Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe
-
Size
454KB
-
MD5
3924396d3afe4570f09e2419b4203000
-
SHA1
505e7f8dcd61dc7259e53569fc07bf408685da53
-
SHA256
0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7
-
SHA512
b1019c53afc239ed7fb72b48743ced645d0354ebedcf7f3d82f4d348dbb1dbea78b4458ebb770be9242fe288f1a7a63e3f02cd1c123c01e6b2db8e916d50071e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbei:q7Tc2NYHUrAwfMp3CDi
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3492-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3136-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1456-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4796-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1428-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2404-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1500-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-836-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-1197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-1249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-1817-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4208 hthbtt.exe 4520 nhbtbh.exe 4692 5ttnnn.exe 3404 lxffrxx.exe 5064 jdvvj.exe 2380 3jvvp.exe 4188 lllfxxr.exe 4136 nhhbtt.exe 3456 btbbbb.exe 1632 pdvpj.exe 2668 jdddv.exe 1292 ttbttt.exe 4936 lfxrfxl.exe 3136 nnbbbb.exe 1744 lfrrxll.exe 2572 pdjjd.exe 4408 lfllrrx.exe 2408 rxfxrrl.exe 2984 vjppv.exe 1068 lflxrrl.exe 4912 1pvpj.exe 1248 lxlffff.exe 1936 htnhbb.exe 1456 ddpjp.exe 1536 bttntt.exe 1668 dddpp.exe 3668 ttttnt.exe 3148 pvjdv.exe 964 nhhbbb.exe 2608 pjjdp.exe 2972 frffxxx.exe 548 hbtnhh.exe 4560 5vjdp.exe 4796 bhbnnb.exe 1620 vvjdj.exe 2228 rlxrllf.exe 1256 hbbbnn.exe 808 5jvvv.exe 3440 xrxxrrr.exe 4392 tbnhnh.exe 1428 vdpjj.exe 4304 frlxfxr.exe 1532 hhnnhn.exe 372 jjjjd.exe 4208 9flxrll.exe 4568 5nhhht.exe 3320 vpvpv.exe 3004 7fxrrrl.exe 1760 rlrlxrr.exe 4792 hnhhbb.exe 408 jdjjd.exe 5112 dvvvp.exe 440 rlllfff.exe 4128 hbhbhb.exe 4012 7jjjd.exe 3656 llrxrrl.exe 2320 thnnhb.exe 1632 nbbtnn.exe 2928 5ppjv.exe 2072 xlrrlfx.exe 2108 3thhhb.exe 1832 tbnntt.exe 2956 dvpjd.exe 1928 frrlffx.exe -
resource yara_rule behavioral2/memory/4208-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3136-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-140-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1456-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4796-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1428-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-373-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5080-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1500-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-662-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpjj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bnntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5ddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3492 wrote to memory of 4208 3492 0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe 83 PID 3492 wrote to memory of 4208 3492 0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe 83 PID 3492 wrote to memory of 4208 3492 0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe 83 PID 4208 wrote to memory of 4520 4208 hthbtt.exe 84 PID 4208 wrote to memory of 4520 4208 hthbtt.exe 84 PID 4208 wrote to memory of 4520 4208 hthbtt.exe 84 PID 4520 wrote to memory of 4692 4520 nhbtbh.exe 85 PID 4520 wrote to memory of 4692 4520 nhbtbh.exe 85 PID 4520 wrote to memory of 4692 4520 nhbtbh.exe 85 PID 4692 wrote to memory of 3404 4692 5ttnnn.exe 86 PID 4692 wrote to memory of 3404 4692 5ttnnn.exe 86 PID 4692 wrote to memory of 3404 4692 5ttnnn.exe 86 PID 3404 wrote to memory of 5064 3404 lxffrxx.exe 87 PID 3404 wrote to memory of 5064 3404 lxffrxx.exe 87 PID 3404 wrote to memory of 5064 3404 lxffrxx.exe 87 PID 5064 wrote to memory of 2380 5064 jdvvj.exe 88 PID 5064 wrote to memory of 2380 5064 jdvvj.exe 88 PID 5064 wrote to memory of 2380 5064 jdvvj.exe 88 PID 2380 wrote to memory of 4188 2380 3jvvp.exe 89 PID 2380 wrote to memory of 4188 2380 3jvvp.exe 89 PID 2380 wrote to memory of 4188 2380 3jvvp.exe 89 PID 4188 wrote to memory of 4136 4188 lllfxxr.exe 90 PID 4188 wrote to memory of 4136 4188 lllfxxr.exe 90 PID 4188 wrote to memory of 4136 4188 lllfxxr.exe 90 PID 4136 wrote to memory of 3456 4136 nhhbtt.exe 91 PID 4136 wrote to memory of 3456 4136 nhhbtt.exe 91 PID 4136 wrote to memory of 3456 4136 nhhbtt.exe 91 PID 3456 wrote to memory of 1632 3456 btbbbb.exe 92 PID 3456 wrote to memory of 1632 3456 btbbbb.exe 92 PID 3456 wrote to memory of 1632 3456 btbbbb.exe 92 PID 1632 wrote to memory of 2668 1632 pdvpj.exe 93 PID 1632 wrote to memory of 2668 1632 pdvpj.exe 93 PID 1632 wrote to memory of 2668 1632 pdvpj.exe 93 PID 2668 wrote to memory of 1292 2668 jdddv.exe 94 PID 2668 wrote to 
memory of 1292 2668 jdddv.exe 94 PID 2668 wrote to memory of 1292 2668 jdddv.exe 94 PID 1292 wrote to memory of 4936 1292 ttbttt.exe 95 PID 1292 wrote to memory of 4936 1292 ttbttt.exe 95 PID 1292 wrote to memory of 4936 1292 ttbttt.exe 95 PID 4936 wrote to memory of 3136 4936 lfxrfxl.exe 96 PID 4936 wrote to memory of 3136 4936 lfxrfxl.exe 96 PID 4936 wrote to memory of 3136 4936 lfxrfxl.exe 96 PID 3136 wrote to memory of 1744 3136 nnbbbb.exe 97 PID 3136 wrote to memory of 1744 3136 nnbbbb.exe 97 PID 3136 wrote to memory of 1744 3136 nnbbbb.exe 97 PID 1744 wrote to memory of 2572 1744 lfrrxll.exe 98 PID 1744 wrote to memory of 2572 1744 lfrrxll.exe 98 PID 1744 wrote to memory of 2572 1744 lfrrxll.exe 98 PID 2572 wrote to memory of 4408 2572 pdjjd.exe 99 PID 2572 wrote to memory of 4408 2572 pdjjd.exe 99 PID 2572 wrote to memory of 4408 2572 pdjjd.exe 99 PID 4408 wrote to memory of 2408 4408 lfllrrx.exe 100 PID 4408 wrote to memory of 2408 4408 lfllrrx.exe 100 PID 4408 wrote to memory of 2408 4408 lfllrrx.exe 100 PID 2408 wrote to memory of 2984 2408 rxfxrrl.exe 101 PID 2408 wrote to memory of 2984 2408 rxfxrrl.exe 101 PID 2408 wrote to memory of 2984 2408 rxfxrrl.exe 101 PID 2984 wrote to memory of 1068 2984 vjppv.exe 102 PID 2984 wrote to memory of 1068 2984 vjppv.exe 102 PID 2984 wrote to memory of 1068 2984 vjppv.exe 102 PID 1068 wrote to memory of 4912 1068 lflxrrl.exe 103 PID 1068 wrote to memory of 4912 1068 lflxrrl.exe 103 PID 1068 wrote to memory of 4912 1068 lflxrrl.exe 103 PID 4912 wrote to memory of 1248 4912 1pvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe"C:\Users\Admin\AppData\Local\Temp\0e172532d70cdd8b41f3f1995e2f9671eee5b82eb23658d5456d23e6105fafb7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\hthbtt.exec:\hthbtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\nhbtbh.exec:\nhbtbh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\5ttnnn.exec:\5ttnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\lxffrxx.exec:\lxffrxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3404 -
\??\c:\jdvvj.exec:\jdvvj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\3jvvp.exec:\3jvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2380 -
\??\c:\lllfxxr.exec:\lllfxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\nhhbtt.exec:\nhhbtt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
\??\c:\btbbbb.exec:\btbbbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\pdvpj.exec:\pdvpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\jdddv.exec:\jdddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\ttbttt.exec:\ttbttt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\lfxrfxl.exec:\lfxrfxl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\nnbbbb.exec:\nnbbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3136 -
\??\c:\lfrrxll.exec:\lfrrxll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\pdjjd.exec:\pdjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\lfllrrx.exec:\lfllrrx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\vjppv.exec:\vjppv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\lflxrrl.exec:\lflxrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\1pvpj.exec:\1pvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\lxlffff.exec:\lxlffff.exe23⤵
- Executes dropped EXE
PID:1248 -
\??\c:\htnhbb.exec:\htnhbb.exe24⤵
- Executes dropped EXE
PID:1936 -
\??\c:\ddpjp.exec:\ddpjp.exe25⤵
- Executes dropped EXE
PID:1456 -
\??\c:\bttntt.exec:\bttntt.exe26⤵
- Executes dropped EXE
PID:1536 -
\??\c:\dddpp.exec:\dddpp.exe27⤵
- Executes dropped EXE
PID:1668 -
\??\c:\ttttnt.exec:\ttttnt.exe28⤵
- Executes dropped EXE
PID:3668 -
\??\c:\pvjdv.exec:\pvjdv.exe29⤵
- Executes dropped EXE
PID:3148 -
\??\c:\nhhbbb.exec:\nhhbbb.exe30⤵
- Executes dropped EXE
PID:964 -
\??\c:\pjjdp.exec:\pjjdp.exe31⤵
- Executes dropped EXE
PID:2608 -
\??\c:\frffxxx.exec:\frffxxx.exe32⤵
- Executes dropped EXE
PID:2972 -
\??\c:\hbtnhh.exec:\hbtnhh.exe33⤵
- Executes dropped EXE
PID:548 -
\??\c:\5vjdp.exec:\5vjdp.exe34⤵
- Executes dropped EXE
PID:4560 -
\??\c:\bhbnnb.exec:\bhbnnb.exe35⤵
- Executes dropped EXE
PID:4796 -
\??\c:\vvjdj.exec:\vvjdj.exe36⤵
- Executes dropped EXE
PID:1620 -
\??\c:\rlxrllf.exec:\rlxrllf.exe37⤵
- Executes dropped EXE
PID:2228 -
\??\c:\hbbbnn.exec:\hbbbnn.exe38⤵
- Executes dropped EXE
PID:1256 -
\??\c:\5jvvv.exec:\5jvvv.exe39⤵
- Executes dropped EXE
PID:808 -
\??\c:\xrxxrrr.exec:\xrxxrrr.exe40⤵
- Executes dropped EXE
PID:3440 -
\??\c:\tbnhnh.exec:\tbnhnh.exe41⤵
- Executes dropped EXE
PID:4392 -
\??\c:\vdpjj.exec:\vdpjj.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1428 -
\??\c:\frlxfxr.exec:\frlxfxr.exe43⤵
- Executes dropped EXE
PID:4304 -
\??\c:\hhnnhn.exec:\hhnnhn.exe44⤵
- Executes dropped EXE
PID:1532 -
\??\c:\jjjjd.exec:\jjjjd.exe45⤵
- Executes dropped EXE
PID:372 -
\??\c:\9flxrll.exec:\9flxrll.exe46⤵
- Executes dropped EXE
PID:4208 -
\??\c:\5nhhht.exec:\5nhhht.exe47⤵
- Executes dropped EXE
PID:4568 -
\??\c:\vpvpv.exec:\vpvpv.exe48⤵
- Executes dropped EXE
PID:3320 -
\??\c:\7fxrrrl.exec:\7fxrrrl.exe49⤵
- Executes dropped EXE
PID:3004 -
\??\c:\rlrlxrr.exec:\rlrlxrr.exe50⤵
- Executes dropped EXE
PID:1760 -
\??\c:\hnhhbb.exec:\hnhhbb.exe51⤵
- Executes dropped EXE
PID:4792 -
\??\c:\jdjjd.exec:\jdjjd.exe52⤵
- Executes dropped EXE
PID:408 -
\??\c:\dvvvp.exec:\dvvvp.exe53⤵
- Executes dropped EXE
PID:5112 -
\??\c:\rlllfff.exec:\rlllfff.exe54⤵
- Executes dropped EXE
PID:440 -
\??\c:\hbhbhb.exec:\hbhbhb.exe55⤵
- Executes dropped EXE
PID:4128 -
\??\c:\7jjjd.exec:\7jjjd.exe56⤵
- Executes dropped EXE
PID:4012 -
\??\c:\llrxrrl.exec:\llrxrrl.exe57⤵
- Executes dropped EXE
PID:3656 -
\??\c:\thnnhb.exec:\thnnhb.exe58⤵
- Executes dropped EXE
PID:2320 -
\??\c:\nbbtnn.exec:\nbbtnn.exe59⤵
- Executes dropped EXE
PID:1632 -
\??\c:\5ppjv.exec:\5ppjv.exe60⤵
- Executes dropped EXE
PID:2928 -
\??\c:\xlrrlfx.exec:\xlrrlfx.exe61⤵
- Executes dropped EXE
PID:2072 -
\??\c:\3thhhb.exec:\3thhhb.exe62⤵
- Executes dropped EXE
PID:2108 -
\??\c:\tbnntt.exec:\tbnntt.exe63⤵
- Executes dropped EXE
PID:1832 -
\??\c:\dvpjd.exec:\dvpjd.exe64⤵
- Executes dropped EXE
PID:2956 -
\??\c:\frrlffx.exec:\frrlffx.exe65⤵
- Executes dropped EXE
PID:1928 -
\??\c:\ttbbhh.exec:\ttbbhh.exe66⤵PID:3688
-
\??\c:\ddjjd.exec:\ddjjd.exe67⤵PID:4032
-
\??\c:\xxfxrrx.exec:\xxfxrrx.exe68⤵PID:1960
-
\??\c:\bnbthb.exec:\bnbthb.exe69⤵PID:4408
-
\??\c:\vpjdv.exec:\vpjdv.exe70⤵PID:3876
-
\??\c:\lfxrlll.exec:\lfxrlll.exe71⤵PID:3216
-
\??\c:\hnttnb.exec:\hnttnb.exe72⤵PID:712
-
\??\c:\ppvpp.exec:\ppvpp.exe73⤵PID:1968
-
\??\c:\rxrlflf.exec:\rxrlflf.exe74⤵PID:2196
-
\??\c:\lfffrfx.exec:\lfffrfx.exe75⤵PID:4252
-
\??\c:\bntnnh.exec:\bntnnh.exe76⤵PID:4892
-
\??\c:\jvdvp.exec:\jvdvp.exe77⤵PID:3208
-
\??\c:\pjjdv.exec:\pjjdv.exe78⤵PID:3624
-
\??\c:\rrffrrf.exec:\rrffrrf.exe79⤵PID:2980
-
\??\c:\7bhhnt.exec:\7bhhnt.exe80⤵PID:2964
-
\??\c:\djppj.exec:\djppj.exe81⤵PID:1484
-
\??\c:\xxrfxrf.exec:\xxrfxrf.exe82⤵PID:1756
-
\??\c:\nhnnnn.exec:\nhnnnn.exe83⤵
- System Location Discovery: System Language Discovery
PID:1444 -
\??\c:\jdvvp.exec:\jdvvp.exe84⤵PID:3148
-
\??\c:\jvvjd.exec:\jvvjd.exe85⤵PID:2404
-
\??\c:\lfrrrll.exec:\lfrrrll.exe86⤵PID:5084
-
\??\c:\bntnhh.exec:\bntnhh.exe87⤵PID:556
-
\??\c:\9djpj.exec:\9djpj.exe88⤵PID:3104
-
\??\c:\xrfxfxl.exec:\xrfxfxl.exe89⤵PID:4760
-
\??\c:\3hbbhn.exec:\3hbbhn.exe90⤵PID:4496
-
\??\c:\pddvp.exec:\pddvp.exe91⤵PID:2272
-
\??\c:\1ppjp.exec:\1ppjp.exe92⤵PID:5072
-
\??\c:\frxrllf.exec:\frxrllf.exe93⤵PID:5080
-
\??\c:\hbnhhh.exec:\hbnhhh.exe94⤵PID:3664
-
\??\c:\ddvvp.exec:\ddvvp.exe95⤵PID:3616
-
\??\c:\frffxrr.exec:\frffxrr.exe96⤵PID:1988
-
\??\c:\nhnhbb.exec:\nhnhbb.exe97⤵PID:4392
-
\??\c:\tbhbhb.exec:\tbhbhb.exe98⤵PID:4440
-
\??\c:\pvdpp.exec:\pvdpp.exe99⤵PID:2584
-
\??\c:\xrxrlfr.exec:\xrxrlfr.exe100⤵PID:1796
-
\??\c:\9tttnn.exec:\9tttnn.exe101⤵PID:1164
-
\??\c:\pdvpj.exec:\pdvpj.exe102⤵PID:2400
-
\??\c:\xxffxxf.exec:\xxffxxf.exe103⤵PID:3332
-
\??\c:\tntnhh.exec:\tntnhh.exe104⤵PID:4204
-
\??\c:\jpddp.exec:\jpddp.exe105⤵PID:3404
-
\??\c:\fxxxlll.exec:\fxxxlll.exe106⤵PID:1416
-
\??\c:\hbnhtn.exec:\hbnhtn.exe107⤵PID:4792
-
\??\c:\nhnhbb.exec:\nhnhbb.exe108⤵PID:2224
-
\??\c:\jdjdv.exec:\jdjdv.exe109⤵PID:1332
-
\??\c:\xlxxrrl.exec:\xlxxrrl.exe110⤵PID:440
-
\??\c:\frrxrrr.exec:\frrxrrr.exe111⤵
- System Location Discovery: System Language Discovery
PID:4128 -
\??\c:\1hnhhh.exec:\1hnhhh.exe112⤵PID:4012
-
\??\c:\dpppj.exec:\dpppj.exe113⤵PID:552
-
\??\c:\pdpjd.exec:\pdpjd.exe114⤵PID:2320
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe115⤵PID:2668
-
\??\c:\nnhbbt.exec:\nnhbbt.exe116⤵PID:4396
-
\??\c:\vvvvd.exec:\vvvvd.exe117⤵PID:2072
-
\??\c:\xrrrllf.exec:\xrrrllf.exe118⤵PID:2108
-
\??\c:\9lrlffx.exec:\9lrlffx.exe119⤵PID:4480
-
\??\c:\bntttb.exec:\bntttb.exe120⤵PID:1500
-
\??\c:\llfxffl.exec:\llfxffl.exe121⤵PID:1932
-
\??\c:\9ntnhh.exec:\9ntnhh.exe122⤵PID:2844