Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
25-12-2024 19:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe
-
Size
456KB
-
MD5
9dd26fc3e2915f9f302bcde5f3f1e760
-
SHA1
7a03430ac573d329b8ec6d7d33bf21c921a960e9
-
SHA256
6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154c
-
SHA512
c08ecc7535aceabcd954e2548ea8a52f40ce52adb9adb53a242a7e94851e2e0394439d9d5659429e00f0a2d72808d7d2f50b39b5f01e8b44a0b5597723542c37
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRv:q7Tc2NYHUrAwfMp3CDRv
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit is the same 0x00400000-0x0042A000 image range, just in a different process's memory dump — consistent with a single payload image being re-dropped under new names and re-executed; the UPX rule further down matches the same ranges, so the image appears to be UPX-packed)
resource yara_rule behavioral2/memory/5052-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2480-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/724-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4648-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3596-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3912-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1748-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-522-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3956-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2404-398-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2748-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3540-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1692-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/648-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-796-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-863-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-942-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-964-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-1206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (note that PIDs are recycled during this run — e.g. 4648 is listed for both vdjdv.exe and pddvv.exe, and 3596 for both 3frlxrl.exe and fxxrrrx.exe — so a PID-keyed memory dump above may belong to either process; correlate by process name and time, not by PID alone)
pid Process 5052 hhbtnh.exe 4648 vdjdv.exe 3596 3frlxrl.exe 1864 xflxrlf.exe 2104 7hhtnh.exe 3968 dvpjd.exe 4100 frrfrlx.exe 2460 xflxrrr.exe 1656 tthtbt.exe 3976 bbbthh.exe 2944 jvddv.exe 1748 xllfxrl.exe 444 tnbnth.exe 3152 dvvpj.exe 2924 rxlrlfx.exe 4744 htnhbt.exe 1856 pvpvp.exe 2988 lllrllf.exe 1892 fxfxlfx.exe 3684 3ntntn.exe 4928 jdjdv.exe 1848 lrrfrlx.exe 4560 1hnbhb.exe 3648 jjdvj.exe 1472 xrfrllf.exe 4624 tnhtnh.exe 1692 3rlfxxr.exe 928 7bhbbb.exe 3540 7thhbb.exe 1756 fxrlxxr.exe 5008 httnhh.exe 3200 djvdp.exe 2868 1rlrlxx.exe 3708 7hbtnh.exe 5076 ddppj.exe 1720 flrlrxx.exe 4112 xflrfxr.exe 5028 hbnhhb.exe 64 pjdvp.exe 4916 lxlxrxr.exe 2124 1lllllx.exe 5040 nnhbtn.exe 1440 ttbbbb.exe 2724 vddvp.exe 1032 9flfxrx.exe 3132 hhhbtt.exe 3508 1vpdv.exe 660 fffrrrl.exe 724 rffxxxr.exe 4860 thhhbb.exe 4476 9jpdv.exe 4808 lllrlfx.exe 4104 xxlllll.exe 3412 hbnnhb.exe 4648 pddvv.exe 3596 fxxrrrx.exe 4688 nnhbtt.exe 5016 vpdpj.exe 3852 3ppdv.exe 3912 rfxrfxr.exe 4100 hbntbh.exe 2460 pjjvv.exe 1132 fxxrrrr.exe 4264 flfrfxr.exe -
resource yara_rule behavioral2/memory/5052-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2480-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/724-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4648-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3912-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-338-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4036-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-522-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3956-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-398-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2748-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-109-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1856-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3584-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/648-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-796-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-863-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-942-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTPs 64 IoCs
Attempts to gather the system language of the victim host (here by opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. Many of the entries below are attributed to "Process not Found", which most likely means the reading process had already exited before the sandbox could resolve it, so the per-process attribution of this behaviour is incomplete.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes three times to the child it has just spawned, following the drop-and-execute chain shown in the process tree below; this write pattern is commonly observed at ordinary process creation and on its own does not establish code injection — the dropped-EXE chain itself is the more reliable indicator here)
description pid Process procid_target PID 2480 wrote to memory of 5052 2480 6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe 83 PID 2480 wrote to memory of 5052 2480 6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe 83 PID 2480 wrote to memory of 5052 2480 6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe 83 PID 5052 wrote to memory of 4648 5052 hhbtnh.exe 137 PID 5052 wrote to memory of 4648 5052 hhbtnh.exe 137 PID 5052 wrote to memory of 4648 5052 hhbtnh.exe 137 PID 4648 wrote to memory of 3596 4648 vdjdv.exe 85 PID 4648 wrote to memory of 3596 4648 vdjdv.exe 85 PID 4648 wrote to memory of 3596 4648 vdjdv.exe 85 PID 3596 wrote to memory of 1864 3596 3frlxrl.exe 86 PID 3596 wrote to memory of 1864 3596 3frlxrl.exe 86 PID 3596 wrote to memory of 1864 3596 3frlxrl.exe 86 PID 1864 wrote to memory of 2104 1864 xflxrlf.exe 87 PID 1864 wrote to memory of 2104 1864 xflxrlf.exe 87 PID 1864 wrote to memory of 2104 1864 xflxrlf.exe 87 PID 2104 wrote to memory of 3968 2104 7hhtnh.exe 88 PID 2104 wrote to memory of 3968 2104 7hhtnh.exe 88 PID 2104 wrote to memory of 3968 2104 7hhtnh.exe 88 PID 3968 wrote to memory of 4100 3968 dvpjd.exe 89 PID 3968 wrote to memory of 4100 3968 dvpjd.exe 89 PID 3968 wrote to memory of 4100 3968 dvpjd.exe 89 PID 4100 wrote to memory of 2460 4100 frrfrlx.exe 90 PID 4100 wrote to memory of 2460 4100 frrfrlx.exe 90 PID 4100 wrote to memory of 2460 4100 frrfrlx.exe 90 PID 2460 wrote to memory of 1656 2460 xflxrrr.exe 91 PID 2460 wrote to memory of 1656 2460 xflxrrr.exe 91 PID 2460 wrote to memory of 1656 2460 xflxrrr.exe 91 PID 1656 wrote to memory of 3976 1656 tthtbt.exe 92 PID 1656 wrote to memory of 3976 1656 tthtbt.exe 92 PID 1656 wrote to memory of 3976 1656 tthtbt.exe 92 PID 3976 wrote to memory of 2944 3976 bbbthh.exe 93 PID 3976 wrote to memory of 2944 3976 bbbthh.exe 93 PID 3976 wrote to memory of 2944 3976 bbbthh.exe 93 PID 2944 wrote to memory of 1748 2944 jvddv.exe 94 PID 2944 
wrote to memory of 1748 2944 jvddv.exe 94 PID 2944 wrote to memory of 1748 2944 jvddv.exe 94 PID 1748 wrote to memory of 444 1748 xllfxrl.exe 95 PID 1748 wrote to memory of 444 1748 xllfxrl.exe 95 PID 1748 wrote to memory of 444 1748 xllfxrl.exe 95 PID 444 wrote to memory of 3152 444 tnbnth.exe 96 PID 444 wrote to memory of 3152 444 tnbnth.exe 96 PID 444 wrote to memory of 3152 444 tnbnth.exe 96 PID 3152 wrote to memory of 2924 3152 dvvpj.exe 97 PID 3152 wrote to memory of 2924 3152 dvvpj.exe 97 PID 3152 wrote to memory of 2924 3152 dvvpj.exe 97 PID 2924 wrote to memory of 4744 2924 rxlrlfx.exe 98 PID 2924 wrote to memory of 4744 2924 rxlrlfx.exe 98 PID 2924 wrote to memory of 4744 2924 rxlrlfx.exe 98 PID 4744 wrote to memory of 1856 4744 htnhbt.exe 99 PID 4744 wrote to memory of 1856 4744 htnhbt.exe 99 PID 4744 wrote to memory of 1856 4744 htnhbt.exe 99 PID 1856 wrote to memory of 2988 1856 pvpvp.exe 100 PID 1856 wrote to memory of 2988 1856 pvpvp.exe 100 PID 1856 wrote to memory of 2988 1856 pvpvp.exe 100 PID 2988 wrote to memory of 1892 2988 lllrllf.exe 101 PID 2988 wrote to memory of 1892 2988 lllrllf.exe 101 PID 2988 wrote to memory of 1892 2988 lllrllf.exe 101 PID 1892 wrote to memory of 3684 1892 fxfxlfx.exe 102 PID 1892 wrote to memory of 3684 1892 fxfxlfx.exe 102 PID 1892 wrote to memory of 3684 1892 fxfxlfx.exe 102 PID 3684 wrote to memory of 4928 3684 3ntntn.exe 103 PID 3684 wrote to memory of 4928 3684 3ntntn.exe 103 PID 3684 wrote to memory of 4928 3684 3ntntn.exe 103 PID 4928 wrote to memory of 1848 4928 jdjdv.exe 104
Processes (a chain of dropped executables: each one is written to the root of c:\ under a short pseudo-random name and spawns the next; the visible chain is more than 120 levels deep and is cut off at the end of this page)
-
C:\Users\Admin\AppData\Local\Temp\6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe"C:\Users\Admin\AppData\Local\Temp\6cb6269fe9c95f30a85b4fe348698f3db7721ac31c6c22a4714e6b25091b154cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\hhbtnh.exec:\hhbtnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
\??\c:\vdjdv.exec:\vdjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
\??\c:\3frlxrl.exec:\3frlxrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
\??\c:\xflxrlf.exec:\xflxrlf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\7hhtnh.exec:\7hhtnh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\dvpjd.exec:\dvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3968 -
\??\c:\frrfrlx.exec:\frrfrlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\xflxrrr.exec:\xflxrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2460 -
\??\c:\tthtbt.exec:\tthtbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\bbbthh.exec:\bbbthh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\jvddv.exec:\jvddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\xllfxrl.exec:\xllfxrl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\tnbnth.exec:\tnbnth.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\dvvpj.exec:\dvvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\rxlrlfx.exec:\rxlrlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\htnhbt.exec:\htnhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\pvpvp.exec:\pvpvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\lllrllf.exec:\lllrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\fxfxlfx.exec:\fxfxlfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\3ntntn.exec:\3ntntn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\jdjdv.exec:\jdjdv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe23⤵
- Executes dropped EXE
PID:1848 -
\??\c:\1hnbhb.exec:\1hnbhb.exe24⤵
- Executes dropped EXE
PID:4560 -
\??\c:\jjdvj.exec:\jjdvj.exe25⤵
- Executes dropped EXE
PID:3648 -
\??\c:\xrfrllf.exec:\xrfrllf.exe26⤵
- Executes dropped EXE
PID:1472 -
\??\c:\tnhtnh.exec:\tnhtnh.exe27⤵
- Executes dropped EXE
PID:4624 -
\??\c:\3rlfxxr.exec:\3rlfxxr.exe28⤵
- Executes dropped EXE
PID:1692 -
\??\c:\7bhbbb.exec:\7bhbbb.exe29⤵
- Executes dropped EXE
PID:928 -
\??\c:\7thhbb.exec:\7thhbb.exe30⤵
- Executes dropped EXE
PID:3540 -
\??\c:\fxrlxxr.exec:\fxrlxxr.exe31⤵
- Executes dropped EXE
PID:1756 -
\??\c:\httnhh.exec:\httnhh.exe32⤵
- Executes dropped EXE
PID:5008 -
\??\c:\djvdp.exec:\djvdp.exe33⤵
- Executes dropped EXE
PID:3200 -
\??\c:\1rlrlxx.exec:\1rlrlxx.exe34⤵
- Executes dropped EXE
PID:2868 -
\??\c:\7hbtnh.exec:\7hbtnh.exe35⤵
- Executes dropped EXE
PID:3708 -
\??\c:\ddppj.exec:\ddppj.exe36⤵
- Executes dropped EXE
PID:5076 -
\??\c:\flrlrxx.exec:\flrlrxx.exe37⤵
- Executes dropped EXE
PID:1720 -
\??\c:\xflrfxr.exec:\xflrfxr.exe38⤵
- Executes dropped EXE
PID:4112 -
\??\c:\hbnhhb.exec:\hbnhhb.exe39⤵
- Executes dropped EXE
PID:5028 -
\??\c:\pjdvp.exec:\pjdvp.exe40⤵
- Executes dropped EXE
PID:64 -
\??\c:\lxlxrxr.exec:\lxlxrxr.exe41⤵
- Executes dropped EXE
PID:4916 -
\??\c:\1lllllx.exec:\1lllllx.exe42⤵
- Executes dropped EXE
PID:2124 -
\??\c:\nnhbtn.exec:\nnhbtn.exe43⤵
- Executes dropped EXE
PID:5040 -
\??\c:\ttbbbb.exec:\ttbbbb.exe44⤵
- Executes dropped EXE
PID:1440 -
\??\c:\vddvp.exec:\vddvp.exe45⤵
- Executes dropped EXE
PID:2724 -
\??\c:\9flfxrx.exec:\9flfxrx.exe46⤵
- Executes dropped EXE
PID:1032 -
\??\c:\hhhbtt.exec:\hhhbtt.exe47⤵
- Executes dropped EXE
PID:3132 -
\??\c:\1vpdv.exec:\1vpdv.exe48⤵
- Executes dropped EXE
PID:3508 -
\??\c:\fffrrrl.exec:\fffrrrl.exe49⤵
- Executes dropped EXE
PID:660 -
\??\c:\rffxxxr.exec:\rffxxxr.exe50⤵
- Executes dropped EXE
PID:724 -
\??\c:\thhhbb.exec:\thhhbb.exe51⤵
- Executes dropped EXE
PID:4860 -
\??\c:\9jpdv.exec:\9jpdv.exe52⤵
- Executes dropped EXE
PID:4476 -
\??\c:\lllrlfx.exec:\lllrlfx.exe53⤵
- Executes dropped EXE
PID:4808 -
\??\c:\xxlllll.exec:\xxlllll.exe54⤵
- Executes dropped EXE
PID:4104 -
\??\c:\hbnnhb.exec:\hbnnhb.exe55⤵
- Executes dropped EXE
PID:3412 -
\??\c:\pddvv.exec:\pddvv.exe56⤵
- Executes dropped EXE
PID:4648 -
\??\c:\fxxrrrx.exec:\fxxrrrx.exe57⤵
- Executes dropped EXE
PID:3596 -
\??\c:\nnhbtt.exec:\nnhbtt.exe58⤵
- Executes dropped EXE
PID:4688 -
\??\c:\vpdpj.exec:\vpdpj.exe59⤵
- Executes dropped EXE
PID:5016 -
\??\c:\3ppdv.exec:\3ppdv.exe60⤵
- Executes dropped EXE
PID:3852 -
\??\c:\rfxrfxr.exec:\rfxrfxr.exe61⤵
- Executes dropped EXE
PID:3912 -
\??\c:\hbntbh.exec:\hbntbh.exe62⤵
- Executes dropped EXE
PID:4100 -
\??\c:\pjjvv.exec:\pjjvv.exe63⤵
- Executes dropped EXE
PID:2460 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe64⤵
- Executes dropped EXE
PID:1132 -
\??\c:\flfrfxr.exec:\flfrfxr.exe65⤵
- Executes dropped EXE
PID:4264 -
\??\c:\9bhbnt.exec:\9bhbnt.exe66⤵PID:2624
-
\??\c:\7vpdp.exec:\7vpdp.exe67⤵PID:2008
-
\??\c:\dpvpp.exec:\dpvpp.exe68⤵PID:2748
-
\??\c:\9rrfrlr.exec:\9rrfrlr.exe69⤵PID:2156
-
\??\c:\tbthtn.exec:\tbthtn.exe70⤵PID:1748
-
\??\c:\tthnbh.exec:\tthnbh.exe71⤵PID:3688
-
\??\c:\dpdvp.exec:\dpdvp.exe72⤵PID:3108
-
\??\c:\3rxfxlx.exec:\3rxfxlx.exe73⤵PID:4000
-
\??\c:\nhnhnb.exec:\nhnhnb.exe74⤵PID:4588
-
\??\c:\httbtb.exec:\httbtb.exe75⤵PID:4236
-
\??\c:\vdjpd.exec:\vdjpd.exe76⤵PID:516
-
\??\c:\lrfxfrx.exec:\lrfxfrx.exe77⤵PID:3384
-
\??\c:\1thnth.exec:\1thnth.exe78⤵PID:2312
-
\??\c:\5thtbt.exec:\5thtbt.exe79⤵PID:1524
-
\??\c:\vppjv.exec:\vppjv.exe80⤵PID:4228
-
\??\c:\rfxrfrl.exec:\rfxrfrl.exe81⤵PID:1480
-
\??\c:\xlfxlfl.exec:\xlfxlfl.exe82⤵PID:1460
-
\??\c:\nhhtnb.exec:\nhhtnb.exe83⤵PID:1544
-
\??\c:\jjdvj.exec:\jjdvj.exe84⤵PID:3604
-
\??\c:\pdpdv.exec:\pdpdv.exe85⤵PID:2540
-
\??\c:\xlxlfxr.exec:\xlxlfxr.exe86⤵PID:1540
-
\??\c:\5ffxllx.exec:\5ffxllx.exe87⤵PID:3776
-
\??\c:\tntnhb.exec:\tntnhb.exe88⤵PID:4956
-
\??\c:\vvdpd.exec:\vvdpd.exe89⤵PID:4640
-
\??\c:\dvjjj.exec:\dvjjj.exe90⤵PID:1156
-
\??\c:\lxxllrl.exec:\lxxllrl.exe91⤵PID:1924
-
\??\c:\7lffxxl.exec:\7lffxxl.exe92⤵PID:2636
-
\??\c:\7bbbtt.exec:\7bbbtt.exe93⤵PID:3408
-
\??\c:\pdvdv.exec:\pdvdv.exe94⤵PID:4036
-
\??\c:\3jpdv.exec:\3jpdv.exe95⤵PID:2404
-
\??\c:\ffrlrlx.exec:\ffrlrlx.exe96⤵PID:1008
-
\??\c:\1hhnbb.exec:\1hhnbb.exe97⤵PID:3956
-
\??\c:\nbhtnn.exec:\nbhtnn.exe98⤵PID:4112
-
\??\c:\1jjdv.exec:\1jjdv.exe99⤵PID:2204
-
\??\c:\rlrllfx.exec:\rlrllfx.exe100⤵PID:2464
-
\??\c:\nnttnb.exec:\nnttnb.exe101⤵PID:5092
-
\??\c:\hhhtnt.exec:\hhhtnt.exe102⤵PID:4260
-
\??\c:\djpdv.exec:\djpdv.exe103⤵PID:216
-
\??\c:\5jpdj.exec:\5jpdj.exe104⤵PID:1704
-
\??\c:\fxrlxxl.exec:\fxrlxxl.exe105⤵PID:3496
-
\??\c:\tbhbnh.exec:\tbhbnh.exe106⤵PID:3144
-
\??\c:\btthbt.exec:\btthbt.exe107⤵PID:2372
-
\??\c:\pppjd.exec:\pppjd.exe108⤵PID:4460
-
\??\c:\fxrlrlf.exec:\fxrlrlf.exe109⤵PID:4280
-
\??\c:\xxxxxxx.exec:\xxxxxxx.exe110⤵PID:5108
-
\??\c:\1bnhtb.exec:\1bnhtb.exe111⤵PID:2260
-
\??\c:\djpjv.exec:\djpjv.exe112⤵PID:4968
-
\??\c:\jdvdj.exec:\jdvdj.exe113⤵PID:4600
-
\??\c:\frlfxrl.exec:\frlfxrl.exe114⤵PID:4448
-
\??\c:\3bnhtn.exec:\3bnhtn.exe115⤵PID:4936
-
\??\c:\bnthbt.exec:\bnthbt.exe116⤵
- System Location Discovery: System Language Discovery
PID:3948 -
\??\c:\jdvjv.exec:\jdvjv.exe117⤵PID:404
-
\??\c:\rrxlxrf.exec:\rrxlxrf.exe118⤵PID:3252
-
\??\c:\1xrlxrf.exec:\1xrlxrf.exe119⤵PID:2472
-
\??\c:\hbbhnb.exec:\hbbhnb.exe120⤵PID:3596
-
\??\c:\ppjdv.exec:\ppjdv.exe121⤵PID:768
-
\??\c:\jjdvp.exec:\jjdvp.exe122⤵PID:3968