:\9bbnhb.exe69⤵PID:3216
-
\??\c:\vjjdp.exec:\vjjdp.exe70⤵PID:2120
-
\??\c:\1xrfrlx.exec:\1xrfrlx.exe71⤵PID:1756
-
\??\c:\htthbt.exec:\htthbt.exe72⤵PID:4292
-
\??\c:\bnnhtn.exec:\bnnhtn.exe73⤵PID:2400
-
\??\c:\jvdpd.exec:\jvdpd.exe74⤵PID:4368
-
\??\c:\xflfrrl.exec:\xflfrrl.exe75⤵PID:1916
-
\??\c:\bthbbh.exec:\bthbbh.exe76⤵PID:1808
-
\??\c:\jvddj.exec:\jvddj.exe77⤵PID:4228
-
\??\c:\xffxxrl.exec:\xffxxrl.exe78⤵PID:3544
-
\??\c:\flrlllf.exec:\flrlllf.exe79⤵PID:524
-
\??\c:\bbbbbb.exec:\bbbbbb.exe80⤵PID:1948
-
\??\c:\pvdvp.exec:\pvdvp.exe81⤵PID:376
-
\??\c:\1rxrlll.exec:\1rxrlll.exe82⤵PID:536
-
\??\c:\9xxrlll.exec:\9xxrlll.exe83⤵PID:1932
-
\??\c:\1hbthb.exec:\1hbthb.exe84⤵PID:1184
-
\??\c:\pjjjv.exec:\pjjjv.exe85⤵PID:1528
-
\??\c:\fxrrfxx.exec:\fxrrfxx.exe86⤵PID:1388
-
\??\c:\nhhnhb.exec:\nhhnhb.exe87⤵PID:1328
-
\??\c:\hbhnhn.exec:\hbhnhn.exe88⤵PID:1196
-
\??\c:\pppjv.exec:\pppjv.exe89⤵PID:4576
-
\??\c:\lxxrrll.exec:\lxxrrll.exe90⤵PID:1672
-
\??\c:\1ttbtt.exec:\1ttbtt.exe91⤵PID:2372
-
\??\c:\vvpdd.exec:\vvpdd.exe92⤵PID:2140
-
\??\c:\vppjj.exec:\vppjj.exe93⤵PID:4524
-
\??\c:\xffrflf.exec:\xffrflf.exe94⤵PID:4160
-
\??\c:\bhnhtt.exec:\bhnhtt.exe95⤵PID:4592
-
\??\c:\7hnthn.exec:\7hnthn.exe96⤵PID:4600
-
\??\c:\jpvvp.exec:\jpvvp.exe97⤵PID:3704
-
\??\c:\7frfxrl.exec:\7frfxrl.exe98⤵PID:1512
-
\??\c:\1lfxrlf.exec:\1lfxrlf.exe99⤵PID:4472
-
\??\c:\tnhthb.exec:\tnhthb.exe100⤵PID:3084
-
\??\c:\jjjdp.exec:\jjjdp.exe101⤵PID:700
-
\??\c:\7fxrllr.exec:\7fxrllr.exe102⤵PID:4172
-
\??\c:\htnbtn.exec:\htnbtn.exe103⤵PID:4964
-
\??\c:\5vpjd.exec:\5vpjd.exe104⤵PID:3824
-
\??\c:\vdvdj.exec:\vdvdj.exe105⤵PID:1128
-
\??\c:\3rfxxrl.exec:\3rfxxrl.exe106⤵PID:4320
-
\??\c:\5nthnn.exec:\5nthnn.exe107⤵PID:4044
-
\??\c:\htbbnn.exec:\htbbnn.exe108⤵PID:3580
-
\??\c:\5pdvp.exec:\5pdvp.exe109⤵PID:4336
-
\??\c:\3jvjv.exec:\3jvjv.exe110⤵PID:804
-
\??\c:\flfxrlf.exec:\flfxrlf.exe111⤵PID:3872
-
\??\c:\btbtnh.exec:\btbtnh.exe112⤵PID:2432
-
\??\c:\djpdv.exec:\djpdv.exe113⤵PID:1140
-
\??\c:\rfxrllf.exec:\rfxrllf.exe114⤵PID:4220
-
\??\c:\djpjd.exec:\djpjd.exe115⤵PID:3988
-
\??\c:\rxfxrrl.exec:\rxfxrrl.exe116⤵PID:224
-
\??\c:\5jjdv.exec:\5jjdv.exe117⤵PID:508
-
\??\c:\ddjvj.exec:\ddjvj.exe118⤵PID:3488
-
\??\c:\5ffxrxx.exec:\5ffxrxx.exe119⤵PID:2640
-
\??\c:\hbthth.exec:\hbthth.exe120⤵PID:4840
-
\??\c:\jvdvv.exec:\jvdvv.exe121⤵PID:2680
-
\??\c:\jvvpp.exec:\jvvpp.exe122⤵PID:4484