Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20/12/2024, 01:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906N.exe
-
Size
454KB
-
MD5
86678042be9645902123d3d0c34e4f90
-
SHA1
607b530c51f12783f119fc5512e8d84523261953
-
SHA256
3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906
-
SHA512
48681060f74736f5f1bd2c5ff8263781d7ee9f4abbffe0d7f8eae61acbd1bf94552a0e09be43463bd0258ff532ab60813762157b1a52db75eb6da03e1a81e8f1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2340-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1980-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3608-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1484-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-567-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-758-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1448-823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-1086-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4236 btthbt.exe 3964 a2824.exe 3564 nhnhtt.exe 4040 864844.exe 4504 64426.exe 3588 3vvvp.exe 1980 42820.exe 1804 hthbtn.exe 1388 6288226.exe 3004 008608.exe 4820 jdvpj.exe 2140 ffrffxx.exe 4788 w40422.exe 4244 480048.exe 3572 7rlxllx.exe 376 tnhnbt.exe 4876 dvdvp.exe 3020 a6260.exe 4224 s6686.exe 1656 q86866.exe 4588 1jvpj.exe 4860 thhhbn.exe 3120 000860.exe 1072 8482004.exe 3028 6442048.exe 3608 hhnbnh.exe 940 s2864.exe 2972 lrrlxxr.exe 2396 02804.exe 4840 006082.exe 5108 flrfrfx.exe 4796 bhtnht.exe 3156 lllfxrr.exe 3008 dvppd.exe 4584 0804826.exe 2432 hhtnhb.exe 3084 nhhbtn.exe 3356 3xxrrrl.exe 428 644486.exe 1976 48822.exe 5068 pvddp.exe 2628 q84266.exe 4564 002422.exe 1940 vdpjd.exe 2492 ttnnhb.exe 2968 w00488.exe 1328 i208660.exe 1096 pdjjv.exe 2260 286626.exe 4040 402600.exe 2180 pjpjd.exe 4072 xrlfxxx.exe 3588 3pvpj.exe 1228 lxfxrlf.exe 4912 s2860.exe 4940 e22088.exe 4480 0808662.exe 4996 thnhhb.exe 4956 frflrxf.exe 4004 dvjdj.exe 4976 vppjd.exe 3168 httnhb.exe 2808 pddpv.exe 4244 rlxrllf.exe -
resource yara_rule behavioral2/memory/2340-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1980-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-144-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3608-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-359-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2396-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-567-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-758-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-801-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0242468.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6426486.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 608448.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 626044.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60884.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language o626666.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 6226660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5htnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 846240.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 244204.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnnth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 4236 2340 3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906N.exe 83 PID 2340 wrote to memory of 4236 2340 3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906N.exe 83 PID 2340 wrote to memory of 4236 2340 3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906N.exe 83 PID 4236 wrote to memory of 3964 4236 btthbt.exe 84 PID 4236 wrote to memory of 3964 4236 btthbt.exe 84 PID 4236 wrote to memory of 3964 4236 btthbt.exe 84 PID 3964 wrote to memory of 3564 3964 a2824.exe 85 PID 3964 wrote to memory of 3564 3964 a2824.exe 85 PID 3964 wrote to memory of 3564 3964 a2824.exe 85 PID 3564 wrote to memory of 4040 3564 nhnhtt.exe 86 PID 3564 wrote to memory of 4040 3564 nhnhtt.exe 86 PID 3564 wrote to memory of 4040 3564 nhnhtt.exe 86 PID 4040 wrote to memory of 4504 4040 864844.exe 87 PID 4040 wrote to memory of 4504 4040 864844.exe 87 PID 4040 wrote to memory of 4504 4040 864844.exe 87 PID 4504 wrote to memory of 3588 4504 64426.exe 88 PID 4504 wrote to memory of 3588 4504 64426.exe 88 PID 4504 wrote to memory of 3588 4504 64426.exe 88 PID 3588 wrote to memory of 1980 3588 3vvvp.exe 89 PID 3588 wrote to memory of 1980 3588 3vvvp.exe 89 PID 3588 wrote to memory of 1980 3588 3vvvp.exe 89 PID 1980 wrote to memory of 1804 1980 42820.exe 90 PID 1980 wrote to memory of 1804 1980 42820.exe 90 PID 1980 wrote to memory of 1804 1980 42820.exe 90 PID 1804 wrote to memory of 1388 1804 hthbtn.exe 91 PID 1804 wrote to memory of 1388 1804 hthbtn.exe 91 PID 1804 wrote to memory of 1388 1804 hthbtn.exe 91 PID 1388 wrote to memory of 3004 1388 6288226.exe 92 PID 1388 wrote to memory of 3004 1388 6288226.exe 92 PID 1388 wrote to memory of 3004 1388 6288226.exe 92 PID 3004 wrote to memory of 4820 3004 008608.exe 93 PID 3004 wrote to memory of 4820 3004 008608.exe 93 PID 3004 wrote to memory of 4820 3004 008608.exe 93 PID 4820 wrote to memory of 2140 4820 jdvpj.exe 94 PID 4820 wrote to memory 
of 2140 4820 jdvpj.exe 94 PID 4820 wrote to memory of 2140 4820 jdvpj.exe 94 PID 2140 wrote to memory of 4788 2140 ffrffxx.exe 95 PID 2140 wrote to memory of 4788 2140 ffrffxx.exe 95 PID 2140 wrote to memory of 4788 2140 ffrffxx.exe 95 PID 4788 wrote to memory of 4244 4788 w40422.exe 96 PID 4788 wrote to memory of 4244 4788 w40422.exe 96 PID 4788 wrote to memory of 4244 4788 w40422.exe 96 PID 4244 wrote to memory of 3572 4244 480048.exe 97 PID 4244 wrote to memory of 3572 4244 480048.exe 97 PID 4244 wrote to memory of 3572 4244 480048.exe 97 PID 3572 wrote to memory of 376 3572 7rlxllx.exe 98 PID 3572 wrote to memory of 376 3572 7rlxllx.exe 98 PID 3572 wrote to memory of 376 3572 7rlxllx.exe 98 PID 376 wrote to memory of 4876 376 tnhnbt.exe 99 PID 376 wrote to memory of 4876 376 tnhnbt.exe 99 PID 376 wrote to memory of 4876 376 tnhnbt.exe 99 PID 4876 wrote to memory of 3020 4876 dvdvp.exe 100 PID 4876 wrote to memory of 3020 4876 dvdvp.exe 100 PID 4876 wrote to memory of 3020 4876 dvdvp.exe 100 PID 3020 wrote to memory of 4224 3020 a6260.exe 101 PID 3020 wrote to memory of 4224 3020 a6260.exe 101 PID 3020 wrote to memory of 4224 3020 a6260.exe 101 PID 4224 wrote to memory of 1656 4224 s6686.exe 102 PID 4224 wrote to memory of 1656 4224 s6686.exe 102 PID 4224 wrote to memory of 1656 4224 s6686.exe 102 PID 1656 wrote to memory of 4588 1656 q86866.exe 103 PID 1656 wrote to memory of 4588 1656 q86866.exe 103 PID 1656 wrote to memory of 4588 1656 q86866.exe 103 PID 4588 wrote to memory of 4860 4588 1jvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906N.exe"C:\Users\Admin\AppData\Local\Temp\3872f35951eeabc9d9fd9caab949914a229d0c045e92197b940f56c5e1e26906N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\btthbt.exec:\btthbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\a2824.exec:\a2824.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\nhnhtt.exec:\nhnhtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\864844.exec:\864844.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\64426.exec:\64426.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504 -
\??\c:\3vvvp.exec:\3vvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\42820.exec:\42820.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980 -
\??\c:\hthbtn.exec:\hthbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1804 -
\??\c:\6288226.exec:\6288226.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\008608.exec:\008608.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\jdvpj.exec:\jdvpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\ffrffxx.exec:\ffrffxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\w40422.exec:\w40422.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\480048.exec:\480048.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244 -
\??\c:\7rlxllx.exec:\7rlxllx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3572 -
\??\c:\tnhnbt.exec:\tnhnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\dvdvp.exec:\dvdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\a6260.exec:\a6260.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\s6686.exec:\s6686.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\q86866.exec:\q86866.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\1jvpj.exec:\1jvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\thhhbn.exec:\thhhbn.exe23⤵
- Executes dropped EXE
PID:4860 -
\??\c:\000860.exec:\000860.exe24⤵
- Executes dropped EXE
PID:3120 -
\??\c:\8482004.exec:\8482004.exe25⤵
- Executes dropped EXE
PID:1072 -
\??\c:\6442048.exec:\6442048.exe26⤵
- Executes dropped EXE
PID:3028 -
\??\c:\hhnbnh.exec:\hhnbnh.exe27⤵
- Executes dropped EXE
PID:3608 -
\??\c:\s2864.exec:\s2864.exe28⤵
- Executes dropped EXE
PID:940 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2972 -
\??\c:\02804.exec:\02804.exe30⤵
- Executes dropped EXE
PID:2396 -
\??\c:\006082.exec:\006082.exe31⤵
- Executes dropped EXE
PID:4840 -
\??\c:\flrfrfx.exec:\flrfrfx.exe32⤵
- Executes dropped EXE
PID:5108 -
\??\c:\bhtnht.exec:\bhtnht.exe33⤵
- Executes dropped EXE
PID:4796 -
\??\c:\lllfxrr.exec:\lllfxrr.exe34⤵
- Executes dropped EXE
PID:3156 -
\??\c:\dvppd.exec:\dvppd.exe35⤵
- Executes dropped EXE
PID:3008 -
\??\c:\0804826.exec:\0804826.exe36⤵
- Executes dropped EXE
PID:4584 -
\??\c:\hhtnhb.exec:\hhtnhb.exe37⤵
- Executes dropped EXE
PID:2432 -
\??\c:\nhhbtn.exec:\nhhbtn.exe38⤵
- Executes dropped EXE
PID:3084 -
\??\c:\3xxrrrl.exec:\3xxrrrl.exe39⤵
- Executes dropped EXE
PID:3356 -
\??\c:\644486.exec:\644486.exe40⤵
- Executes dropped EXE
PID:428 -
\??\c:\48822.exec:\48822.exe41⤵
- Executes dropped EXE
PID:1976 -
\??\c:\pvddp.exec:\pvddp.exe42⤵
- Executes dropped EXE
PID:5068 -
\??\c:\q84266.exec:\q84266.exe43⤵
- Executes dropped EXE
PID:2628 -
\??\c:\002422.exec:\002422.exe44⤵
- Executes dropped EXE
PID:4564 -
\??\c:\vdpjd.exec:\vdpjd.exe45⤵
- Executes dropped EXE
PID:1940 -
\??\c:\ttnnhb.exec:\ttnnhb.exe46⤵
- Executes dropped EXE
PID:2492 -
\??\c:\w00488.exec:\w00488.exe47⤵
- Executes dropped EXE
PID:2968 -
\??\c:\i208660.exec:\i208660.exe48⤵
- Executes dropped EXE
PID:1328 -
\??\c:\pdjjv.exec:\pdjjv.exe49⤵
- Executes dropped EXE
PID:1096 -
\??\c:\286626.exec:\286626.exe50⤵
- Executes dropped EXE
PID:2260 -
\??\c:\402600.exec:\402600.exe51⤵
- Executes dropped EXE
PID:4040 -
\??\c:\pjpjd.exec:\pjpjd.exe52⤵
- Executes dropped EXE
PID:2180 -
\??\c:\xrlfxxx.exec:\xrlfxxx.exe53⤵
- Executes dropped EXE
PID:4072 -
\??\c:\3pvpj.exec:\3pvpj.exe54⤵
- Executes dropped EXE
PID:3588 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe55⤵
- Executes dropped EXE
PID:1228 -
\??\c:\s2860.exec:\s2860.exe56⤵
- Executes dropped EXE
PID:4912 -
\??\c:\e22088.exec:\e22088.exe57⤵
- Executes dropped EXE
PID:4940 -
\??\c:\0808662.exec:\0808662.exe58⤵
- Executes dropped EXE
PID:4480 -
\??\c:\thnhhb.exec:\thnhhb.exe59⤵
- Executes dropped EXE
PID:4996 -
\??\c:\frflrxf.exec:\frflrxf.exe60⤵
- Executes dropped EXE
PID:4956 -
\??\c:\dvjdj.exec:\dvjdj.exe61⤵
- Executes dropped EXE
PID:4004 -
\??\c:\vppjd.exec:\vppjd.exe62⤵
- Executes dropped EXE
PID:4976 -
\??\c:\httnhb.exec:\httnhb.exe63⤵
- Executes dropped EXE
PID:3168 -
\??\c:\pddpv.exec:\pddpv.exe64⤵
- Executes dropped EXE
PID:2808 -
\??\c:\rlxrllf.exec:\rlxrllf.exe65⤵
- Executes dropped EXE
PID:4244 -
\??\c:\40260.exec:\40260.exe66⤵PID:448
-
\??\c:\g4040.exec:\g4040.exe67⤵PID:1480
-
\??\c:\pdvjp.exec:\pdvjp.exe68⤵
- System Location Discovery: System Language Discovery
PID:2528 -
\??\c:\w00482.exec:\w00482.exe69⤵PID:3696
-
\??\c:\5ffxrrr.exec:\5ffxrrr.exe70⤵PID:224
-
\??\c:\286622.exec:\286622.exe71⤵PID:1248
-
\??\c:\280822.exec:\280822.exe72⤵PID:3716
-
\??\c:\pdjdv.exec:\pdjdv.exe73⤵PID:2920
-
\??\c:\046004.exec:\046004.exe74⤵PID:4544
-
\??\c:\jjvpj.exec:\jjvpj.exe75⤵PID:1948
-
\??\c:\xrllfff.exec:\xrllfff.exe76⤵PID:4848
-
\??\c:\4442846.exec:\4442846.exe77⤵PID:1484
-
\??\c:\6464826.exec:\6464826.exe78⤵PID:3120
-
\??\c:\rffxrlf.exec:\rffxrlf.exe79⤵PID:2356
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe80⤵PID:752
-
\??\c:\nbhtnn.exec:\nbhtnn.exe81⤵PID:3820
-
\??\c:\22222.exec:\22222.exe82⤵PID:3652
-
\??\c:\pvdvp.exec:\pvdvp.exe83⤵PID:1492
-
\??\c:\tttntn.exec:\tttntn.exe84⤵
- System Location Discovery: System Language Discovery
PID:4408 -
\??\c:\rflxxxr.exec:\rflxxxr.exe85⤵PID:2396
-
\??\c:\6660004.exec:\6660004.exe86⤵PID:4928
-
\??\c:\6000044.exec:\6000044.exe87⤵PID:2896
-
\??\c:\2626482.exec:\2626482.exe88⤵PID:5108
-
\??\c:\662004.exec:\662004.exe89⤵PID:1188
-
\??\c:\pjvvp.exec:\pjvvp.exe90⤵PID:392
-
\??\c:\3xxrlfl.exec:\3xxrlfl.exe91⤵PID:1684
-
\??\c:\fxffxrr.exec:\fxffxrr.exe92⤵PID:3984
-
\??\c:\7bhhnn.exec:\7bhhnn.exe93⤵PID:4436
-
\??\c:\1hbttt.exec:\1hbttt.exe94⤵PID:1424
-
\??\c:\0884862.exec:\0884862.exe95⤵PID:1036
-
\??\c:\ddvpj.exec:\ddvpj.exe96⤵PID:3600
-
\??\c:\26242.exec:\26242.exe97⤵PID:3480
-
\??\c:\9hnntn.exec:\9hnntn.exe98⤵PID:1976
-
\??\c:\2882282.exec:\2882282.exe99⤵PID:3172
-
\??\c:\3xxrllf.exec:\3xxrllf.exe100⤵PID:1936
-
\??\c:\9ffxrlf.exec:\9ffxrlf.exe101⤵PID:4944
-
\??\c:\84820.exec:\84820.exe102⤵PID:1420
-
\??\c:\402604.exec:\402604.exe103⤵PID:4232
-
\??\c:\86262.exec:\86262.exe104⤵PID:1560
-
\??\c:\28488.exec:\28488.exe105⤵PID:1840
-
\??\c:\280826.exec:\280826.exe106⤵PID:2084
-
\??\c:\8420448.exec:\8420448.exe107⤵PID:228
-
\??\c:\66406.exec:\66406.exe108⤵PID:4344
-
\??\c:\vvvpj.exec:\vvvpj.exe109⤵PID:2180
-
\??\c:\tnnbtt.exec:\tnnbtt.exe110⤵PID:2016
-
\??\c:\dpjvv.exec:\dpjvv.exe111⤵PID:1500
-
\??\c:\lxflrlr.exec:\lxflrlr.exe112⤵PID:2004
-
\??\c:\86884.exec:\86884.exe113⤵PID:1100
-
\??\c:\e02666.exec:\e02666.exe114⤵PID:1436
-
\??\c:\0402424.exec:\0402424.exe115⤵PID:3960
-
\??\c:\djpdv.exec:\djpdv.exe116⤵PID:4524
-
\??\c:\hnbttb.exec:\hnbttb.exe117⤵PID:4172
-
\??\c:\422626.exec:\422626.exe118⤵PID:1992
-
\??\c:\82282.exec:\82282.exe119⤵PID:2136
-
\??\c:\tbtnhh.exec:\tbtnhh.exe120⤵PID:4788
-
\??\c:\84848.exec:\84848.exe121⤵PID:3128
-
\??\c:\64266.exec:\64266.exe122⤵PID:1620