Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250217-en locale:en-us os:windows10-2004-x64 system -
submitted
18-02-2025 08:05
Behavioral task
behavioral1
Sample
f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927.exe
-
Size
335KB
-
MD5
9555f090ec71b56bf780b5264bcf0ea6
-
SHA1
c910e2cf869a55315104e8a9a0a64563e5f09714
-
SHA256
f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927
-
SHA512
a3d8cf45bfb0e85204daf681d1fe6340dccee283bd6e2862e63480e2852af9c41d524e1f9b895169bcfeded6474f79131073b686b61dd6a900c48c7c5da885e5
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbe7:R4wFHoSHYHUrAwfMp3CD7
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3836-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1812-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/512-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3672-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2828-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4928-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4500-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2688-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4828-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5008-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3272-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2376-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3488-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1236-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3832-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1860-185-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3384-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2560-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1876-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3860-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1528-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2640-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/844-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2124-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4120-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1816-294-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2636-297-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-314-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/768-325-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4704-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-348-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3528-367-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3008-398-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1044-421-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/916-426-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1944-433-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1820-502-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/948-509-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2216-586-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3212-590-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1328-601-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3504-782-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3424 7bnbtn.exe 4144 frxxlfr.exe 1112 1bbtnn.exe 3168 7rrfrfx.exe 3592 nnbttn.exe 512 1ffxrlf.exe 1812 hbtnnh.exe 1728 hbbtnb.exe 3672 pdvvp.exe 844 dddvp.exe 684 ffxrlfx.exe 2828 lfxlxlf.exe 4928 jjvpj.exe 4500 fffxlfx.exe 2688 pppjj.exe 1532 ttttnt.exe 4828 hbbttn.exe 2784 xrrrrrr.exe 4184 jdjvp.exe 2660 xllfxxr.exe 4640 rffxxxf.exe 1284 jjdvv.exe 1960 lfxrrrr.exe 5008 nhtnnb.exe 4688 vjvpj.exe 4740 htbtnh.exe 676 bthbtt.exe 4076 hbnhbb.exe 2020 7jpjp.exe 1328 5lrlflf.exe 1480 tnnbtt.exe 4008 hbbnbh.exe 3272 vpdvv.exe 3636 7rrlxxr.exe 2376 hbbtnh.exe 3488 vpjvp.exe 2556 rxfxrrf.exe 4624 hbnnnh.exe 1116 vjddp.exe 3824 jjpdv.exe 1236 ffxrffx.exe 2360 bthbbt.exe 3832 dvvdv.exe 60 frflllx.exe 1860 1bhtnn.exe 3384 dvvpj.exe 3504 5xrlfrl.exe 4612 tbtnhn.exe 3096 tnbtth.exe 2560 dppjv.exe 4980 rlrrrrl.exe 1820 tntntn.exe 4244 vjppj.exe 1112 pppvp.exe 3168 lllfrxr.exe 2236 9dddd.exe 2428 pdpjj.exe 2976 rfrlrlf.exe 1876 hbttnn.exe 3860 htntbb.exe 1528 vjpjp.exe 1040 5lrlrrr.exe 3456 1tnnhn.exe 2640 bntnnh.exe -
resource yara_rule behavioral2/memory/3836-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bdf-3.dat upx behavioral2/memory/3836-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c3b-10.dat upx behavioral2/memory/3424-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c3e-11.dat upx behavioral2/memory/1112-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4144-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c3f-19.dat upx behavioral2/memory/1112-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c40-24.dat upx behavioral2/memory/3168-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c41-29.dat upx behavioral2/memory/3592-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c42-34.dat upx behavioral2/files/0x000a000000023c43-41.dat upx behavioral2/memory/1812-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/512-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c44-44.dat upx behavioral2/files/0x000a000000023c45-48.dat upx behavioral2/memory/3672-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c46-53.dat upx behavioral2/memory/844-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c47-59.dat upx behavioral2/files/0x000a000000023c49-63.dat upx behavioral2/memory/2828-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c4b-67.dat upx behavioral2/memory/4928-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4500-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023b5d-73.dat upx 
behavioral2/memory/4500-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2688-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c48-79.dat upx behavioral2/files/0x000b000000023c3c-84.dat upx behavioral2/files/0x000b000000023c4c-87.dat upx behavioral2/memory/4828-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c4d-92.dat upx behavioral2/files/0x000a000000023c4e-96.dat upx behavioral2/files/0x000a000000023c4f-100.dat upx behavioral2/files/0x000a000000023c50-104.dat upx behavioral2/files/0x000a000000023c51-108.dat upx behavioral2/memory/1284-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c55-119.dat upx behavioral2/memory/5008-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1960-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c54-114.dat upx behavioral2/files/0x000a000000023c56-123.dat upx behavioral2/memory/4740-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023c57-127.dat upx behavioral2/files/0x000c000000023c58-132.dat upx behavioral2/files/0x000a000000023c59-136.dat upx behavioral2/files/0x000a000000023c61-140.dat upx behavioral2/memory/2020-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0012000000023c6e-145.dat upx behavioral2/files/0x0008000000023c70-149.dat upx behavioral2/memory/3272-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3636-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2376-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3488-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1236-175-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3832-180-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1860-185-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3384-188-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2560-197-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3836 wrote to memory of 3424 3836 f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927.exe 81 PID 3836 wrote to memory of 3424 3836 f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927.exe 81 PID 3836 wrote to memory of 3424 3836 f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927.exe 81 PID 3424 wrote to memory of 4144 3424 7bnbtn.exe 82 PID 3424 wrote to memory of 4144 3424 7bnbtn.exe 82 PID 3424 wrote to memory of 4144 3424 7bnbtn.exe 82 PID 4144 wrote to memory of 1112 4144 frxxlfr.exe 84 PID 4144 wrote to memory of 1112 4144 frxxlfr.exe 84 PID 4144 wrote to memory of 1112 4144 frxxlfr.exe 84 PID 1112 wrote to memory of 3168 1112 1bbtnn.exe 86 PID 1112 wrote to memory of 3168 1112 1bbtnn.exe 86 PID 1112 wrote to memory of 3168 1112 1bbtnn.exe 86 PID 3168 wrote to memory of 3592 3168 7rrfrfx.exe 87 PID 3168 wrote to memory of 3592 3168 7rrfrfx.exe 87 PID 3168 wrote to memory of 3592 3168 7rrfrfx.exe 87 PID 3592 wrote to memory of 512 3592 nnbttn.exe 89 PID 3592 wrote to memory of 512 3592 nnbttn.exe 89 PID 3592 wrote to memory of 512 3592 nnbttn.exe 89 PID 512 wrote to memory of 1812 512 1ffxrlf.exe 90 PID 512 wrote to memory of 1812 512 1ffxrlf.exe 90 PID 512 wrote to memory of 1812 512 1ffxrlf.exe 90 PID 1812 wrote to memory of 1728 1812 hbtnnh.exe 91 PID 1812 wrote to memory of 1728 1812 hbtnnh.exe 91 PID 1812 wrote to memory of 1728 1812 hbtnnh.exe 91 PID 1728 wrote to memory of 3672 1728 hbbtnb.exe 92 PID 1728 wrote to memory of 3672 1728 hbbtnb.exe 92 PID 1728 wrote to memory of 3672 1728 hbbtnb.exe 92 PID 3672 wrote to memory of 844 3672 pdvvp.exe 93 PID 3672 wrote to memory of 844 3672 pdvvp.exe 93 PID 3672 wrote to memory of 844 3672 pdvvp.exe 93 PID 844 wrote to memory of 684 844 dddvp.exe 94 PID 844 wrote to memory of 684 844 dddvp.exe 94 PID 844 wrote to memory of 684 844 dddvp.exe 94 PID 684 wrote to memory of 2828 684 ffxrlfx.exe 95 PID 684 wrote to memory of 2828 684 
ffxrlfx.exe 95 PID 684 wrote to memory of 2828 684 ffxrlfx.exe 95 PID 2828 wrote to memory of 4928 2828 lfxlxlf.exe 96 PID 2828 wrote to memory of 4928 2828 lfxlxlf.exe 96 PID 2828 wrote to memory of 4928 2828 lfxlxlf.exe 96 PID 4928 wrote to memory of 4500 4928 jjvpj.exe 97 PID 4928 wrote to memory of 4500 4928 jjvpj.exe 97 PID 4928 wrote to memory of 4500 4928 jjvpj.exe 97 PID 4500 wrote to memory of 2688 4500 fffxlfx.exe 98 PID 4500 wrote to memory of 2688 4500 fffxlfx.exe 98 PID 4500 wrote to memory of 2688 4500 fffxlfx.exe 98 PID 2688 wrote to memory of 1532 2688 pppjj.exe 99 PID 2688 wrote to memory of 1532 2688 pppjj.exe 99 PID 2688 wrote to memory of 1532 2688 pppjj.exe 99 PID 1532 wrote to memory of 4828 1532 ttttnt.exe 100 PID 1532 wrote to memory of 4828 1532 ttttnt.exe 100 PID 1532 wrote to memory of 4828 1532 ttttnt.exe 100 PID 4828 wrote to memory of 2784 4828 hbbttn.exe 101 PID 4828 wrote to memory of 2784 4828 hbbttn.exe 101 PID 4828 wrote to memory of 2784 4828 hbbttn.exe 101 PID 2784 wrote to memory of 4184 2784 xrrrrrr.exe 102 PID 2784 wrote to memory of 4184 2784 xrrrrrr.exe 102 PID 2784 wrote to memory of 4184 2784 xrrrrrr.exe 102 PID 4184 wrote to memory of 2660 4184 jdjvp.exe 103 PID 4184 wrote to memory of 2660 4184 jdjvp.exe 103 PID 4184 wrote to memory of 2660 4184 jdjvp.exe 103 PID 2660 wrote to memory of 4640 2660 xllfxxr.exe 104 PID 2660 wrote to memory of 4640 2660 xllfxxr.exe 104 PID 2660 wrote to memory of 4640 2660 xllfxxr.exe 104 PID 4640 wrote to memory of 1284 4640 rffxxxf.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927.exe"C:\Users\Admin\AppData\Local\Temp\f4ea32fece5631143df1f6e9f53fe741ac26d7ee73a038e1a30389000629d927.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\7bnbtn.exec:\7bnbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\frxxlfr.exec:\frxxlfr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\1bbtnn.exec:\1bbtnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\7rrfrfx.exec:\7rrfrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\nnbttn.exec:\nnbttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\1ffxrlf.exec:\1ffxrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\hbtnnh.exec:\hbtnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\hbbtnb.exec:\hbbtnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1728 -
\??\c:\pdvvp.exec:\pdvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\dddvp.exec:\dddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:844 -
\??\c:\ffxrlfx.exec:\ffxrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:684 -
\??\c:\lfxlxlf.exec:\lfxlxlf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\jjvpj.exec:\jjvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\fffxlfx.exec:\fffxlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4500 -
\??\c:\pppjj.exec:\pppjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\ttttnt.exec:\ttttnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\hbbttn.exec:\hbbttn.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\xrrrrrr.exec:\xrrrrrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\jdjvp.exec:\jdjvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\xllfxxr.exec:\xllfxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\rffxxxf.exec:\rffxxxf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\jjdvv.exec:\jjdvv.exe23⤵
- Executes dropped EXE
PID:1284 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe24⤵
- Executes dropped EXE
PID:1960 -
\??\c:\nhtnnb.exec:\nhtnnb.exe25⤵
- Executes dropped EXE
PID:5008 -
\??\c:\vjvpj.exec:\vjvpj.exe26⤵
- Executes dropped EXE
PID:4688 -
\??\c:\htbtnh.exec:\htbtnh.exe27⤵
- Executes dropped EXE
PID:4740 -
\??\c:\bthbtt.exec:\bthbtt.exe28⤵
- Executes dropped EXE
PID:676 -
\??\c:\hbnhbb.exec:\hbnhbb.exe29⤵
- Executes dropped EXE
PID:4076 -
\??\c:\7jpjp.exec:\7jpjp.exe30⤵
- Executes dropped EXE
PID:2020 -
\??\c:\5lrlflf.exec:\5lrlflf.exe31⤵
- Executes dropped EXE
PID:1328 -
\??\c:\tnnbtt.exec:\tnnbtt.exe32⤵
- Executes dropped EXE
PID:1480 -
\??\c:\hbbnbh.exec:\hbbnbh.exe33⤵
- Executes dropped EXE
PID:4008 -
\??\c:\vpdvv.exec:\vpdvv.exe34⤵
- Executes dropped EXE
PID:3272 -
\??\c:\7rrlxxr.exec:\7rrlxxr.exe35⤵
- Executes dropped EXE
PID:3636 -
\??\c:\hbbtnh.exec:\hbbtnh.exe36⤵
- Executes dropped EXE
PID:2376 -
\??\c:\vpjvp.exec:\vpjvp.exe37⤵
- Executes dropped EXE
PID:3488 -
\??\c:\rxfxrrf.exec:\rxfxrrf.exe38⤵
- Executes dropped EXE
PID:2556 -
\??\c:\hbnnnh.exec:\hbnnnh.exe39⤵
- Executes dropped EXE
PID:4624 -
\??\c:\vjddp.exec:\vjddp.exe40⤵
- Executes dropped EXE
PID:1116 -
\??\c:\jjpdv.exec:\jjpdv.exe41⤵
- Executes dropped EXE
PID:3824 -
\??\c:\ffxrffx.exec:\ffxrffx.exe42⤵
- Executes dropped EXE
PID:1236 -
\??\c:\bthbbt.exec:\bthbbt.exe43⤵
- Executes dropped EXE
PID:2360 -
\??\c:\dvvdv.exec:\dvvdv.exe44⤵
- Executes dropped EXE
PID:3832 -
\??\c:\frflllx.exec:\frflllx.exe45⤵
- Executes dropped EXE
PID:60 -
\??\c:\1bhtnn.exec:\1bhtnn.exe46⤵
- Executes dropped EXE
PID:1860 -
\??\c:\dvvpj.exec:\dvvpj.exe47⤵
- Executes dropped EXE
PID:3384 -
\??\c:\5xrlfrl.exec:\5xrlfrl.exe48⤵
- Executes dropped EXE
PID:3504 -
\??\c:\tbtnhn.exec:\tbtnhn.exe49⤵
- Executes dropped EXE
PID:4612 -
\??\c:\tnbtth.exec:\tnbtth.exe50⤵
- Executes dropped EXE
PID:3096 -
\??\c:\ddvpp.exec:\ddvpp.exe51⤵PID:4756
-
\??\c:\dppjv.exec:\dppjv.exe52⤵
- Executes dropped EXE
PID:2560 -
\??\c:\rlrrrrl.exec:\rlrrrrl.exe53⤵
- Executes dropped EXE
PID:4980 -
\??\c:\tntntn.exec:\tntntn.exe54⤵
- Executes dropped EXE
PID:1820 -
\??\c:\vjppj.exec:\vjppj.exe55⤵
- Executes dropped EXE
PID:4244 -
\??\c:\pppvp.exec:\pppvp.exe56⤵
- Executes dropped EXE
PID:1112 -
\??\c:\lllfrxr.exec:\lllfrxr.exe57⤵
- Executes dropped EXE
PID:3168 -
\??\c:\9dddd.exec:\9dddd.exe58⤵
- Executes dropped EXE
PID:2236 -
\??\c:\pdpjj.exec:\pdpjj.exe59⤵
- Executes dropped EXE
PID:2428 -
\??\c:\rfrlrlf.exec:\rfrlrlf.exe60⤵
- Executes dropped EXE
PID:2976 -
\??\c:\hbttnn.exec:\hbttnn.exe61⤵
- Executes dropped EXE
PID:1876 -
\??\c:\htntbb.exec:\htntbb.exe62⤵
- Executes dropped EXE
PID:3860 -
\??\c:\vjpjp.exec:\vjpjp.exe63⤵
- Executes dropped EXE
PID:1528 -
\??\c:\5lrlrrr.exec:\5lrlrrr.exe64⤵
- Executes dropped EXE
PID:1040 -
\??\c:\1tnnhn.exec:\1tnnhn.exe65⤵
- Executes dropped EXE
PID:3456 -
\??\c:\bntnnh.exec:\bntnnh.exe66⤵
- Executes dropped EXE
PID:2640 -
\??\c:\7dddv.exec:\7dddv.exe67⤵PID:844
-
\??\c:\rxllffx.exec:\rxllffx.exe68⤵PID:3128
-
\??\c:\bhhnhb.exec:\bhhnhb.exe69⤵PID:2472
-
\??\c:\5tbthb.exec:\5tbthb.exe70⤵PID:3968
-
\??\c:\vjdpd.exec:\vjdpd.exe71⤵PID:3856
-
\??\c:\lffxrrl.exec:\lffxrrl.exe72⤵PID:5012
-
\??\c:\7rxrrlr.exec:\7rxrrlr.exe73⤵PID:3028
-
\??\c:\1hbbbb.exec:\1hbbbb.exe74⤵PID:4604
-
\??\c:\pjvpp.exec:\pjvpp.exe75⤵PID:2688
-
\??\c:\frrfflf.exec:\frrfflf.exe76⤵PID:3844
-
\??\c:\rrlxllf.exec:\rrlxllf.exe77⤵PID:1336
-
\??\c:\3hhhbn.exec:\3hhhbn.exe78⤵PID:3228
-
\??\c:\nhnhtn.exec:\nhnhtn.exe79⤵PID:2784
-
\??\c:\7vdvj.exec:\7vdvj.exe80⤵PID:2304
-
\??\c:\lflffff.exec:\lflffff.exe81⤵PID:4020
-
\??\c:\7llfxfx.exec:\7llfxfx.exe82⤵PID:764
-
\??\c:\7hhhbb.exec:\7hhhbb.exe83⤵PID:3616
-
\??\c:\pvdvj.exec:\pvdvj.exe84⤵PID:3064
-
\??\c:\5vdvd.exec:\5vdvd.exe85⤵PID:4936
-
\??\c:\ffxrrrr.exec:\ffxrrrr.exe86⤵PID:3892
-
\??\c:\9bbtnn.exec:\9bbtnn.exe87⤵PID:4264
-
\??\c:\jddpj.exec:\jddpj.exe88⤵
- System Location Discovery: System Language Discovery
PID:2528 -
\??\c:\jppjd.exec:\jppjd.exe89⤵PID:1680
-
\??\c:\rfrlxrr.exec:\rfrlxrr.exe90⤵PID:2124
-
\??\c:\thhbtn.exec:\thhbtn.exe91⤵PID:4120
-
\??\c:\hntttt.exec:\hntttt.exe92⤵PID:4468
-
\??\c:\vddvp.exec:\vddvp.exe93⤵PID:3720
-
\??\c:\rfffxrl.exec:\rfffxrl.exe94⤵PID:1816
-
\??\c:\rfxrlfx.exec:\rfxrlfx.exe95⤵PID:2636
-
\??\c:\ttbntn.exec:\ttbntn.exe96⤵PID:1328
-
\??\c:\5vvpj.exec:\5vvpj.exe97⤵PID:4712
-
\??\c:\pddvp.exec:\pddvp.exe98⤵PID:4008
-
\??\c:\rxfxlfx.exec:\rxfxlfx.exe99⤵PID:3272
-
\??\c:\rfxrllf.exec:\rfxrllf.exe100⤵PID:2984
-
\??\c:\hbtnhb.exec:\hbtnhb.exe101⤵PID:1416
-
\??\c:\dvvpd.exec:\dvvpd.exe102⤵PID:1184
-
\??\c:\1jjvj.exec:\1jjvj.exe103⤵PID:3016
-
\??\c:\xxrlxlf.exec:\xxrlxlf.exe104⤵PID:4368
-
\??\c:\hbbtbb.exec:\hbbtbb.exe105⤵PID:1840
-
\??\c:\hhhbtn.exec:\hhhbtn.exe106⤵PID:2080
-
\??\c:\jdpjj.exec:\jdpjj.exe107⤵PID:768
-
\??\c:\3pdpv.exec:\3pdpv.exe108⤵PID:3348
-
\??\c:\lxrlrxr.exec:\lxrlrxr.exe109⤵PID:4200
-
\??\c:\1bhttt.exec:\1bhttt.exe110⤵PID:3336
-
\??\c:\tbhthh.exec:\tbhthh.exe111⤵PID:3652
-
\??\c:\7jvjv.exec:\7jvjv.exe112⤵PID:4704
-
\??\c:\1rrrfxr.exec:\1rrrfxr.exe113⤵PID:4516
-
\??\c:\htbbbt.exec:\htbbbt.exe114⤵PID:3324
-
\??\c:\thhhtt.exec:\thhhtt.exe115⤵PID:4496
-
\??\c:\dppdp.exec:\dppdp.exe116⤵PID:5104
-
\??\c:\rlfxlfx.exec:\rlfxlfx.exe117⤵PID:4440
-
\??\c:\xlfxxxr.exec:\xlfxxxr.exe118⤵PID:4996
-
\??\c:\nhhbhh.exec:\nhhbhh.exe119⤵PID:3904
-
\??\c:\5ntnnn.exec:\5ntnnn.exe120⤵PID:3216
-
\??\c:\5dddv.exec:\5dddv.exe121⤵PID:3416
-
\??\c:\frxlfxr.exec:\frxlfxr.exe122⤵PID:1604