Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 05:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe
-
Size
454KB
-
MD5
5419fddb6941b9a56512deb764dcb61d
-
SHA1
61a8c5045326252175d0a9a3969cc1180957c48c
-
SHA256
9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb
-
SHA512
2292319a57cc024f263224aae6d73604195bc6d12de3d655d512aa62e02384adc9d21a230c9c40e2cc1b7fcb7dca6512a6a14477db1b0bf6cf1e178556eca66b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe0:q7Tc2NYHUrAwfMp3CD0
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/372-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3584-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4392-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2508-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1836-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/920-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-592-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-738-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-1372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-1885-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3172 nhttnn.exe 2708 1hbhbh.exe 4340 dpdvp.exe 1876 7jdvv.exe 4128 htbttb.exe 4548 rxrrflx.exe 4928 pdpdd.exe 4120 9ttbbb.exe 2484 rlrlfrl.exe 1512 jdjvv.exe 2436 nnhhnh.exe 4564 djjdj.exe 2052 7flxrrl.exe 5040 dpdvd.exe 3584 fxrrlrr.exe 4664 1hhbtb.exe 868 frllflf.exe 540 dvdvv.exe 4576 9rxxrfx.exe 1348 bhnnhh.exe 3096 fxllllf.exe 4276 jdjdv.exe 3696 lxrrlll.exe 1316 hhhhbb.exe 940 rfffffl.exe 2104 hhhhhn.exe 5056 vvddv.exe 4392 pvppj.exe 2720 vpvpv.exe 116 1lxrxxf.exe 2028 rlxrxfr.exe 2088 jdppj.exe 1104 xlrlllf.exe 4956 hhnhbt.exe 3716 vdjpp.exe 1048 dvdjj.exe 2820 ffffllr.exe 2160 nhhhbb.exe 3844 3pddv.exe 3224 flffrfx.exe 2508 ffllxxf.exe 4788 nhtntt.exe 2952 ppddv.exe 964 fllflff.exe 5104 5bnhnt.exe 4936 nhnhth.exe 2804 dvdvp.exe 2972 fxlllll.exe 4504 tnnhhn.exe 5036 dvdvv.exe 2468 rflfxrl.exe 3536 tthbbt.exe 2588 vpvpp.exe 2112 frlfxxr.exe 2388 btttnn.exe 2584 3vdvp.exe 2228 pjvjj.exe 3444 lffffll.exe 4128 nnhbtt.exe 5072 pdjjj.exe 4528 5lrlllr.exe 4676 1hnhbb.exe 2316 hhtnhh.exe 2612 djdpd.exe -
resource yara_rule behavioral2/memory/372-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/116-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2508-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1836-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3872-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-738-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-862-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntntt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 372 wrote to memory of 3172 372 9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe 82 PID 372 wrote to memory of 3172 372 9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe 82 PID 372 wrote to memory of 3172 372 9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe 82 PID 3172 wrote to memory of 2708 3172 nhttnn.exe 83 PID 3172 wrote to memory of 2708 3172 nhttnn.exe 83 PID 3172 wrote to memory of 2708 3172 nhttnn.exe 83 PID 2708 wrote to memory of 4340 2708 1hbhbh.exe 84 PID 2708 wrote to memory of 4340 2708 1hbhbh.exe 84 PID 2708 wrote to memory of 4340 2708 1hbhbh.exe 84 PID 4340 wrote to memory of 1876 4340 dpdvp.exe 85 PID 4340 wrote to memory of 1876 4340 dpdvp.exe 85 PID 4340 wrote to memory of 1876 4340 dpdvp.exe 85 PID 1876 wrote to memory of 4128 1876 7jdvv.exe 86 PID 1876 wrote to memory of 4128 1876 7jdvv.exe 86 PID 1876 wrote to memory of 4128 1876 7jdvv.exe 86 PID 4128 wrote to memory of 4548 4128 htbttb.exe 87 PID 4128 wrote to memory of 4548 4128 htbttb.exe 87 PID 4128 wrote to memory of 4548 4128 htbttb.exe 87 PID 4548 wrote to memory of 4928 4548 rxrrflx.exe 88 PID 4548 wrote to memory of 4928 4548 rxrrflx.exe 88 PID 4548 wrote to memory of 4928 4548 rxrrflx.exe 88 PID 4928 wrote to memory of 4120 4928 pdpdd.exe 89 PID 4928 wrote to memory of 4120 4928 pdpdd.exe 89 PID 4928 wrote to memory of 4120 4928 pdpdd.exe 89 PID 4120 wrote to memory of 2484 4120 9ttbbb.exe 90 PID 4120 wrote to memory of 2484 4120 9ttbbb.exe 90 PID 4120 wrote to memory of 2484 4120 9ttbbb.exe 90 PID 2484 wrote to memory of 1512 2484 rlrlfrl.exe 91 PID 2484 wrote to memory of 1512 2484 rlrlfrl.exe 91 PID 2484 wrote to memory of 1512 2484 rlrlfrl.exe 91 PID 1512 wrote to memory of 2436 1512 jdjvv.exe 92 PID 1512 wrote to memory of 2436 1512 jdjvv.exe 92 PID 1512 wrote to memory of 2436 1512 jdjvv.exe 92 PID 2436 wrote to memory of 4564 2436 nnhhnh.exe 93 PID 2436 wrote to memory of 
4564 2436 nnhhnh.exe 93 PID 2436 wrote to memory of 4564 2436 nnhhnh.exe 93 PID 4564 wrote to memory of 2052 4564 djjdj.exe 94 PID 4564 wrote to memory of 2052 4564 djjdj.exe 94 PID 4564 wrote to memory of 2052 4564 djjdj.exe 94 PID 2052 wrote to memory of 5040 2052 7flxrrl.exe 95 PID 2052 wrote to memory of 5040 2052 7flxrrl.exe 95 PID 2052 wrote to memory of 5040 2052 7flxrrl.exe 95 PID 5040 wrote to memory of 3584 5040 dpdvd.exe 96 PID 5040 wrote to memory of 3584 5040 dpdvd.exe 96 PID 5040 wrote to memory of 3584 5040 dpdvd.exe 96 PID 3584 wrote to memory of 4664 3584 fxrrlrr.exe 97 PID 3584 wrote to memory of 4664 3584 fxrrlrr.exe 97 PID 3584 wrote to memory of 4664 3584 fxrrlrr.exe 97 PID 4664 wrote to memory of 868 4664 1hhbtb.exe 98 PID 4664 wrote to memory of 868 4664 1hhbtb.exe 98 PID 4664 wrote to memory of 868 4664 1hhbtb.exe 98 PID 868 wrote to memory of 540 868 frllflf.exe 99 PID 868 wrote to memory of 540 868 frllflf.exe 99 PID 868 wrote to memory of 540 868 frllflf.exe 99 PID 540 wrote to memory of 4576 540 dvdvv.exe 100 PID 540 wrote to memory of 4576 540 dvdvv.exe 100 PID 540 wrote to memory of 4576 540 dvdvv.exe 100 PID 4576 wrote to memory of 1348 4576 9rxxrfx.exe 101 PID 4576 wrote to memory of 1348 4576 9rxxrfx.exe 101 PID 4576 wrote to memory of 1348 4576 9rxxrfx.exe 101 PID 1348 wrote to memory of 3096 1348 bhnnhh.exe 102 PID 1348 wrote to memory of 3096 1348 bhnnhh.exe 102 PID 1348 wrote to memory of 3096 1348 bhnnhh.exe 102 PID 3096 wrote to memory of 4276 3096 fxllllf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe"C:\Users\Admin\AppData\Local\Temp\9cd602a712bb1495714f29d3bb2dbc3f406cd061d0e9bb4df490ffeed8520afb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\nhttnn.exec:\nhttnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\1hbhbh.exec:\1hbhbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\dpdvp.exec:\dpdvp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4340 -
\??\c:\7jdvv.exec:\7jdvv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\htbttb.exec:\htbttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\rxrrflx.exec:\rxrrflx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\pdpdd.exec:\pdpdd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\9ttbbb.exec:\9ttbbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\rlrlfrl.exec:\rlrlfrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\jdjvv.exec:\jdjvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\nnhhnh.exec:\nnhhnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\djjdj.exec:\djjdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\7flxrrl.exec:\7flxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\dpdvd.exec:\dpdvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\fxrrlrr.exec:\fxrrlrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\1hhbtb.exec:\1hhbtb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
\??\c:\frllflf.exec:\frllflf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\dvdvv.exec:\dvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\9rxxrfx.exec:\9rxxrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\bhnnhh.exec:\bhnnhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348 -
\??\c:\fxllllf.exec:\fxllllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\jdjdv.exec:\jdjdv.exe23⤵
- Executes dropped EXE
PID:4276 -
\??\c:\lxrrlll.exec:\lxrrlll.exe24⤵
- Executes dropped EXE
PID:3696 -
\??\c:\hhhhbb.exec:\hhhhbb.exe25⤵
- Executes dropped EXE
PID:1316 -
\??\c:\rfffffl.exec:\rfffffl.exe26⤵
- Executes dropped EXE
PID:940 -
\??\c:\hhhhhn.exec:\hhhhhn.exe27⤵
- Executes dropped EXE
PID:2104 -
\??\c:\vvddv.exec:\vvddv.exe28⤵
- Executes dropped EXE
PID:5056 -
\??\c:\pvppj.exec:\pvppj.exe29⤵
- Executes dropped EXE
PID:4392 -
\??\c:\vpvpv.exec:\vpvpv.exe30⤵
- Executes dropped EXE
PID:2720 -
\??\c:\1lxrxxf.exec:\1lxrxxf.exe31⤵
- Executes dropped EXE
PID:116 -
\??\c:\rlxrxfr.exec:\rlxrxfr.exe32⤵
- Executes dropped EXE
PID:2028 -
\??\c:\jdppj.exec:\jdppj.exe33⤵
- Executes dropped EXE
PID:2088 -
\??\c:\xlrlllf.exec:\xlrlllf.exe34⤵
- Executes dropped EXE
PID:1104 -
\??\c:\hhnhbt.exec:\hhnhbt.exe35⤵
- Executes dropped EXE
PID:4956 -
\??\c:\vdjpp.exec:\vdjpp.exe36⤵
- Executes dropped EXE
PID:3716 -
\??\c:\dvdjj.exec:\dvdjj.exe37⤵
- Executes dropped EXE
PID:1048 -
\??\c:\ffffllr.exec:\ffffllr.exe38⤵
- Executes dropped EXE
PID:2820 -
\??\c:\nhhhbb.exec:\nhhhbb.exe39⤵
- Executes dropped EXE
PID:2160 -
\??\c:\3pddv.exec:\3pddv.exe40⤵
- Executes dropped EXE
PID:3844 -
\??\c:\flffrfx.exec:\flffrfx.exe41⤵
- Executes dropped EXE
PID:3224 -
\??\c:\ffllxxf.exec:\ffllxxf.exe42⤵
- Executes dropped EXE
PID:2508 -
\??\c:\nhtntt.exec:\nhtntt.exe43⤵
- Executes dropped EXE
PID:4788 -
\??\c:\ppddv.exec:\ppddv.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\fllflff.exec:\fllflff.exe45⤵
- Executes dropped EXE
PID:964 -
\??\c:\5bnhnt.exec:\5bnhnt.exe46⤵
- Executes dropped EXE
PID:5104 -
\??\c:\nhnhth.exec:\nhnhth.exe47⤵
- Executes dropped EXE
PID:4936 -
\??\c:\dvdvp.exec:\dvdvp.exe48⤵
- Executes dropped EXE
PID:2804 -
\??\c:\fxlllll.exec:\fxlllll.exe49⤵
- Executes dropped EXE
PID:2972 -
\??\c:\tnnhhn.exec:\tnnhhn.exe50⤵
- Executes dropped EXE
PID:4504 -
\??\c:\dvdvv.exec:\dvdvv.exe51⤵
- Executes dropped EXE
PID:5036 -
\??\c:\vdjdd.exec:\vdjdd.exe52⤵PID:4304
-
\??\c:\rflfxrl.exec:\rflfxrl.exe53⤵
- Executes dropped EXE
PID:2468 -
\??\c:\tthbbt.exec:\tthbbt.exe54⤵
- Executes dropped EXE
PID:3536 -
\??\c:\vpvpp.exec:\vpvpp.exe55⤵
- Executes dropped EXE
PID:2588 -
\??\c:\frlfxxr.exec:\frlfxxr.exe56⤵
- Executes dropped EXE
PID:2112 -
\??\c:\btttnn.exec:\btttnn.exe57⤵
- Executes dropped EXE
PID:2388 -
\??\c:\3vdvp.exec:\3vdvp.exe58⤵
- Executes dropped EXE
PID:2584 -
\??\c:\pjvjj.exec:\pjvjj.exe59⤵
- Executes dropped EXE
PID:2228 -
\??\c:\lffffll.exec:\lffffll.exe60⤵
- Executes dropped EXE
PID:3444 -
\??\c:\nnhbtt.exec:\nnhbtt.exe61⤵
- Executes dropped EXE
PID:4128 -
\??\c:\pdjjj.exec:\pdjjj.exe62⤵
- Executes dropped EXE
PID:5072 -
\??\c:\5lrlllr.exec:\5lrlllr.exe63⤵
- Executes dropped EXE
PID:4528 -
\??\c:\1hnhbb.exec:\1hnhbb.exe64⤵
- Executes dropped EXE
PID:4676 -
\??\c:\hhtnhh.exec:\hhtnhh.exe65⤵
- Executes dropped EXE
PID:2316 -
\??\c:\djdpd.exec:\djdpd.exe66⤵
- Executes dropped EXE
PID:2612 -
\??\c:\7flfllr.exec:\7flfllr.exe67⤵PID:1836
-
\??\c:\3hnbtt.exec:\3hnbtt.exe68⤵PID:1424
-
\??\c:\vppdv.exec:\vppdv.exe69⤵PID:4884
-
\??\c:\jdppp.exec:\jdppp.exe70⤵PID:2436
-
\??\c:\rrxrllf.exec:\rrxrllf.exe71⤵PID:4224
-
\??\c:\bntnhh.exec:\bntnhh.exe72⤵PID:4700
-
\??\c:\jjddv.exec:\jjddv.exe73⤵PID:3140
-
\??\c:\rlxfrfr.exec:\rlxfrfr.exe74⤵
- System Location Discovery: System Language Discovery
PID:5040 -
\??\c:\btnhhn.exec:\btnhhn.exe75⤵PID:2516
-
\??\c:\ppddv.exec:\ppddv.exe76⤵PID:4880
-
\??\c:\ppdpp.exec:\ppdpp.exe77⤵PID:5108
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe78⤵PID:868
-
\??\c:\thhbtt.exec:\thhbtt.exe79⤵PID:920
-
\??\c:\3dvpj.exec:\3dvpj.exe80⤵
- System Location Discovery: System Language Discovery
PID:4980 -
\??\c:\xxxfxrl.exec:\xxxfxrl.exe81⤵PID:440
-
\??\c:\ntbhnb.exec:\ntbhnb.exe82⤵PID:1464
-
\??\c:\9pjdv.exec:\9pjdv.exe83⤵PID:1328
-
\??\c:\jvvpp.exec:\jvvpp.exe84⤵PID:3756
-
\??\c:\1xrlfrl.exec:\1xrlfrl.exe85⤵PID:3872
-
\??\c:\nbnhnh.exec:\nbnhnh.exe86⤵PID:2828
-
\??\c:\7jjvv.exec:\7jjvv.exe87⤵PID:1600
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe88⤵PID:3572
-
\??\c:\tbbnhb.exec:\tbbnhb.exe89⤵PID:1952
-
\??\c:\pjppj.exec:\pjppj.exe90⤵PID:3232
-
\??\c:\xlfrffr.exec:\xlfrffr.exe91⤵PID:4512
-
\??\c:\fffxrlf.exec:\fffxrlf.exe92⤵PID:5056
-
\??\c:\tnnhtn.exec:\tnnhtn.exe93⤵PID:4476
-
\??\c:\jpjdv.exec:\jpjdv.exe94⤵PID:3496
-
\??\c:\1rxlfxr.exec:\1rxlfxr.exe95⤵PID:4820
-
\??\c:\tnbbnn.exec:\tnbbnn.exe96⤵PID:4460
-
\??\c:\pjpjd.exec:\pjpjd.exe97⤵PID:3356
-
\??\c:\rllfxrr.exec:\rllfxrr.exe98⤵PID:3124
-
\??\c:\rllfffx.exec:\rllfffx.exe99⤵PID:1156
-
\??\c:\9tbnhb.exec:\9tbnhb.exe100⤵PID:4328
-
\??\c:\pdjdv.exec:\pdjdv.exe101⤵PID:4336
-
\??\c:\7xrlxxr.exec:\7xrlxxr.exe102⤵PID:3716
-
\??\c:\bhnnhh.exec:\bhnnhh.exe103⤵PID:4248
-
\??\c:\tbtttt.exec:\tbtttt.exe104⤵PID:1788
-
\??\c:\ddjjj.exec:\ddjjj.exe105⤵PID:2160
-
\??\c:\1flxffl.exec:\1flxffl.exe106⤵PID:3844
-
\??\c:\3xxlffx.exec:\3xxlffx.exe107⤵PID:3188
-
\??\c:\tnbthh.exec:\tnbthh.exe108⤵PID:3516
-
\??\c:\dddjj.exec:\dddjj.exe109⤵PID:3568
-
\??\c:\vpvjj.exec:\vpvjj.exe110⤵
- System Location Discovery: System Language Discovery
PID:432 -
\??\c:\flfxllx.exec:\flfxllx.exe111⤵PID:1416
-
\??\c:\nthtnh.exec:\nthtnh.exe112⤵PID:1056
-
\??\c:\5ddvp.exec:\5ddvp.exe113⤵PID:3260
-
\??\c:\jdvdp.exec:\jdvdp.exe114⤵PID:2232
-
\??\c:\lffrllf.exec:\lffrllf.exe115⤵PID:1448
-
\??\c:\3nhbtn.exec:\3nhbtn.exe116⤵PID:1944
-
\??\c:\bnbbbb.exec:\bnbbbb.exe117⤵PID:3612
-
\??\c:\9dddp.exec:\9dddp.exe118⤵PID:372
-
\??\c:\xrxrlll.exec:\xrxrlll.exe119⤵PID:3508
-
\??\c:\tthbbt.exec:\tthbbt.exe120⤵PID:5008
-
\??\c:\ddjpd.exec:\ddjpd.exe121⤵PID:2208
-
\??\c:\lflfxxl.exec:\lflfxxl.exe122⤵PID:4468