Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe
-
Size
454KB
-
MD5
f1af55dd54e1ef703b8e8ba93e0b6170
-
SHA1
91a6b9f204f898f5830ea2c34eb0edee001b2a1e
-
SHA256
f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3f
-
SHA512
437e95aef852a37be0a11c423e11327a18c8d3d5c4f433b47736bdd6f60e747ab6b20e1193a2ab66f58568b21be9ca0260704f7b262e425bdd76acf53402c8ae
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbetQ:q7Tc2NYHUrAwfMp3CDtQ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3480-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2556-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4636-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1700-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1036-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/736-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4568-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1592-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4076-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-652-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-707-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3388 hnnhtt.exe 3068 xffxxxx.exe 2556 djjdv.exe 4636 1nnhbt.exe 4436 ttthbt.exe 1644 xlxrrll.exe 5040 5bbhtn.exe 4880 bnhtht.exe 3596 fffffxr.exe 408 djvpj.exe 916 tbhnbn.exe 4496 dpdvp.exe 2092 lxrllfx.exe 1036 ntbttt.exe 4292 djdjd.exe 4072 xffxrlf.exe 1700 thbbhh.exe 1324 pjjdp.exe 4916 3btnhh.exe 3224 lxfrxrx.exe 1864 3jddv.exe 432 7tnhbt.exe 736 pddvd.exe 4628 3xfxxxf.exe 3248 9llfxxr.exe 1752 nhhthh.exe 4376 lflffxx.exe 1232 btbbtt.exe 3840 thtntn.exe 1528 vjdvj.exe 536 bhbhbt.exe 1972 frfxrlx.exe 3620 jpvdv.exe 3584 1xfrrrr.exe 3504 bthntt.exe 4380 jvdpj.exe 4856 lfrlfxr.exe 4820 fllxrlx.exe 3084 hnnhbt.exe 4060 vjjdp.exe 4348 1xxrllf.exe 1468 nthbhh.exe 1028 pvvjv.exe 3656 xrxllff.exe 4448 tbnhtn.exe 2204 vpjjd.exe 3624 1frlffx.exe 3228 frlfrxl.exe 2544 1hhbtt.exe 1348 jjjvp.exe 1260 rxlxxrf.exe 4120 thbnbt.exe 4412 jdjdj.exe 3512 xfrlxxr.exe 3444 ntbthb.exe 2792 pjdvj.exe 4496 ppdvj.exe 5096 rllfxrl.exe 1128 9jddv.exe 2196 1lxrlxr.exe 5112 btnbtn.exe 4828 vjdvd.exe 4076 jpvpd.exe 1164 fxlxffx.exe -
resource yara_rule behavioral2/memory/3480-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2556-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4636-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3248-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-401-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1592-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/756-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4076-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-516-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-639-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-652-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrllxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnttt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3480 wrote to memory of 3388 3480 f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe 82 PID 3480 wrote to memory of 3388 3480 f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe 82 PID 3480 wrote to memory of 3388 3480 f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe 82 PID 3388 wrote to memory of 3068 3388 hnnhtt.exe 83 PID 3388 wrote to memory of 3068 3388 hnnhtt.exe 83 PID 3388 wrote to memory of 3068 3388 hnnhtt.exe 83 PID 3068 wrote to memory of 2556 3068 xffxxxx.exe 84 PID 3068 wrote to memory of 2556 3068 xffxxxx.exe 84 PID 3068 wrote to memory of 2556 3068 xffxxxx.exe 84 PID 2556 wrote to memory of 4636 2556 djjdv.exe 85 PID 2556 wrote to memory of 4636 2556 djjdv.exe 85 PID 2556 wrote to memory of 4636 2556 djjdv.exe 85 PID 4636 wrote to memory of 4436 4636 1nnhbt.exe 86 PID 4636 wrote to memory of 4436 4636 1nnhbt.exe 86 PID 4636 wrote to memory of 4436 4636 1nnhbt.exe 86 PID 4436 wrote to memory of 1644 4436 ttthbt.exe 87 PID 4436 wrote to memory of 1644 4436 ttthbt.exe 87 PID 4436 wrote to memory of 1644 4436 ttthbt.exe 87 PID 1644 wrote to memory of 5040 1644 xlxrrll.exe 88 PID 1644 wrote to memory of 5040 1644 xlxrrll.exe 88 PID 1644 wrote to memory of 5040 1644 xlxrrll.exe 88 PID 5040 wrote to memory of 4880 5040 5bbhtn.exe 89 PID 5040 wrote to memory of 4880 5040 5bbhtn.exe 89 PID 5040 wrote to memory of 4880 5040 5bbhtn.exe 89 PID 4880 wrote to memory of 3596 4880 bnhtht.exe 90 PID 4880 wrote to memory of 3596 4880 bnhtht.exe 90 PID 4880 wrote to memory of 3596 4880 bnhtht.exe 90 PID 3596 wrote to memory of 408 3596 fffffxr.exe 91 PID 3596 wrote to memory of 408 3596 fffffxr.exe 91 PID 3596 wrote to memory of 408 3596 fffffxr.exe 91 PID 408 wrote to memory of 916 408 djvpj.exe 92 PID 408 wrote to memory of 916 408 djvpj.exe 92 PID 408 wrote to memory of 916 408 djvpj.exe 92 PID 916 wrote to memory of 4496 916 tbhnbn.exe 93 PID 916 wrote to memory of 
4496 916 tbhnbn.exe 93 PID 916 wrote to memory of 4496 916 tbhnbn.exe 93 PID 4496 wrote to memory of 2092 4496 dpdvp.exe 94 PID 4496 wrote to memory of 2092 4496 dpdvp.exe 94 PID 4496 wrote to memory of 2092 4496 dpdvp.exe 94 PID 2092 wrote to memory of 1036 2092 lxrllfx.exe 95 PID 2092 wrote to memory of 1036 2092 lxrllfx.exe 95 PID 2092 wrote to memory of 1036 2092 lxrllfx.exe 95 PID 1036 wrote to memory of 4292 1036 ntbttt.exe 96 PID 1036 wrote to memory of 4292 1036 ntbttt.exe 96 PID 1036 wrote to memory of 4292 1036 ntbttt.exe 96 PID 4292 wrote to memory of 4072 4292 djdjd.exe 97 PID 4292 wrote to memory of 4072 4292 djdjd.exe 97 PID 4292 wrote to memory of 4072 4292 djdjd.exe 97 PID 4072 wrote to memory of 1700 4072 xffxrlf.exe 98 PID 4072 wrote to memory of 1700 4072 xffxrlf.exe 98 PID 4072 wrote to memory of 1700 4072 xffxrlf.exe 98 PID 1700 wrote to memory of 1324 1700 thbbhh.exe 99 PID 1700 wrote to memory of 1324 1700 thbbhh.exe 99 PID 1700 wrote to memory of 1324 1700 thbbhh.exe 99 PID 1324 wrote to memory of 4916 1324 pjjdp.exe 100 PID 1324 wrote to memory of 4916 1324 pjjdp.exe 100 PID 1324 wrote to memory of 4916 1324 pjjdp.exe 100 PID 4916 wrote to memory of 3224 4916 3btnhh.exe 101 PID 4916 wrote to memory of 3224 4916 3btnhh.exe 101 PID 4916 wrote to memory of 3224 4916 3btnhh.exe 101 PID 3224 wrote to memory of 1864 3224 lxfrxrx.exe 102 PID 3224 wrote to memory of 1864 3224 lxfrxrx.exe 102 PID 3224 wrote to memory of 1864 3224 lxfrxrx.exe 102 PID 1864 wrote to memory of 432 1864 3jddv.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe"C:\Users\Admin\AppData\Local\Temp\f2553afa0e642ac4ebaa3f2f020b5fb38684ff3a1f6983cd139617ff0f24df3fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\hnnhtt.exec:\hnnhtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\xffxxxx.exec:\xffxxxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
\??\c:\djjdv.exec:\djjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2556 -
\??\c:\1nnhbt.exec:\1nnhbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636 -
\??\c:\ttthbt.exec:\ttthbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\xlxrrll.exec:\xlxrrll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644 -
\??\c:\5bbhtn.exec:\5bbhtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\bnhtht.exec:\bnhtht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\fffffxr.exec:\fffffxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\djvpj.exec:\djvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408 -
\??\c:\tbhnbn.exec:\tbhnbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\dpdvp.exec:\dpdvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496 -
\??\c:\lxrllfx.exec:\lxrllfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
\??\c:\ntbttt.exec:\ntbttt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036 -
\??\c:\djdjd.exec:\djdjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\xffxrlf.exec:\xffxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\thbbhh.exec:\thbbhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700 -
\??\c:\pjjdp.exec:\pjjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\3btnhh.exec:\3btnhh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\lxfrxrx.exec:\lxfrxrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\3jddv.exec:\3jddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\7tnhbt.exec:\7tnhbt.exe23⤵
- Executes dropped EXE
PID:432 -
\??\c:\pddvd.exec:\pddvd.exe24⤵
- Executes dropped EXE
PID:736 -
\??\c:\3xfxxxf.exec:\3xfxxxf.exe25⤵
- Executes dropped EXE
PID:4628 -
\??\c:\9llfxxr.exec:\9llfxxr.exe26⤵
- Executes dropped EXE
PID:3248 -
\??\c:\nhhthh.exec:\nhhthh.exe27⤵
- Executes dropped EXE
PID:1752 -
\??\c:\lflffxx.exec:\lflffxx.exe28⤵
- Executes dropped EXE
PID:4376 -
\??\c:\btbbtt.exec:\btbbtt.exe29⤵
- Executes dropped EXE
PID:1232 -
\??\c:\thtntn.exec:\thtntn.exe30⤵
- Executes dropped EXE
PID:3840 -
\??\c:\vjdvj.exec:\vjdvj.exe31⤵
- Executes dropped EXE
PID:1528 -
\??\c:\bhbhbt.exec:\bhbhbt.exe32⤵
- Executes dropped EXE
PID:536 -
\??\c:\frfxrlx.exec:\frfxrlx.exe33⤵
- Executes dropped EXE
PID:1972 -
\??\c:\jpvdv.exec:\jpvdv.exe34⤵
- Executes dropped EXE
PID:3620 -
\??\c:\1xfrrrr.exec:\1xfrrrr.exe35⤵
- Executes dropped EXE
PID:3584 -
\??\c:\bthntt.exec:\bthntt.exe36⤵
- Executes dropped EXE
PID:3504 -
\??\c:\jvdpj.exec:\jvdpj.exe37⤵
- Executes dropped EXE
PID:4380 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe38⤵
- Executes dropped EXE
PID:4856 -
\??\c:\fllxrlx.exec:\fllxrlx.exe39⤵
- Executes dropped EXE
PID:4820 -
\??\c:\hnnhbt.exec:\hnnhbt.exe40⤵
- Executes dropped EXE
PID:3084 -
\??\c:\vjjdp.exec:\vjjdp.exe41⤵
- Executes dropped EXE
PID:4060 -
\??\c:\1xxrllf.exec:\1xxrllf.exe42⤵
- Executes dropped EXE
PID:4348 -
\??\c:\nthbhh.exec:\nthbhh.exe43⤵
- Executes dropped EXE
PID:1468 -
\??\c:\pvvjv.exec:\pvvjv.exe44⤵
- Executes dropped EXE
PID:1028 -
\??\c:\xrxllff.exec:\xrxllff.exe45⤵
- Executes dropped EXE
PID:3656 -
\??\c:\tbnhtn.exec:\tbnhtn.exe46⤵
- Executes dropped EXE
PID:4448 -
\??\c:\vpjjd.exec:\vpjjd.exe47⤵
- Executes dropped EXE
PID:2204 -
\??\c:\1frlffx.exec:\1frlffx.exe48⤵
- Executes dropped EXE
PID:3624 -
\??\c:\frlfrxl.exec:\frlfrxl.exe49⤵
- Executes dropped EXE
PID:3228 -
\??\c:\1hhbtt.exec:\1hhbtt.exe50⤵
- Executes dropped EXE
PID:2544 -
\??\c:\jjjvp.exec:\jjjvp.exe51⤵
- Executes dropped EXE
PID:1348 -
\??\c:\rxlxxrf.exec:\rxlxxrf.exe52⤵
- Executes dropped EXE
PID:1260 -
\??\c:\thbnbt.exec:\thbnbt.exe53⤵
- Executes dropped EXE
PID:4120 -
\??\c:\jdjdj.exec:\jdjdj.exe54⤵
- Executes dropped EXE
PID:4412 -
\??\c:\xfrlxxr.exec:\xfrlxxr.exe55⤵
- Executes dropped EXE
PID:3512 -
\??\c:\ntbthb.exec:\ntbthb.exe56⤵
- Executes dropped EXE
PID:3444 -
\??\c:\pjdvj.exec:\pjdvj.exe57⤵
- Executes dropped EXE
PID:2792 -
\??\c:\ppdvj.exec:\ppdvj.exe58⤵
- Executes dropped EXE
PID:4496 -
\??\c:\rllfxrl.exec:\rllfxrl.exe59⤵
- Executes dropped EXE
PID:5096 -
\??\c:\9jddv.exec:\9jddv.exe60⤵
- Executes dropped EXE
PID:1128 -
\??\c:\1lxrlxr.exec:\1lxrlxr.exe61⤵
- Executes dropped EXE
PID:2196 -
\??\c:\btnbtn.exec:\btnbtn.exe62⤵
- Executes dropped EXE
PID:5112 -
\??\c:\vjdvd.exec:\vjdvd.exe63⤵
- Executes dropped EXE
PID:4828 -
\??\c:\jpvpd.exec:\jpvpd.exe64⤵
- Executes dropped EXE
PID:4076 -
\??\c:\fxlxffx.exec:\fxlxffx.exe65⤵
- Executes dropped EXE
PID:1164 -
\??\c:\hnnhbt.exec:\hnnhbt.exe66⤵PID:2988
-
\??\c:\nhhnhb.exec:\nhhnhb.exe67⤵PID:1792
-
\??\c:\9vpjv.exec:\9vpjv.exe68⤵PID:4212
-
\??\c:\3flfrrf.exec:\3flfrrf.exe69⤵PID:716
-
\??\c:\bntnnh.exec:\bntnnh.exe70⤵PID:2608
-
\??\c:\dpvpd.exec:\dpvpd.exe71⤵PID:1544
-
\??\c:\pvvjv.exec:\pvvjv.exe72⤵PID:4916
-
\??\c:\lxxfxfx.exec:\lxxfxfx.exe73⤵PID:4272
-
\??\c:\nttnnn.exec:\nttnnn.exe74⤵PID:3640
-
\??\c:\jddpj.exec:\jddpj.exe75⤵PID:2420
-
\??\c:\lrrlfxl.exec:\lrrlfxl.exe76⤵PID:4992
-
\??\c:\3xlxrlx.exec:\3xlxrlx.exe77⤵PID:4944
-
\??\c:\htbnhb.exec:\htbnhb.exe78⤵PID:3380
-
\??\c:\pvdvj.exec:\pvdvj.exe79⤵PID:3996
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe80⤵PID:864
-
\??\c:\9bttnn.exec:\9bttnn.exe81⤵PID:3956
-
\??\c:\thhbtn.exec:\thhbtn.exe82⤵PID:4568
-
\??\c:\rfxrrrl.exec:\rfxrrrl.exe83⤵PID:1968
-
\??\c:\1nhbtt.exec:\1nhbtt.exe84⤵PID:208
-
\??\c:\jppdv.exec:\jppdv.exe85⤵PID:60
-
\??\c:\pvvpp.exec:\pvvpp.exe86⤵PID:2324
-
\??\c:\frrlxrl.exec:\frrlxrl.exe87⤵PID:1804
-
\??\c:\bhhtnn.exec:\bhhtnn.exe88⤵PID:4056
-
\??\c:\pdvpj.exec:\pdvpj.exe89⤵PID:3936
-
\??\c:\ppdvp.exec:\ppdvp.exe90⤵PID:1936
-
\??\c:\3xxfxrx.exec:\3xxfxrx.exe91⤵PID:1724
-
\??\c:\jpvpj.exec:\jpvpj.exe92⤵PID:4984
-
\??\c:\3lfxrff.exec:\3lfxrff.exe93⤵PID:3992
-
\??\c:\bnnhbb.exec:\bnnhbb.exe94⤵PID:2592
-
\??\c:\5vdvv.exec:\5vdvv.exe95⤵PID:2332
-
\??\c:\3fxrllf.exec:\3fxrllf.exe96⤵PID:2436
-
\??\c:\5xrrllf.exec:\5xrrllf.exe97⤵PID:2372
-
\??\c:\3tnhbb.exec:\3tnhbb.exe98⤵PID:3944
-
\??\c:\dddjd.exec:\dddjd.exe99⤵PID:1592
-
\??\c:\1xxlfff.exec:\1xxlfff.exe100⤵PID:4352
-
\??\c:\9tnttt.exec:\9tnttt.exe101⤵PID:1648
-
\??\c:\1pdpj.exec:\1pdpj.exe102⤵PID:1180
-
\??\c:\vjpjp.exec:\vjpjp.exe103⤵PID:3012
-
\??\c:\7flllxr.exec:\7flllxr.exe104⤵PID:1160
-
\??\c:\tttbbt.exec:\tttbbt.exe105⤵PID:2604
-
\??\c:\vvpjd.exec:\vvpjd.exe106⤵PID:3900
-
\??\c:\xrffxxr.exec:\xrffxxr.exe107⤵PID:1064
-
\??\c:\xxrxxxf.exec:\xxrxxxf.exe108⤵PID:1176
-
\??\c:\7ntnhn.exec:\7ntnhn.exe109⤵PID:1928
-
\??\c:\vvjvp.exec:\vvjvp.exe110⤵PID:1344
-
\??\c:\fllfxlf.exec:\fllfxlf.exe111⤵PID:224
-
\??\c:\xrllfff.exec:\xrllfff.exe112⤵PID:1692
-
\??\c:\hnhbtn.exec:\hnhbtn.exe113⤵PID:1032
-
\??\c:\pdvvp.exec:\pdvvp.exe114⤵PID:2204
-
\??\c:\rlrrllr.exec:\rlrrllr.exe115⤵PID:3624
-
\??\c:\htbbbt.exec:\htbbbt.exe116⤵PID:460
-
\??\c:\hbbtbh.exec:\hbbtbh.exe117⤵PID:2544
-
\??\c:\dvjdv.exec:\dvjdv.exe118⤵PID:1268
-
\??\c:\lxxllxx.exec:\lxxllxx.exe119⤵PID:3600
-
\??\c:\bttnnt.exec:\bttnnt.exe120⤵PID:1736
-
\??\c:\9pvpp.exec:\9pvpp.exe121⤵PID:1272
-
\??\c:\fxlfllx.exec:\fxlfllx.exe122⤵PID:756