Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe
-
Size
455KB
-
MD5
4f58c898a8af55ec26dcd816bc81c8ad
-
SHA1
64b0ddb224d0635c85e80adf64c78042eab0897f
-
SHA256
436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41
-
SHA512
896d0075c4cde61d2dea296d6a4a099b6f03c0c884519f57442d1477f75469c4c6b39714535ec07d57fc5870ac068809b07dac9e45c4cea65f1d6a3abac2ea47
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTy:q7Tc2NYHUrAwfMp3CDW
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3612-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1400-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4612-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4708-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3148-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-537-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-574-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-726-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-791-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-804-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-1075-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-1506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-1801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-1805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3300 nhbbtt.exe 2964 1rlxrlf.exe 5008 thnhhb.exe 3588 btbtnb.exe 3088 vppjd.exe 2032 fxrxllf.exe 3140 pvjvp.exe 3600 bnbttn.exe 4556 jdjjd.exe 3872 dpppj.exe 4684 vjdvd.exe 3176 hnhbbb.exe 1016 pjvpj.exe 3252 jvdpj.exe 3160 vdjvp.exe 1400 lflxrrf.exe 2752 vdvdj.exe 4792 bnnhhh.exe 2008 jvvjv.exe 3972 xlrrlrx.exe 1052 hnhhhh.exe 2512 xxfxlfx.exe 1620 jvdvv.exe 4804 ntbbtt.exe 2128 5llfxrr.exe 3448 xlxfxxr.exe 4440 btnhhh.exe 2736 7bthnh.exe 4500 ttnhhh.exe 4024 jpvpj.exe 4172 7ttnhh.exe 2880 ttnhtt.exe 4612 7ddvp.exe 2052 1nthbb.exe 1360 3jpjj.exe 1092 jddvp.exe 3532 xflfxrl.exe 232 bntttt.exe 4012 ppvdd.exe 5004 lllfxxl.exe 4480 5nttbh.exe 1004 jdjdd.exe 2144 vpddv.exe 2964 rlffxxx.exe 3568 7nnhbt.exe 2368 vpvpj.exe 3080 xlfxrfx.exe 3724 xrxlfrl.exe 3480 vdjvp.exe 4860 jpjpp.exe 4668 xrlfrfx.exe 1464 htbtnn.exe 4432 pvdvv.exe 2408 xrrlfff.exe 1384 tnnhhh.exe 3872 vjjdv.exe 4796 xlrfxxl.exe 4684 5ffxxxr.exe 3176 thnnnn.exe 1820 djjdv.exe 224 xxlfllx.exe 3252 lrlxrlf.exe 3208 1bhnhh.exe 4232 ddjdj.exe -
resource yara_rule behavioral2/memory/3612-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1052-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-194-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1092-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4708-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-382-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5008-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-574-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-726-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-791-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-804-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-1075-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3612 wrote to memory of 3300 3612 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe 83 PID 3612 wrote to memory of 3300 3612 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe 83 PID 3612 wrote to memory of 3300 3612 436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe 83 PID 3300 wrote to memory of 2964 3300 nhbbtt.exe 84 PID 3300 wrote to memory of 2964 3300 nhbbtt.exe 84 PID 3300 wrote to memory of 2964 3300 nhbbtt.exe 84 PID 2964 wrote to memory of 5008 2964 1rlxrlf.exe 85 PID 2964 wrote to memory of 5008 2964 1rlxrlf.exe 85 PID 2964 wrote to memory of 5008 2964 1rlxrlf.exe 85 PID 5008 wrote to memory of 3588 5008 thnhhb.exe 86 PID 5008 wrote to memory of 3588 5008 thnhhb.exe 86 PID 5008 wrote to memory of 3588 5008 thnhhb.exe 86 PID 3588 wrote to memory of 3088 3588 btbtnb.exe 87 PID 3588 wrote to memory of 3088 3588 btbtnb.exe 87 PID 3588 wrote to memory of 3088 3588 btbtnb.exe 87 PID 3088 wrote to memory of 2032 3088 vppjd.exe 88 PID 3088 wrote to memory of 2032 3088 vppjd.exe 88 PID 3088 wrote to memory of 2032 3088 vppjd.exe 88 PID 2032 wrote to memory of 3140 2032 fxrxllf.exe 89 PID 2032 wrote to memory of 3140 2032 fxrxllf.exe 89 PID 2032 wrote to memory of 3140 2032 fxrxllf.exe 89 PID 3140 wrote to memory of 3600 3140 pvjvp.exe 90 PID 3140 wrote to memory of 3600 3140 pvjvp.exe 90 PID 3140 wrote to memory of 3600 3140 pvjvp.exe 90 PID 3600 wrote to memory of 4556 3600 bnbttn.exe 91 PID 3600 wrote to memory of 4556 3600 bnbttn.exe 91 PID 3600 wrote to memory of 4556 3600 bnbttn.exe 91 PID 4556 wrote to memory of 3872 4556 jdjjd.exe 92 PID 4556 wrote to memory of 3872 4556 jdjjd.exe 92 PID 4556 wrote to memory of 3872 4556 jdjjd.exe 92 PID 3872 wrote to memory of 4684 3872 dpppj.exe 93 PID 3872 wrote to memory of 4684 3872 dpppj.exe 93 PID 3872 wrote to memory of 4684 3872 dpppj.exe 93 PID 4684 wrote to memory of 3176 4684 vjdvd.exe 94 PID 4684 wrote to memory 
of 3176 4684 vjdvd.exe 94 PID 4684 wrote to memory of 3176 4684 vjdvd.exe 94 PID 3176 wrote to memory of 1016 3176 hnhbbb.exe 95 PID 3176 wrote to memory of 1016 3176 hnhbbb.exe 95 PID 3176 wrote to memory of 1016 3176 hnhbbb.exe 95 PID 1016 wrote to memory of 3252 1016 pjvpj.exe 96 PID 1016 wrote to memory of 3252 1016 pjvpj.exe 96 PID 1016 wrote to memory of 3252 1016 pjvpj.exe 96 PID 3252 wrote to memory of 3160 3252 jvdpj.exe 97 PID 3252 wrote to memory of 3160 3252 jvdpj.exe 97 PID 3252 wrote to memory of 3160 3252 jvdpj.exe 97 PID 3160 wrote to memory of 1400 3160 vdjvp.exe 98 PID 3160 wrote to memory of 1400 3160 vdjvp.exe 98 PID 3160 wrote to memory of 1400 3160 vdjvp.exe 98 PID 1400 wrote to memory of 2752 1400 lflxrrf.exe 99 PID 1400 wrote to memory of 2752 1400 lflxrrf.exe 99 PID 1400 wrote to memory of 2752 1400 lflxrrf.exe 99 PID 2752 wrote to memory of 4792 2752 vdvdj.exe 100 PID 2752 wrote to memory of 4792 2752 vdvdj.exe 100 PID 2752 wrote to memory of 4792 2752 vdvdj.exe 100 PID 4792 wrote to memory of 2008 4792 bnnhhh.exe 101 PID 4792 wrote to memory of 2008 4792 bnnhhh.exe 101 PID 4792 wrote to memory of 2008 4792 bnnhhh.exe 101 PID 2008 wrote to memory of 3972 2008 jvvjv.exe 102 PID 2008 wrote to memory of 3972 2008 jvvjv.exe 102 PID 2008 wrote to memory of 3972 2008 jvvjv.exe 102 PID 3972 wrote to memory of 1052 3972 xlrrlrx.exe 103 PID 3972 wrote to memory of 1052 3972 xlrrlrx.exe 103 PID 3972 wrote to memory of 1052 3972 xlrrlrx.exe 103 PID 1052 wrote to memory of 2512 1052 hnhhhh.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe"C:\Users\Admin\AppData\Local\Temp\436605d7b0720c8161f9fc4a8714e329f3b9eff08e4f84f943a682f165190a41.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\nhbbtt.exec:\nhbbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3300 -
\??\c:\1rlxrlf.exec:\1rlxrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\thnhhb.exec:\thnhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\btbtnb.exec:\btbtnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\vppjd.exec:\vppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\fxrxllf.exec:\fxrxllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032 -
\??\c:\pvjvp.exec:\pvjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
\??\c:\bnbttn.exec:\bnbttn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\jdjjd.exec:\jdjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
\??\c:\dpppj.exec:\dpppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\vjdvd.exec:\vjdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\hnhbbb.exec:\hnhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\pjvpj.exec:\pjvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\jvdpj.exec:\jvdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\vdjvp.exec:\vdjvp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160 -
\??\c:\lflxrrf.exec:\lflxrrf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1400 -
\??\c:\vdvdj.exec:\vdvdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
\??\c:\bnnhhh.exec:\bnnhhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\jvvjv.exec:\jvvjv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\xlrrlrx.exec:\xlrrlrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\hnhhhh.exec:\hnhhhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1052 -
\??\c:\xxfxlfx.exec:\xxfxlfx.exe23⤵
- Executes dropped EXE
PID:2512 -
\??\c:\jvdvv.exec:\jvdvv.exe24⤵
- Executes dropped EXE
PID:1620 -
\??\c:\ntbbtt.exec:\ntbbtt.exe25⤵
- Executes dropped EXE
PID:4804 -
\??\c:\5llfxrr.exec:\5llfxrr.exe26⤵
- Executes dropped EXE
PID:2128 -
\??\c:\xlxfxxr.exec:\xlxfxxr.exe27⤵
- Executes dropped EXE
PID:3448 -
\??\c:\btnhhh.exec:\btnhhh.exe28⤵
- Executes dropped EXE
PID:4440 -
\??\c:\7bthnh.exec:\7bthnh.exe29⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ttnhhh.exec:\ttnhhh.exe30⤵
- Executes dropped EXE
PID:4500 -
\??\c:\jpvpj.exec:\jpvpj.exe31⤵
- Executes dropped EXE
PID:4024 -
\??\c:\7ttnhh.exec:\7ttnhh.exe32⤵
- Executes dropped EXE
PID:4172 -
\??\c:\ttnhtt.exec:\ttnhtt.exe33⤵
- Executes dropped EXE
PID:2880 -
\??\c:\7ddvp.exec:\7ddvp.exe34⤵
- Executes dropped EXE
PID:4612 -
\??\c:\1nthbb.exec:\1nthbb.exe35⤵
- Executes dropped EXE
PID:2052 -
\??\c:\3jpjj.exec:\3jpjj.exe36⤵
- Executes dropped EXE
PID:1360 -
\??\c:\jddvp.exec:\jddvp.exe37⤵
- Executes dropped EXE
PID:1092 -
\??\c:\xflfxrl.exec:\xflfxrl.exe38⤵
- Executes dropped EXE
PID:3532 -
\??\c:\bntttt.exec:\bntttt.exe39⤵
- Executes dropped EXE
PID:232 -
\??\c:\ppvdd.exec:\ppvdd.exe40⤵
- Executes dropped EXE
PID:4012 -
\??\c:\lllfxxl.exec:\lllfxxl.exe41⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5nttbh.exec:\5nttbh.exe42⤵
- Executes dropped EXE
PID:4480 -
\??\c:\jdjdd.exec:\jdjdd.exe43⤵
- Executes dropped EXE
PID:1004 -
\??\c:\vpddv.exec:\vpddv.exe44⤵
- Executes dropped EXE
PID:2144 -
\??\c:\rlffxxx.exec:\rlffxxx.exe45⤵
- Executes dropped EXE
PID:2964 -
\??\c:\7nnhbt.exec:\7nnhbt.exe46⤵
- Executes dropped EXE
PID:3568 -
\??\c:\vpvpj.exec:\vpvpj.exe47⤵
- Executes dropped EXE
PID:2368 -
\??\c:\xlfxrfx.exec:\xlfxrfx.exe48⤵
- Executes dropped EXE
PID:3080 -
\??\c:\xrxlfrl.exec:\xrxlfrl.exe49⤵
- Executes dropped EXE
PID:3724 -
\??\c:\vdjvp.exec:\vdjvp.exe50⤵
- Executes dropped EXE
PID:3480 -
\??\c:\jpjpp.exec:\jpjpp.exe51⤵
- Executes dropped EXE
PID:4860 -
\??\c:\xrlfrfx.exec:\xrlfrfx.exe52⤵
- Executes dropped EXE
PID:4668 -
\??\c:\htbtnn.exec:\htbtnn.exe53⤵
- Executes dropped EXE
PID:1464 -
\??\c:\pvdvv.exec:\pvdvv.exe54⤵
- Executes dropped EXE
PID:4432 -
\??\c:\xrrlfff.exec:\xrrlfff.exe55⤵
- Executes dropped EXE
PID:2408 -
\??\c:\tnnhhh.exec:\tnnhhh.exe56⤵
- Executes dropped EXE
PID:1384 -
\??\c:\vjjdv.exec:\vjjdv.exe57⤵
- Executes dropped EXE
PID:3872 -
\??\c:\xlrfxxl.exec:\xlrfxxl.exe58⤵
- Executes dropped EXE
PID:4796 -
\??\c:\5ffxxxr.exec:\5ffxxxr.exe59⤵
- Executes dropped EXE
PID:4684 -
\??\c:\thnnnn.exec:\thnnnn.exe60⤵
- Executes dropped EXE
PID:3176 -
\??\c:\djjdv.exec:\djjdv.exe61⤵
- Executes dropped EXE
PID:1820 -
\??\c:\xxlfllx.exec:\xxlfllx.exe62⤵
- Executes dropped EXE
PID:224 -
\??\c:\lrlxrlf.exec:\lrlxrlf.exe63⤵
- Executes dropped EXE
PID:3252 -
\??\c:\1bhnhh.exec:\1bhnhh.exe64⤵
- Executes dropped EXE
PID:3208 -
\??\c:\ddjdj.exec:\ddjdj.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4232 -
\??\c:\frxrlfx.exec:\frxrlfx.exe66⤵PID:4340
-
\??\c:\bnbhbb.exec:\bnbhbb.exe67⤵PID:2752
-
\??\c:\tttnhn.exec:\tttnhn.exe68⤵PID:1348
-
\??\c:\jjjpd.exec:\jjjpd.exe69⤵PID:2952
-
\??\c:\xllxrll.exec:\xllxrll.exe70⤵PID:3368
-
\??\c:\rfrllxr.exec:\rfrllxr.exe71⤵PID:4948
-
\??\c:\tnttnn.exec:\tnttnn.exe72⤵PID:4708
-
\??\c:\vvvjj.exec:\vvvjj.exe73⤵PID:3148
-
\??\c:\vppjj.exec:\vppjj.exe74⤵PID:4652
-
\??\c:\htbnbt.exec:\htbnbt.exe75⤵PID:4444
-
\??\c:\bbbttt.exec:\bbbttt.exe76⤵PID:3212
-
\??\c:\vjpdv.exec:\vjpdv.exe77⤵PID:2648
-
\??\c:\xrrlffx.exec:\xrrlffx.exe78⤵PID:3200
-
\??\c:\fxrlxrr.exec:\fxrlxrr.exe79⤵PID:860
-
\??\c:\nnnhbt.exec:\nnnhbt.exe80⤵PID:4440
-
\??\c:\jjjdd.exec:\jjjdd.exe81⤵PID:2736
-
\??\c:\3xrfrrl.exec:\3xrfrrl.exe82⤵PID:2488
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe83⤵PID:2088
-
\??\c:\httnnn.exec:\httnnn.exe84⤵PID:2084
-
\??\c:\dddvd.exec:\dddvd.exe85⤵PID:3636
-
\??\c:\fxlfrff.exec:\fxlfrff.exe86⤵PID:3484
-
\??\c:\lrflxlx.exec:\lrflxlx.exe87⤵PID:3316
-
\??\c:\tntnhh.exec:\tntnhh.exe88⤵PID:2760
-
\??\c:\vpjdv.exec:\vpjdv.exe89⤵PID:2052
-
\??\c:\rrlfrrl.exec:\rrlfrrl.exe90⤵PID:4960
-
\??\c:\5btnnn.exec:\5btnnn.exe91⤵PID:1944
-
\??\c:\nnthhh.exec:\nnthhh.exe92⤵PID:4272
-
\??\c:\5jjdv.exec:\5jjdv.exe93⤵PID:3988
-
\??\c:\lfrxllx.exec:\lfrxllx.exe94⤵PID:4484
-
\??\c:\xlfxrrr.exec:\xlfxrrr.exe95⤵PID:4620
-
\??\c:\ntnhtn.exec:\ntnhtn.exe96⤵PID:4288
-
\??\c:\jdjdp.exec:\jdjdp.exe97⤵PID:1344
-
\??\c:\xrxlrxf.exec:\xrxlrxf.exe98⤵PID:2112
-
\??\c:\tbhbtn.exec:\tbhbtn.exe99⤵PID:4596
-
\??\c:\pdvjv.exec:\pdvjv.exe100⤵PID:5008
-
\??\c:\pvjjd.exec:\pvjjd.exe101⤵PID:4872
-
\??\c:\xxflfff.exec:\xxflfff.exe102⤵PID:2368
-
\??\c:\nbhbhh.exec:\nbhbhh.exe103⤵PID:396
-
\??\c:\pjjdv.exec:\pjjdv.exe104⤵PID:4600
-
\??\c:\jjpvj.exec:\jjpvj.exe105⤵PID:2864
-
\??\c:\1lxfrlr.exec:\1lxfrlr.exe106⤵PID:384
-
\??\c:\thbttb.exec:\thbttb.exe107⤵PID:4860
-
\??\c:\vppjj.exec:\vppjj.exe108⤵PID:4524
-
\??\c:\5rxrlrl.exec:\5rxrlrl.exe109⤵PID:4780
-
\??\c:\bnnhtt.exec:\bnnhtt.exe110⤵PID:1548
-
\??\c:\htbnht.exec:\htbnht.exe111⤵PID:664
-
\??\c:\jvjdv.exec:\jvjdv.exe112⤵PID:1584
-
\??\c:\rrlxrxr.exec:\rrlxrxr.exe113⤵PID:3184
-
\??\c:\lxrffxr.exec:\lxrffxr.exe114⤵PID:2960
-
\??\c:\9tbnhb.exec:\9tbnhb.exe115⤵PID:3872
-
\??\c:\jvvpj.exec:\jvvpj.exe116⤵PID:1328
-
\??\c:\fxfxffx.exec:\fxfxffx.exe117⤵PID:3076
-
\??\c:\fxrlffx.exec:\fxrlffx.exe118⤵PID:3180
-
\??\c:\tnnbtn.exec:\tnnbtn.exe119⤵PID:1016
-
\??\c:\hntnhn.exec:\hntnhn.exe120⤵PID:1820
-
\??\c:\vvvvd.exec:\vvvvd.exe121⤵PID:3160
-
\??\c:\fflfrfx.exec:\fflfrfx.exe122⤵PID:3248
-