Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe
-
Size
454KB
-
MD5
ff66c05c67cbc07b66df48078073eee2
-
SHA1
daf4e9ee6e5c1500715b45ed593534b138cbc251
-
SHA256
408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa
-
SHA512
9f1685cd01388d93a3b7f7f9d975bb8cba664dcc31691108b6f1133e74465beb65e9d2d621db2b7be5383ea1b142d0f818950d804b667fff5470cf6d9959c574
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1132-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1136-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2732-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3740-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1328-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3656-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-473-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3220-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-666-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-696-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-848-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-882-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-907-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-1209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-1648-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3176-1875-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3916 httnhh.exe 1136 3jpjj.exe 3100 xfffxxr.exe 4048 rxllllf.exe 1524 hnhnbt.exe 2252 dpdpp.exe 4536 fxlxlrl.exe 2444 7thbtt.exe 1320 ttbttt.exe 2116 dpdpj.exe 4872 hthnth.exe 5028 jjdpd.exe 1784 lllflfl.exe 1396 ddjvj.exe 1632 pvppv.exe 1872 rxlxxrr.exe 1856 jvppv.exe 640 3xxllfx.exe 5044 xlrllfl.exe 704 bhnbth.exe 3792 xxlllff.exe 3852 nhhbnn.exe 3640 pvvdd.exe 3132 nbbtnh.exe 4172 3vdvj.exe 2732 hhhbtn.exe 3228 pjjvd.exe 3740 bbhbhb.exe 4540 1vdpd.exe 3944 9ffxffr.exe 2860 5vpdv.exe 2184 pdpjv.exe 3192 nbbtnn.exe 3472 hhhhtb.exe 856 dppjv.exe 4868 7lfrfxl.exe 2008 nhnbbt.exe 4988 jpdvj.exe 656 dppjd.exe 1740 7nnhnh.exe 2544 tnnbtt.exe 4316 fxxlxrl.exe 4544 nhhhtt.exe 5016 3jddp.exe 4388 fxxlrlr.exe 5084 hnhhtn.exe 1704 3dvvj.exe 2392 pdjjj.exe 1076 3rlfrlx.exe 1488 7tthbt.exe 2144 jvdvj.exe 4612 lxxlfxr.exe 1328 rllrfxr.exe 2444 hhnhnh.exe 1160 9vpdv.exe 3496 xffrlxr.exe 4332 rllfrlx.exe 4952 nbtnbt.exe 4992 5pvjp.exe 4092 5rlxlfr.exe 5020 nhbnhb.exe 3096 1ppdd.exe 4520 jvdpd.exe 5116 tnhbht.exe -
resource yara_rule behavioral2/memory/1132-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1136-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2732-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3192-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1740-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1328-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3188-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-473-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3220-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-666-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-696-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-882-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-907-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2472-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1132 wrote to memory of 3916 1132 408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe 83 PID 1132 wrote to memory of 3916 1132 408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe 83 PID 1132 wrote to memory of 3916 1132 408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe 83 PID 3916 wrote to memory of 1136 3916 httnhh.exe 84 PID 3916 wrote to memory of 1136 3916 httnhh.exe 84 PID 3916 wrote to memory of 1136 3916 httnhh.exe 84 PID 1136 wrote to memory of 3100 1136 3jpjj.exe 85 PID 1136 wrote to memory of 3100 1136 3jpjj.exe 85 PID 1136 wrote to memory of 3100 1136 3jpjj.exe 85 PID 3100 wrote to memory of 4048 3100 xfffxxr.exe 86 PID 3100 wrote to memory of 4048 3100 xfffxxr.exe 86 PID 3100 wrote to memory of 4048 3100 xfffxxr.exe 86 PID 4048 wrote to memory of 1524 4048 rxllllf.exe 87 PID 4048 wrote to memory of 1524 4048 rxllllf.exe 87 PID 4048 wrote to memory of 1524 4048 rxllllf.exe 87 PID 1524 wrote to memory of 2252 1524 hnhnbt.exe 88 PID 1524 wrote to memory of 2252 1524 hnhnbt.exe 88 PID 1524 wrote to memory of 2252 1524 hnhnbt.exe 88 PID 2252 wrote to memory of 4536 2252 dpdpp.exe 89 PID 2252 wrote to memory of 4536 2252 dpdpp.exe 89 PID 2252 wrote to memory of 4536 2252 dpdpp.exe 89 PID 4536 wrote to memory of 2444 4536 fxlxlrl.exe 90 PID 4536 wrote to memory of 2444 4536 fxlxlrl.exe 90 PID 4536 wrote to memory of 2444 4536 fxlxlrl.exe 90 PID 2444 wrote to memory of 1320 2444 7thbtt.exe 91 PID 2444 wrote to memory of 1320 2444 7thbtt.exe 91 PID 2444 wrote to memory of 1320 2444 7thbtt.exe 91 PID 1320 wrote to memory of 2116 1320 ttbttt.exe 92 PID 1320 wrote to memory of 2116 1320 ttbttt.exe 92 PID 1320 wrote to memory of 2116 1320 ttbttt.exe 92 PID 2116 wrote to memory of 4872 2116 dpdpj.exe 93 PID 2116 wrote to memory of 4872 2116 dpdpj.exe 93 PID 2116 wrote to memory of 4872 2116 dpdpj.exe 93 PID 4872 wrote to memory of 5028 4872 hthnth.exe 94 PID 4872 wrote to 
memory of 5028 4872 hthnth.exe 94 PID 4872 wrote to memory of 5028 4872 hthnth.exe 94 PID 5028 wrote to memory of 1784 5028 jjdpd.exe 95 PID 5028 wrote to memory of 1784 5028 jjdpd.exe 95 PID 5028 wrote to memory of 1784 5028 jjdpd.exe 95 PID 1784 wrote to memory of 1396 1784 lllflfl.exe 96 PID 1784 wrote to memory of 1396 1784 lllflfl.exe 96 PID 1784 wrote to memory of 1396 1784 lllflfl.exe 96 PID 1396 wrote to memory of 1632 1396 ddjvj.exe 97 PID 1396 wrote to memory of 1632 1396 ddjvj.exe 97 PID 1396 wrote to memory of 1632 1396 ddjvj.exe 97 PID 1632 wrote to memory of 1872 1632 pvppv.exe 98 PID 1632 wrote to memory of 1872 1632 pvppv.exe 98 PID 1632 wrote to memory of 1872 1632 pvppv.exe 98 PID 1872 wrote to memory of 1856 1872 rxlxxrr.exe 99 PID 1872 wrote to memory of 1856 1872 rxlxxrr.exe 99 PID 1872 wrote to memory of 1856 1872 rxlxxrr.exe 99 PID 1856 wrote to memory of 640 1856 jvppv.exe 100 PID 1856 wrote to memory of 640 1856 jvppv.exe 100 PID 1856 wrote to memory of 640 1856 jvppv.exe 100 PID 640 wrote to memory of 5044 640 3xxllfx.exe 101 PID 640 wrote to memory of 5044 640 3xxllfx.exe 101 PID 640 wrote to memory of 5044 640 3xxllfx.exe 101 PID 5044 wrote to memory of 704 5044 xlrllfl.exe 102 PID 5044 wrote to memory of 704 5044 xlrllfl.exe 102 PID 5044 wrote to memory of 704 5044 xlrllfl.exe 102 PID 704 wrote to memory of 3792 704 bhnbth.exe 103 PID 704 wrote to memory of 3792 704 bhnbth.exe 103 PID 704 wrote to memory of 3792 704 bhnbth.exe 103 PID 3792 wrote to memory of 3852 3792 xxlllff.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe"C:\Users\Admin\AppData\Local\Temp\408f54866e566425a15be3b04820f2dad150746a64a6175c2a98063b4ce203aa.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\httnhh.exec:\httnhh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\3jpjj.exec:\3jpjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
\??\c:\xfffxxr.exec:\xfffxxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\rxllllf.exec:\rxllllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\hnhnbt.exec:\hnhnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\dpdpp.exec:\dpdpp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\fxlxlrl.exec:\fxlxlrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\7thbtt.exec:\7thbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\ttbttt.exec:\ttbttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\dpdpj.exec:\dpdpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
\??\c:\hthnth.exec:\hthnth.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\jjdpd.exec:\jjdpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\lllflfl.exec:\lllflfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\ddjvj.exec:\ddjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\pvppv.exec:\pvppv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\rxlxxrr.exec:\rxlxxrr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872 -
\??\c:\jvppv.exec:\jvppv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\3xxllfx.exec:\3xxllfx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\xlrllfl.exec:\xlrllfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\bhnbth.exec:\bhnbth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
\??\c:\xxlllff.exec:\xxlllff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\nhhbnn.exec:\nhhbnn.exe23⤵
- Executes dropped EXE
PID:3852 -
\??\c:\pvvdd.exec:\pvvdd.exe24⤵
- Executes dropped EXE
PID:3640 -
\??\c:\nbbtnh.exec:\nbbtnh.exe25⤵
- Executes dropped EXE
PID:3132 -
\??\c:\3vdvj.exec:\3vdvj.exe26⤵
- Executes dropped EXE
PID:4172 -
\??\c:\hhhbtn.exec:\hhhbtn.exe27⤵
- Executes dropped EXE
PID:2732 -
\??\c:\pjjvd.exec:\pjjvd.exe28⤵
- Executes dropped EXE
PID:3228 -
\??\c:\bbhbhb.exec:\bbhbhb.exe29⤵
- Executes dropped EXE
PID:3740 -
\??\c:\1vdpd.exec:\1vdpd.exe30⤵
- Executes dropped EXE
PID:4540 -
\??\c:\9ffxffr.exec:\9ffxffr.exe31⤵
- Executes dropped EXE
PID:3944 -
\??\c:\5vpdv.exec:\5vpdv.exe32⤵
- Executes dropped EXE
PID:2860 -
\??\c:\pdpjv.exec:\pdpjv.exe33⤵
- Executes dropped EXE
PID:2184 -
\??\c:\nbbtnn.exec:\nbbtnn.exe34⤵
- Executes dropped EXE
PID:3192 -
\??\c:\hhhhtb.exec:\hhhhtb.exe35⤵
- Executes dropped EXE
PID:3472 -
\??\c:\dppjv.exec:\dppjv.exe36⤵
- Executes dropped EXE
PID:856 -
\??\c:\7lfrfxl.exec:\7lfrfxl.exe37⤵
- Executes dropped EXE
PID:4868 -
\??\c:\nhnbbt.exec:\nhnbbt.exe38⤵
- Executes dropped EXE
PID:2008 -
\??\c:\jpdvj.exec:\jpdvj.exe39⤵
- Executes dropped EXE
PID:4988 -
\??\c:\dppjd.exec:\dppjd.exe40⤵
- Executes dropped EXE
PID:656 -
\??\c:\7nnhnh.exec:\7nnhnh.exe41⤵
- Executes dropped EXE
PID:1740 -
\??\c:\tnnbtt.exec:\tnnbtt.exe42⤵
- Executes dropped EXE
PID:2544 -
\??\c:\fxxlxrl.exec:\fxxlxrl.exe43⤵
- Executes dropped EXE
PID:4316 -
\??\c:\nhhhtt.exec:\nhhhtt.exe44⤵
- Executes dropped EXE
PID:4544 -
\??\c:\3jddp.exec:\3jddp.exe45⤵
- Executes dropped EXE
PID:5016 -
\??\c:\fxxlrlr.exec:\fxxlrlr.exe46⤵
- Executes dropped EXE
PID:4388 -
\??\c:\hnhhtn.exec:\hnhhtn.exe47⤵
- Executes dropped EXE
PID:5084 -
\??\c:\3dvvj.exec:\3dvvj.exe48⤵
- Executes dropped EXE
PID:1704 -
\??\c:\pdjjj.exec:\pdjjj.exe49⤵
- Executes dropped EXE
PID:2392 -
\??\c:\3rlfrlx.exec:\3rlfrlx.exe50⤵
- Executes dropped EXE
PID:1076 -
\??\c:\7tthbt.exec:\7tthbt.exe51⤵
- Executes dropped EXE
PID:1488 -
\??\c:\jvdvj.exec:\jvdvj.exe52⤵
- Executes dropped EXE
PID:2144 -
\??\c:\lxxlfxr.exec:\lxxlfxr.exe53⤵
- Executes dropped EXE
PID:4612 -
\??\c:\rllrfxr.exec:\rllrfxr.exe54⤵
- Executes dropped EXE
PID:1328 -
\??\c:\hhnhnh.exec:\hhnhnh.exe55⤵
- Executes dropped EXE
PID:2444 -
\??\c:\9vpdv.exec:\9vpdv.exe56⤵
- Executes dropped EXE
PID:1160 -
\??\c:\xffrlxr.exec:\xffrlxr.exe57⤵
- Executes dropped EXE
PID:3496 -
\??\c:\rllfrlx.exec:\rllfrlx.exe58⤵
- Executes dropped EXE
PID:4332 -
\??\c:\nbtnbt.exec:\nbtnbt.exe59⤵
- Executes dropped EXE
PID:4952 -
\??\c:\5pvjp.exec:\5pvjp.exe60⤵
- Executes dropped EXE
PID:4992 -
\??\c:\5rlxlfr.exec:\5rlxlfr.exe61⤵
- Executes dropped EXE
PID:4092 -
\??\c:\nhbnhb.exec:\nhbnhb.exe62⤵
- Executes dropped EXE
PID:5020 -
\??\c:\1ppdd.exec:\1ppdd.exe63⤵
- Executes dropped EXE
PID:3096 -
\??\c:\jvdpd.exec:\jvdpd.exe64⤵
- Executes dropped EXE
PID:4520 -
\??\c:\tnhbht.exec:\tnhbht.exe65⤵
- Executes dropped EXE
PID:5116 -
\??\c:\bnhbnt.exec:\bnhbnt.exe66⤵PID:440
-
\??\c:\1ddvj.exec:\1ddvj.exe67⤵PID:1224
-
\??\c:\xxlxfxr.exec:\xxlxfxr.exe68⤵PID:816
-
\??\c:\nnhhtb.exec:\nnhhtb.exe69⤵PID:4256
-
\??\c:\jjdpd.exec:\jjdpd.exe70⤵PID:704
-
\??\c:\vppdv.exec:\vppdv.exe71⤵PID:3656
-
\??\c:\fxxrlxr.exec:\fxxrlxr.exe72⤵PID:2352
-
\??\c:\btbthb.exec:\btbthb.exe73⤵PID:3852
-
\??\c:\ppvjp.exec:\ppvjp.exe74⤵PID:3640
-
\??\c:\jdvpd.exec:\jdvpd.exe75⤵PID:4800
-
\??\c:\xflrfxl.exec:\xflrfxl.exe76⤵PID:3132
-
\??\c:\9bhhbh.exec:\9bhhbh.exe77⤵PID:2596
-
\??\c:\5pvvv.exec:\5pvvv.exe78⤵PID:1896
-
\??\c:\lfrllll.exec:\lfrllll.exe79⤵PID:4500
-
\??\c:\9nntnt.exec:\9nntnt.exe80⤵PID:5108
-
\??\c:\7vpjv.exec:\7vpjv.exe81⤵PID:4696
-
\??\c:\xllxrlx.exec:\xllxrlx.exe82⤵PID:3980
-
\??\c:\1btnhb.exec:\1btnhb.exe83⤵PID:3188
-
\??\c:\1tnbtn.exec:\1tnbtn.exe84⤵PID:2860
-
\??\c:\1jvpd.exec:\1jvpd.exe85⤵PID:3368
-
\??\c:\rlrlxfx.exec:\rlrlxfx.exe86⤵PID:1536
-
\??\c:\bnnhbt.exec:\bnnhbt.exe87⤵
- System Location Discovery: System Language Discovery
PID:3616 -
\??\c:\nhhbbn.exec:\nhhbbn.exe88⤵PID:3748
-
\??\c:\jddpj.exec:\jddpj.exe89⤵PID:856
-
\??\c:\xlxffff.exec:\xlxffff.exe90⤵PID:3576
-
\??\c:\nthnhh.exec:\nthnhh.exe91⤵PID:1692
-
\??\c:\7nnhhb.exec:\7nnhhb.exe92⤵PID:4504
-
\??\c:\1ppjd.exec:\1ppjd.exe93⤵PID:888
-
\??\c:\lxxrxxr.exec:\lxxrxxr.exe94⤵PID:2312
-
\??\c:\fxfllrr.exec:\fxfllrr.exe95⤵PID:3336
-
\??\c:\bbhhbt.exec:\bbhhbt.exe96⤵PID:2984
-
\??\c:\dvppd.exec:\dvppd.exe97⤵PID:4316
-
\??\c:\xllxrll.exec:\xllxrll.exe98⤵PID:4980
-
\??\c:\3flfrrf.exec:\3flfrrf.exe99⤵PID:1484
-
\??\c:\bbbtnh.exec:\bbbtnh.exe100⤵PID:1136
-
\??\c:\7vvjp.exec:\7vvjp.exe101⤵PID:4112
-
\??\c:\jjdpp.exec:\jjdpp.exe102⤵PID:3068
-
\??\c:\rlrlfxr.exec:\rlrlfxr.exe103⤵PID:2004
-
\??\c:\btbbbb.exec:\btbbbb.exe104⤵PID:2132
-
\??\c:\ddvjd.exec:\ddvjd.exe105⤵PID:3300
-
\??\c:\dpjdp.exec:\dpjdp.exe106⤵PID:1928
-
\??\c:\llrlflf.exec:\llrlflf.exe107⤵PID:3560
-
\??\c:\httnhb.exec:\httnhb.exe108⤵PID:4740
-
\??\c:\pddpd.exec:\pddpd.exe109⤵PID:2480
-
\??\c:\xllrrlf.exec:\xllrrlf.exe110⤵PID:1036
-
\??\c:\htnhtn.exec:\htnhtn.exe111⤵PID:1512
-
\??\c:\9vvdv.exec:\9vvdv.exe112⤵PID:1068
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe113⤵PID:4872
-
\??\c:\thnbnh.exec:\thnbnh.exe114⤵PID:4964
-
\??\c:\nbhbhb.exec:\nbhbhb.exe115⤵PID:4552
-
\??\c:\vvpdj.exec:\vvpdj.exe116⤵PID:4992
-
\??\c:\lrxrlll.exec:\lrxrlll.exe117⤵PID:3556
-
\??\c:\fxxrffx.exec:\fxxrffx.exe118⤵PID:4028
-
\??\c:\bnnnbb.exec:\bnnnbb.exe119⤵PID:220
-
\??\c:\jdjdp.exec:\jdjdp.exe120⤵PID:2712
-
\??\c:\vdpjj.exec:\vdpjj.exe121⤵PID:4764
-
\??\c:\rflxrlf.exec:\rflxrlf.exe122⤵PID:2748