Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
08/01/2025, 07:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe
-
Size
454KB
-
MD5
7274e150b5a85a41a35089bfa50cc790
-
SHA1
1bad12e134c8fa99c5ebbdb0ad8ee67e38506485
-
SHA256
a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a
-
SHA512
b7b9ba5dd8eb6d184dea0afd972c4d052a2dd1286e160207aa5692d31ad2913b027e980f3d43502236d33347d00e7531dc999c444e54866afb1503da64c07fab
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbek:q7Tc2NYHUrAwfMp3CDk
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/5076-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2472-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/620-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2940-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/344-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3904-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1608-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4176-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2436-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-347-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1808-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-451-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-746-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-955-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-1010-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-1212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-1300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/392-1340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4052 pjddp.exe 2756 nhhnht.exe 4960 dvdvv.exe 2336 ffrrllf.exe 2472 bnbbtt.exe 2708 xlxrrrx.exe 4008 nhbttn.exe 4416 tnnbtb.exe 2592 djvpv.exe 5116 bnnbtt.exe 4312 jjvvv.exe 2688 xrxlfxx.exe 4684 lfflrlf.exe 2184 jddvd.exe 3460 vdjjj.exe 4956 fxlflff.exe 620 ntbtnn.exe 2368 nbhnbt.exe 4652 frllfff.exe 4344 7ttnnn.exe 1236 lrrrrrl.exe 1016 dvdvv.exe 648 5bhbtn.exe 536 vpvdv.exe 2940 3xrlrrl.exe 4272 tnbtnn.exe 3736 3vpdv.exe 2080 hnbtnh.exe 4132 rllrlfx.exe 4316 nbhbtt.exe 2180 ddvvp.exe 344 ffrflfx.exe 388 dvdvd.exe 2352 lfrlrrx.exe 3916 btbbtn.exe 1648 pppjj.exe 4256 vvddd.exe 4476 rfllfff.exe 5012 hbhhhh.exe 400 xrfxrrx.exe 3116 hbnhhh.exe 3340 3jpjj.exe 1128 jvvpj.exe 3740 rfrxxfr.exe 3904 tnnnhh.exe 4864 pjjdv.exe 3664 rlxlfrl.exe 2632 tttbbt.exe 4752 jjjjp.exe 3484 ppvpj.exe 4292 1rrlffx.exe 3940 nnnnhb.exe 5032 pvpjj.exe 2756 pjdvp.exe 4960 rflfxxr.exe 4364 5hhtnt.exe 4908 dvvdp.exe 1176 xlrrffx.exe 3604 rlxxfll.exe 4916 bhtnhb.exe 4352 jpjjd.exe 736 lrrlxxr.exe 4560 btnhtt.exe 2464 dpvpv.exe -
resource yara_rule behavioral2/memory/5076-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/620-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4344-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-152-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/536-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/344-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3904-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1608-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4176-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2436-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-347-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-351-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4344-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1808-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-451-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-746-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-955-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-1010-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-1212-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxffrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llfxlll.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5076 wrote to memory of 4052 5076 a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe 82 PID 5076 wrote to memory of 4052 5076 a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe 82 PID 5076 wrote to memory of 4052 5076 a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe 82 PID 4052 wrote to memory of 2756 4052 pjddp.exe 83 PID 4052 wrote to memory of 2756 4052 pjddp.exe 83 PID 4052 wrote to memory of 2756 4052 pjddp.exe 83 PID 2756 wrote to memory of 4960 2756 nhhnht.exe 84 PID 2756 wrote to memory of 4960 2756 nhhnht.exe 84 PID 2756 wrote to memory of 4960 2756 nhhnht.exe 84 PID 4960 wrote to memory of 2336 4960 dvdvv.exe 85 PID 4960 wrote to memory of 2336 4960 dvdvv.exe 85 PID 4960 wrote to memory of 2336 4960 dvdvv.exe 85 PID 2336 wrote to memory of 2472 2336 ffrrllf.exe 86 PID 2336 wrote to memory of 2472 2336 ffrrllf.exe 86 PID 2336 wrote to memory of 2472 2336 ffrrllf.exe 86 PID 2472 wrote to memory of 2708 2472 bnbbtt.exe 87 PID 2472 wrote to memory of 2708 2472 bnbbtt.exe 87 PID 2472 wrote to memory of 2708 2472 bnbbtt.exe 87 PID 2708 wrote to memory of 4008 2708 xlxrrrx.exe 88 PID 2708 wrote to memory of 4008 2708 xlxrrrx.exe 88 PID 2708 wrote to memory of 4008 2708 xlxrrrx.exe 88 PID 4008 wrote to memory of 4416 4008 nhbttn.exe 89 PID 4008 wrote to memory of 4416 4008 nhbttn.exe 89 PID 4008 wrote to memory of 4416 4008 nhbttn.exe 89 PID 4416 wrote to memory of 2592 4416 tnnbtb.exe 90 PID 4416 wrote to memory of 2592 4416 tnnbtb.exe 90 PID 4416 wrote to memory of 2592 4416 tnnbtb.exe 90 PID 2592 wrote to memory of 5116 2592 djvpv.exe 91 PID 2592 wrote to memory of 5116 2592 djvpv.exe 91 PID 2592 wrote to memory of 5116 2592 djvpv.exe 91 PID 5116 wrote to memory of 4312 5116 bnnbtt.exe 92 PID 5116 wrote to memory of 4312 5116 bnnbtt.exe 92 PID 5116 wrote to memory of 4312 5116 bnnbtt.exe 92 PID 4312 wrote to memory of 2688 4312 jjvvv.exe 93 PID 4312 wrote to 
memory of 2688 4312 jjvvv.exe 93 PID 4312 wrote to memory of 2688 4312 jjvvv.exe 93 PID 2688 wrote to memory of 4684 2688 xrxlfxx.exe 94 PID 2688 wrote to memory of 4684 2688 xrxlfxx.exe 94 PID 2688 wrote to memory of 4684 2688 xrxlfxx.exe 94 PID 4684 wrote to memory of 2184 4684 lfflrlf.exe 95 PID 4684 wrote to memory of 2184 4684 lfflrlf.exe 95 PID 4684 wrote to memory of 2184 4684 lfflrlf.exe 95 PID 2184 wrote to memory of 3460 2184 jddvd.exe 96 PID 2184 wrote to memory of 3460 2184 jddvd.exe 96 PID 2184 wrote to memory of 3460 2184 jddvd.exe 96 PID 3460 wrote to memory of 4956 3460 vdjjj.exe 97 PID 3460 wrote to memory of 4956 3460 vdjjj.exe 97 PID 3460 wrote to memory of 4956 3460 vdjjj.exe 97 PID 4956 wrote to memory of 620 4956 fxlflff.exe 98 PID 4956 wrote to memory of 620 4956 fxlflff.exe 98 PID 4956 wrote to memory of 620 4956 fxlflff.exe 98 PID 620 wrote to memory of 2368 620 ntbtnn.exe 99 PID 620 wrote to memory of 2368 620 ntbtnn.exe 99 PID 620 wrote to memory of 2368 620 ntbtnn.exe 99 PID 2368 wrote to memory of 4652 2368 nbhnbt.exe 100 PID 2368 wrote to memory of 4652 2368 nbhnbt.exe 100 PID 2368 wrote to memory of 4652 2368 nbhnbt.exe 100 PID 4652 wrote to memory of 4344 4652 frllfff.exe 101 PID 4652 wrote to memory of 4344 4652 frllfff.exe 101 PID 4652 wrote to memory of 4344 4652 frllfff.exe 101 PID 4344 wrote to memory of 1236 4344 7ttnnn.exe 102 PID 4344 wrote to memory of 1236 4344 7ttnnn.exe 102 PID 4344 wrote to memory of 1236 4344 7ttnnn.exe 102 PID 1236 wrote to memory of 1016 1236 lrrrrrl.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe"C:\Users\Admin\AppData\Local\Temp\a6649cebd4f38845634941115648ca2f2a820fd1f274f7993c25a70fa97ca35a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\pjddp.exec:\pjddp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4052 -
\??\c:\nhhnht.exec:\nhhnht.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\dvdvv.exec:\dvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\ffrrllf.exec:\ffrrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\bnbbtt.exec:\bnbbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2472 -
\??\c:\xlxrrrx.exec:\xlxrrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\nhbttn.exec:\nhbttn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\tnnbtb.exec:\tnnbtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\djvpv.exec:\djvpv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\bnnbtt.exec:\bnnbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5116 -
\??\c:\jjvvv.exec:\jjvvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
\??\c:\xrxlfxx.exec:\xrxlfxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\lfflrlf.exec:\lfflrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\jddvd.exec:\jddvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\vdjjj.exec:\vdjjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\fxlflff.exec:\fxlflff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\ntbtnn.exec:\ntbtnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\nbhnbt.exec:\nbhnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\frllfff.exec:\frllfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4652 -
\??\c:\7ttnnn.exec:\7ttnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4344 -
\??\c:\lrrrrrl.exec:\lrrrrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\dvdvv.exec:\dvdvv.exe23⤵
- Executes dropped EXE
PID:1016 -
\??\c:\5bhbtn.exec:\5bhbtn.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:648 -
\??\c:\vpvdv.exec:\vpvdv.exe25⤵
- Executes dropped EXE
PID:536 -
\??\c:\3xrlrrl.exec:\3xrlrrl.exe26⤵
- Executes dropped EXE
PID:2940 -
\??\c:\tnbtnn.exec:\tnbtnn.exe27⤵
- Executes dropped EXE
PID:4272 -
\??\c:\3vpdv.exec:\3vpdv.exe28⤵
- Executes dropped EXE
PID:3736 -
\??\c:\hnbtnh.exec:\hnbtnh.exe29⤵
- Executes dropped EXE
PID:2080 -
\??\c:\rllrlfx.exec:\rllrlfx.exe30⤵
- Executes dropped EXE
PID:4132 -
\??\c:\nbhbtt.exec:\nbhbtt.exe31⤵
- Executes dropped EXE
PID:4316 -
\??\c:\ddvvp.exec:\ddvvp.exe32⤵
- Executes dropped EXE
PID:2180 -
\??\c:\ffrflfx.exec:\ffrflfx.exe33⤵
- Executes dropped EXE
PID:344 -
\??\c:\dvdvd.exec:\dvdvd.exe34⤵
- Executes dropped EXE
PID:388 -
\??\c:\lfrlrrx.exec:\lfrlrrx.exe35⤵
- Executes dropped EXE
PID:2352 -
\??\c:\btbbtn.exec:\btbbtn.exe36⤵
- Executes dropped EXE
PID:3916 -
\??\c:\pppjj.exec:\pppjj.exe37⤵
- Executes dropped EXE
PID:1648 -
\??\c:\vvddd.exec:\vvddd.exe38⤵
- Executes dropped EXE
PID:4256 -
\??\c:\rfllfff.exec:\rfllfff.exe39⤵
- Executes dropped EXE
PID:4476 -
\??\c:\hbhhhh.exec:\hbhhhh.exe40⤵
- Executes dropped EXE
PID:5012 -
\??\c:\xrfxrrx.exec:\xrfxrrx.exe41⤵
- Executes dropped EXE
PID:400 -
\??\c:\hbnhhh.exec:\hbnhhh.exe42⤵
- Executes dropped EXE
PID:3116 -
\??\c:\3jpjj.exec:\3jpjj.exe43⤵
- Executes dropped EXE
PID:3340 -
\??\c:\jvvpj.exec:\jvvpj.exe44⤵
- Executes dropped EXE
PID:1128 -
\??\c:\rfrxxfr.exec:\rfrxxfr.exe45⤵
- Executes dropped EXE
PID:3740 -
\??\c:\tnnnhh.exec:\tnnnhh.exe46⤵
- Executes dropped EXE
PID:3904 -
\??\c:\pjjdv.exec:\pjjdv.exe47⤵
- Executes dropped EXE
PID:4864 -
\??\c:\rlxlfrl.exec:\rlxlfrl.exe48⤵
- Executes dropped EXE
PID:3664 -
\??\c:\tttbbt.exec:\tttbbt.exe49⤵
- Executes dropped EXE
PID:2632 -
\??\c:\jjjjp.exec:\jjjjp.exe50⤵
- Executes dropped EXE
PID:4752 -
\??\c:\ppvpj.exec:\ppvpj.exe51⤵
- Executes dropped EXE
PID:3484 -
\??\c:\1rrlffx.exec:\1rrlffx.exe52⤵
- Executes dropped EXE
PID:4292 -
\??\c:\nnnnhb.exec:\nnnnhb.exe53⤵
- Executes dropped EXE
PID:3940 -
\??\c:\pvpjj.exec:\pvpjj.exe54⤵
- Executes dropped EXE
PID:5032 -
\??\c:\pjdvp.exec:\pjdvp.exe55⤵
- Executes dropped EXE
PID:2756 -
\??\c:\rflfxxr.exec:\rflfxxr.exe56⤵
- Executes dropped EXE
PID:4960 -
\??\c:\5hhtnt.exec:\5hhtnt.exe57⤵
- Executes dropped EXE
PID:4364 -
\??\c:\dvvdp.exec:\dvvdp.exe58⤵
- Executes dropped EXE
PID:4908 -
\??\c:\xlrrffx.exec:\xlrrffx.exe59⤵
- Executes dropped EXE
PID:1176 -
\??\c:\rlxxfll.exec:\rlxxfll.exe60⤵
- Executes dropped EXE
PID:3604 -
\??\c:\bhtnhb.exec:\bhtnhb.exe61⤵
- Executes dropped EXE
PID:4916 -
\??\c:\jpjjd.exec:\jpjjd.exe62⤵
- Executes dropped EXE
PID:4352 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe63⤵
- Executes dropped EXE
PID:736 -
\??\c:\btnhtt.exec:\btnhtt.exe64⤵
- Executes dropped EXE
PID:4560 -
\??\c:\dpvpv.exec:\dpvpv.exe65⤵
- Executes dropped EXE
PID:2464 -
\??\c:\vdvpj.exec:\vdvpj.exe66⤵PID:5112
-
\??\c:\rfrlfxl.exec:\rfrlfxl.exe67⤵PID:2612
-
\??\c:\bbbhtt.exec:\bbbhtt.exe68⤵PID:2696
-
\??\c:\vpvpp.exec:\vpvpp.exe69⤵PID:1876
-
\??\c:\rlxxxxr.exec:\rlxxxxr.exe70⤵PID:1608
-
\??\c:\tnbtbb.exec:\tnbtbb.exe71⤵PID:4176
-
\??\c:\5jdpp.exec:\5jdpp.exe72⤵PID:2404
-
\??\c:\rlrlffx.exec:\rlrlffx.exe73⤵PID:2436
-
\??\c:\hhthbb.exec:\hhthbb.exe74⤵PID:4792
-
\??\c:\tthtnh.exec:\tthtnh.exe75⤵PID:3460
-
\??\c:\vpvpj.exec:\vpvpj.exe76⤵PID:32
-
\??\c:\lffrllf.exec:\lffrllf.exe77⤵PID:2800
-
\??\c:\rfxxrlf.exec:\rfxxrlf.exe78⤵PID:1688
-
\??\c:\5thbnn.exec:\5thbnn.exe79⤵PID:2388
-
\??\c:\vppjv.exec:\vppjv.exe80⤵PID:2368
-
\??\c:\vppjd.exec:\vppjd.exe81⤵PID:2992
-
\??\c:\lxlffff.exec:\lxlffff.exe82⤵PID:4344
-
\??\c:\nhnhhh.exec:\nhnhhh.exe83⤵PID:1572
-
\??\c:\dvdjd.exec:\dvdjd.exe84⤵PID:4524
-
\??\c:\xlxrffx.exec:\xlxrffx.exe85⤵PID:3136
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe86⤵PID:5064
-
\??\c:\hbtthh.exec:\hbtthh.exe87⤵PID:4912
-
\??\c:\vpdvv.exec:\vpdvv.exe88⤵PID:1388
-
\??\c:\dvjvv.exec:\dvjvv.exe89⤵PID:1344
-
\??\c:\frffrrr.exec:\frffrrr.exe90⤵PID:1156
-
\??\c:\nhtthh.exec:\nhtthh.exe91⤵PID:1384
-
\??\c:\pjpjd.exec:\pjpjd.exe92⤵PID:3608
-
\??\c:\vdjdv.exec:\vdjdv.exe93⤵PID:1092
-
\??\c:\xfrfxrl.exec:\xfrfxrl.exe94⤵PID:1808
-
\??\c:\btbttt.exec:\btbttt.exe95⤵PID:4132
-
\??\c:\dpdvv.exec:\dpdvv.exe96⤵PID:4084
-
\??\c:\jvvpj.exec:\jvvpj.exe97⤵PID:3588
-
\??\c:\3rxfrfx.exec:\3rxfrfx.exe98⤵PID:3380
-
\??\c:\nhhbth.exec:\nhhbth.exe99⤵PID:1400
-
\??\c:\vpppj.exec:\vpppj.exe100⤵PID:4736
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe101⤵PID:1752
-
\??\c:\xrxlffx.exec:\xrxlffx.exe102⤵PID:2620
-
\??\c:\thnhhh.exec:\thnhhh.exe103⤵PID:3632
-
\??\c:\pjvpp.exec:\pjvpp.exe104⤵PID:3000
-
\??\c:\lffxlff.exec:\lffxlff.exe105⤵PID:4516
-
\??\c:\btnbtn.exec:\btnbtn.exe106⤵PID:712
-
\??\c:\bbbthh.exec:\bbbthh.exe107⤵PID:3144
-
\??\c:\jjpjd.exec:\jjpjd.exe108⤵PID:3684
-
\??\c:\frfrlfr.exec:\frfrlfr.exe109⤵PID:4584
-
\??\c:\bnnhtb.exec:\bnnhtb.exe110⤵PID:3340
-
\??\c:\htthtn.exec:\htthtn.exe111⤵PID:2092
-
\??\c:\ddjvj.exec:\ddjvj.exe112⤵PID:852
-
\??\c:\frrfrll.exec:\frrfrll.exe113⤵PID:4992
-
\??\c:\nbhhhb.exec:\nbhhhb.exe114⤵PID:4404
-
\??\c:\jvpdj.exec:\jvpdj.exe115⤵PID:3664
-
\??\c:\jvdpd.exec:\jvdpd.exe116⤵PID:3100
-
\??\c:\flrlffx.exec:\flrlffx.exe117⤵PID:4408
-
\??\c:\tnbnnn.exec:\tnbnnn.exe118⤵PID:5068
-
\??\c:\jdvpj.exec:\jdvpj.exe119⤵PID:4180
-
\??\c:\lxffrlx.exec:\lxffrlx.exe120⤵PID:2740
-
\??\c:\hbbtnh.exec:\hbbtnh.exe121⤵PID:4668
-
\??\c:\hbhnnh.exec:\hbhnnh.exe122⤵PID:4204
-