Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/01/2025, 07:19
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36N.exe
-
Size
455KB
-
MD5
90863307f046bee34d1c0e42de87ece0
-
SHA1
200963cea7ea5d2c1c728bfc27cc97833df4ceaa
-
SHA256
f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36
-
SHA512
54e05ab59efdca7b44ce38be0702030fe92e8c8a53a4a9f563e1ccc7787f10261cc3faae50703dc2266946336b656a285210eaec05a2a090b15f6fc26b3b636b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT1:q7Tc2NYHUrAwfMp3CDB
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4392-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/732-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4308-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/852-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-635-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-996-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-1155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-1264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-1382-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-1713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3396 xxxlfxl.exe 64 nhnhnb.exe 1576 jjjdv.exe 3676 fxlfxrr.exe 4880 3pdvp.exe 2792 htbbnt.exe 2548 jvvpj.exe 2488 3hnhhn.exe 4856 rlllfff.exe 1748 htnbnh.exe 32 pvpvv.exe 1056 pjdvv.exe 3696 1rlfffx.exe 4876 pjpjd.exe 5096 nbhhbb.exe 2608 fflxrll.exe 2516 hbhhhh.exe 5012 jdpjj.exe 2724 1xfxffr.exe 1516 nnhhtb.exe 3248 hbhbhb.exe 4492 ppddd.exe 4724 rfxrlll.exe 2564 hnnhbt.exe 3412 lllffff.exe 1312 ppjdd.exe 732 flrfxxl.exe 4308 rlxxffx.exe 4944 3hhbbb.exe 908 lxxxrxf.exe 4056 vpvpd.exe 2684 bhnbtn.exe 4588 xrxrrlf.exe 3536 jddvp.exe 4416 lxrlffx.exe 2216 7bbnbb.exe 720 9pvvj.exe 4712 rlrllfx.exe 4408 nnnhtt.exe 3272 xxfxxrr.exe 3028 jddvp.exe 3408 vdpjv.exe 1444 3xlfrrf.exe 1688 hnnbnh.exe 3900 jddvj.exe 2240 1rrfxxr.exe 1344 xrllfff.exe 4860 3ntnht.exe 3676 pppjd.exe 1268 fflxxrr.exe 1632 3lrffxf.exe 2088 ntbthh.exe 3508 5djvp.exe 1636 rfrllff.exe 1552 nthbnn.exe 1464 vppjv.exe 2192 vdddp.exe 1748 3xrlxxx.exe 4772 rxfrlfx.exe 4304 tttnhn.exe 3212 vddvv.exe 4424 jjpdv.exe 1056 xrxrlll.exe 3696 jdjdv.exe -
resource yara_rule behavioral2/memory/4392-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4308-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-408-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3728-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/852-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-635-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-782-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-996-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-1093-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-1155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-1264-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Entries below listed as "Process not Found" are registry key opens that the sandbox did not attribute to a named process, so the per-process attribution in this list is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4392 wrote to memory of 3396 4392 f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36N.exe 83 PID 4392 wrote to memory of 3396 4392 f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36N.exe 83 PID 4392 wrote to memory of 3396 4392 f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36N.exe 83 PID 3396 wrote to memory of 64 3396 xxxlfxl.exe 84 PID 3396 wrote to memory of 64 3396 xxxlfxl.exe 84 PID 3396 wrote to memory of 64 3396 xxxlfxl.exe 84 PID 64 wrote to memory of 1576 64 nhnhnb.exe 85 PID 64 wrote to memory of 1576 64 nhnhnb.exe 85 PID 64 wrote to memory of 1576 64 nhnhnb.exe 85 PID 1576 wrote to memory of 3676 1576 jjjdv.exe 86 PID 1576 wrote to memory of 3676 1576 jjjdv.exe 86 PID 1576 wrote to memory of 3676 1576 jjjdv.exe 86 PID 3676 wrote to memory of 4880 3676 fxlfxrr.exe 87 PID 3676 wrote to memory of 4880 3676 fxlfxrr.exe 87 PID 3676 wrote to memory of 4880 3676 fxlfxrr.exe 87 PID 4880 wrote to memory of 2792 4880 3pdvp.exe 88 PID 4880 wrote to memory of 2792 4880 3pdvp.exe 88 PID 4880 wrote to memory of 2792 4880 3pdvp.exe 88 PID 2792 wrote to memory of 2548 2792 htbbnt.exe 89 PID 2792 wrote to memory of 2548 2792 htbbnt.exe 89 PID 2792 wrote to memory of 2548 2792 htbbnt.exe 89 PID 2548 wrote to memory of 2488 2548 jvvpj.exe 90 PID 2548 wrote to memory of 2488 2548 jvvpj.exe 90 PID 2548 wrote to memory of 2488 2548 jvvpj.exe 90 PID 2488 wrote to memory of 4856 2488 3hnhhn.exe 91 PID 2488 wrote to memory of 4856 2488 3hnhhn.exe 91 PID 2488 wrote to memory of 4856 2488 3hnhhn.exe 91 PID 4856 wrote to memory of 1748 4856 rlllfff.exe 92 PID 4856 wrote to memory of 1748 4856 rlllfff.exe 92 PID 4856 wrote to memory of 1748 4856 rlllfff.exe 92 PID 1748 wrote to memory of 32 1748 htnbnh.exe 93 PID 1748 wrote to memory of 32 1748 htnbnh.exe 93 PID 1748 wrote to memory of 32 1748 htnbnh.exe 93 PID 32 wrote to memory of 1056 32 pvpvv.exe 94 PID 32 wrote to memory of 1056 32 pvpvv.exe 
94 PID 32 wrote to memory of 1056 32 pvpvv.exe 94 PID 1056 wrote to memory of 3696 1056 pjdvv.exe 95 PID 1056 wrote to memory of 3696 1056 pjdvv.exe 95 PID 1056 wrote to memory of 3696 1056 pjdvv.exe 95 PID 3696 wrote to memory of 4876 3696 1rlfffx.exe 96 PID 3696 wrote to memory of 4876 3696 1rlfffx.exe 96 PID 3696 wrote to memory of 4876 3696 1rlfffx.exe 96 PID 4876 wrote to memory of 5096 4876 pjpjd.exe 97 PID 4876 wrote to memory of 5096 4876 pjpjd.exe 97 PID 4876 wrote to memory of 5096 4876 pjpjd.exe 97 PID 5096 wrote to memory of 2608 5096 nbhhbb.exe 98 PID 5096 wrote to memory of 2608 5096 nbhhbb.exe 98 PID 5096 wrote to memory of 2608 5096 nbhhbb.exe 98 PID 2608 wrote to memory of 2516 2608 fflxrll.exe 99 PID 2608 wrote to memory of 2516 2608 fflxrll.exe 99 PID 2608 wrote to memory of 2516 2608 fflxrll.exe 99 PID 2516 wrote to memory of 5012 2516 hbhhhh.exe 100 PID 2516 wrote to memory of 5012 2516 hbhhhh.exe 100 PID 2516 wrote to memory of 5012 2516 hbhhhh.exe 100 PID 5012 wrote to memory of 2724 5012 jdpjj.exe 101 PID 5012 wrote to memory of 2724 5012 jdpjj.exe 101 PID 5012 wrote to memory of 2724 5012 jdpjj.exe 101 PID 2724 wrote to memory of 1516 2724 1xfxffr.exe 102 PID 2724 wrote to memory of 1516 2724 1xfxffr.exe 102 PID 2724 wrote to memory of 1516 2724 1xfxffr.exe 102 PID 1516 wrote to memory of 3248 1516 nnhhtb.exe 103 PID 1516 wrote to memory of 3248 1516 nnhhtb.exe 103 PID 1516 wrote to memory of 3248 1516 nnhhtb.exe 103 PID 3248 wrote to memory of 4492 3248 hbhbhb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36N.exe"C:\Users\Admin\AppData\Local\Temp\f568fe920c9ae0ec8625d5769885091e016ca5fa7878db173ba429ed2c3aef36N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\xxxlfxl.exec:\xxxlfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\nhnhnb.exec:\nhnhnb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\jjjdv.exec:\jjjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\fxlfxrr.exec:\fxlfxrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3676 -
\??\c:\3pdvp.exec:\3pdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\htbbnt.exec:\htbbnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\jvvpj.exec:\jvvpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
\??\c:\3hnhhn.exec:\3hnhhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\rlllfff.exec:\rlllfff.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\htnbnh.exec:\htnbnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\pvpvv.exec:\pvpvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:32 -
\??\c:\pjdvv.exec:\pjdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\1rlfffx.exec:\1rlfffx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\pjpjd.exec:\pjpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\nbhhbb.exec:\nbhhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\fflxrll.exec:\fflxrll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\hbhhhh.exec:\hbhhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\jdpjj.exec:\jdpjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
\??\c:\1xfxffr.exec:\1xfxffr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
\??\c:\nnhhtb.exec:\nnhhtb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\hbhbhb.exec:\hbhbhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248 -
\??\c:\ppddd.exec:\ppddd.exe23⤵
- Executes dropped EXE
PID:4492 -
\??\c:\rfxrlll.exec:\rfxrlll.exe24⤵
- Executes dropped EXE
PID:4724 -
\??\c:\hnnhbt.exec:\hnnhbt.exe25⤵
- Executes dropped EXE
PID:2564 -
\??\c:\lllffff.exec:\lllffff.exe26⤵
- Executes dropped EXE
PID:3412 -
\??\c:\ppjdd.exec:\ppjdd.exe27⤵
- Executes dropped EXE
PID:1312 -
\??\c:\flrfxxl.exec:\flrfxxl.exe28⤵
- Executes dropped EXE
PID:732 -
\??\c:\rlxxffx.exec:\rlxxffx.exe29⤵
- Executes dropped EXE
PID:4308 -
\??\c:\3hhbbb.exec:\3hhbbb.exe30⤵
- Executes dropped EXE
PID:4944 -
\??\c:\lxxxrxf.exec:\lxxxrxf.exe31⤵
- Executes dropped EXE
PID:908 -
\??\c:\vpvpd.exec:\vpvpd.exe32⤵
- Executes dropped EXE
PID:4056 -
\??\c:\bhnbtn.exec:\bhnbtn.exe33⤵
- Executes dropped EXE
PID:2684 -
\??\c:\xrxrrlf.exec:\xrxrrlf.exe34⤵
- Executes dropped EXE
PID:4588 -
\??\c:\jddvp.exec:\jddvp.exe35⤵
- Executes dropped EXE
PID:3536 -
\??\c:\lxrlffx.exec:\lxrlffx.exe36⤵
- Executes dropped EXE
PID:4416 -
\??\c:\7bbnbb.exec:\7bbnbb.exe37⤵
- Executes dropped EXE
PID:2216 -
\??\c:\9pvvj.exec:\9pvvj.exe38⤵
- Executes dropped EXE
PID:720 -
\??\c:\rlrllfx.exec:\rlrllfx.exe39⤵
- Executes dropped EXE
PID:4712 -
\??\c:\nnnhtt.exec:\nnnhtt.exe40⤵
- Executes dropped EXE
PID:4408 -
\??\c:\xxfxxrr.exec:\xxfxxrr.exe41⤵
- Executes dropped EXE
PID:3272 -
\??\c:\nntbtt.exec:\nntbtt.exe42⤵PID:4064
-
\??\c:\jddvp.exec:\jddvp.exe43⤵
- Executes dropped EXE
PID:3028 -
\??\c:\vdpjv.exec:\vdpjv.exe44⤵
- Executes dropped EXE
PID:3408 -
\??\c:\3xlfrrf.exec:\3xlfrrf.exe45⤵
- Executes dropped EXE
PID:1444 -
\??\c:\hnnbnh.exec:\hnnbnh.exe46⤵
- Executes dropped EXE
PID:1688 -
\??\c:\jddvj.exec:\jddvj.exe47⤵
- Executes dropped EXE
PID:3900 -
\??\c:\1rrfxxr.exec:\1rrfxxr.exe48⤵
- Executes dropped EXE
PID:2240 -
\??\c:\xrllfff.exec:\xrllfff.exe49⤵
- Executes dropped EXE
PID:1344 -
\??\c:\3ntnht.exec:\3ntnht.exe50⤵
- Executes dropped EXE
PID:4860 -
\??\c:\pppjd.exec:\pppjd.exe51⤵
- Executes dropped EXE
PID:3676 -
\??\c:\fflxxrr.exec:\fflxxrr.exe52⤵
- Executes dropped EXE
PID:1268 -
\??\c:\3lrffxf.exec:\3lrffxf.exe53⤵
- Executes dropped EXE
PID:1632 -
\??\c:\ntbthh.exec:\ntbthh.exe54⤵
- Executes dropped EXE
PID:2088 -
\??\c:\5djvp.exec:\5djvp.exe55⤵
- Executes dropped EXE
PID:3508 -
\??\c:\rfrllff.exec:\rfrllff.exe56⤵
- Executes dropped EXE
PID:1636 -
\??\c:\nthbnn.exec:\nthbnn.exe57⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vppjv.exec:\vppjv.exe58⤵
- Executes dropped EXE
PID:1464 -
\??\c:\vdddp.exec:\vdddp.exe59⤵
- Executes dropped EXE
PID:2192 -
\??\c:\3xrlxxx.exec:\3xrlxxx.exe60⤵
- Executes dropped EXE
PID:1748 -
\??\c:\rxfrlfx.exec:\rxfrlfx.exe61⤵
- Executes dropped EXE
PID:4772 -
\??\c:\tttnhn.exec:\tttnhn.exe62⤵
- Executes dropped EXE
PID:4304 -
\??\c:\vddvv.exec:\vddvv.exe63⤵
- Executes dropped EXE
PID:3212 -
\??\c:\jjpdv.exec:\jjpdv.exe64⤵
- Executes dropped EXE
PID:4424 -
\??\c:\xrxrlll.exec:\xrxrlll.exe65⤵
- Executes dropped EXE
PID:1056 -
\??\c:\jdjdv.exec:\jdjdv.exe66⤵
- Executes dropped EXE
PID:3696 -
\??\c:\lrfflll.exec:\lrfflll.exe67⤵PID:468
-
\??\c:\9bbbtt.exec:\9bbbtt.exe68⤵PID:1372
-
\??\c:\vppdv.exec:\vppdv.exe69⤵PID:3840
-
\??\c:\dvjdp.exec:\dvjdp.exe70⤵PID:3556
-
\??\c:\lffxlxx.exec:\lffxlxx.exe71⤵PID:4740
-
\??\c:\7nthbt.exec:\7nthbt.exe72⤵PID:1700
-
\??\c:\dvdvp.exec:\dvdvp.exe73⤵PID:3440
-
\??\c:\fxfxfrr.exec:\fxfxfrr.exe74⤵PID:4888
-
\??\c:\tntntt.exec:\tntntt.exe75⤵PID:2724
-
\??\c:\5jddv.exec:\5jddv.exe76⤵PID:2480
-
\??\c:\3pvpv.exec:\3pvpv.exe77⤵PID:3356
-
\??\c:\xfxrlll.exec:\xfxrlll.exe78⤵PID:4072
-
\??\c:\pjdvp.exec:\pjdvp.exe79⤵PID:4228
-
\??\c:\9jdvp.exec:\9jdvp.exe80⤵PID:2852
-
\??\c:\rllllll.exec:\rllllll.exe81⤵PID:3360
-
\??\c:\7bnhbt.exec:\7bnhbt.exe82⤵PID:4484
-
\??\c:\9vppp.exec:\9vppp.exe83⤵PID:3128
-
\??\c:\7djdj.exec:\7djdj.exe84⤵PID:1312
-
\??\c:\rlxrrrx.exec:\rlxrrrx.exe85⤵PID:4260
-
\??\c:\bbbhbh.exec:\bbbhbh.exe86⤵PID:1092
-
\??\c:\ppvpd.exec:\ppvpd.exe87⤵PID:1660
-
\??\c:\3flfrrr.exec:\3flfrrr.exe88⤵PID:4308
-
\??\c:\rrfxfff.exec:\rrfxfff.exe89⤵PID:3012
-
\??\c:\ddjdj.exec:\ddjdj.exe90⤵PID:3984
-
\??\c:\7jjvp.exec:\7jjvp.exe91⤵PID:908
-
\??\c:\xlxllfl.exec:\xlxllfl.exe92⤵PID:4980
-
\??\c:\btntnn.exec:\btntnn.exe93⤵PID:3992
-
\??\c:\vpvpd.exec:\vpvpd.exe94⤵PID:1388
-
\??\c:\dvdvj.exec:\dvdvj.exe95⤵PID:1680
-
\??\c:\3rrrllf.exec:\3rrrllf.exe96⤵PID:968
-
\??\c:\dvvvp.exec:\dvvvp.exe97⤵PID:840
-
\??\c:\dpjdv.exec:\dpjdv.exe98⤵PID:3860
-
\??\c:\lflrxlr.exec:\lflrxlr.exe99⤵PID:5100
-
\??\c:\7bthbt.exec:\7bthbt.exe100⤵PID:1120
-
\??\c:\jvddp.exec:\jvddp.exe101⤵PID:2604
-
\??\c:\lflfxxx.exec:\lflfxxx.exe102⤵PID:4372
-
\??\c:\tntbnt.exec:\tntbnt.exe103⤵PID:2312
-
\??\c:\pdjvj.exec:\pdjvj.exe104⤵PID:4376
-
\??\c:\9llfrlf.exec:\9llfrlf.exe105⤵PID:1548
-
\??\c:\bnnnhb.exec:\bnnnhb.exe106⤵PID:2760
-
\??\c:\dddvp.exec:\dddvp.exe107⤵PID:3716
-
\??\c:\fxrlfxx.exec:\fxrlfxx.exe108⤵PID:64
-
\??\c:\lflxrfx.exec:\lflxrfx.exe109⤵PID:3688
-
\??\c:\bnnhbt.exec:\bnnhbt.exe110⤵PID:3728
-
\??\c:\pvddd.exec:\pvddd.exe111⤵PID:3096
-
\??\c:\rxxlfxf.exec:\rxxlfxf.exe112⤵PID:3732
-
\??\c:\nhnnhh.exec:\nhnnhh.exe113⤵PID:220
-
\??\c:\1pdvv.exec:\1pdvv.exe114⤵PID:2056
-
\??\c:\fffxxll.exec:\fffxxll.exe115⤵PID:1740
-
\??\c:\rfrlffx.exec:\rfrlffx.exe116⤵
- System Location Discovery: System Language Discovery
PID:2856 -
\??\c:\tthtnh.exec:\tthtnh.exe117⤵PID:100
-
\??\c:\1pvvp.exec:\1pvvp.exe118⤵PID:2548
-
\??\c:\9vjvd.exec:\9vjvd.exe119⤵PID:3340
-
\??\c:\lflfxrr.exec:\lflfxrr.exe120⤵PID:852
-
\??\c:\1nbbtt.exec:\1nbbtt.exe121⤵PID:4420
-
\??\c:\hbnntt.exec:\hbnntt.exe122⤵PID:2064