Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 21:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe
-
Size
454KB
-
MD5
ca175a8654e17740060bd3dc7beecc4c
-
SHA1
1fca61813a09a03bc15d5d3e8904ac619cd66949
-
SHA256
45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4
-
SHA512
7b2ebc19b512ae2c36f8c9a52d2ac70ec60bfaf72ce8bb910ad43ba2eb694d79ad10d09b8535d52d8803608da17b304b54da9af807bfc20412773917138842e1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTx:q7Tc2NYHUrAwfMp3CDd
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4724-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1560-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3044-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/980-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4832-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1724-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4928-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-446-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3264-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/652-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-720-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-767-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-774-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-805-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-809-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-849-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-1201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4856 tnnhbt.exe 672 nthbtt.exe 3592 lxlxlxx.exe 4060 lfxrllf.exe 1424 vjdvp.exe 1948 5xxrllf.exe 400 bntnhh.exe 2460 7hhbtn.exe 464 3pdvp.exe 1308 hbhbtt.exe 2960 5ffxrrr.exe 1264 nhnnhh.exe 324 1djdv.exe 1784 fxxrlll.exe 4704 3btnhh.exe 2748 1vdjd.exe 4900 rlxrxxf.exe 3820 lflfrrl.exe 1560 nnnttn.exe 4296 btthhn.exe 2540 jpdjj.exe 2876 lfrllff.exe 2648 9bhbbb.exe 1016 thttnt.exe 1496 9fxrffx.exe 3044 vvvjd.exe 940 bbnhbb.exe 4640 vvppv.exe 1908 jdjdd.exe 1168 7xxrlrl.exe 3864 xlfllfr.exe 2624 pppjd.exe 884 ththbn.exe 5064 dvdvj.exe 980 lxfxrfx.exe 4116 3bnbtt.exe 3900 3vjdv.exe 216 flxrrrr.exe 700 tnnhbb.exe 4832 7jjdv.exe 3760 9flfxxr.exe 184 hnbnhb.exe 1924 1nnhhn.exe 1188 jdjjp.exe 4420 lflfxrl.exe 4080 3bbnhh.exe 3592 pvjvd.exe 3932 vpvvp.exe 1184 fflllfl.exe 3704 7nbtbb.exe 3064 jvjjj.exe 4564 jpvvd.exe 2272 lxlxxxr.exe 4780 nhhbtn.exe 3908 hbnnnh.exe 544 pdvpj.exe 4460 1frrllx.exe 3468 7nhhth.exe 2960 9hhbnn.exe 4616 jvdvp.exe 3484 rfxrfxr.exe 2092 hbhtnh.exe 4360 7nnhbb.exe 3172 vjjdv.exe -
resource yara_rule behavioral2/memory/4724-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1560-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3044-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-175-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3864-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/980-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1724-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1228-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-427-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4800-446-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3264-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/652-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-720-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-767-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-774-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-805-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-809-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-849-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxfxfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4724 wrote to memory of 4856 4724 45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe 83 PID 4724 wrote to memory of 4856 4724 45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe 83 PID 4724 wrote to memory of 4856 4724 45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe 83 PID 4856 wrote to memory of 672 4856 tnnhbt.exe 84 PID 4856 wrote to memory of 672 4856 tnnhbt.exe 84 PID 4856 wrote to memory of 672 4856 tnnhbt.exe 84 PID 672 wrote to memory of 3592 672 nthbtt.exe 85 PID 672 wrote to memory of 3592 672 nthbtt.exe 85 PID 672 wrote to memory of 3592 672 nthbtt.exe 85 PID 3592 wrote to memory of 4060 3592 lxlxlxx.exe 86 PID 3592 wrote to memory of 4060 3592 lxlxlxx.exe 86 PID 3592 wrote to memory of 4060 3592 lxlxlxx.exe 86 PID 4060 wrote to memory of 1424 4060 lfxrllf.exe 87 PID 4060 wrote to memory of 1424 4060 lfxrllf.exe 87 PID 4060 wrote to memory of 1424 4060 lfxrllf.exe 87 PID 1424 wrote to memory of 1948 1424 vjdvp.exe 88 PID 1424 wrote to memory of 1948 1424 vjdvp.exe 88 PID 1424 wrote to memory of 1948 1424 vjdvp.exe 88 PID 1948 wrote to memory of 400 1948 5xxrllf.exe 89 PID 1948 wrote to memory of 400 1948 5xxrllf.exe 89 PID 1948 wrote to memory of 400 1948 5xxrllf.exe 89 PID 400 wrote to memory of 2460 400 bntnhh.exe 90 PID 400 wrote to memory of 2460 400 bntnhh.exe 90 PID 400 wrote to memory of 2460 400 bntnhh.exe 90 PID 2460 wrote to memory of 464 2460 7hhbtn.exe 91 PID 2460 wrote to memory of 464 2460 7hhbtn.exe 91 PID 2460 wrote to memory of 464 2460 7hhbtn.exe 91 PID 464 wrote to memory of 1308 464 3pdvp.exe 92 PID 464 wrote to memory of 1308 464 3pdvp.exe 92 PID 464 wrote to memory of 1308 464 3pdvp.exe 92 PID 1308 wrote to memory of 2960 1308 hbhbtt.exe 93 PID 1308 wrote to memory of 2960 1308 hbhbtt.exe 93 PID 1308 wrote to memory of 2960 1308 hbhbtt.exe 93 PID 2960 wrote to memory of 1264 2960 5ffxrrr.exe 94 PID 2960 wrote to memory of 1264 2960 
5ffxrrr.exe 94 PID 2960 wrote to memory of 1264 2960 5ffxrrr.exe 94 PID 1264 wrote to memory of 324 1264 nhnnhh.exe 95 PID 1264 wrote to memory of 324 1264 nhnnhh.exe 95 PID 1264 wrote to memory of 324 1264 nhnnhh.exe 95 PID 324 wrote to memory of 1784 324 1djdv.exe 96 PID 324 wrote to memory of 1784 324 1djdv.exe 96 PID 324 wrote to memory of 1784 324 1djdv.exe 96 PID 1784 wrote to memory of 4704 1784 fxxrlll.exe 97 PID 1784 wrote to memory of 4704 1784 fxxrlll.exe 97 PID 1784 wrote to memory of 4704 1784 fxxrlll.exe 97 PID 4704 wrote to memory of 2748 4704 3btnhh.exe 98 PID 4704 wrote to memory of 2748 4704 3btnhh.exe 98 PID 4704 wrote to memory of 2748 4704 3btnhh.exe 98 PID 2748 wrote to memory of 4900 2748 1vdjd.exe 99 PID 2748 wrote to memory of 4900 2748 1vdjd.exe 99 PID 2748 wrote to memory of 4900 2748 1vdjd.exe 99 PID 4900 wrote to memory of 3820 4900 rlxrxxf.exe 100 PID 4900 wrote to memory of 3820 4900 rlxrxxf.exe 100 PID 4900 wrote to memory of 3820 4900 rlxrxxf.exe 100 PID 3820 wrote to memory of 1560 3820 lflfrrl.exe 101 PID 3820 wrote to memory of 1560 3820 lflfrrl.exe 101 PID 3820 wrote to memory of 1560 3820 lflfrrl.exe 101 PID 1560 wrote to memory of 4296 1560 nnnttn.exe 102 PID 1560 wrote to memory of 4296 1560 nnnttn.exe 102 PID 1560 wrote to memory of 4296 1560 nnnttn.exe 102 PID 4296 wrote to memory of 2540 4296 btthhn.exe 103 PID 4296 wrote to memory of 2540 4296 btthhn.exe 103 PID 4296 wrote to memory of 2540 4296 btthhn.exe 103 PID 2540 wrote to memory of 2876 2540 jpdjj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe"C:\Users\Admin\AppData\Local\Temp\45928bd41becf97a265b366f383790d17a9b6ec477f488d395cb6cdecc531ae4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\tnnhbt.exec:\tnnhbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\nthbtt.exec:\nthbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\lxlxlxx.exec:\lxlxlxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
\??\c:\lfxrllf.exec:\lfxrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\vjdvp.exec:\vjdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\5xxrllf.exec:\5xxrllf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\bntnhh.exec:\bntnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\7hhbtn.exec:\7hhbtn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\3pdvp.exec:\3pdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\hbhbtt.exec:\hbhbtt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\5ffxrrr.exec:\5ffxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\nhnnhh.exec:\nhnnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
\??\c:\1djdv.exec:\1djdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
\??\c:\fxxrlll.exec:\fxxrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\3btnhh.exec:\3btnhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4704 -
\??\c:\1vdjd.exec:\1vdjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\rlxrxxf.exec:\rlxrxxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\lflfrrl.exec:\lflfrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\nnnttn.exec:\nnnttn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560 -
\??\c:\btthhn.exec:\btthhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
\??\c:\jpdjj.exec:\jpdjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\lfrllff.exec:\lfrllff.exe23⤵
- Executes dropped EXE
PID:2876 -
\??\c:\9bhbbb.exec:\9bhbbb.exe24⤵
- Executes dropped EXE
PID:2648 -
\??\c:\thttnt.exec:\thttnt.exe25⤵
- Executes dropped EXE
PID:1016 -
\??\c:\9fxrffx.exec:\9fxrffx.exe26⤵
- Executes dropped EXE
PID:1496 -
\??\c:\vvvjd.exec:\vvvjd.exe27⤵
- Executes dropped EXE
PID:3044 -
\??\c:\bbnhbb.exec:\bbnhbb.exe28⤵
- Executes dropped EXE
PID:940 -
\??\c:\vvppv.exec:\vvppv.exe29⤵
- Executes dropped EXE
PID:4640 -
\??\c:\jdjdd.exec:\jdjdd.exe30⤵
- Executes dropped EXE
PID:1908 -
\??\c:\7xxrlrl.exec:\7xxrlrl.exe31⤵
- Executes dropped EXE
PID:1168 -
\??\c:\xlfllfr.exec:\xlfllfr.exe32⤵
- Executes dropped EXE
PID:3864 -
\??\c:\pppjd.exec:\pppjd.exe33⤵
- Executes dropped EXE
PID:2624 -
\??\c:\ththbn.exec:\ththbn.exe34⤵
- Executes dropped EXE
PID:884 -
\??\c:\dvdvj.exec:\dvdvj.exe35⤵
- Executes dropped EXE
PID:5064 -
\??\c:\lxfxrfx.exec:\lxfxrfx.exe36⤵
- Executes dropped EXE
PID:980 -
\??\c:\3bnbtt.exec:\3bnbtt.exe37⤵
- Executes dropped EXE
PID:4116 -
\??\c:\3vjdv.exec:\3vjdv.exe38⤵
- Executes dropped EXE
PID:3900 -
\??\c:\flxrrrr.exec:\flxrrrr.exe39⤵
- Executes dropped EXE
PID:216 -
\??\c:\tnnhbb.exec:\tnnhbb.exe40⤵
- Executes dropped EXE
PID:700 -
\??\c:\7jjdv.exec:\7jjdv.exe41⤵
- Executes dropped EXE
PID:4832 -
\??\c:\9flfxxr.exec:\9flfxxr.exe42⤵
- Executes dropped EXE
PID:3760 -
\??\c:\hnbnhb.exec:\hnbnhb.exe43⤵
- Executes dropped EXE
PID:184 -
\??\c:\1nnhhn.exec:\1nnhhn.exe44⤵
- Executes dropped EXE
PID:1924 -
\??\c:\jdjjp.exec:\jdjjp.exe45⤵
- Executes dropped EXE
PID:1188 -
\??\c:\lflfxrl.exec:\lflfxrl.exe46⤵
- Executes dropped EXE
PID:4420 -
\??\c:\3bbnhh.exec:\3bbnhh.exe47⤵
- Executes dropped EXE
PID:4080 -
\??\c:\pvjvd.exec:\pvjvd.exe48⤵
- Executes dropped EXE
PID:3592 -
\??\c:\vpvvp.exec:\vpvvp.exe49⤵
- Executes dropped EXE
PID:3932 -
\??\c:\fflllfl.exec:\fflllfl.exe50⤵
- Executes dropped EXE
PID:1184 -
\??\c:\7nbtbb.exec:\7nbtbb.exe51⤵
- Executes dropped EXE
PID:3704 -
\??\c:\jvjjj.exec:\jvjjj.exe52⤵
- Executes dropped EXE
PID:3064 -
\??\c:\jpvvd.exec:\jpvvd.exe53⤵
- Executes dropped EXE
PID:4564 -
\??\c:\lxlxxxr.exec:\lxlxxxr.exe54⤵
- Executes dropped EXE
PID:2272 -
\??\c:\nhhbtn.exec:\nhhbtn.exe55⤵
- Executes dropped EXE
PID:4780 -
\??\c:\hbnnnh.exec:\hbnnnh.exe56⤵
- Executes dropped EXE
PID:3908 -
\??\c:\pdvpj.exec:\pdvpj.exe57⤵
- Executes dropped EXE
PID:544 -
\??\c:\1frrllx.exec:\1frrllx.exe58⤵
- Executes dropped EXE
PID:4460 -
\??\c:\7nhhth.exec:\7nhhth.exe59⤵
- Executes dropped EXE
PID:3468 -
\??\c:\9hhbnn.exec:\9hhbnn.exe60⤵
- Executes dropped EXE
PID:2960 -
\??\c:\jvdvp.exec:\jvdvp.exe61⤵
- Executes dropped EXE
PID:4616 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe62⤵
- Executes dropped EXE
PID:3484 -
\??\c:\hbhtnh.exec:\hbhtnh.exe63⤵
- Executes dropped EXE
PID:2092 -
\??\c:\7nnhbb.exec:\7nnhbb.exe64⤵
- Executes dropped EXE
PID:4360 -
\??\c:\vjjdv.exec:\vjjdv.exe65⤵
- Executes dropped EXE
PID:3172 -
\??\c:\3rxrlrl.exec:\3rxrlrl.exe66⤵PID:2244
-
\??\c:\nthhhh.exec:\nthhhh.exe67⤵PID:5104
-
\??\c:\vvpjj.exec:\vvpjj.exe68⤵PID:1388
-
\??\c:\dpdvj.exec:\dpdvj.exe69⤵PID:2208
-
\??\c:\lxlfxrl.exec:\lxlfxrl.exe70⤵PID:440
-
\??\c:\ttttnh.exec:\ttttnh.exe71⤵PID:4320
-
\??\c:\3vdpj.exec:\3vdpj.exe72⤵PID:1724
-
\??\c:\3xfxrrr.exec:\3xfxrrr.exe73⤵PID:4324
-
\??\c:\nbtttt.exec:\nbtttt.exe74⤵PID:4928
-
\??\c:\dvdjj.exec:\dvdjj.exe75⤵PID:840
-
\??\c:\frxrllf.exec:\frxrllf.exe76⤵PID:1228
-
\??\c:\fflffff.exec:\fflffff.exe77⤵PID:4552
-
\??\c:\tbhbtb.exec:\tbhbtb.exe78⤵PID:372
-
\??\c:\dvjdj.exec:\dvjdj.exe79⤵PID:1092
-
\??\c:\3pdvd.exec:\3pdvd.exe80⤵PID:4452
-
\??\c:\rxlfrrl.exec:\rxlfrrl.exe81⤵PID:728
-
\??\c:\hbbbtb.exec:\hbbbtb.exe82⤵PID:4992
-
\??\c:\pjppj.exec:\pjppj.exe83⤵PID:4988
-
\??\c:\9vpjv.exec:\9vpjv.exe84⤵PID:4076
-
\??\c:\frrrffx.exec:\frrrffx.exe85⤵PID:4668
-
\??\c:\3ttnhh.exec:\3ttnhh.exe86⤵PID:4656
-
\??\c:\5pvvv.exec:\5pvvv.exe87⤵PID:2344
-
\??\c:\xllfxxr.exec:\xllfxxr.exe88⤵PID:2368
-
\??\c:\nhtbhn.exec:\nhtbhn.exe89⤵PID:4864
-
\??\c:\bnbtbt.exec:\bnbtbt.exe90⤵PID:5084
-
\??\c:\pvjvj.exec:\pvjvj.exe91⤵PID:5064
-
\??\c:\djpdv.exec:\djpdv.exe92⤵PID:980
-
\??\c:\xlrfrlf.exec:\xlrfrlf.exe93⤵PID:4876
-
\??\c:\thtnht.exec:\thtnht.exe94⤵PID:1968
-
\??\c:\5pppd.exec:\5pppd.exe95⤵PID:3900
-
\??\c:\rrfrrrr.exec:\rrfrrrr.exe96⤵PID:2924
-
\??\c:\lfllfff.exec:\lfllfff.exe97⤵PID:4940
-
\??\c:\btbhbh.exec:\btbhbh.exe98⤵PID:652
-
\??\c:\ppdvj.exec:\ppdvj.exe99⤵PID:1288
-
\??\c:\frxrlxr.exec:\frxrlxr.exe100⤵PID:3760
-
\??\c:\xllflfr.exec:\xllflfr.exe101⤵PID:556
-
\??\c:\hhttnn.exec:\hhttnn.exe102⤵PID:3568
-
\??\c:\jdjjd.exec:\jdjjd.exe103⤵PID:3744
-
\??\c:\9llflfx.exec:\9llflfx.exe104⤵PID:4712
-
\??\c:\bttnhh.exec:\bttnhh.exe105⤵PID:672
-
\??\c:\nnbthh.exec:\nnbthh.exe106⤵PID:4740
-
\??\c:\dpjvd.exec:\dpjvd.exe107⤵PID:4060
-
\??\c:\ffrlrrf.exec:\ffrlrrf.exe108⤵PID:1740
-
\??\c:\5nthbn.exec:\5nthbn.exe109⤵PID:2556
-
\??\c:\3jjdv.exec:\3jjdv.exe110⤵PID:2932
-
\??\c:\jpdvj.exec:\jpdvj.exe111⤵PID:4808
-
\??\c:\lflxrlf.exec:\lflxrlf.exe112⤵PID:2180
-
\??\c:\bhthbb.exec:\bhthbb.exe113⤵PID:4800
-
\??\c:\tbnbtt.exec:\tbnbtt.exe114⤵PID:376
-
\??\c:\vdjdp.exec:\vdjdp.exe115⤵PID:3636
-
\??\c:\9xfxrfx.exec:\9xfxrfx.exe116⤵PID:464
-
\??\c:\9ntbtb.exec:\9ntbtb.exe117⤵PID:4260
-
\??\c:\jjjdv.exec:\jjjdv.exe118⤵PID:1096
-
\??\c:\vvvvp.exec:\vvvvp.exe119⤵PID:4120
-
\??\c:\rllffff.exec:\rllffff.exe120⤵PID:5012
-
\??\c:\hthhtb.exec:\hthhtb.exe121⤵PID:4616
-
\??\c:\hthbnn.exec:\hthbnn.exe122⤵PID:4704
-