Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-12-2024 05:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe
-
Size
453KB
-
MD5
4ad9576f008b10da688ab637f2807b70
-
SHA1
5842fce613b82b93e14a46fda4bdb6a37a8fecb1
-
SHA256
0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccf
-
SHA512
0a7b786655aa61b6fd4d808807a4e9be7fcd0a15f2c3f170d51e392d2036ad121cdb00351ef22f72b749c43d0623f6b22bf3680d5250f501997fa94adabd6115
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex:q7Tc2NYHUrAwfMp3CDx
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1756-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3028-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3684-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/32-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/704-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/896-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1716-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4556-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2456-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3364-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4156-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-797-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-886-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-1590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/348-1618-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4492 hhbnhb.exe 4064 7jdvp.exe 1844 vpjdp.exe 4600 7pvpv.exe 5000 xffrlll.exe 3712 pdjdv.exe 3604 ntnhbt.exe 3580 lxfxfxr.exe 1556 jvdvp.exe 3028 ffrrffr.exe 4188 bhtnbh.exe 3568 fxxxllf.exe 412 7bhhnt.exe 3812 vppjd.exe 4928 pjvpd.exe 2828 lflfffx.exe 3116 7llfxfl.exe 4876 lfxfxlf.exe 3476 1pdvv.exe 3444 htbtnh.exe 3940 ddjvd.exe 5044 xrrxxxr.exe 1516 1rlfrrl.exe 1656 xflllll.exe 4504 nbnbtt.exe 3684 rrfxrll.exe 4532 pdvpj.exe 3696 rlrllrl.exe 4996 7tbthh.exe 2716 lllflrr.exe 2000 7jvdv.exe 4012 hbbtnn.exe 1896 lrffflf.exe 1580 9nnhbb.exe 1956 vppdv.exe 5080 lffxxxx.exe 4720 thnhbn.exe 2872 jdvpj.exe 4912 fffxrxr.exe 1368 xlrrrrr.exe 2172 9tbbhh.exe 3064 9pvvp.exe 2072 rfllxxr.exe 32 tnbttt.exe 4804 pvjjd.exe 704 flrlxrl.exe 1728 7lrlfxx.exe 4352 nbbnhb.exe 3572 vpjdv.exe 896 fffrllf.exe 4728 nbnhbb.exe 4064 pjpjd.exe 4100 pvdvj.exe 1936 frrlrrl.exe 5108 bnttnt.exe 1716 dpvpp.exe 4972 5lrrrxx.exe 2568 bhbthh.exe 4448 jpdvv.exe 4940 rlllxxr.exe 1476 lffxrlx.exe 4024 httbth.exe 4556 jpvvd.exe 4700 rlllxxr.exe -
resource yara_rule behavioral2/memory/1756-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3028-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4532-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/32-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/704-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/896-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1716-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3364-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4156-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-797-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-886-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbnn.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1756 wrote to memory of 4492 1756 0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe 82 PID 1756 wrote to memory of 4492 1756 0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe 82 PID 1756 wrote to memory of 4492 1756 0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe 82 PID 4492 wrote to memory of 4064 4492 hhbnhb.exe 83 PID 4492 wrote to memory of 4064 4492 hhbnhb.exe 83 PID 4492 wrote to memory of 4064 4492 hhbnhb.exe 83 PID 4064 wrote to memory of 1844 4064 7jdvp.exe 84 PID 4064 wrote to memory of 1844 4064 7jdvp.exe 84 PID 4064 wrote to memory of 1844 4064 7jdvp.exe 84 PID 1844 wrote to memory of 4600 1844 vpjdp.exe 85 PID 1844 wrote to memory of 4600 1844 vpjdp.exe 85 PID 1844 wrote to memory of 4600 1844 vpjdp.exe 85 PID 4600 wrote to memory of 5000 4600 7pvpv.exe 86 PID 4600 wrote to memory of 5000 4600 7pvpv.exe 86 PID 4600 wrote to memory of 5000 4600 7pvpv.exe 86 PID 5000 wrote to memory of 3712 5000 xffrlll.exe 87 PID 5000 wrote to memory of 3712 5000 xffrlll.exe 87 PID 5000 wrote to memory of 3712 5000 xffrlll.exe 87 PID 3712 wrote to memory of 3604 3712 pdjdv.exe 88 PID 3712 wrote to memory of 3604 3712 pdjdv.exe 88 PID 3712 wrote to memory of 3604 3712 pdjdv.exe 88 PID 3604 wrote to memory of 3580 3604 ntnhbt.exe 89 PID 3604 wrote to memory of 3580 3604 ntnhbt.exe 89 PID 3604 wrote to memory of 3580 3604 ntnhbt.exe 89 PID 3580 wrote to memory of 1556 3580 lxfxfxr.exe 90 PID 3580 wrote to memory of 1556 3580 lxfxfxr.exe 90 PID 3580 wrote to memory of 1556 3580 lxfxfxr.exe 90 PID 1556 wrote to memory of 3028 1556 jvdvp.exe 91 PID 1556 wrote to memory of 3028 1556 jvdvp.exe 91 PID 1556 wrote to memory of 3028 1556 jvdvp.exe 91 PID 3028 wrote to memory of 4188 3028 ffrrffr.exe 92 PID 3028 wrote to memory of 4188 3028 ffrrffr.exe 92 PID 3028 wrote to memory of 4188 3028 ffrrffr.exe 92 PID 4188 wrote to memory of 3568 4188 bhtnbh.exe 93 PID 4188 wrote to 
memory of 3568 4188 bhtnbh.exe 93 PID 4188 wrote to memory of 3568 4188 bhtnbh.exe 93 PID 3568 wrote to memory of 412 3568 fxxxllf.exe 94 PID 3568 wrote to memory of 412 3568 fxxxllf.exe 94 PID 3568 wrote to memory of 412 3568 fxxxllf.exe 94 PID 412 wrote to memory of 3812 412 7bhhnt.exe 95 PID 412 wrote to memory of 3812 412 7bhhnt.exe 95 PID 412 wrote to memory of 3812 412 7bhhnt.exe 95 PID 3812 wrote to memory of 4928 3812 vppjd.exe 96 PID 3812 wrote to memory of 4928 3812 vppjd.exe 96 PID 3812 wrote to memory of 4928 3812 vppjd.exe 96 PID 4928 wrote to memory of 2828 4928 pjvpd.exe 97 PID 4928 wrote to memory of 2828 4928 pjvpd.exe 97 PID 4928 wrote to memory of 2828 4928 pjvpd.exe 97 PID 2828 wrote to memory of 3116 2828 lflfffx.exe 98 PID 2828 wrote to memory of 3116 2828 lflfffx.exe 98 PID 2828 wrote to memory of 3116 2828 lflfffx.exe 98 PID 3116 wrote to memory of 4876 3116 7llfxfl.exe 99 PID 3116 wrote to memory of 4876 3116 7llfxfl.exe 99 PID 3116 wrote to memory of 4876 3116 7llfxfl.exe 99 PID 4876 wrote to memory of 3476 4876 lfxfxlf.exe 100 PID 4876 wrote to memory of 3476 4876 lfxfxlf.exe 100 PID 4876 wrote to memory of 3476 4876 lfxfxlf.exe 100 PID 3476 wrote to memory of 3444 3476 1pdvv.exe 101 PID 3476 wrote to memory of 3444 3476 1pdvv.exe 101 PID 3476 wrote to memory of 3444 3476 1pdvv.exe 101 PID 3444 wrote to memory of 3940 3444 htbtnh.exe 102 PID 3444 wrote to memory of 3940 3444 htbtnh.exe 102 PID 3444 wrote to memory of 3940 3444 htbtnh.exe 102 PID 3940 wrote to memory of 5044 3940 ddjvd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe"C:\Users\Admin\AppData\Local\Temp\0d08559e4b9dc61907ffc741205dc7a589a041032507a6b81180c27c2b95fccfN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\hhbnhb.exec:\hhbnhb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\7jdvp.exec:\7jdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\vpjdp.exec:\vpjdp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\7pvpv.exec:\7pvpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\xffrlll.exec:\xffrlll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\pdjdv.exec:\pdjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\ntnhbt.exec:\ntnhbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\lxfxfxr.exec:\lxfxfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\jvdvp.exec:\jvdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
\??\c:\ffrrffr.exec:\ffrrffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\bhtnbh.exec:\bhtnbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\fxxxllf.exec:\fxxxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\7bhhnt.exec:\7bhhnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\vppjd.exec:\vppjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\pjvpd.exec:\pjvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\lflfffx.exec:\lflfffx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\7llfxfl.exec:\7llfxfl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\lfxfxlf.exec:\lfxfxlf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\1pdvv.exec:\1pdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\htbtnh.exec:\htbtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\ddjvd.exec:\ddjvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\xrrxxxr.exec:\xrrxxxr.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5044 -
\??\c:\1rlfrrl.exec:\1rlfrrl.exe24⤵
- Executes dropped EXE
PID:1516 -
\??\c:\xflllll.exec:\xflllll.exe25⤵
- Executes dropped EXE
PID:1656 -
\??\c:\nbnbtt.exec:\nbnbtt.exe26⤵
- Executes dropped EXE
PID:4504 -
\??\c:\rrfxrll.exec:\rrfxrll.exe27⤵
- Executes dropped EXE
PID:3684 -
\??\c:\pdvpj.exec:\pdvpj.exe28⤵
- Executes dropped EXE
PID:4532 -
\??\c:\rlrllrl.exec:\rlrllrl.exe29⤵
- Executes dropped EXE
PID:3696 -
\??\c:\7tbthh.exec:\7tbthh.exe30⤵
- Executes dropped EXE
PID:4996 -
\??\c:\lllflrr.exec:\lllflrr.exe31⤵
- Executes dropped EXE
PID:2716 -
\??\c:\7jvdv.exec:\7jvdv.exe32⤵
- Executes dropped EXE
PID:2000 -
\??\c:\hbbtnn.exec:\hbbtnn.exe33⤵
- Executes dropped EXE
PID:4012 -
\??\c:\lrffflf.exec:\lrffflf.exe34⤵
- Executes dropped EXE
PID:1896 -
\??\c:\9nnhbb.exec:\9nnhbb.exe35⤵
- Executes dropped EXE
PID:1580 -
\??\c:\vppdv.exec:\vppdv.exe36⤵
- Executes dropped EXE
PID:1956 -
\??\c:\lffxxxx.exec:\lffxxxx.exe37⤵
- Executes dropped EXE
PID:5080 -
\??\c:\thnhbn.exec:\thnhbn.exe38⤵
- Executes dropped EXE
PID:4720 -
\??\c:\jdvpj.exec:\jdvpj.exe39⤵
- Executes dropped EXE
PID:2872 -
\??\c:\fffxrxr.exec:\fffxrxr.exe40⤵
- Executes dropped EXE
PID:4912 -
\??\c:\xlrrrrr.exec:\xlrrrrr.exe41⤵
- Executes dropped EXE
PID:1368 -
\??\c:\9tbbhh.exec:\9tbbhh.exe42⤵
- Executes dropped EXE
PID:2172 -
\??\c:\9pvvp.exec:\9pvvp.exe43⤵
- Executes dropped EXE
PID:3064 -
\??\c:\rfllxxr.exec:\rfllxxr.exe44⤵
- Executes dropped EXE
PID:2072 -
\??\c:\tnbttt.exec:\tnbttt.exe45⤵
- Executes dropped EXE
PID:32 -
\??\c:\pvjjd.exec:\pvjjd.exe46⤵
- Executes dropped EXE
PID:4804 -
\??\c:\flrlxrl.exec:\flrlxrl.exe47⤵
- Executes dropped EXE
PID:704 -
\??\c:\7lrlfxx.exec:\7lrlfxx.exe48⤵
- Executes dropped EXE
PID:1728 -
\??\c:\nbbnhb.exec:\nbbnhb.exe49⤵
- Executes dropped EXE
PID:4352 -
\??\c:\dvdvv.exec:\dvdvv.exe50⤵PID:2268
-
\??\c:\vpjdv.exec:\vpjdv.exe51⤵
- Executes dropped EXE
PID:3572 -
\??\c:\fffrllf.exec:\fffrllf.exe52⤵
- Executes dropped EXE
PID:896 -
\??\c:\nbnhbb.exec:\nbnhbb.exe53⤵
- Executes dropped EXE
PID:4728 -
\??\c:\pjpjd.exec:\pjpjd.exe54⤵
- Executes dropped EXE
PID:4064 -
\??\c:\pvdvj.exec:\pvdvj.exe55⤵
- Executes dropped EXE
PID:4100 -
\??\c:\frrlrrl.exec:\frrlrrl.exe56⤵
- Executes dropped EXE
PID:1936 -
\??\c:\bnttnt.exec:\bnttnt.exe57⤵
- Executes dropped EXE
PID:5108 -
\??\c:\dpvpp.exec:\dpvpp.exe58⤵
- Executes dropped EXE
PID:1716 -
\??\c:\5lrrrxx.exec:\5lrrrxx.exe59⤵
- Executes dropped EXE
PID:4972 -
\??\c:\bhbthh.exec:\bhbthh.exe60⤵
- Executes dropped EXE
PID:2568 -
\??\c:\jpdvv.exec:\jpdvv.exe61⤵
- Executes dropped EXE
PID:4448 -
\??\c:\rlllxxr.exec:\rlllxxr.exe62⤵
- Executes dropped EXE
PID:4940 -
\??\c:\lffxrlx.exec:\lffxrlx.exe63⤵
- Executes dropped EXE
PID:1476 -
\??\c:\httbth.exec:\httbth.exe64⤵
- Executes dropped EXE
PID:4024 -
\??\c:\jpvvd.exec:\jpvvd.exe65⤵
- Executes dropped EXE
PID:4556 -
\??\c:\rlllxxr.exec:\rlllxxr.exe66⤵
- Executes dropped EXE
PID:4700 -
\??\c:\nnhthn.exec:\nnhthn.exe67⤵PID:2248
-
\??\c:\jvjjj.exec:\jvjjj.exe68⤵PID:2456
-
\??\c:\fxfxrxr.exec:\fxfxrxr.exe69⤵PID:3568
-
\??\c:\nhtnhn.exec:\nhtnhn.exe70⤵PID:2500
-
\??\c:\pjvpj.exec:\pjvpj.exe71⤵PID:996
-
\??\c:\lfllfff.exec:\lfllfff.exe72⤵PID:1612
-
\??\c:\rrfffff.exec:\rrfffff.exe73⤵PID:2920
-
\??\c:\bnnnnn.exec:\bnnnnn.exe74⤵PID:4988
-
\??\c:\jjppd.exec:\jjppd.exe75⤵PID:5048
-
\??\c:\pvdvv.exec:\pvdvv.exe76⤵PID:4828
-
\??\c:\ffllfll.exec:\ffllfll.exe77⤵PID:3740
-
\??\c:\nhnnhb.exec:\nhnnhb.exe78⤵PID:4508
-
\??\c:\3jvvv.exec:\3jvvv.exe79⤵PID:2144
-
\??\c:\ffffxxr.exec:\ffffxxr.exe80⤵PID:2336
-
\??\c:\nbnnnt.exec:\nbnnnt.exe81⤵PID:1952
-
\??\c:\ntbbnn.exec:\ntbbnn.exe82⤵PID:3940
-
\??\c:\vvvpj.exec:\vvvpj.exe83⤵PID:3668
-
\??\c:\xrlfllf.exec:\xrlfllf.exe84⤵PID:3364
-
\??\c:\nbbtnn.exec:\nbbtnn.exe85⤵PID:3304
-
\??\c:\pvjdd.exec:\pvjdd.exe86⤵PID:1592
-
\??\c:\3lrrrxf.exec:\3lrrrxf.exe87⤵PID:3140
-
\??\c:\3xllflr.exec:\3xllflr.exe88⤵PID:4660
-
\??\c:\9nbbbn.exec:\9nbbbn.exe89⤵PID:1976
-
\??\c:\vvjjp.exec:\vvjjp.exe90⤵PID:5116
-
\??\c:\ffxrxfr.exec:\ffxrxfr.exe91⤵PID:4444
-
\??\c:\thtnht.exec:\thtnht.exe92⤵PID:184
-
\??\c:\nnttbn.exec:\nnttbn.exe93⤵PID:2712
-
\??\c:\vjvpj.exec:\vjvpj.exe94⤵PID:3256
-
\??\c:\fxlfxrr.exec:\fxlfxrr.exe95⤵PID:5004
-
\??\c:\1ttthh.exec:\1ttthh.exe96⤵PID:3228
-
\??\c:\jvjdj.exec:\jvjdj.exe97⤵PID:2576
-
\??\c:\rxllfff.exec:\rxllfff.exe98⤵PID:1896
-
\??\c:\thbtnh.exec:\thbtnh.exe99⤵PID:1964
-
\??\c:\ppjdv.exec:\ppjdv.exe100⤵PID:2876
-
\??\c:\pdppj.exec:\pdppj.exe101⤵PID:4860
-
\??\c:\lflrlll.exec:\lflrlll.exe102⤵PID:832
-
\??\c:\tbtbtt.exec:\tbtbtt.exe103⤵PID:3920
-
\??\c:\btnhtt.exec:\btnhtt.exe104⤵PID:3460
-
\??\c:\5dddv.exec:\5dddv.exe105⤵PID:2160
-
\??\c:\flfxxfx.exec:\flfxxfx.exe106⤵PID:3632
-
\??\c:\nhtnbh.exec:\nhtnbh.exe107⤵PID:916
-
\??\c:\jdvjv.exec:\jdvjv.exe108⤵PID:4568
-
\??\c:\vvppp.exec:\vvppp.exe109⤵PID:4800
-
\??\c:\flfxrxr.exec:\flfxrxr.exe110⤵PID:1916
-
\??\c:\btbhhh.exec:\btbhhh.exe111⤵PID:3192
-
\??\c:\dddvv.exec:\dddvv.exe112⤵PID:3592
-
\??\c:\vvdvp.exec:\vvdvp.exe113⤵PID:2904
-
\??\c:\frrfflf.exec:\frrfflf.exe114⤵PID:2252
-
\??\c:\hhhhhh.exec:\hhhhhh.exe115⤵PID:4492
-
\??\c:\djpdv.exec:\djpdv.exe116⤵PID:1572
-
\??\c:\vvddv.exec:\vvddv.exe117⤵PID:1844
-
\??\c:\3xfxrrr.exec:\3xfxrrr.exe118⤵PID:4528
-
\??\c:\hhtttb.exec:\hhtttb.exe119⤵PID:1812
-
\??\c:\nnntnn.exec:\nnntnn.exe120⤵PID:2540
-
\??\c:\1dpvd.exec:\1dpvd.exe121⤵PID:2628
-
\??\c:\lxflfll.exec:\lxflfll.exe122⤵PID:2584