Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2025, 07:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe
-
Size
455KB
-
MD5
9517cd45110a99aacbe4ecb7b474b3b6
-
SHA1
296de4475495f8bc8281c800129b511517f2140f
-
SHA256
c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985
-
SHA512
61247fcd020a157a8723cdfb9a71935ffbd91082f8d5a560bf90598129853b820ea8c028c058f3abc00b3dedc63da170607e65540dc38812f30adfac24776c25
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbem:q7Tc2NYHUrAwfMp3CDm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1604-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2112-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/828-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4960-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1512-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2524-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2084-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-450-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-650-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3768-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-1053-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1764-1238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 696 xlxlxlx.exe 1604 nhbnhh.exe 4848 vvddj.exe 1496 9ffffxx.exe 3272 hnhtbn.exe 2376 fxllffr.exe 2020 bthhnn.exe 2772 tbnnnn.exe 2112 1xrxrll.exe 2544 frrlfxr.exe 828 1tnhhh.exe 3228 jjvvv.exe 4940 rllrlfl.exe 3100 djppj.exe 3820 lrrrxxr.exe 4028 3bttnt.exe 1816 rrxffrr.exe 1896 3tbtnn.exe 3752 vdppp.exe 2996 7vdvp.exe 4960 hnthnt.exe 2956 tnbttt.exe 1512 xfffxrr.exe 1196 bthnhh.exe 3092 1bbtnt.exe 1792 lxxxxxx.exe 2632 1ppjd.exe 3000 bttnnb.exe 912 fxxfrrr.exe 892 dvppd.exe 4280 tntnhb.exe 704 btttbt.exe 1844 vvddd.exe 2936 pjppp.exe 3944 pjddv.exe 2616 thhbtt.exe 2744 vjpjv.exe 1460 rlrllfx.exe 496 xrxrlfx.exe 4716 5bnnhn.exe 2524 pjvvv.exe 3908 rlrlfff.exe 648 lfxxrrl.exe 5052 ttttnn.exe 2484 9jpvv.exe 3896 lxffxxr.exe 3180 rlfxrrl.exe 1964 3hnhnt.exe 976 ppddv.exe 4420 llffxxl.exe 2424 flrlrxr.exe 696 hhbbht.exe 5020 jdvpj.exe 2164 frrlfxr.exe 5028 ntbtnt.exe 3552 tbtnhb.exe 568 9dvvj.exe 3272 xxxfrxr.exe 312 dddvp.exe 1940 xlfxrrl.exe 2340 ttbttn.exe 4032 nbhbtt.exe 2212 vpvvp.exe 2112 lflfffl.exe -
resource yara_rule behavioral2/memory/1604-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2772-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2112-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/828-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4960-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-119-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1512-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2524-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3316-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-450-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-650-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-657-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xrxrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frflflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbntb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1tbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxlxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4916 wrote to memory of 696 4916 c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe 83 PID 4916 wrote to memory of 696 4916 c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe 83 PID 4916 wrote to memory of 696 4916 c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe 83 PID 696 wrote to memory of 1604 696 xlxlxlx.exe 84 PID 696 wrote to memory of 1604 696 xlxlxlx.exe 84 PID 696 wrote to memory of 1604 696 xlxlxlx.exe 84 PID 1604 wrote to memory of 4848 1604 nhbnhh.exe 85 PID 1604 wrote to memory of 4848 1604 nhbnhh.exe 85 PID 1604 wrote to memory of 4848 1604 nhbnhh.exe 85 PID 4848 wrote to memory of 1496 4848 vvddj.exe 86 PID 4848 wrote to memory of 1496 4848 vvddj.exe 86 PID 4848 wrote to memory of 1496 4848 vvddj.exe 86 PID 1496 wrote to memory of 3272 1496 9ffffxx.exe 87 PID 1496 wrote to memory of 3272 1496 9ffffxx.exe 87 PID 1496 wrote to memory of 3272 1496 9ffffxx.exe 87 PID 3272 wrote to memory of 2376 3272 hnhtbn.exe 88 PID 3272 wrote to memory of 2376 3272 hnhtbn.exe 88 PID 3272 wrote to memory of 2376 3272 hnhtbn.exe 88 PID 2376 wrote to memory of 2020 2376 fxllffr.exe 89 PID 2376 wrote to memory of 2020 2376 fxllffr.exe 89 PID 2376 wrote to memory of 2020 2376 fxllffr.exe 89 PID 2020 wrote to memory of 2772 2020 bthhnn.exe 90 PID 2020 wrote to memory of 2772 2020 bthhnn.exe 90 PID 2020 wrote to memory of 2772 2020 bthhnn.exe 90 PID 2772 wrote to memory of 2112 2772 tbnnnn.exe 91 PID 2772 wrote to memory of 2112 2772 tbnnnn.exe 91 PID 2772 wrote to memory of 2112 2772 tbnnnn.exe 91 PID 2112 wrote to memory of 2544 2112 1xrxrll.exe 92 PID 2112 wrote to memory of 2544 2112 1xrxrll.exe 92 PID 2112 wrote to memory of 2544 2112 1xrxrll.exe 92 PID 2544 wrote to memory of 828 2544 frrlfxr.exe 93 PID 2544 wrote to memory of 828 2544 frrlfxr.exe 93 PID 2544 wrote to memory of 828 2544 frrlfxr.exe 93 PID 828 wrote to memory of 3228 828 1tnhhh.exe 94 PID 828 wrote to 
memory of 3228 828 1tnhhh.exe 94 PID 828 wrote to memory of 3228 828 1tnhhh.exe 94 PID 3228 wrote to memory of 4940 3228 jjvvv.exe 95 PID 3228 wrote to memory of 4940 3228 jjvvv.exe 95 PID 3228 wrote to memory of 4940 3228 jjvvv.exe 95 PID 4940 wrote to memory of 3100 4940 rllrlfl.exe 96 PID 4940 wrote to memory of 3100 4940 rllrlfl.exe 96 PID 4940 wrote to memory of 3100 4940 rllrlfl.exe 96 PID 3100 wrote to memory of 3820 3100 djppj.exe 97 PID 3100 wrote to memory of 3820 3100 djppj.exe 97 PID 3100 wrote to memory of 3820 3100 djppj.exe 97 PID 3820 wrote to memory of 4028 3820 lrrrxxr.exe 98 PID 3820 wrote to memory of 4028 3820 lrrrxxr.exe 98 PID 3820 wrote to memory of 4028 3820 lrrrxxr.exe 98 PID 4028 wrote to memory of 1816 4028 3bttnt.exe 99 PID 4028 wrote to memory of 1816 4028 3bttnt.exe 99 PID 4028 wrote to memory of 1816 4028 3bttnt.exe 99 PID 1816 wrote to memory of 1896 1816 rrxffrr.exe 100 PID 1816 wrote to memory of 1896 1816 rrxffrr.exe 100 PID 1816 wrote to memory of 1896 1816 rrxffrr.exe 100 PID 1896 wrote to memory of 3752 1896 3tbtnn.exe 101 PID 1896 wrote to memory of 3752 1896 3tbtnn.exe 101 PID 1896 wrote to memory of 3752 1896 3tbtnn.exe 101 PID 3752 wrote to memory of 2996 3752 vdppp.exe 102 PID 3752 wrote to memory of 2996 3752 vdppp.exe 102 PID 3752 wrote to memory of 2996 3752 vdppp.exe 102 PID 2996 wrote to memory of 4960 2996 7vdvp.exe 103 PID 2996 wrote to memory of 4960 2996 7vdvp.exe 103 PID 2996 wrote to memory of 4960 2996 7vdvp.exe 103 PID 4960 wrote to memory of 2956 4960 hnthnt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe"C:\Users\Admin\AppData\Local\Temp\c16b31d3c646ed8978f7af83340ff2a0779b653585ccd5b535114883632b3985.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\xlxlxlx.exec:\xlxlxlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\nhbnhh.exec:\nhbnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\vvddj.exec:\vvddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\9ffffxx.exec:\9ffffxx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\hnhtbn.exec:\hnhtbn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\fxllffr.exec:\fxllffr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\bthhnn.exec:\bthhnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\tbnnnn.exec:\tbnnnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\1xrxrll.exec:\1xrxrll.exe10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
\??\c:\frrlfxr.exec:\frrlfxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\1tnhhh.exec:\1tnhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\jjvvv.exec:\jjvvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\rllrlfl.exec:\rllrlfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\djppj.exec:\djppj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\lrrrxxr.exec:\lrrrxxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\3bttnt.exec:\3bttnt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\rrxffrr.exec:\rrxffrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1816 -
\??\c:\3tbtnn.exec:\3tbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\vdppp.exec:\vdppp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\7vdvp.exec:\7vdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\hnthnt.exec:\hnthnt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\tnbttt.exec:\tnbttt.exe23⤵
- Executes dropped EXE
PID:2956 -
\??\c:\xfffxrr.exec:\xfffxrr.exe24⤵
- Executes dropped EXE
PID:1512 -
\??\c:\bthnhh.exec:\bthnhh.exe25⤵
- Executes dropped EXE
PID:1196 -
\??\c:\1bbtnt.exec:\1bbtnt.exe26⤵
- Executes dropped EXE
PID:3092 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe27⤵
- Executes dropped EXE
PID:1792 -
\??\c:\1ppjd.exec:\1ppjd.exe28⤵
- Executes dropped EXE
PID:2632 -
\??\c:\bttnnb.exec:\bttnnb.exe29⤵
- Executes dropped EXE
PID:3000 -
\??\c:\fxxfrrr.exec:\fxxfrrr.exe30⤵
- Executes dropped EXE
PID:912 -
\??\c:\dvppd.exec:\dvppd.exe31⤵
- Executes dropped EXE
PID:892 -
\??\c:\tntnhb.exec:\tntnhb.exe32⤵
- Executes dropped EXE
PID:4280 -
\??\c:\btttbt.exec:\btttbt.exe33⤵
- Executes dropped EXE
PID:704 -
\??\c:\vvddd.exec:\vvddd.exe34⤵
- Executes dropped EXE
PID:1844 -
\??\c:\pjppp.exec:\pjppp.exe35⤵
- Executes dropped EXE
PID:2936 -
\??\c:\pjddv.exec:\pjddv.exe36⤵
- Executes dropped EXE
PID:3944 -
\??\c:\thhbtt.exec:\thhbtt.exe37⤵
- Executes dropped EXE
PID:2616 -
\??\c:\vjpjv.exec:\vjpjv.exe38⤵
- Executes dropped EXE
PID:2744 -
\??\c:\rlrllfx.exec:\rlrllfx.exe39⤵
- Executes dropped EXE
PID:1460 -
\??\c:\xrxrlfx.exec:\xrxrlfx.exe40⤵
- Executes dropped EXE
PID:496 -
\??\c:\5bnnhn.exec:\5bnnhn.exe41⤵
- Executes dropped EXE
PID:4716 -
\??\c:\pjvvv.exec:\pjvvv.exe42⤵
- Executes dropped EXE
PID:2524 -
\??\c:\rlrlfff.exec:\rlrlfff.exe43⤵
- Executes dropped EXE
PID:3908 -
\??\c:\lfxxrrl.exec:\lfxxrrl.exe44⤵
- Executes dropped EXE
PID:648 -
\??\c:\ttttnn.exec:\ttttnn.exe45⤵
- Executes dropped EXE
PID:5052 -
\??\c:\9jpvv.exec:\9jpvv.exe46⤵
- Executes dropped EXE
PID:2484 -
\??\c:\lxffxxr.exec:\lxffxxr.exe47⤵
- Executes dropped EXE
PID:3896 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe48⤵
- Executes dropped EXE
PID:3180 -
\??\c:\3hnhnt.exec:\3hnhnt.exe49⤵
- Executes dropped EXE
PID:1964 -
\??\c:\ppddv.exec:\ppddv.exe50⤵
- Executes dropped EXE
PID:976 -
\??\c:\llffxxl.exec:\llffxxl.exe51⤵
- Executes dropped EXE
PID:4420 -
\??\c:\flrlrxr.exec:\flrlrxr.exe52⤵
- Executes dropped EXE
PID:2424 -
\??\c:\hhbbht.exec:\hhbbht.exe53⤵
- Executes dropped EXE
PID:696 -
\??\c:\jdvpj.exec:\jdvpj.exe54⤵
- Executes dropped EXE
PID:5020 -
\??\c:\frrlfxr.exec:\frrlfxr.exe55⤵
- Executes dropped EXE
PID:2164 -
\??\c:\ntbtnt.exec:\ntbtnt.exe56⤵
- Executes dropped EXE
PID:5028 -
\??\c:\tbtnhb.exec:\tbtnhb.exe57⤵
- Executes dropped EXE
PID:3552 -
\??\c:\9dvvj.exec:\9dvvj.exe58⤵
- Executes dropped EXE
PID:568 -
\??\c:\xxxfrxr.exec:\xxxfrxr.exe59⤵
- Executes dropped EXE
PID:3272 -
\??\c:\dddvp.exec:\dddvp.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:312 -
\??\c:\xlfxrrl.exec:\xlfxrrl.exe61⤵
- Executes dropped EXE
PID:1940 -
\??\c:\ttbttn.exec:\ttbttn.exe62⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nbhbtt.exec:\nbhbtt.exe63⤵
- Executes dropped EXE
PID:4032 -
\??\c:\vpvvp.exec:\vpvvp.exe64⤵
- Executes dropped EXE
PID:2212 -
\??\c:\lflfffl.exec:\lflfffl.exe65⤵
- Executes dropped EXE
PID:2112 -
\??\c:\flrrrrl.exec:\flrrrrl.exe66⤵PID:2848
-
\??\c:\bttnhh.exec:\bttnhh.exe67⤵PID:4544
-
\??\c:\dpvvp.exec:\dpvvp.exe68⤵PID:2804
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe69⤵PID:1080
-
\??\c:\9ntntt.exec:\9ntntt.exe70⤵PID:4972
-
\??\c:\ttnhbt.exec:\ttnhbt.exe71⤵PID:4560
-
\??\c:\5pjjv.exec:\5pjjv.exe72⤵PID:1412
-
\??\c:\xfxlffx.exec:\xfxlffx.exe73⤵PID:3024
-
\??\c:\hbtnbb.exec:\hbtnbb.exe74⤵PID:2084
-
\??\c:\djvdv.exec:\djvdv.exe75⤵PID:1440
-
\??\c:\xflfxxr.exec:\xflfxxr.exe76⤵PID:5068
-
\??\c:\bhhhtn.exec:\bhhhtn.exe77⤵PID:3544
-
\??\c:\jpddv.exec:\jpddv.exe78⤵PID:3752
-
\??\c:\fflxlfr.exec:\fflxlfr.exe79⤵PID:1632
-
\??\c:\1ffxxxx.exec:\1ffxxxx.exe80⤵PID:4340
-
\??\c:\bbbbnh.exec:\bbbbnh.exe81⤵PID:3316
-
\??\c:\vdddj.exec:\vdddj.exe82⤵PID:2636
-
\??\c:\rrfxxrr.exec:\rrfxxrr.exe83⤵PID:1960
-
\??\c:\bhbthb.exec:\bhbthb.exe84⤵PID:1284
-
\??\c:\ppppj.exec:\ppppj.exe85⤵PID:1196
-
\??\c:\7vvpp.exec:\7vvpp.exe86⤵PID:4108
-
\??\c:\llrfxxr.exec:\llrfxxr.exe87⤵PID:3672
-
\??\c:\tnhhbb.exec:\tnhhbb.exe88⤵PID:4496
-
\??\c:\jjpjd.exec:\jjpjd.exe89⤵PID:748
-
\??\c:\rxfxlll.exec:\rxfxlll.exe90⤵PID:1780
-
\??\c:\tnttnt.exec:\tnttnt.exe91⤵PID:3000
-
\??\c:\ppddp.exec:\ppddp.exe92⤵PID:3096
-
\??\c:\xxfxfxl.exec:\xxfxfxl.exe93⤵PID:4888
-
\??\c:\xxfffxl.exec:\xxfffxl.exe94⤵PID:4144
-
\??\c:\dpjvv.exec:\dpjvv.exe95⤵PID:2816
-
\??\c:\pdpvp.exec:\pdpvp.exe96⤵PID:4068
-
\??\c:\frrlfxf.exec:\frrlfxf.exe97⤵PID:2240
-
\??\c:\hbhttt.exec:\hbhttt.exe98⤵PID:2936
-
\??\c:\jjvvv.exec:\jjvvv.exe99⤵PID:764
-
\??\c:\5xlrlrr.exec:\5xlrlrr.exe100⤵PID:2888
-
\??\c:\btnnhh.exec:\btnnhh.exe101⤵PID:3688
-
\??\c:\vjpjv.exec:\vjpjv.exe102⤵PID:2612
-
\??\c:\rlxrlfx.exec:\rlxrlfx.exe103⤵PID:3536
-
\??\c:\nhnnht.exec:\nhnnht.exe104⤵PID:2520
-
\??\c:\dvvvp.exec:\dvvvp.exe105⤵PID:5004
-
\??\c:\vpddv.exec:\vpddv.exe106⤵PID:4908
-
\??\c:\lxfrrll.exec:\lxfrrll.exe107⤵PID:640
-
\??\c:\ttnbbt.exec:\ttnbbt.exe108⤵PID:2592
-
\??\c:\dvjdd.exec:\dvjdd.exe109⤵PID:4276
-
\??\c:\1lllxrx.exec:\1lllxrx.exe110⤵PID:4132
-
\??\c:\thnthh.exec:\thnthh.exe111⤵PID:2492
-
\??\c:\vjppj.exec:\vjppj.exe112⤵PID:4328
-
\??\c:\vjjvp.exec:\vjjvp.exe113⤵PID:1192
-
\??\c:\5llfxrl.exec:\5llfxrl.exe114⤵PID:2092
-
\??\c:\nhnnnt.exec:\nhnnnt.exe115⤵PID:1184
-
\??\c:\vpppd.exec:\vpppd.exe116⤵PID:696
-
\??\c:\flrllff.exec:\flrllff.exe117⤵PID:5020
-
\??\c:\frxrffx.exec:\frxrffx.exe118⤵PID:1112
-
\??\c:\nnbtnt.exec:\nnbtnt.exe119⤵PID:4976
-
\??\c:\jvvpj.exec:\jvvpj.exe120⤵PID:3684
-
\??\c:\frxlxxl.exec:\frxlxxl.exe121⤵PID:1376
-
\??\c:\nhhbnn.exec:\nhhbnn.exe122⤵PID:2080