Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2025, 07:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe
-
Size
454KB
-
MD5
14212bad49ca961294ff529352ce04d0
-
SHA1
11075a36e992b186eb30523e16cf418909060db2
-
SHA256
3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4
-
SHA512
f5efcc2b1161c94f99bec35897a16558a3e3a735588b8ac064d308e8c6fc99c7ee4027066c186b1b847487be73f8a291a7a6be0892023b5002f2f9e76b6da291
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4768-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4136-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2188-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1872-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/864-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/964-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1900-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4436-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-700-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-811-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-888-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-1222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-1326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1456 vvvjv.exe 3016 hnthtn.exe 2936 xrrfflx.exe 1112 jvvpd.exe 972 xffxrff.exe 2240 5rrfxrl.exe 3232 btbnnh.exe 4572 jvpdp.exe 3872 jvpjv.exe 3652 fflxlfr.exe 3912 bnthnh.exe 4784 lrxxlfl.exe 4912 httnbt.exe 1712 btthnh.exe 1536 djpdp.exe 2736 jvvjd.exe 348 jdjvj.exe 5032 rlfrlfr.exe 1520 tnthtn.exe 2668 pvjjj.exe 2712 rlffrlx.exe 212 hbtnbt.exe 4136 1xrlfxl.exe 4884 htnbnb.exe 1940 xrxrxrx.exe 2756 thhthb.exe 2188 vjjvj.exe 3472 djpdv.exe 2032 frrfxrl.exe 4888 tbtnbh.exe 3428 lrxxrll.exe 2692 rlxrffr.exe 3548 thhnbt.exe 1872 vppjv.exe 3988 frfrxlr.exe 2236 nhtnhb.exe 5056 3tnbnn.exe 1900 djpvd.exe 644 frxrlfx.exe 4680 lxffrrf.exe 3108 thnnhb.exe 4084 1pppd.exe 4364 rxffxxx.exe 1384 bbbttn.exe 3960 dvpjj.exe 4968 xlxrfxr.exe 864 fffxlfr.exe 1988 bttnhh.exe 4940 5jjvd.exe 4020 frfrlfx.exe 4376 bnbtnn.exe 4384 jvvjj.exe 1552 frrfxxr.exe 3704 bbbnbt.exe 4776 ttbtnn.exe 4568 vjvpd.exe 4836 3ffxrlr.exe 3312 hbthbn.exe 528 dvppv.exe 436 llrfrlf.exe 4288 tnnbth.exe 5092 thnhbt.exe 380 jdvpv.exe 3644 rxxxlfx.exe -
resource yara_rule behavioral2/memory/4768-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3472-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1900-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/864-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-408-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1900-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4436-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-700-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-811-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-888-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-1222-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4768 wrote to memory of 1456 4768 3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe 82 PID 4768 wrote to memory of 1456 4768 3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe 82 PID 4768 wrote to memory of 1456 4768 3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe 82 PID 1456 wrote to memory of 3016 1456 vvvjv.exe 83 PID 1456 wrote to memory of 3016 1456 vvvjv.exe 83 PID 1456 wrote to memory of 3016 1456 vvvjv.exe 83 PID 3016 wrote to memory of 2936 3016 hnthtn.exe 84 PID 3016 wrote to memory of 2936 3016 hnthtn.exe 84 PID 3016 wrote to memory of 2936 3016 hnthtn.exe 84 PID 2936 wrote to memory of 1112 2936 xrrfflx.exe 85 PID 2936 wrote to memory of 1112 2936 xrrfflx.exe 85 PID 2936 wrote to memory of 1112 2936 xrrfflx.exe 85 PID 1112 wrote to memory of 972 1112 jvvpd.exe 86 PID 1112 wrote to memory of 972 1112 jvvpd.exe 86 PID 1112 wrote to memory of 972 1112 jvvpd.exe 86 PID 972 wrote to memory of 2240 972 xffxrff.exe 87 PID 972 wrote to memory of 2240 972 xffxrff.exe 87 PID 972 wrote to memory of 2240 972 xffxrff.exe 87 PID 2240 wrote to memory of 3232 2240 5rrfxrl.exe 88 PID 2240 wrote to memory of 3232 2240 5rrfxrl.exe 88 PID 2240 wrote to memory of 3232 2240 5rrfxrl.exe 88 PID 3232 wrote to memory of 4572 3232 btbnnh.exe 89 PID 3232 wrote to memory of 4572 3232 btbnnh.exe 89 PID 3232 wrote to memory of 4572 3232 btbnnh.exe 89 PID 4572 wrote to memory of 3872 4572 jvpdp.exe 90 PID 4572 wrote to memory of 3872 4572 jvpdp.exe 90 PID 4572 wrote to memory of 3872 4572 jvpdp.exe 90 PID 3872 wrote to memory of 3652 3872 jvpjv.exe 91 PID 3872 wrote to memory of 3652 3872 jvpjv.exe 91 PID 3872 wrote to memory of 3652 3872 jvpjv.exe 91 PID 3652 wrote to memory of 3912 3652 fflxlfr.exe 92 PID 3652 wrote to memory of 3912 3652 fflxlfr.exe 92 PID 3652 wrote to memory of 3912 3652 fflxlfr.exe 92 PID 3912 wrote to memory of 4784 3912 bnthnh.exe 93 PID 3912 wrote to memory 
of 4784 3912 bnthnh.exe 93 PID 3912 wrote to memory of 4784 3912 bnthnh.exe 93 PID 4784 wrote to memory of 4912 4784 lrxxlfl.exe 94 PID 4784 wrote to memory of 4912 4784 lrxxlfl.exe 94 PID 4784 wrote to memory of 4912 4784 lrxxlfl.exe 94 PID 4912 wrote to memory of 1712 4912 httnbt.exe 95 PID 4912 wrote to memory of 1712 4912 httnbt.exe 95 PID 4912 wrote to memory of 1712 4912 httnbt.exe 95 PID 1712 wrote to memory of 1536 1712 btthnh.exe 96 PID 1712 wrote to memory of 1536 1712 btthnh.exe 96 PID 1712 wrote to memory of 1536 1712 btthnh.exe 96 PID 1536 wrote to memory of 2736 1536 djpdp.exe 97 PID 1536 wrote to memory of 2736 1536 djpdp.exe 97 PID 1536 wrote to memory of 2736 1536 djpdp.exe 97 PID 2736 wrote to memory of 348 2736 jvvjd.exe 98 PID 2736 wrote to memory of 348 2736 jvvjd.exe 98 PID 2736 wrote to memory of 348 2736 jvvjd.exe 98 PID 348 wrote to memory of 5032 348 jdjvj.exe 99 PID 348 wrote to memory of 5032 348 jdjvj.exe 99 PID 348 wrote to memory of 5032 348 jdjvj.exe 99 PID 5032 wrote to memory of 1520 5032 rlfrlfr.exe 100 PID 5032 wrote to memory of 1520 5032 rlfrlfr.exe 100 PID 5032 wrote to memory of 1520 5032 rlfrlfr.exe 100 PID 1520 wrote to memory of 2668 1520 tnthtn.exe 101 PID 1520 wrote to memory of 2668 1520 tnthtn.exe 101 PID 1520 wrote to memory of 2668 1520 tnthtn.exe 101 PID 2668 wrote to memory of 2712 2668 pvjjj.exe 102 PID 2668 wrote to memory of 2712 2668 pvjjj.exe 102 PID 2668 wrote to memory of 2712 2668 pvjjj.exe 102 PID 2712 wrote to memory of 212 2712 rlffrlx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe"C:\Users\Admin\AppData\Local\Temp\3f183dfe42ce6ff4960703b8fae46ee19e397350693b0c99b517f1b4130c30a4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\vvvjv.exec:\vvvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\hnthtn.exec:\hnthtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3016 -
\??\c:\xrrfflx.exec:\xrrfflx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\jvvpd.exec:\jvvpd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\xffxrff.exec:\xffxrff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\5rrfxrl.exec:\5rrfxrl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
\??\c:\btbnnh.exec:\btbnnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\jvpdp.exec:\jvpdp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\jvpjv.exec:\jvpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\fflxlfr.exec:\fflxlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\bnthnh.exec:\bnthnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\lrxxlfl.exec:\lrxxlfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\httnbt.exec:\httnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\btthnh.exec:\btthnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
\??\c:\djpdp.exec:\djpdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\jvvjd.exec:\jvvjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\jdjvj.exec:\jdjvj.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\rlfrlfr.exec:\rlfrlfr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\tnthtn.exec:\tnthtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\pvjjj.exec:\pvjjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\rlffrlx.exec:\rlffrlx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\hbtnbt.exec:\hbtnbt.exe23⤵
- Executes dropped EXE
PID:212 -
\??\c:\1xrlfxl.exec:\1xrlfxl.exe24⤵
- Executes dropped EXE
PID:4136 -
\??\c:\htnbnb.exec:\htnbnb.exe25⤵
- Executes dropped EXE
PID:4884 -
\??\c:\xrxrxrx.exec:\xrxrxrx.exe26⤵
- Executes dropped EXE
PID:1940 -
\??\c:\thhthb.exec:\thhthb.exe27⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vjjvj.exec:\vjjvj.exe28⤵
- Executes dropped EXE
PID:2188 -
\??\c:\djpdv.exec:\djpdv.exe29⤵
- Executes dropped EXE
PID:3472 -
\??\c:\frrfxrl.exec:\frrfxrl.exe30⤵
- Executes dropped EXE
PID:2032 -
\??\c:\tbtnbh.exec:\tbtnbh.exe31⤵
- Executes dropped EXE
PID:4888 -
\??\c:\lrxxrll.exec:\lrxxrll.exe32⤵
- Executes dropped EXE
PID:3428 -
\??\c:\rlxrffr.exec:\rlxrffr.exe33⤵
- Executes dropped EXE
PID:2692 -
\??\c:\thhnbt.exec:\thhnbt.exe34⤵
- Executes dropped EXE
PID:3548 -
\??\c:\vppjv.exec:\vppjv.exe35⤵
- Executes dropped EXE
PID:1872 -
\??\c:\frfrxlr.exec:\frfrxlr.exe36⤵
- Executes dropped EXE
PID:3988 -
\??\c:\nhtnhb.exec:\nhtnhb.exe37⤵
- Executes dropped EXE
PID:2236 -
\??\c:\3tnbnn.exec:\3tnbnn.exe38⤵
- Executes dropped EXE
PID:5056 -
\??\c:\djpvd.exec:\djpvd.exe39⤵
- Executes dropped EXE
PID:1900 -
\??\c:\frxrlfx.exec:\frxrlfx.exe40⤵
- Executes dropped EXE
PID:644 -
\??\c:\lxffrrf.exec:\lxffrrf.exe41⤵
- Executes dropped EXE
PID:4680 -
\??\c:\thnnhb.exec:\thnnhb.exe42⤵
- Executes dropped EXE
PID:3108 -
\??\c:\1pppd.exec:\1pppd.exe43⤵
- Executes dropped EXE
PID:4084 -
\??\c:\rxffxxx.exec:\rxffxxx.exe44⤵
- Executes dropped EXE
PID:4364 -
\??\c:\bbbttn.exec:\bbbttn.exe45⤵
- Executes dropped EXE
PID:1384 -
\??\c:\dvpjj.exec:\dvpjj.exe46⤵
- Executes dropped EXE
PID:3960 -
\??\c:\xlxrfxr.exec:\xlxrfxr.exe47⤵
- Executes dropped EXE
PID:4968 -
\??\c:\fffxlfr.exec:\fffxlfr.exe48⤵
- Executes dropped EXE
PID:864 -
\??\c:\bttnhh.exec:\bttnhh.exe49⤵
- Executes dropped EXE
PID:1988 -
\??\c:\5jjvd.exec:\5jjvd.exe50⤵
- Executes dropped EXE
PID:4940 -
\??\c:\frfrlfx.exec:\frfrlfx.exe51⤵
- Executes dropped EXE
PID:4020 -
\??\c:\bnbtnn.exec:\bnbtnn.exe52⤵
- Executes dropped EXE
PID:4376 -
\??\c:\jvvjj.exec:\jvvjj.exe53⤵
- Executes dropped EXE
PID:4384 -
\??\c:\frrfxxr.exec:\frrfxxr.exe54⤵
- Executes dropped EXE
PID:1552 -
\??\c:\bbbnbt.exec:\bbbnbt.exe55⤵
- Executes dropped EXE
PID:3704 -
\??\c:\ttbtnn.exec:\ttbtnn.exe56⤵
- Executes dropped EXE
PID:4776 -
\??\c:\vjvpd.exec:\vjvpd.exe57⤵
- Executes dropped EXE
PID:4568 -
\??\c:\3ffxrlr.exec:\3ffxrlr.exe58⤵
- Executes dropped EXE
PID:4836 -
\??\c:\hbthbn.exec:\hbthbn.exe59⤵
- Executes dropped EXE
PID:3312 -
\??\c:\dvppv.exec:\dvppv.exe60⤵
- Executes dropped EXE
PID:528 -
\??\c:\llrfrlf.exec:\llrfrlf.exe61⤵
- Executes dropped EXE
PID:436 -
\??\c:\tnnbth.exec:\tnnbth.exe62⤵
- Executes dropped EXE
PID:4288 -
\??\c:\thnhbt.exec:\thnhbt.exe63⤵
- Executes dropped EXE
PID:5092 -
\??\c:\jdvpv.exec:\jdvpv.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:380 -
\??\c:\rxxxlfx.exec:\rxxxlfx.exe65⤵
- Executes dropped EXE
PID:3644 -
\??\c:\hhbtnn.exec:\hhbtnn.exe66⤵PID:2980
-
\??\c:\ppvjd.exec:\ppvjd.exe67⤵PID:468
-
\??\c:\xxfllrr.exec:\xxfllrr.exe68⤵PID:4504
-
\??\c:\lxfrfxr.exec:\lxfrfxr.exe69⤵PID:4380
-
\??\c:\ttbnbb.exec:\ttbnbb.exe70⤵PID:2388
-
\??\c:\nbtnhb.exec:\nbtnhb.exe71⤵PID:4892
-
\??\c:\9dvpj.exec:\9dvpj.exe72⤵PID:1912
-
\??\c:\djjvj.exec:\djjvj.exe73⤵PID:4912
-
\??\c:\frllxlx.exec:\frllxlx.exe74⤵PID:4508
-
\??\c:\nbbnnb.exec:\nbbnnb.exe75⤵PID:1208
-
\??\c:\hbtnbn.exec:\hbtnbn.exe76⤵PID:5036
-
\??\c:\vjdpj.exec:\vjdpj.exe77⤵PID:2736
-
\??\c:\lxxlfxl.exec:\lxxlfxl.exe78⤵PID:4584
-
\??\c:\5nhbtn.exec:\5nhbtn.exe79⤵PID:4348
-
\??\c:\tbbnbt.exec:\tbbnbt.exe80⤵PID:3612
-
\??\c:\jvjvv.exec:\jvjvv.exe81⤵PID:1520
-
\??\c:\rrlxrlx.exec:\rrlxrlx.exe82⤵PID:2276
-
\??\c:\bbhthb.exec:\bbhthb.exe83⤵PID:1972
-
\??\c:\hntnnn.exec:\hntnnn.exe84⤵PID:2824
-
\??\c:\pdjvp.exec:\pdjvp.exe85⤵PID:4108
-
\??\c:\flrfrfx.exec:\flrfrfx.exe86⤵PID:3244
-
\??\c:\btnbtb.exec:\btnbtb.exe87⤵PID:3128
-
\??\c:\pjjpv.exec:\pjjpv.exe88⤵PID:964
-
\??\c:\ddjvj.exec:\ddjvj.exe89⤵PID:3432
-
\??\c:\lxrffrr.exec:\lxrffrr.exe90⤵PID:3112
-
\??\c:\ntnhth.exec:\ntnhth.exe91⤵PID:3080
-
\??\c:\ttbhtn.exec:\ttbhtn.exe92⤵PID:2496
-
\??\c:\dddpd.exec:\dddpd.exe93⤵PID:2300
-
\??\c:\9xxrfff.exec:\9xxrfff.exe94⤵PID:3472
-
\??\c:\5nhthb.exec:\5nhthb.exe95⤵PID:2032
-
\??\c:\nthtbt.exec:\nthtbt.exe96⤵PID:2700
-
\??\c:\vvvjv.exec:\vvvjv.exe97⤵PID:2288
-
\??\c:\frrfrfr.exec:\frrfrfr.exe98⤵PID:3064
-
\??\c:\3bthtn.exec:\3bthtn.exe99⤵PID:1528
-
\??\c:\3tthtn.exec:\3tthtn.exe100⤵PID:876
-
\??\c:\jpvdp.exec:\jpvdp.exe101⤵PID:400
-
\??\c:\jvvpd.exec:\jvvpd.exe102⤵PID:3988
-
\??\c:\llfxrrl.exec:\llfxrrl.exe103⤵PID:3200
-
\??\c:\hhnbtn.exec:\hhnbtn.exe104⤵PID:3896
-
\??\c:\tnnbtn.exec:\tnnbtn.exe105⤵PID:1900
-
\??\c:\dpppd.exec:\dpppd.exe106⤵PID:4600
-
\??\c:\5lfrlxl.exec:\5lfrlxl.exe107⤵PID:2068
-
\??\c:\9hhtht.exec:\9hhtht.exe108⤵PID:3108
-
\??\c:\vpjdp.exec:\vpjdp.exe109⤵PID:4976
-
\??\c:\dvdvd.exec:\dvdvd.exe110⤵PID:3972
-
\??\c:\xflfrxr.exec:\xflfrxr.exe111⤵PID:4280
-
\??\c:\thhbnb.exec:\thhbnb.exe112⤵PID:5100
-
\??\c:\nnhthb.exec:\nnhthb.exe113⤵PID:2764
-
\??\c:\jppjv.exec:\jppjv.exe114⤵PID:464
-
\??\c:\ffllxlf.exec:\ffllxlf.exe115⤵PID:2988
-
\??\c:\nttnhh.exec:\nttnhh.exe116⤵PID:388
-
\??\c:\jdvdv.exec:\jdvdv.exe117⤵PID:4388
-
\??\c:\jvpdv.exec:\jvpdv.exe118⤵PID:4436
-
\??\c:\xrxlfxl.exec:\xrxlfxl.exe119⤵PID:3316
-
\??\c:\hnnnnh.exec:\hnnnnh.exe120⤵PID:3552
-
\??\c:\vjpdp.exec:\vjpdp.exe121⤵PID:3560
-
\??\c:\vjjpd.exec:\vjjpd.exe122⤵PID:1020