Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 05:39
Behavioral task
behavioral1
Sample
7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe
-
Size
345KB
-
MD5
f71b220df3dcfffd0380112f44a33edc
-
SHA1
5b094cc982f2f0bbef20e532b5a68180172f22be
-
SHA256
7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b
-
SHA512
9822a720d58ff28f5ea41e83d950ed9d5e720a9332657af388e86f0600b3293c0586ac018d3e00f73d7256ea5b448e44551abde35a24bcb230d07129a04da104
-
SSDEEP
6144:Lcm4FmowdHoSEYW5fNZWB5hFfci3Add4kGYAm:R4wFHoS3WXZshJX2VGdm
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1368-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1540-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3008-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5096-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2400-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-47-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2644-53-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1108-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1972-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4436-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4324-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2988-92-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5036-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2472-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4272-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2752-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1156-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4012-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1720-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2456-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3772-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/336-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4796-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5064-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2556-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1368-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2668-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2448-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4496-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2360-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3716-255-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4016-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2204-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3352-274-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-293-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5068-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1476-309-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-333-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-350-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/556-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1268-388-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4016-420-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4200-448-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3556-475-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-480-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-543-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-566-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4544-659-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-704-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-729-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/556-770-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1540 7nbttt.exe 3008 xrlffxx.exe 3512 htthtn.exe 1960 vpjjv.exe 1840 1bhttn.exe 5096 dpvjv.exe 2140 7hhnbn.exe 2400 jjvpd.exe 4464 frlrfxl.exe 2644 hbhbht.exe 1108 3djvv.exe 1972 nhthnb.exe 4616 jdjdv.exe 4436 1xxrffr.exe 4232 bbbbnh.exe 3152 dvjpj.exe 4324 rflrxff.exe 2988 vjdpj.exe 5036 lxxrfxr.exe 4080 frxrffx.exe 3564 pjdvj.exe 2472 rxfrlfr.exe 2752 tnnnhb.exe 1156 1pjvj.exe 4272 1fxrfrf.exe 4012 9nthtn.exe 3048 hthbtn.exe 2684 rxflllr.exe 1720 ntbnbn.exe 2456 vpppj.exe 4736 htbthb.exe 4864 vvvvd.exe 3772 3jjjv.exe 720 frrlxxl.exe 1392 nhthtn.exe 336 ddjvv.exe 1076 xxffxrr.exe 1904 xrxrfxr.exe 2772 7hhtnh.exe 4156 djjvj.exe 4796 rflxfxf.exe 5064 5hbnht.exe 2012 bnnbtn.exe 3624 pdjvp.exe 1956 xxfrlff.exe 872 flrfrfr.exe 2556 tnnbnh.exe 3908 djddv.exe 676 fxlxlxr.exe 2880 xlxxxlf.exe 3612 btbnbn.exe 1924 pvvpv.exe 2740 dddpd.exe 944 xxxrxxf.exe 4400 xfrlfxr.exe 2828 7hbnhh.exe 1368 djdpd.exe 2552 djppd.exe 1832 fxxrfrl.exe 1696 xflfxxx.exe 1864 hhnnhh.exe 1268 jjjvp.exe 2876 pppdv.exe 2668 rxxflxr.exe -
resource yara_rule behavioral2/memory/1368-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b8e-3.dat upx behavioral2/memory/1368-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c83-8.dat upx behavioral2/memory/1540-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c87-11.dat upx behavioral2/memory/3008-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c88-19.dat upx behavioral2/memory/3512-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c89-23.dat upx behavioral2/memory/1960-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8a-28.dat upx behavioral2/memory/1840-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8b-33.dat upx behavioral2/memory/5096-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8d-38.dat upx behavioral2/files/0x0007000000023c8e-42.dat upx behavioral2/memory/2400-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4464-47-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c8f-48.dat upx behavioral2/files/0x0007000000023c90-52.dat upx behavioral2/memory/2644-53-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1108-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c91-57.dat upx behavioral2/files/0x0007000000023c92-61.dat upx behavioral2/memory/1972-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4616-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c93-67.dat upx behavioral2/files/0x0007000000023c94-73.dat upx behavioral2/memory/4436-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c95-77.dat upx 
behavioral2/memory/4232-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c96-82.dat upx behavioral2/files/0x0008000000023c84-88.dat upx behavioral2/memory/4324-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c98-91.dat upx behavioral2/memory/2988-92-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c99-97.dat upx behavioral2/memory/5036-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9a-101.dat upx behavioral2/memory/4080-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9b-106.dat upx behavioral2/files/0x0007000000023c9c-111.dat upx behavioral2/memory/2472-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9d-116.dat upx behavioral2/files/0x0007000000023c9e-122.dat upx behavioral2/memory/4272-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023c9f-126.dat upx behavioral2/memory/2752-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1156-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca0-129.dat upx behavioral2/memory/4012-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca1-135.dat upx behavioral2/files/0x0007000000023ca2-139.dat upx behavioral2/files/0x0007000000023ca3-143.dat upx behavioral2/memory/1720-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2456-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-148.dat upx behavioral2/files/0x0007000000023ca5-153.dat upx behavioral2/memory/3772-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1392-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/336-167-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2772-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4796-179-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbthth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1368 wrote to memory of 1540 1368 7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe 84 PID 1368 wrote to memory of 1540 1368 7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe 84 PID 1368 wrote to memory of 1540 1368 7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe 84 PID 1540 wrote to memory of 3008 1540 7nbttt.exe 85 PID 1540 wrote to memory of 3008 1540 7nbttt.exe 85 PID 1540 wrote to memory of 3008 1540 7nbttt.exe 85 PID 3008 wrote to memory of 3512 3008 xrlffxx.exe 86 PID 3008 wrote to memory of 3512 3008 xrlffxx.exe 86 PID 3008 wrote to memory of 3512 3008 xrlffxx.exe 86 PID 3512 wrote to memory of 1960 3512 htthtn.exe 87 PID 3512 wrote to memory of 1960 3512 htthtn.exe 87 PID 3512 wrote to memory of 1960 3512 htthtn.exe 87 PID 1960 wrote to memory of 1840 1960 vpjjv.exe 88 PID 1960 wrote to memory of 1840 1960 vpjjv.exe 88 PID 1960 wrote to memory of 1840 1960 vpjjv.exe 88 PID 1840 wrote to memory of 5096 1840 1bhttn.exe 89 PID 1840 wrote to memory of 5096 1840 1bhttn.exe 89 PID 1840 wrote to memory of 5096 1840 1bhttn.exe 89 PID 5096 wrote to memory of 2140 5096 dpvjv.exe 90 PID 5096 wrote to memory of 2140 5096 dpvjv.exe 90 PID 5096 wrote to memory of 2140 5096 dpvjv.exe 90 PID 2140 wrote to memory of 2400 2140 7hhnbn.exe 91 PID 2140 wrote to memory of 2400 2140 7hhnbn.exe 91 PID 2140 wrote to memory of 2400 2140 7hhnbn.exe 91 PID 2400 wrote to memory of 4464 2400 jjvpd.exe 92 PID 2400 wrote to memory of 4464 2400 jjvpd.exe 92 PID 2400 wrote to memory of 4464 2400 jjvpd.exe 92 PID 4464 wrote to memory of 2644 4464 frlrfxl.exe 93 PID 4464 wrote to memory of 2644 4464 frlrfxl.exe 93 PID 4464 wrote to memory of 2644 4464 frlrfxl.exe 93 PID 2644 wrote to memory of 1108 2644 hbhbht.exe 94 PID 2644 wrote to memory of 1108 2644 hbhbht.exe 94 PID 2644 wrote to memory of 1108 2644 hbhbht.exe 94 PID 1108 wrote to memory of 1972 1108 3djvv.exe 95 PID 1108 wrote to 
memory of 1972 1108 3djvv.exe 95 PID 1108 wrote to memory of 1972 1108 3djvv.exe 95 PID 1972 wrote to memory of 4616 1972 nhthnb.exe 96 PID 1972 wrote to memory of 4616 1972 nhthnb.exe 96 PID 1972 wrote to memory of 4616 1972 nhthnb.exe 96 PID 4616 wrote to memory of 4436 4616 jdjdv.exe 97 PID 4616 wrote to memory of 4436 4616 jdjdv.exe 97 PID 4616 wrote to memory of 4436 4616 jdjdv.exe 97 PID 4436 wrote to memory of 4232 4436 1xxrffr.exe 98 PID 4436 wrote to memory of 4232 4436 1xxrffr.exe 98 PID 4436 wrote to memory of 4232 4436 1xxrffr.exe 98 PID 4232 wrote to memory of 3152 4232 bbbbnh.exe 99 PID 4232 wrote to memory of 3152 4232 bbbbnh.exe 99 PID 4232 wrote to memory of 3152 4232 bbbbnh.exe 99 PID 3152 wrote to memory of 4324 3152 dvjpj.exe 100 PID 3152 wrote to memory of 4324 3152 dvjpj.exe 100 PID 3152 wrote to memory of 4324 3152 dvjpj.exe 100 PID 4324 wrote to memory of 2988 4324 rflrxff.exe 101 PID 4324 wrote to memory of 2988 4324 rflrxff.exe 101 PID 4324 wrote to memory of 2988 4324 rflrxff.exe 101 PID 2988 wrote to memory of 5036 2988 vjdpj.exe 102 PID 2988 wrote to memory of 5036 2988 vjdpj.exe 102 PID 2988 wrote to memory of 5036 2988 vjdpj.exe 102 PID 5036 wrote to memory of 4080 5036 lxxrfxr.exe 103 PID 5036 wrote to memory of 4080 5036 lxxrfxr.exe 103 PID 5036 wrote to memory of 4080 5036 lxxrfxr.exe 103 PID 4080 wrote to memory of 3564 4080 frxrffx.exe 104 PID 4080 wrote to memory of 3564 4080 frxrffx.exe 104 PID 4080 wrote to memory of 3564 4080 frxrffx.exe 104 PID 3564 wrote to memory of 2472 3564 pjdvj.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe"C:\Users\Admin\AppData\Local\Temp\7459b02fa9e3f3dcbfe02e7632b1679e816abb8e24d9d402cba88837c4879c6b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\7nbttt.exec:\7nbttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\xrlffxx.exec:\xrlffxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\htthtn.exec:\htthtn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\vpjjv.exec:\vpjjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\1bhttn.exec:\1bhttn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\dpvjv.exec:\dpvjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\7hhnbn.exec:\7hhnbn.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\jjvpd.exec:\jjvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\frlrfxl.exec:\frlrfxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\hbhbht.exec:\hbhbht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\3djvv.exec:\3djvv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\nhthnb.exec:\nhthnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
\??\c:\jdjdv.exec:\jdjdv.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4616 -
\??\c:\1xxrffr.exec:\1xxrffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
\??\c:\bbbbnh.exec:\bbbbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\dvjpj.exec:\dvjpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\rflrxff.exec:\rflrxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
\??\c:\vjdpj.exec:\vjdpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\frxrffx.exec:\frxrffx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\pjdvj.exec:\pjdvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe23⤵
- Executes dropped EXE
PID:2472 -
\??\c:\tnnnhb.exec:\tnnnhb.exe24⤵
- Executes dropped EXE
PID:2752 -
\??\c:\1pjvj.exec:\1pjvj.exe25⤵
- Executes dropped EXE
PID:1156 -
\??\c:\1fxrfrf.exec:\1fxrfrf.exe26⤵
- Executes dropped EXE
PID:4272 -
\??\c:\9nthtn.exec:\9nthtn.exe27⤵
- Executes dropped EXE
PID:4012 -
\??\c:\hthbtn.exec:\hthbtn.exe28⤵
- Executes dropped EXE
PID:3048 -
\??\c:\rxflllr.exec:\rxflllr.exe29⤵
- Executes dropped EXE
PID:2684 -
\??\c:\ntbnbn.exec:\ntbnbn.exe30⤵
- Executes dropped EXE
PID:1720 -
\??\c:\vpppj.exec:\vpppj.exe31⤵
- Executes dropped EXE
PID:2456 -
\??\c:\htbthb.exec:\htbthb.exe32⤵
- Executes dropped EXE
PID:4736 -
\??\c:\vvvvd.exec:\vvvvd.exe33⤵
- Executes dropped EXE
PID:4864 -
\??\c:\3jjjv.exec:\3jjjv.exe34⤵
- Executes dropped EXE
PID:3772 -
\??\c:\frrlxxl.exec:\frrlxxl.exe35⤵
- Executes dropped EXE
PID:720 -
\??\c:\nhthtn.exec:\nhthtn.exe36⤵
- Executes dropped EXE
PID:1392 -
\??\c:\ddjvv.exec:\ddjvv.exe37⤵
- Executes dropped EXE
PID:336 -
\??\c:\xxffxrr.exec:\xxffxrr.exe38⤵
- Executes dropped EXE
PID:1076 -
\??\c:\xrxrfxr.exec:\xrxrfxr.exe39⤵
- Executes dropped EXE
PID:1904 -
\??\c:\7hhtnh.exec:\7hhtnh.exe40⤵
- Executes dropped EXE
PID:2772 -
\??\c:\djjvj.exec:\djjvj.exe41⤵
- Executes dropped EXE
PID:4156 -
\??\c:\rflxfxf.exec:\rflxfxf.exe42⤵
- Executes dropped EXE
PID:4796 -
\??\c:\5hbnht.exec:\5hbnht.exe43⤵
- Executes dropped EXE
PID:5064 -
\??\c:\bnnbtn.exec:\bnnbtn.exe44⤵
- Executes dropped EXE
PID:2012 -
\??\c:\pdjvp.exec:\pdjvp.exe45⤵
- Executes dropped EXE
PID:3624 -
\??\c:\xxfrlff.exec:\xxfrlff.exe46⤵
- Executes dropped EXE
PID:1956 -
\??\c:\flrfrfr.exec:\flrfrfr.exe47⤵
- Executes dropped EXE
PID:872 -
\??\c:\tnnbnh.exec:\tnnbnh.exe48⤵
- Executes dropped EXE
PID:2556 -
\??\c:\djddv.exec:\djddv.exe49⤵
- Executes dropped EXE
PID:3908 -
\??\c:\fxlxlxr.exec:\fxlxlxr.exe50⤵
- Executes dropped EXE
PID:676 -
\??\c:\xlxxxlf.exec:\xlxxxlf.exe51⤵
- Executes dropped EXE
PID:2880 -
\??\c:\btbnbn.exec:\btbnbn.exe52⤵
- Executes dropped EXE
PID:3612 -
\??\c:\pvvpv.exec:\pvvpv.exe53⤵
- Executes dropped EXE
PID:1924 -
\??\c:\dddpd.exec:\dddpd.exe54⤵
- Executes dropped EXE
PID:2740 -
\??\c:\xxxrxxf.exec:\xxxrxxf.exe55⤵
- Executes dropped EXE
PID:944 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe56⤵
- Executes dropped EXE
PID:4400 -
\??\c:\7hbnhh.exec:\7hbnhh.exe57⤵
- Executes dropped EXE
PID:2828 -
\??\c:\djdpd.exec:\djdpd.exe58⤵
- Executes dropped EXE
PID:1368 -
\??\c:\djppd.exec:\djppd.exe59⤵
- Executes dropped EXE
PID:2552 -
\??\c:\fxxrfrl.exec:\fxxrfrl.exe60⤵
- Executes dropped EXE
PID:1832 -
\??\c:\xflfxxx.exec:\xflfxxx.exe61⤵
- Executes dropped EXE
PID:1696 -
\??\c:\hhnnhh.exec:\hhnnhh.exe62⤵
- Executes dropped EXE
PID:1864 -
\??\c:\jjjvp.exec:\jjjvp.exe63⤵
- Executes dropped EXE
PID:1268 -
\??\c:\pppdv.exec:\pppdv.exe64⤵
- Executes dropped EXE
PID:2876 -
\??\c:\rxxflxr.exec:\rxxflxr.exe65⤵
- Executes dropped EXE
PID:2668 -
\??\c:\3llffxx.exec:\3llffxx.exe66⤵PID:2448
-
\??\c:\hnnhbb.exec:\hnnhbb.exe67⤵PID:1636
-
\??\c:\pvvpj.exec:\pvvpj.exe68⤵PID:744
-
\??\c:\jjjjp.exec:\jjjjp.exe69⤵PID:4468
-
\??\c:\rxxxrll.exec:\rxxxrll.exe70⤵PID:4496
-
\??\c:\ttnhbb.exec:\ttnhbb.exe71⤵PID:4464
-
\??\c:\nhhbnh.exec:\nhhbnh.exe72⤵PID:2360
-
\??\c:\pjjjd.exec:\pjjjd.exe73⤵PID:1084
-
\??\c:\xllxlfx.exec:\xllxlfx.exe74⤵PID:3716
-
\??\c:\lrxrfxr.exec:\lrxrfxr.exe75⤵PID:264
-
\??\c:\thhhbb.exec:\thhhbb.exe76⤵PID:4016
-
\??\c:\pjvpv.exec:\pjvpv.exe77⤵PID:2184
-
\??\c:\jvjvd.exec:\jvjvd.exe78⤵PID:3108
-
\??\c:\3xflxlf.exec:\3xflxlf.exe79⤵PID:4960
-
\??\c:\ffxxrxx.exec:\ffxxrxx.exe80⤵PID:2204
-
\??\c:\bnhttb.exec:\bnhttb.exe81⤵PID:2560
-
\??\c:\ppppp.exec:\ppppp.exe82⤵PID:3352
-
\??\c:\dvdpd.exec:\dvdpd.exe83⤵PID:3024
-
\??\c:\fffxllf.exec:\fffxllf.exe84⤵PID:2312
-
\??\c:\nhhbnh.exec:\nhhbnh.exe85⤵PID:1584
-
\??\c:\bbnhbt.exec:\bbnhbt.exe86⤵PID:4132
-
\??\c:\dpvpj.exec:\dpvpj.exe87⤵PID:3000
-
\??\c:\rxxrfxr.exec:\rxxrfxr.exe88⤵PID:3680
-
\??\c:\bnthtn.exec:\bnthtn.exe89⤵PID:2404
-
\??\c:\nnbthh.exec:\nnbthh.exe90⤵PID:2872
-
\??\c:\jpjpj.exec:\jpjpj.exe91⤵PID:228
-
\??\c:\llxrrxx.exec:\llxrrxx.exe92⤵PID:2592
-
\??\c:\lrxrllf.exec:\lrxrllf.exe93⤵PID:3876
-
\??\c:\1bhbtt.exec:\1bhbtt.exe94⤵PID:956
-
\??\c:\hbnnnn.exec:\hbnnnn.exe95⤵PID:3664
-
\??\c:\3jppp.exec:\3jppp.exe96⤵PID:4012
-
\??\c:\fxlfrrl.exec:\fxlfrrl.exe97⤵PID:5068
-
\??\c:\xflfxxf.exec:\xflfxxf.exe98⤵PID:1476
-
\??\c:\nnttth.exec:\nnttth.exe99⤵PID:2832
-
\??\c:\dpvjv.exec:\dpvjv.exe100⤵PID:5000
-
\??\c:\vjvpj.exec:\vjvpj.exe101⤵PID:5104
-
\??\c:\frfxxrf.exec:\frfxxrf.exe102⤵PID:3932
-
\??\c:\thttnh.exec:\thttnh.exe103⤵PID:4864
-
\??\c:\pvppd.exec:\pvppd.exe104⤵PID:4432
-
\??\c:\7rlfrrl.exec:\7rlfrrl.exe105⤵PID:2432
-
\??\c:\lflfrlx.exec:\lflfrlx.exe106⤵PID:3444
-
\??\c:\1ntnnh.exec:\1ntnnh.exe107⤵PID:3968
-
\??\c:\vjpjd.exec:\vjpjd.exe108⤵PID:112
-
\??\c:\ddvpp.exec:\ddvpp.exe109⤵PID:4952
-
\??\c:\xlfxfxr.exec:\xlfxfxr.exe110⤵PID:1904
-
\??\c:\hnnnhh.exec:\hnnnhh.exe111⤵PID:2772
-
\??\c:\vpvvp.exec:\vpvvp.exe112⤵PID:4156
-
\??\c:\pvdvp.exec:\pvdvp.exe113⤵PID:1668
-
\??\c:\lxxrfff.exec:\lxxrfff.exe114⤵PID:2356
-
\??\c:\xfrrllf.exec:\xfrrllf.exe115⤵PID:3076
-
\??\c:\5htnbt.exec:\5htnbt.exe116⤵PID:4844
-
\??\c:\dpvjd.exec:\dpvjd.exe117⤵PID:972
-
\??\c:\frrlxxr.exec:\frrlxxr.exe118⤵PID:1500
-
\??\c:\frrlllr.exec:\frrlllr.exe119⤵PID:5088
-
\??\c:\thhhnb.exec:\thhhnb.exe120⤵PID:556
-
\??\c:\hhbthh.exec:\hhbthh.exe121⤵PID:324
-
\??\c:\pdvvp.exec:\pdvvp.exe122⤵PID:3760