Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99bN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99bN.exe
-
Size
456KB
-
MD5
8b996d3ea9cad975a116e6adc01b46f0
-
SHA1
5e7fb3e02588ee6a7507d408dc0367c814431e60
-
SHA256
b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99b
-
SHA512
19c1b8dd27dd07edaf34d110c50b9403f2960b14cc1d1df3a5b058a206c105df30e86a9d50b47b1bd40975c6bf1957ad3d23d4a0c37b15eb86b4f4deca4aac97
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRo:q7Tc2NYHUrAwfMp3CDRo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3484-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1896-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3228-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1320-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/712-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1752-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3300-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1688-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3056-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2752-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1148-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/220-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-366-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/660-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-419-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-524-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-843-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-1019-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-1033-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-1693-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2368 hnnhtn.exe 1096 pvvpj.exe 3724 bbhttn.exe 1336 jvpdj.exe 1376 frrfrlf.exe 1896 rlrrrlf.exe 3228 hbnnth.exe 3264 dpjvj.exe 4308 pdjdv.exe 4824 lfrfrlx.exe 2996 vjpjv.exe 1320 hbhnbn.exe 3936 dvdjv.exe 3004 ntnhbt.exe 208 dvdpd.exe 3176 lxrfxrl.exe 3704 3pjdp.exe 220 hthhnh.exe 712 hhbbbn.exe 3720 pddpd.exe 2868 fxflxxr.exe 4672 bnthbt.exe 3168 thhbnn.exe 2664 7ffrlll.exe 1852 nbbnth.exe 3944 jdppj.exe 2208 9nhbnh.exe 1752 3djjv.exe 4916 dpjvp.exe 3300 fxxffxx.exe 1600 pppdv.exe 4912 rlxrfxr.exe 4544 xffrfxl.exe 4524 1htnbt.exe 2780 vjdvp.exe 1256 bhnhnh.exe 1228 1thbnh.exe 1688 pvjdp.exe 3824 rxfrrll.exe 1800 nnbnth.exe 2004 tnhnth.exe 1420 5pjvd.exe 3056 3fxlxrf.exe 4408 lrrlxxr.exe 4588 vjjvj.exe 3608 1rxflfl.exe 1064 rflxlfl.exe 460 hnnbnh.exe 3832 jjpjv.exe 1476 lxxrxrf.exe 4956 7tnbnh.exe 4076 7jjdv.exe 4400 pddpd.exe 372 frxlrlx.exe 4792 nnnhtn.exe 2604 7jvpd.exe 2752 pdvjj.exe 3696 rxxrlfr.exe 1884 hnthbt.exe 4180 vpvpv.exe 3972 pddpd.exe 1456 ffrlfxl.exe 1084 thhbnh.exe 3896 jvvjd.exe -
resource yara_rule behavioral2/memory/2368-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1896-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3228-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1320-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/712-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-141-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1752-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3300-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1688-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3056-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2752-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-343-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/220-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-366-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/660-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-419-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-524-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-843-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-937-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rfrrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxlfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3484 wrote to memory of 2368 3484 b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99bN.exe 82 PID 3484 wrote to memory of 2368 3484 b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99bN.exe 82 PID 3484 wrote to memory of 2368 3484 b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99bN.exe 82 PID 2368 wrote to memory of 1096 2368 hnnhtn.exe 83 PID 2368 wrote to memory of 1096 2368 hnnhtn.exe 83 PID 2368 wrote to memory of 1096 2368 hnnhtn.exe 83 PID 1096 wrote to memory of 3724 1096 pvvpj.exe 84 PID 1096 wrote to memory of 3724 1096 pvvpj.exe 84 PID 1096 wrote to memory of 3724 1096 pvvpj.exe 84 PID 3724 wrote to memory of 1336 3724 bbhttn.exe 85 PID 3724 wrote to memory of 1336 3724 bbhttn.exe 85 PID 3724 wrote to memory of 1336 3724 bbhttn.exe 85 PID 1336 wrote to memory of 1376 1336 jvpdj.exe 86 PID 1336 wrote to memory of 1376 1336 jvpdj.exe 86 PID 1336 wrote to memory of 1376 1336 jvpdj.exe 86 PID 1376 wrote to memory of 1896 1376 frrfrlf.exe 87 PID 1376 wrote to memory of 1896 1376 frrfrlf.exe 87 PID 1376 wrote to memory of 1896 1376 frrfrlf.exe 87 PID 1896 wrote to memory of 3228 1896 rlrrrlf.exe 88 PID 1896 wrote to memory of 3228 1896 rlrrrlf.exe 88 PID 1896 wrote to memory of 3228 1896 rlrrrlf.exe 88 PID 3228 wrote to memory of 3264 3228 hbnnth.exe 89 PID 3228 wrote to memory of 3264 3228 hbnnth.exe 89 PID 3228 wrote to memory of 3264 3228 hbnnth.exe 89 PID 3264 wrote to memory of 4308 3264 dpjvj.exe 90 PID 3264 wrote to memory of 4308 3264 dpjvj.exe 90 PID 3264 wrote to memory of 4308 3264 dpjvj.exe 90 PID 4308 wrote to memory of 4824 4308 pdjdv.exe 91 PID 4308 wrote to memory of 4824 4308 pdjdv.exe 91 PID 4308 wrote to memory of 4824 4308 pdjdv.exe 91 PID 4824 wrote to memory of 2996 4824 lfrfrlx.exe 92 PID 4824 wrote to memory of 2996 4824 lfrfrlx.exe 92 PID 4824 wrote to memory of 2996 4824 lfrfrlx.exe 92 PID 2996 wrote to memory of 1320 2996 vjpjv.exe 93 PID 2996 wrote to 
memory of 1320 2996 vjpjv.exe 93 PID 2996 wrote to memory of 1320 2996 vjpjv.exe 93 PID 1320 wrote to memory of 3936 1320 hbhnbn.exe 94 PID 1320 wrote to memory of 3936 1320 hbhnbn.exe 94 PID 1320 wrote to memory of 3936 1320 hbhnbn.exe 94 PID 3936 wrote to memory of 3004 3936 dvdjv.exe 95 PID 3936 wrote to memory of 3004 3936 dvdjv.exe 95 PID 3936 wrote to memory of 3004 3936 dvdjv.exe 95 PID 3004 wrote to memory of 208 3004 ntnhbt.exe 96 PID 3004 wrote to memory of 208 3004 ntnhbt.exe 96 PID 3004 wrote to memory of 208 3004 ntnhbt.exe 96 PID 208 wrote to memory of 3176 208 dvdpd.exe 97 PID 208 wrote to memory of 3176 208 dvdpd.exe 97 PID 208 wrote to memory of 3176 208 dvdpd.exe 97 PID 3176 wrote to memory of 3704 3176 lxrfxrl.exe 98 PID 3176 wrote to memory of 3704 3176 lxrfxrl.exe 98 PID 3176 wrote to memory of 3704 3176 lxrfxrl.exe 98 PID 3704 wrote to memory of 220 3704 3pjdp.exe 99 PID 3704 wrote to memory of 220 3704 3pjdp.exe 99 PID 3704 wrote to memory of 220 3704 3pjdp.exe 99 PID 220 wrote to memory of 712 220 hthhnh.exe 100 PID 220 wrote to memory of 712 220 hthhnh.exe 100 PID 220 wrote to memory of 712 220 hthhnh.exe 100 PID 712 wrote to memory of 3720 712 hhbbbn.exe 101 PID 712 wrote to memory of 3720 712 hhbbbn.exe 101 PID 712 wrote to memory of 3720 712 hhbbbn.exe 101 PID 3720 wrote to memory of 2868 3720 pddpd.exe 102 PID 3720 wrote to memory of 2868 3720 pddpd.exe 102 PID 3720 wrote to memory of 2868 3720 pddpd.exe 102 PID 2868 wrote to memory of 4672 2868 fxflxxr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99bN.exe"C:\Users\Admin\AppData\Local\Temp\b471d7daef022cf3586fe49b8e8863ac38666f0faa33da9ea501022a0401b99bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\hnnhtn.exec:\hnnhtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\pvvpj.exec:\pvvpj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1096 -
\??\c:\bbhttn.exec:\bbhttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\jvpdj.exec:\jvpdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1336 -
\??\c:\frrfrlf.exec:\frrfrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\rlrrrlf.exec:\rlrrrlf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\hbnnth.exec:\hbnnth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3228 -
\??\c:\dpjvj.exec:\dpjvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
\??\c:\pdjdv.exec:\pdjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\lfrfrlx.exec:\lfrfrlx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\vjpjv.exec:\vjpjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2996 -
\??\c:\hbhnbn.exec:\hbhnbn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1320 -
\??\c:\dvdjv.exec:\dvdjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\ntnhbt.exec:\ntnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\dvdpd.exec:\dvdpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\lxrfxrl.exec:\lxrfxrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\3pjdp.exec:\3pjdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\hthhnh.exec:\hthhnh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\hhbbbn.exec:\hhbbbn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\pddpd.exec:\pddpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\fxflxxr.exec:\fxflxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\bnthbt.exec:\bnthbt.exe23⤵
- Executes dropped EXE
PID:4672 -
\??\c:\thhbnn.exec:\thhbnn.exe24⤵
- Executes dropped EXE
PID:3168 -
\??\c:\7ffrlll.exec:\7ffrlll.exe25⤵
- Executes dropped EXE
PID:2664 -
\??\c:\nbbnth.exec:\nbbnth.exe26⤵
- Executes dropped EXE
PID:1852 -
\??\c:\jdppj.exec:\jdppj.exe27⤵
- Executes dropped EXE
PID:3944 -
\??\c:\9nhbnh.exec:\9nhbnh.exe28⤵
- Executes dropped EXE
PID:2208 -
\??\c:\3djjv.exec:\3djjv.exe29⤵
- Executes dropped EXE
PID:1752 -
\??\c:\dpjvp.exec:\dpjvp.exe30⤵
- Executes dropped EXE
PID:4916 -
\??\c:\fxxffxx.exec:\fxxffxx.exe31⤵
- Executes dropped EXE
PID:3300 -
\??\c:\pppdv.exec:\pppdv.exe32⤵
- Executes dropped EXE
PID:1600 -
\??\c:\rlxrfxr.exec:\rlxrfxr.exe33⤵
- Executes dropped EXE
PID:4912 -
\??\c:\xffrfxl.exec:\xffrfxl.exe34⤵
- Executes dropped EXE
PID:4544 -
\??\c:\1htnbt.exec:\1htnbt.exe35⤵
- Executes dropped EXE
PID:4524 -
\??\c:\vjdvp.exec:\vjdvp.exe36⤵
- Executes dropped EXE
PID:2780 -
\??\c:\bhnhnh.exec:\bhnhnh.exe37⤵
- Executes dropped EXE
PID:1256 -
\??\c:\1thbnh.exec:\1thbnh.exe38⤵
- Executes dropped EXE
PID:1228 -
\??\c:\pvjdp.exec:\pvjdp.exe39⤵
- Executes dropped EXE
PID:1688 -
\??\c:\rxfrrll.exec:\rxfrrll.exe40⤵
- Executes dropped EXE
PID:3824 -
\??\c:\nnbnth.exec:\nnbnth.exe41⤵
- Executes dropped EXE
PID:1800 -
\??\c:\tnhnth.exec:\tnhnth.exe42⤵
- Executes dropped EXE
PID:2004 -
\??\c:\5pjvd.exec:\5pjvd.exe43⤵
- Executes dropped EXE
PID:1420 -
\??\c:\3fxlxrf.exec:\3fxlxrf.exe44⤵
- Executes dropped EXE
PID:3056 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\vjjvj.exec:\vjjvj.exe46⤵
- Executes dropped EXE
PID:4588 -
\??\c:\1rxflfl.exec:\1rxflfl.exe47⤵
- Executes dropped EXE
PID:3608 -
\??\c:\rflxlfl.exec:\rflxlfl.exe48⤵
- Executes dropped EXE
PID:1064 -
\??\c:\hnnbnh.exec:\hnnbnh.exe49⤵
- Executes dropped EXE
PID:460 -
\??\c:\jjpjv.exec:\jjpjv.exe50⤵
- Executes dropped EXE
PID:3832 -
\??\c:\lxxrxrf.exec:\lxxrxrf.exe51⤵
- Executes dropped EXE
PID:1476 -
\??\c:\7tnbnh.exec:\7tnbnh.exe52⤵
- Executes dropped EXE
PID:4956 -
\??\c:\7jjdv.exec:\7jjdv.exe53⤵
- Executes dropped EXE
PID:4076 -
\??\c:\pddpd.exec:\pddpd.exe54⤵
- Executes dropped EXE
PID:4400 -
\??\c:\frxlrlx.exec:\frxlrlx.exe55⤵
- Executes dropped EXE
PID:372 -
\??\c:\nnnhtn.exec:\nnnhtn.exe56⤵
- Executes dropped EXE
PID:4792 -
\??\c:\7jvpd.exec:\7jvpd.exe57⤵
- Executes dropped EXE
PID:2604 -
\??\c:\pdvjj.exec:\pdvjj.exe58⤵
- Executes dropped EXE
PID:2752 -
\??\c:\rxxrlfr.exec:\rxxrlfr.exe59⤵
- Executes dropped EXE
PID:3696 -
\??\c:\hnthbt.exec:\hnthbt.exe60⤵
- Executes dropped EXE
PID:1884 -
\??\c:\vpvpv.exec:\vpvpv.exe61⤵
- Executes dropped EXE
PID:4180 -
\??\c:\pddpd.exec:\pddpd.exe62⤵
- Executes dropped EXE
PID:3972 -
\??\c:\ffrlfxl.exec:\ffrlfxl.exe63⤵
- Executes dropped EXE
PID:1456 -
\??\c:\thhbnh.exec:\thhbnh.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1084 -
\??\c:\jvvjd.exec:\jvvjd.exe65⤵
- Executes dropped EXE
PID:3896 -
\??\c:\dvdpd.exec:\dvdpd.exe66⤵PID:3264
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe67⤵PID:456
-
\??\c:\hntbbb.exec:\hntbbb.exe68⤵PID:636
-
\??\c:\5jpdd.exec:\5jpdd.exe69⤵PID:4024
-
\??\c:\5xxlfxr.exec:\5xxlfxr.exe70⤵PID:4824
-
\??\c:\1rfrfxr.exec:\1rfrfxr.exe71⤵PID:1148
-
\??\c:\bnntnh.exec:\bnntnh.exe72⤵PID:2240
-
\??\c:\jppjd.exec:\jppjd.exe73⤵PID:1292
-
\??\c:\xffxlfx.exec:\xffxlfx.exe74⤵PID:4748
-
\??\c:\rxlxlfr.exec:\rxlxlfr.exe75⤵PID:4772
-
\??\c:\tnbttb.exec:\tnbttb.exe76⤵PID:1028
-
\??\c:\7ppjv.exec:\7ppjv.exe77⤵PID:32
-
\??\c:\ppdpd.exec:\ppdpd.exe78⤵PID:3648
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe79⤵PID:3812
-
\??\c:\nbhbtb.exec:\nbhbtb.exe80⤵PID:264
-
\??\c:\jdjvj.exec:\jdjvj.exe81⤵PID:3704
-
\??\c:\lflflfl.exec:\lflflfl.exe82⤵PID:220
-
\??\c:\rxrfrrf.exec:\rxrfrrf.exe83⤵PID:712
-
\??\c:\5jdpj.exec:\5jdpj.exe84⤵PID:560
-
\??\c:\frllxlx.exec:\frllxlx.exe85⤵PID:3736
-
\??\c:\lflffxx.exec:\lflffxx.exe86⤵PID:3060
-
\??\c:\nhbbtt.exec:\nhbbtt.exe87⤵PID:4844
-
\??\c:\vpvvp.exec:\vpvvp.exe88⤵PID:4028
-
\??\c:\1xxrlxr.exec:\1xxrlxr.exe89⤵PID:2816
-
\??\c:\rlfxrfx.exec:\rlfxrfx.exe90⤵PID:2664
-
\??\c:\nhnnbb.exec:\nhnnbb.exe91⤵PID:4264
-
\??\c:\vpvpj.exec:\vpvpj.exe92⤵PID:4684
-
\??\c:\5ppdp.exec:\5ppdp.exe93⤵PID:660
-
\??\c:\xffrfxx.exec:\xffrfxx.exe94⤵PID:3732
-
\??\c:\hhnbtt.exec:\hhnbtt.exe95⤵PID:4916
-
\??\c:\vdjdv.exec:\vdjdv.exe96⤵PID:920
-
\??\c:\djvjd.exec:\djvjd.exe97⤵PID:4460
-
\??\c:\frxrlfx.exec:\frxrlfx.exe98⤵PID:4448
-
\??\c:\tnthbt.exec:\tnthbt.exe99⤵PID:3588
-
\??\c:\vjppj.exec:\vjppj.exe100⤵PID:116
-
\??\c:\rxfxffx.exec:\rxfxffx.exe101⤵PID:3128
-
\??\c:\9bbnhh.exec:\9bbnhh.exe102⤵PID:1980
-
\??\c:\hhhnbt.exec:\hhhnbt.exe103⤵PID:3224
-
\??\c:\1vddv.exec:\1vddv.exe104⤵PID:2180
-
\??\c:\lxfrrll.exec:\lxfrrll.exe105⤵PID:4184
-
\??\c:\bnhthb.exec:\bnhthb.exe106⤵PID:1628
-
\??\c:\vjpjv.exec:\vjpjv.exe107⤵PID:4896
-
\??\c:\vvvpj.exec:\vvvpj.exe108⤵PID:3824
-
\??\c:\bhhthb.exec:\bhhthb.exe109⤵PID:2800
-
\??\c:\nbnbnh.exec:\nbnbnh.exe110⤵PID:4848
-
\??\c:\dvjvj.exec:\dvjvj.exe111⤵PID:4948
-
\??\c:\xrflfrl.exec:\xrflfrl.exe112⤵PID:3056
-
\??\c:\5hhthb.exec:\5hhthb.exe113⤵PID:4408
-
\??\c:\jvdpj.exec:\jvdpj.exe114⤵PID:3932
-
\??\c:\rflffxl.exec:\rflffxl.exe115⤵PID:4816
-
\??\c:\btnbth.exec:\btnbth.exe116⤵PID:4128
-
\??\c:\djppd.exec:\djppd.exe117⤵PID:3668
-
\??\c:\lrxrlfl.exec:\lrxrlfl.exe118⤵PID:2748
-
\??\c:\7xlfxrl.exec:\7xlfxrl.exe119⤵PID:3832
-
\??\c:\bnnhbt.exec:\bnnhbt.exe120⤵PID:3700
-
\??\c:\jvpvj.exec:\jvpvj.exe121⤵PID:4956
-
\??\c:\xrrfxxr.exec:\xrrfxxr.exe122⤵
- System Location Discovery: System Language Discovery
PID:4076