Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 00:18
Static task
static1
Behavioral task
behavioral1
Sample
7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4.exe
Resource
win7-20240903-en
General
-
Target
7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4.exe
-
Size
337KB
-
MD5
9683d6b6ddec7aaa057b6d3cc71d5389
-
SHA1
61037c955f1a09903996301c53bce96d50a38703
-
SHA256
7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4
-
SHA512
ea82797f27e131be12eed6ee64acb71218b6382e9b4116c6e41dfe0ec341b5c44b74f28038dbd90909db11ea958aac88a3b9a6add029629952e1304d5105d49f
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhb:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTL
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4700-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1992-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3660-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3796-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4296-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-453-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3652-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2240-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-613-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-1239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-1438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-1466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-1697-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 5084 bntnhb.exe 436 hhnnbt.exe 4820 jvdpp.exe 1676 htbttt.exe 1992 frxrrrl.exe 3104 vvppp.exe 4912 tnbtnn.exe 1544 pjvvd.exe 4360 7bbtnn.exe 5056 bbhhbb.exe 640 3rffrxr.exe 232 bthbbt.exe 4776 xfxxrlf.exe 100 nbnntt.exe 2660 jjpjd.exe 3064 xrfxffl.exe 4760 nhtntt.exe 4280 pvjdp.exe 2700 xllfxfx.exe 840 thhbtt.exe 3756 pdvvp.exe 2008 pppjd.exe 1704 llxfxfx.exe 2876 nntnbt.exe 1524 vvvpj.exe 1736 llfxxrx.exe 2576 ttttbb.exe 3432 ppjpj.exe 3504 frrlfxl.exe 3660 bbnnnn.exe 1612 dpvpd.exe 4372 hbhbnn.exe 2752 jdvpj.exe 3744 rffxrrl.exe 1812 nbhbbh.exe 2012 dppvp.exe 3316 xlfffxx.exe 4916 nhbbtn.exe 1960 pppdj.exe 1436 fxffxxx.exe 4640 htbhbb.exe 3616 rxfflll.exe 4348 pvddv.exe 2900 fxlfrlf.exe 968 ntbttn.exe 2708 jdpdd.exe 2828 jdjjp.exe 2704 5bbbtt.exe 2592 btbtnh.exe 4992 ddpjj.exe 1608 rllxffl.exe 4052 rfxrllf.exe 2920 djpdj.exe 1048 3jjvp.exe 208 7ffxrrr.exe 2004 tbnnhh.exe 1492 3tnbtt.exe 1908 djjdv.exe 2072 xlxrffx.exe 3928 nbnhtt.exe 640 btnbbh.exe 1572 pjvpj.exe 3372 1xxrlff.exe 4588 tthbbb.exe -
resource yara_rule behavioral2/memory/4700-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1992-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3432-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-379-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/116-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4296-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-453-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3652-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2240-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-613-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-921-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxlrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpj.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4700 wrote to memory of 5084 4700 7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4.exe 83 PID 4700 wrote to memory of 5084 4700 7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4.exe 83 PID 4700 wrote to memory of 5084 4700 7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4.exe 83 PID 5084 wrote to memory of 436 5084 bntnhb.exe 84 PID 5084 wrote to memory of 436 5084 bntnhb.exe 84 PID 5084 wrote to memory of 436 5084 bntnhb.exe 84 PID 436 wrote to memory of 4820 436 hhnnbt.exe 85 PID 436 wrote to memory of 4820 436 hhnnbt.exe 85 PID 436 wrote to memory of 4820 436 hhnnbt.exe 85 PID 4820 wrote to memory of 1676 4820 jvdpp.exe 86 PID 4820 wrote to memory of 1676 4820 jvdpp.exe 86 PID 4820 wrote to memory of 1676 4820 jvdpp.exe 86 PID 1676 wrote to memory of 1992 1676 htbttt.exe 87 PID 1676 wrote to memory of 1992 1676 htbttt.exe 87 PID 1676 wrote to memory of 1992 1676 htbttt.exe 87 PID 1992 wrote to memory of 3104 1992 frxrrrl.exe 88 PID 1992 wrote to memory of 3104 1992 frxrrrl.exe 88 PID 1992 wrote to memory of 3104 1992 frxrrrl.exe 88 PID 3104 wrote to memory of 4912 3104 vvppp.exe 89 PID 3104 wrote to memory of 4912 3104 vvppp.exe 89 PID 3104 wrote to memory of 4912 3104 vvppp.exe 89 PID 4912 wrote to memory of 1544 4912 tnbtnn.exe 90 PID 4912 wrote to memory of 1544 4912 tnbtnn.exe 90 PID 4912 wrote to memory of 1544 4912 tnbtnn.exe 90 PID 1544 wrote to memory of 4360 1544 pjvvd.exe 91 PID 1544 wrote to memory of 4360 1544 pjvvd.exe 91 PID 1544 wrote to memory of 4360 1544 pjvvd.exe 91 PID 4360 wrote to memory of 5056 4360 7bbtnn.exe 92 PID 4360 wrote to memory of 5056 4360 7bbtnn.exe 92 PID 4360 wrote to memory of 5056 4360 7bbtnn.exe 92 PID 5056 wrote to memory of 640 5056 bbhhbb.exe 93 PID 5056 wrote to memory of 640 5056 bbhhbb.exe 93 PID 5056 wrote to memory of 640 5056 bbhhbb.exe 93 PID 640 wrote to memory of 232 640 3rffrxr.exe 94 PID 640 wrote to memory of 232 640 
3rffrxr.exe 94 PID 640 wrote to memory of 232 640 3rffrxr.exe 94 PID 232 wrote to memory of 4776 232 bthbbt.exe 95 PID 232 wrote to memory of 4776 232 bthbbt.exe 95 PID 232 wrote to memory of 4776 232 bthbbt.exe 95 PID 4776 wrote to memory of 100 4776 xfxxrlf.exe 96 PID 4776 wrote to memory of 100 4776 xfxxrlf.exe 96 PID 4776 wrote to memory of 100 4776 xfxxrlf.exe 96 PID 100 wrote to memory of 2660 100 nbnntt.exe 97 PID 100 wrote to memory of 2660 100 nbnntt.exe 97 PID 100 wrote to memory of 2660 100 nbnntt.exe 97 PID 2660 wrote to memory of 3064 2660 jjpjd.exe 98 PID 2660 wrote to memory of 3064 2660 jjpjd.exe 98 PID 2660 wrote to memory of 3064 2660 jjpjd.exe 98 PID 3064 wrote to memory of 4760 3064 xrfxffl.exe 99 PID 3064 wrote to memory of 4760 3064 xrfxffl.exe 99 PID 3064 wrote to memory of 4760 3064 xrfxffl.exe 99 PID 4760 wrote to memory of 4280 4760 nhtntt.exe 100 PID 4760 wrote to memory of 4280 4760 nhtntt.exe 100 PID 4760 wrote to memory of 4280 4760 nhtntt.exe 100 PID 4280 wrote to memory of 2700 4280 pvjdp.exe 101 PID 4280 wrote to memory of 2700 4280 pvjdp.exe 101 PID 4280 wrote to memory of 2700 4280 pvjdp.exe 101 PID 2700 wrote to memory of 840 2700 xllfxfx.exe 102 PID 2700 wrote to memory of 840 2700 xllfxfx.exe 102 PID 2700 wrote to memory of 840 2700 xllfxfx.exe 102 PID 840 wrote to memory of 3756 840 thhbtt.exe 103 PID 840 wrote to memory of 3756 840 thhbtt.exe 103 PID 840 wrote to memory of 3756 840 thhbtt.exe 103 PID 3756 wrote to memory of 2008 3756 pdvvp.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4.exe"C:\Users\Admin\AppData\Local\Temp\7c70183eee233b1bbae85f2ad89084630b32e9ef762dbf07a52fa4999e5791b4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\bntnhb.exec:\bntnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\hhnnbt.exec:\hhnnbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\jvdpp.exec:\jvdpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\htbttt.exec:\htbttt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\frxrrrl.exec:\frxrrrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\vvppp.exec:\vvppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
\??\c:\tnbtnn.exec:\tnbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\pjvvd.exec:\pjvvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\7bbtnn.exec:\7bbtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\bbhhbb.exec:\bbhhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\3rffrxr.exec:\3rffrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\bthbbt.exec:\bthbbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\xfxxrlf.exec:\xfxxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\nbnntt.exec:\nbnntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\jjpjd.exec:\jjpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\xrfxffl.exec:\xrfxffl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\nhtntt.exec:\nhtntt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\pvjdp.exec:\pvjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
\??\c:\xllfxfx.exec:\xllfxfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\thhbtt.exec:\thhbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\pdvvp.exec:\pdvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\pppjd.exec:\pppjd.exe23⤵
- Executes dropped EXE
PID:2008 -
\??\c:\llxfxfx.exec:\llxfxfx.exe24⤵
- Executes dropped EXE
PID:1704 -
\??\c:\nntnbt.exec:\nntnbt.exe25⤵
- Executes dropped EXE
PID:2876 -
\??\c:\vvvpj.exec:\vvvpj.exe26⤵
- Executes dropped EXE
PID:1524 -
\??\c:\llfxxrx.exec:\llfxxrx.exe27⤵
- Executes dropped EXE
PID:1736 -
\??\c:\ttttbb.exec:\ttttbb.exe28⤵
- Executes dropped EXE
PID:2576 -
\??\c:\ppjpj.exec:\ppjpj.exe29⤵
- Executes dropped EXE
PID:3432 -
\??\c:\frrlfxl.exec:\frrlfxl.exe30⤵
- Executes dropped EXE
PID:3504 -
\??\c:\bbnnnn.exec:\bbnnnn.exe31⤵
- Executes dropped EXE
PID:3660 -
\??\c:\dpvpd.exec:\dpvpd.exe32⤵
- Executes dropped EXE
PID:1612 -
\??\c:\hbhbnn.exec:\hbhbnn.exe33⤵
- Executes dropped EXE
PID:4372 -
\??\c:\jdvpj.exec:\jdvpj.exe34⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rffxrrl.exec:\rffxrrl.exe35⤵
- Executes dropped EXE
PID:3744 -
\??\c:\nbhbbh.exec:\nbhbbh.exe36⤵
- Executes dropped EXE
PID:1812 -
\??\c:\dppvp.exec:\dppvp.exe37⤵
- Executes dropped EXE
PID:2012 -
\??\c:\xlfffxx.exec:\xlfffxx.exe38⤵
- Executes dropped EXE
PID:3316 -
\??\c:\nhbbtn.exec:\nhbbtn.exe39⤵
- Executes dropped EXE
PID:4916 -
\??\c:\pppdj.exec:\pppdj.exe40⤵
- Executes dropped EXE
PID:1960 -
\??\c:\fxffxxx.exec:\fxffxxx.exe41⤵
- Executes dropped EXE
PID:1436 -
\??\c:\htbhbb.exec:\htbhbb.exe42⤵
- Executes dropped EXE
PID:4640 -
\??\c:\rxfflll.exec:\rxfflll.exe43⤵
- Executes dropped EXE
PID:3616 -
\??\c:\pvddv.exec:\pvddv.exe44⤵
- Executes dropped EXE
PID:4348 -
\??\c:\fxlfrlf.exec:\fxlfrlf.exe45⤵
- Executes dropped EXE
PID:2900 -
\??\c:\ntbttn.exec:\ntbttn.exe46⤵
- Executes dropped EXE
PID:968 -
\??\c:\jdpdd.exec:\jdpdd.exe47⤵
- Executes dropped EXE
PID:2708 -
\??\c:\jdjjp.exec:\jdjjp.exe48⤵
- Executes dropped EXE
PID:2828 -
\??\c:\5bbbtt.exec:\5bbbtt.exe49⤵
- Executes dropped EXE
PID:2704 -
\??\c:\btbtnh.exec:\btbtnh.exe50⤵
- Executes dropped EXE
PID:2592 -
\??\c:\ddpjj.exec:\ddpjj.exe51⤵
- Executes dropped EXE
PID:4992 -
\??\c:\rllxffl.exec:\rllxffl.exe52⤵
- Executes dropped EXE
PID:1608 -
\??\c:\rfxrllf.exec:\rfxrllf.exe53⤵
- Executes dropped EXE
PID:4052 -
\??\c:\djpdj.exec:\djpdj.exe54⤵
- Executes dropped EXE
PID:2920 -
\??\c:\3jjvp.exec:\3jjvp.exe55⤵
- Executes dropped EXE
PID:1048 -
\??\c:\7ffxrrr.exec:\7ffxrrr.exe56⤵
- Executes dropped EXE
PID:208 -
\??\c:\tbnnhh.exec:\tbnnhh.exe57⤵
- Executes dropped EXE
PID:2004 -
\??\c:\3tnbtt.exec:\3tnbtt.exe58⤵
- Executes dropped EXE
PID:1492 -
\??\c:\djjdv.exec:\djjdv.exe59⤵
- Executes dropped EXE
PID:1908 -
\??\c:\xlxrffx.exec:\xlxrffx.exe60⤵
- Executes dropped EXE
PID:2072 -
\??\c:\nbnhtt.exec:\nbnhtt.exe61⤵
- Executes dropped EXE
PID:3928 -
\??\c:\btnbbh.exec:\btnbbh.exe62⤵
- Executes dropped EXE
PID:640 -
\??\c:\pjvpj.exec:\pjvpj.exe63⤵
- Executes dropped EXE
PID:1572 -
\??\c:\1xxrlff.exec:\1xxrlff.exe64⤵
- Executes dropped EXE
PID:3372 -
\??\c:\tthbbb.exec:\tthbbb.exe65⤵
- Executes dropped EXE
PID:4588 -
\??\c:\thnhbb.exec:\thnhbb.exe66⤵PID:4192
-
\??\c:\djpjv.exec:\djpjv.exe67⤵PID:4428
-
\??\c:\lfxrllf.exec:\lfxrllf.exe68⤵PID:1296
-
\??\c:\tbnnhn.exec:\tbnnhn.exe69⤵PID:4000
-
\??\c:\bntnhh.exec:\bntnhh.exe70⤵PID:3288
-
\??\c:\jdpjj.exec:\jdpjj.exe71⤵PID:3164
-
\??\c:\rxxlfxx.exec:\rxxlfxx.exe72⤵PID:4984
-
\??\c:\9thhbb.exec:\9thhbb.exe73⤵PID:944
-
\??\c:\tbnhbb.exec:\tbnhbb.exe74⤵PID:3896
-
\??\c:\jdjjd.exec:\jdjjd.exe75⤵PID:2588
-
\??\c:\frxlrxx.exec:\frxlrxx.exe76⤵PID:4836
-
\??\c:\hbnnhh.exec:\hbnnhh.exe77⤵PID:3996
-
\??\c:\tnnhhh.exec:\tnnhhh.exe78⤵PID:4104
-
\??\c:\djjvj.exec:\djjvj.exe79⤵PID:5036
-
\??\c:\xfxxlfx.exec:\xfxxlfx.exe80⤵PID:748
-
\??\c:\thhbtt.exec:\thhbtt.exe81⤵PID:1152
-
\??\c:\bhhhnt.exec:\bhhhnt.exe82⤵PID:3116
-
\??\c:\dpjdd.exec:\dpjdd.exe83⤵PID:1736
-
\??\c:\fllxrrl.exec:\fllxrrl.exe84⤵PID:1744
-
\??\c:\bttnhh.exec:\bttnhh.exe85⤵PID:2040
-
\??\c:\httbnh.exec:\httbnh.exe86⤵PID:3496
-
\??\c:\jdvvd.exec:\jdvvd.exe87⤵PID:2956
-
\??\c:\ffrlrll.exec:\ffrlrll.exe88⤵PID:836
-
\??\c:\nhhbbn.exec:\nhhbbn.exe89⤵PID:3796
-
\??\c:\1bthth.exec:\1bthth.exe90⤵PID:4940
-
\??\c:\vjvpj.exec:\vjvpj.exe91⤵PID:2204
-
\??\c:\7rxrffx.exec:\7rxrffx.exe92⤵PID:1876
-
\??\c:\1llfxrf.exec:\1llfxrf.exe93⤵PID:2436
-
\??\c:\tnnnnh.exec:\tnnnnh.exe94⤵PID:116
-
\??\c:\7vvdj.exec:\7vvdj.exe95⤵PID:4420
-
\??\c:\7pvpj.exec:\7pvpj.exe96⤵PID:1812
-
\??\c:\frxrfff.exec:\frxrfff.exe97⤵PID:2924
-
\??\c:\bnnhhh.exec:\bnnhhh.exe98⤵PID:4080
-
\??\c:\tbhbtt.exec:\tbhbtt.exe99⤵PID:4996
-
\??\c:\vvpvp.exec:\vvpvp.exe100⤵PID:4296
-
\??\c:\fxxfrxr.exec:\fxxfrxr.exe101⤵PID:4516
-
\??\c:\tbbtnt.exec:\tbbtnt.exe102⤵PID:1144
-
\??\c:\hhntbh.exec:\hhntbh.exe103⤵PID:2112
-
\??\c:\pjjdv.exec:\pjjdv.exe104⤵PID:1372
-
\??\c:\rlxxrrl.exec:\rlxxrrl.exe105⤵PID:2268
-
\??\c:\fxfxrrf.exec:\fxfxrrf.exe106⤵PID:968
-
\??\c:\tbttnn.exec:\tbttnn.exe107⤵PID:540
-
\??\c:\9ddvv.exec:\9ddvv.exe108⤵PID:392
-
\??\c:\xflfrrl.exec:\xflfrrl.exe109⤵PID:2784
-
\??\c:\nnnnhh.exec:\nnnnhh.exe110⤵PID:4936
-
\??\c:\ttbhnh.exec:\ttbhnh.exe111⤵PID:1548
-
\??\c:\ppddd.exec:\ppddd.exe112⤵PID:1712
-
\??\c:\ddvvj.exec:\ddvvj.exe113⤵PID:3104
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe114⤵PID:1988
-
\??\c:\nhhbtt.exec:\nhhbtt.exe115⤵PID:4988
-
\??\c:\9nthbb.exec:\9nthbb.exe116⤵PID:3108
-
\??\c:\vdjvp.exec:\vdjvp.exe117⤵PID:948
-
\??\c:\rlxrffx.exec:\rlxrffx.exe118⤵PID:972
-
\??\c:\tttbbt.exec:\tttbbt.exe119⤵PID:2036
-
\??\c:\3ntnbb.exec:\3ntnbb.exe120⤵PID:3652
-
\??\c:\dvjjj.exec:\dvjjj.exe121⤵PID:2072
-
\??\c:\xllfrxf.exec:\xllfrxf.exe122⤵PID:1980