Analysis
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
20-01-2025 09:07
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
Target
4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe
-
Size
454KB
-
MD5
01bb3e5eed4bb5943ffe7627893bf5ad
-
SHA1
ae12608104bef4f0dd3473df8f2416f0688978f2
-
SHA256
4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229
-
SHA512
df1e96cdd9b7bc97e23036d7a8979a068fa8049bc350f84b3c7ff029ba6b628aacad91352ec9733243ab732ee6989e567a0374dd7ab293ae406530192a1134e1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeS2:q7Tc2NYHUrAwfMp3CDS2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4416-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3252-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2488-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1224-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/684-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1872-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-511-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-547-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-636-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-683-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1596-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2948-824-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-936-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-994-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-1040-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3252 nhbthb.exe 4464 tnhbtn.exe 1016 fxfrlll.exe 3704 vvvdd.exe 1892 nhtbtt.exe 556 7rfrrlx.exe 2516 nhtnhb.exe 3496 lfxlxrf.exe 2488 9hhttb.exe 1048 llxfflr.exe 972 jdvjd.exe 440 fxfxllf.exe 2288 ntnhbn.exe 2280 jppvj.exe 2592 pddvv.exe 4812 btbttt.exe 1852 xrrlfxx.exe 400 tthbtn.exe 3732 dddvp.exe 1820 rxrlfff.exe 2568 jddjj.exe 3880 jjdvv.exe 1840 flrlxfx.exe 5040 httnnh.exe 4956 xrrlfff.exe 3240 7bbtnt.exe 2616 dddvv.exe 5100 nnttbn.exe 1224 nhnhtt.exe 3120 jpppp.exe 684 rlrlfff.exe 5012 xxllflf.exe 2296 djjdv.exe 3516 5ffxlll.exe 5028 7tnnhh.exe 2120 5flfrrr.exe 1568 bhtnhh.exe 4216 djdvp.exe 2068 5rllflf.exe 3696 thntnn.exe 4556 hbhbhh.exe 2816 dvpjj.exe 3520 xfrflxl.exe 3076 tthhbb.exe 3672 1pppd.exe 4408 vdjdv.exe 1228 7rlfrrl.exe 4448 tthbhn.exe 4996 pjjjd.exe 4596 lxlfrrl.exe 3736 fffxrll.exe 1864 thtnhh.exe 4476 djdjj.exe 960 3rxrrrx.exe 1160 tttnhn.exe 4288 dvddj.exe 5036 xxlrxfx.exe 2516 nhtnhh.exe 4484 3thbnn.exe 212 dpppj.exe 3228 llxxxxf.exe 2796 9tbttt.exe 1076 nnnhbb.exe 1032 jjvpj.exe -
resource yara_rule behavioral2/memory/4416-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3252-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2488-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/684-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-186-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3516-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3364-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-443-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1168-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-511-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-547-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-636-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-683-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1596-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2948-824-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-936-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlxrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1djjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4416 wrote to memory of 3252 4416 4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe 82 PID 4416 wrote to memory of 3252 4416 4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe 82 PID 4416 wrote to memory of 3252 4416 4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe 82 PID 3252 wrote to memory of 4464 3252 nhbthb.exe 83 PID 3252 wrote to memory of 4464 3252 nhbthb.exe 83 PID 3252 wrote to memory of 4464 3252 nhbthb.exe 83 PID 4464 wrote to memory of 1016 4464 tnhbtn.exe 84 PID 4464 wrote to memory of 1016 4464 tnhbtn.exe 84 PID 4464 wrote to memory of 1016 4464 tnhbtn.exe 84 PID 1016 wrote to memory of 3704 1016 fxfrlll.exe 85 PID 1016 wrote to memory of 3704 1016 fxfrlll.exe 85 PID 1016 wrote to memory of 3704 1016 fxfrlll.exe 85 PID 3704 wrote to memory of 1892 3704 vvvdd.exe 86 PID 3704 wrote to memory of 1892 3704 vvvdd.exe 86 PID 3704 wrote to memory of 1892 3704 vvvdd.exe 86 PID 1892 wrote to memory of 556 1892 nhtbtt.exe 87 PID 1892 wrote to memory of 556 1892 nhtbtt.exe 87 PID 1892 wrote to memory of 556 1892 nhtbtt.exe 87 PID 556 wrote to memory of 2516 556 7rfrrlx.exe 88 PID 556 wrote to memory of 2516 556 7rfrrlx.exe 88 PID 556 wrote to memory of 2516 556 7rfrrlx.exe 88 PID 2516 wrote to memory of 3496 2516 nhtnhb.exe 89 PID 2516 wrote to memory of 3496 2516 nhtnhb.exe 89 PID 2516 wrote to memory of 3496 2516 nhtnhb.exe 89 PID 3496 wrote to memory of 2488 3496 lfxlxrf.exe 90 PID 3496 wrote to memory of 2488 3496 lfxlxrf.exe 90 PID 3496 wrote to memory of 2488 3496 lfxlxrf.exe 90 PID 2488 wrote to memory of 1048 2488 9hhttb.exe 91 PID 2488 wrote to memory of 1048 2488 9hhttb.exe 91 PID 2488 wrote to memory of 1048 2488 9hhttb.exe 91 PID 1048 wrote to memory of 972 1048 llxfflr.exe 92 PID 1048 wrote to memory of 972 1048 llxfflr.exe 92 PID 1048 wrote to memory of 972 1048 llxfflr.exe 92 PID 972 wrote to memory of 440 972 jdvjd.exe 93 PID 972 wrote to memory of 
440 972 jdvjd.exe 93 PID 972 wrote to memory of 440 972 jdvjd.exe 93 PID 440 wrote to memory of 2288 440 fxfxllf.exe 94 PID 440 wrote to memory of 2288 440 fxfxllf.exe 94 PID 440 wrote to memory of 2288 440 fxfxllf.exe 94 PID 2288 wrote to memory of 2280 2288 ntnhbn.exe 95 PID 2288 wrote to memory of 2280 2288 ntnhbn.exe 95 PID 2288 wrote to memory of 2280 2288 ntnhbn.exe 95 PID 2280 wrote to memory of 2592 2280 jppvj.exe 96 PID 2280 wrote to memory of 2592 2280 jppvj.exe 96 PID 2280 wrote to memory of 2592 2280 jppvj.exe 96 PID 2592 wrote to memory of 4812 2592 pddvv.exe 97 PID 2592 wrote to memory of 4812 2592 pddvv.exe 97 PID 2592 wrote to memory of 4812 2592 pddvv.exe 97 PID 4812 wrote to memory of 1852 4812 btbttt.exe 98 PID 4812 wrote to memory of 1852 4812 btbttt.exe 98 PID 4812 wrote to memory of 1852 4812 btbttt.exe 98 PID 1852 wrote to memory of 400 1852 xrrlfxx.exe 99 PID 1852 wrote to memory of 400 1852 xrrlfxx.exe 99 PID 1852 wrote to memory of 400 1852 xrrlfxx.exe 99 PID 400 wrote to memory of 3732 400 tthbtn.exe 100 PID 400 wrote to memory of 3732 400 tthbtn.exe 100 PID 400 wrote to memory of 3732 400 tthbtn.exe 100 PID 3732 wrote to memory of 1820 3732 dddvp.exe 101 PID 3732 wrote to memory of 1820 3732 dddvp.exe 101 PID 3732 wrote to memory of 1820 3732 dddvp.exe 101 PID 1820 wrote to memory of 2568 1820 rxrlfff.exe 102 PID 1820 wrote to memory of 2568 1820 rxrlfff.exe 102 PID 1820 wrote to memory of 2568 1820 rxrlfff.exe 102 PID 2568 wrote to memory of 3880 2568 jddjj.exe 103
Processes
C:\Users\Admin\AppData\Local\Temp\4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe"C:\Users\Admin\AppData\Local\Temp\4e927e722283600038f8bab446ca1879b780759e4c8e4d58db470604dd2b2229.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\nhbthb.exec:\nhbthb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\tnhbtn.exec:\tnhbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\fxfrlll.exec:\fxfrlll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1016 -
\??\c:\vvvdd.exec:\vvvdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\nhtbtt.exec:\nhtbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\7rfrrlx.exec:\7rfrrlx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\nhtnhb.exec:\nhtnhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\9hhttb.exec:\9hhttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\llxfflr.exec:\llxfflr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\jdvjd.exec:\jdvjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:972 -
\??\c:\fxfxllf.exec:\fxfxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\ntnhbn.exec:\ntnhbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\jppvj.exec:\jppvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
\??\c:\pddvv.exec:\pddvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\btbttt.exec:\btbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\tthbtn.exec:\tthbtn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\dddvp.exec:\dddvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\rxrlfff.exec:\rxrlfff.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\jddjj.exec:\jddjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568 -
\??\c:\jjdvv.exec:\jjdvv.exe23⤵
- Executes dropped EXE
PID:3880 -
\??\c:\flrlxfx.exec:\flrlxfx.exe24⤵
- Executes dropped EXE
PID:1840 -
\??\c:\httnnh.exec:\httnnh.exe25⤵
- Executes dropped EXE
PID:5040 -
\??\c:\xrrlfff.exec:\xrrlfff.exe26⤵
- Executes dropped EXE
PID:4956 -
\??\c:\7bbtnt.exec:\7bbtnt.exe27⤵
- Executes dropped EXE
PID:3240 -
\??\c:\dddvv.exec:\dddvv.exe28⤵
- Executes dropped EXE
PID:2616 -
\??\c:\nnttbn.exec:\nnttbn.exe29⤵
- Executes dropped EXE
PID:5100 -
\??\c:\nhnhtt.exec:\nhnhtt.exe30⤵
- Executes dropped EXE
PID:1224 -
\??\c:\jpppp.exec:\jpppp.exe31⤵
- Executes dropped EXE
PID:3120 -
\??\c:\rlrlfff.exec:\rlrlfff.exe32⤵
- Executes dropped EXE
PID:684 -
\??\c:\xxllflf.exec:\xxllflf.exe33⤵
- Executes dropped EXE
PID:5012 -
\??\c:\djjdv.exec:\djjdv.exe34⤵
- Executes dropped EXE
PID:2296 -
\??\c:\5ffxlll.exec:\5ffxlll.exe35⤵
- Executes dropped EXE
PID:3516 -
\??\c:\7tnnhh.exec:\7tnnhh.exe36⤵
- Executes dropped EXE
PID:5028 -
\??\c:\5flfrrr.exec:\5flfrrr.exe37⤵
- Executes dropped EXE
PID:2120 -
\??\c:\bhtnhh.exec:\bhtnhh.exe38⤵
- Executes dropped EXE
PID:1568 -
\??\c:\djdvp.exec:\djdvp.exe39⤵
- Executes dropped EXE
PID:4216 -
\??\c:\5rllflf.exec:\5rllflf.exe40⤵
- Executes dropped EXE
PID:2068 -
\??\c:\thntnn.exec:\thntnn.exe41⤵
- Executes dropped EXE
PID:3696 -
\??\c:\hbhbhh.exec:\hbhbhh.exe42⤵
- Executes dropped EXE
PID:4556 -
\??\c:\dvpjj.exec:\dvpjj.exe43⤵
- Executes dropped EXE
PID:2816 -
\??\c:\xfrflxl.exec:\xfrflxl.exe44⤵
- Executes dropped EXE
PID:3520 -
\??\c:\tthhbb.exec:\tthhbb.exe45⤵
- Executes dropped EXE
PID:3076 -
\??\c:\1pppd.exec:\1pppd.exe46⤵
- Executes dropped EXE
PID:3672 -
\??\c:\vdjdv.exec:\vdjdv.exe47⤵
- Executes dropped EXE
PID:4408 -
\??\c:\7rlfrrl.exec:\7rlfrrl.exe48⤵
- Executes dropped EXE
PID:1228 -
\??\c:\tthbhn.exec:\tthbhn.exe49⤵
- Executes dropped EXE
PID:4448 -
\??\c:\pjjjd.exec:\pjjjd.exe50⤵
- Executes dropped EXE
PID:4996 -
\??\c:\lxlfrrl.exec:\lxlfrrl.exe51⤵
- Executes dropped EXE
PID:4596 -
\??\c:\fffxrll.exec:\fffxrll.exe52⤵
- Executes dropped EXE
PID:3736 -
\??\c:\thtnhh.exec:\thtnhh.exe53⤵
- Executes dropped EXE
PID:1864 -
\??\c:\djdjj.exec:\djdjj.exe54⤵
- Executes dropped EXE
PID:4476 -
\??\c:\3rxrrrx.exec:\3rxrrrx.exe55⤵
- Executes dropped EXE
PID:960 -
\??\c:\tttnhn.exec:\tttnhn.exe56⤵
- Executes dropped EXE
PID:1160 -
\??\c:\dvddj.exec:\dvddj.exe57⤵
- Executes dropped EXE
PID:4288 -
\??\c:\xxlrxfx.exec:\xxlrxfx.exe58⤵
- Executes dropped EXE
PID:5036 -
\??\c:\nhtnhh.exec:\nhtnhh.exe59⤵
- Executes dropped EXE
PID:2516 -
\??\c:\3thbnn.exec:\3thbnn.exe60⤵
- Executes dropped EXE
PID:4484 -
\??\c:\dpppj.exec:\dpppj.exe61⤵
- Executes dropped EXE
PID:212 -
\??\c:\llxxxxf.exec:\llxxxxf.exe62⤵
- Executes dropped EXE
PID:3228 -
\??\c:\9tbttt.exec:\9tbttt.exe63⤵
- Executes dropped EXE
PID:2796 -
\??\c:\nnnhbb.exec:\nnnhbb.exe64⤵
- Executes dropped EXE
PID:1076 -
\??\c:\jjvpj.exec:\jjvpj.exe65⤵
- Executes dropped EXE
PID:1032 -
\??\c:\xxlfffx.exec:\xxlfffx.exe66⤵PID:2688
-
\??\c:\httnhh.exec:\httnhh.exe67⤵PID:1204
-
\??\c:\9vjjv.exec:\9vjjv.exe68⤵PID:804
-
\??\c:\xrfxrrr.exec:\xrfxrrr.exe69⤵PID:3140
-
\??\c:\lxlffxr.exec:\lxlffxr.exe70⤵PID:4920
-
\??\c:\nbhhbb.exec:\nbhhbb.exe71⤵PID:4928
-
\??\c:\vpddd.exec:\vpddd.exe72⤵PID:4536
-
\??\c:\llrlrlx.exec:\llrlrlx.exe73⤵PID:4740
-
\??\c:\lfxrrrr.exec:\lfxrrrr.exe74⤵PID:908
-
\??\c:\nbttnh.exec:\nbttnh.exe75⤵PID:3364
-
\??\c:\jjjjd.exec:\jjjjd.exe76⤵PID:4316
-
\??\c:\xlrlffx.exec:\xlrlffx.exe77⤵PID:4896
-
\??\c:\hhbbhh.exec:\hhbbhh.exe78⤵PID:2608
-
\??\c:\jpdvp.exec:\jpdvp.exe79⤵PID:2064
-
\??\c:\lrxrrrr.exec:\lrxrrrr.exe80⤵PID:4064
-
\??\c:\bbhbbh.exec:\bbhbbh.exe81⤵PID:4560
-
\??\c:\ddjjd.exec:\ddjjd.exe82⤵PID:2088
-
\??\c:\9rlfxxr.exec:\9rlfxxr.exe83⤵PID:4336
-
\??\c:\3rxxxxx.exec:\3rxxxxx.exe84⤵PID:4428
-
\??\c:\bbhhnn.exec:\bbhhnn.exe85⤵PID:1872
-
\??\c:\jjjdd.exec:\jjjdd.exe86⤵PID:3392
-
\??\c:\9xxlllf.exec:\9xxlllf.exe87⤵PID:1940
-
\??\c:\bbbthh.exec:\bbbthh.exe88⤵PID:3120
-
\??\c:\bthbbb.exec:\bthbbb.exe89⤵PID:760
-
\??\c:\xxlrrrl.exec:\xxlrrrl.exe90⤵PID:1440
-
\??\c:\1rrrlrl.exec:\1rrrlrl.exe91⤵PID:3728
-
\??\c:\nthbtt.exec:\nthbtt.exe92⤵PID:5032
-
\??\c:\5ppjd.exec:\5ppjd.exe93⤵PID:4108
-
\??\c:\xllfrxl.exec:\xllfrxl.exe94⤵PID:4436
-
\??\c:\hhhhtt.exec:\hhhhtt.exe95⤵PID:3820
-
\??\c:\5ppjj.exec:\5ppjj.exe96⤵PID:4472
-
\??\c:\vpvpj.exec:\vpvpj.exe97⤵PID:1568
-
\??\c:\rrrfflr.exec:\rrrfflr.exe98⤵PID:3560
-
\??\c:\ntttnn.exec:\ntttnn.exe99⤵PID:516
-
\??\c:\djjdp.exec:\djjdp.exe100⤵PID:448
-
\??\c:\3pjjd.exec:\3pjjd.exe101⤵PID:2620
-
\??\c:\lrxxfxf.exec:\lrxxfxf.exe102⤵PID:3232
-
\??\c:\nnhbtn.exec:\nnhbtn.exe103⤵PID:2324
-
\??\c:\vpvdd.exec:\vpvdd.exe104⤵PID:4360
-
\??\c:\5lfrfll.exec:\5lfrfll.exe105⤵PID:964
-
\??\c:\bbnhbb.exec:\bbnhbb.exe106⤵PID:4376
-
\??\c:\pvjdd.exec:\pvjdd.exe107⤵PID:4408
-
\??\c:\1djjp.exec:\1djjp.exe108⤵
- System Location Discovery: System Language Discovery
PID:3436 -
\??\c:\3xxlxrx.exec:\3xxlxrx.exe109⤵PID:4644
-
\??\c:\thhtht.exec:\thhtht.exe110⤵PID:2512
-
\??\c:\vjvjv.exec:\vjvjv.exe111⤵PID:1016
-
\??\c:\9lxrlxr.exec:\9lxrlxr.exe112⤵PID:4768
-
\??\c:\3tbhhb.exec:\3tbhhb.exe113⤵PID:4608
-
\??\c:\7tthtn.exec:\7tthtn.exe114⤵PID:4828
-
\??\c:\9pjvj.exec:\9pjvj.exe115⤵PID:1168
-
\??\c:\rrrxlxl.exec:\rrrxlxl.exe116⤵PID:1160
-
\??\c:\7bnhth.exec:\7bnhth.exe117⤵PID:1348
-
\??\c:\jpjdp.exec:\jpjdp.exe118⤵PID:2108
-
\??\c:\3lxlffx.exec:\3lxlffx.exe119⤵PID:3496
-
\??\c:\lfrflfl.exec:\lfrflfl.exe120⤵PID:3328
-
\??\c:\bntnnn.exec:\bntnnn.exe121⤵PID:940
-
\??\c:\9djvp.exec:\9djvp.exe122⤵PID:1220