Analysis
-
max time kernel
118s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 01:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe
Resource
win7-20241023-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe
-
Size
452KB
-
MD5
9b5f5c496740a90f0be8bf8bcb256110
-
SHA1
46f1efafa6623130dc998d0709dd201cc3d351fd
-
SHA256
9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9
-
SHA512
3298f46d35430cb1587334705d9734cc5900e4daef5e54269c43227151f1e3a67f11345cba455671ec3a0ed59370fd6a76fc61639e226e82816a4aeef44d3957
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3644-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4036-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3292-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/464-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1536-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2152-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1728-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/396-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1768-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-668-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-708-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-956-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-1012-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-1209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-1288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2188 dvpvd.exe 728 bnnhtn.exe 2468 hnnthb.exe 4644 5ppdp.exe 4840 xxrlxrl.exe 4892 hbbnhb.exe 3884 vjjvd.exe 2008 7lfrxrf.exe 4036 1vvjd.exe 4836 hnnhnh.exe 968 pdvjv.exe 668 xxllxrf.exe 2120 vjvpd.exe 4060 htnhnh.exe 4560 nhbnbt.exe 1472 pjpjp.exe 1748 tnnbhb.exe 1744 pjpvd.exe 468 tnhthb.exe 1696 bhhtht.exe 5060 5jjpd.exe 3292 xrlxrlx.exe 556 5fxxfll.exe 3676 3nhbnn.exe 3316 5dvjj.exe 464 nbbthb.exe 1536 3ppjv.exe 2884 fxfrllx.exe 2232 7nhbtt.exe 5112 9hhtnn.exe 3428 fxfxlxr.exe 2152 5lxlxrl.exe 4416 nbbtnh.exe 4084 pjvdp.exe 2976 rlfrlfx.exe 2880 nnnbnb.exe 3068 nbbnhb.exe 3896 pjpjj.exe 4300 lxfrxrf.exe 688 5tnhbt.exe 5020 jvjdj.exe 2032 lllfxxr.exe 2260 btbtbb.exe 2268 dvjvv.exe 1852 5ddpv.exe 2548 fxxfrrx.exe 4464 1nnhbb.exe 628 1pdvp.exe 3144 fffxrfx.exe 4952 1nthbt.exe 1676 thhbtt.exe 536 ppvjv.exe 4644 7lrflfl.exe 3088 7tthtb.exe 3616 vdjvp.exe 3392 rxxrfxl.exe 1668 1fxrrlr.exe 4808 bnthbt.exe 4792 jdjdd.exe 4528 lxrfxlf.exe 1268 xffrxrl.exe 4640 3bhbnh.exe 968 7pvpd.exe 3968 rxxrlxr.exe -
resource yara_rule behavioral2/memory/3644-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2468-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4036-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1536-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2152-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-329-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3792-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/396-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1768-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-532-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-668-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3644 wrote to memory of 2188 3644 9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe 82 PID 3644 wrote to memory of 2188 3644 9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe 82 PID 3644 wrote to memory of 2188 3644 9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe 82 PID 2188 wrote to memory of 728 2188 dvpvd.exe 83 PID 2188 wrote to memory of 728 2188 dvpvd.exe 83 PID 2188 wrote to memory of 728 2188 dvpvd.exe 83 PID 728 wrote to memory of 2468 728 bnnhtn.exe 84 PID 728 wrote to memory of 2468 728 bnnhtn.exe 84 PID 728 wrote to memory of 2468 728 bnnhtn.exe 84 PID 2468 wrote to memory of 4644 2468 hnnthb.exe 85 PID 2468 wrote to memory of 4644 2468 hnnthb.exe 85 PID 2468 wrote to memory of 4644 2468 hnnthb.exe 85 PID 4644 wrote to memory of 4840 4644 5ppdp.exe 86 PID 4644 wrote to memory of 4840 4644 5ppdp.exe 86 PID 4644 wrote to memory of 4840 4644 5ppdp.exe 86 PID 4840 wrote to memory of 4892 4840 xxrlxrl.exe 87 PID 4840 wrote to memory of 4892 4840 xxrlxrl.exe 87 PID 4840 wrote to memory of 4892 4840 xxrlxrl.exe 87 PID 4892 wrote to memory of 3884 4892 hbbnhb.exe 88 PID 4892 wrote to memory of 3884 4892 hbbnhb.exe 88 PID 4892 wrote to memory of 3884 4892 hbbnhb.exe 88 PID 3884 wrote to memory of 2008 3884 vjjvd.exe 89 PID 3884 wrote to memory of 2008 3884 vjjvd.exe 89 PID 3884 wrote to memory of 2008 3884 vjjvd.exe 89 PID 2008 wrote to memory of 4036 2008 7lfrxrf.exe 90 PID 2008 wrote to memory of 4036 2008 7lfrxrf.exe 90 PID 2008 wrote to memory of 4036 2008 7lfrxrf.exe 90 PID 4036 wrote to memory of 4836 4036 1vvjd.exe 91 PID 4036 wrote to memory of 4836 4036 1vvjd.exe 91 PID 4036 wrote to memory of 4836 4036 1vvjd.exe 91 PID 4836 wrote to memory of 968 4836 hnnhnh.exe 92 PID 4836 wrote to memory of 968 4836 hnnhnh.exe 92 PID 4836 wrote to memory of 968 4836 hnnhnh.exe 92 PID 968 wrote to memory of 668 968 pdvjv.exe 93 PID 968 wrote to memory of 668 968 
pdvjv.exe 93 PID 968 wrote to memory of 668 968 pdvjv.exe 93 PID 668 wrote to memory of 2120 668 xxllxrf.exe 94 PID 668 wrote to memory of 2120 668 xxllxrf.exe 94 PID 668 wrote to memory of 2120 668 xxllxrf.exe 94 PID 2120 wrote to memory of 4060 2120 vjvpd.exe 95 PID 2120 wrote to memory of 4060 2120 vjvpd.exe 95 PID 2120 wrote to memory of 4060 2120 vjvpd.exe 95 PID 4060 wrote to memory of 4560 4060 htnhnh.exe 96 PID 4060 wrote to memory of 4560 4060 htnhnh.exe 96 PID 4060 wrote to memory of 4560 4060 htnhnh.exe 96 PID 4560 wrote to memory of 1472 4560 nhbnbt.exe 97 PID 4560 wrote to memory of 1472 4560 nhbnbt.exe 97 PID 4560 wrote to memory of 1472 4560 nhbnbt.exe 97 PID 1472 wrote to memory of 1748 1472 pjpjp.exe 98 PID 1472 wrote to memory of 1748 1472 pjpjp.exe 98 PID 1472 wrote to memory of 1748 1472 pjpjp.exe 98 PID 1748 wrote to memory of 1744 1748 tnnbhb.exe 99 PID 1748 wrote to memory of 1744 1748 tnnbhb.exe 99 PID 1748 wrote to memory of 1744 1748 tnnbhb.exe 99 PID 1744 wrote to memory of 468 1744 pjpvd.exe 100 PID 1744 wrote to memory of 468 1744 pjpvd.exe 100 PID 1744 wrote to memory of 468 1744 pjpvd.exe 100 PID 468 wrote to memory of 1696 468 tnhthb.exe 101 PID 468 wrote to memory of 1696 468 tnhthb.exe 101 PID 468 wrote to memory of 1696 468 tnhthb.exe 101 PID 1696 wrote to memory of 5060 1696 bhhtht.exe 102 PID 1696 wrote to memory of 5060 1696 bhhtht.exe 102 PID 1696 wrote to memory of 5060 1696 bhhtht.exe 102 PID 5060 wrote to memory of 3292 5060 5jjpd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe"C:\Users\Admin\AppData\Local\Temp\9650aa02e224a1de270acc5110913ffa5bf05584246ea8ca8b128a5d70d5f0b9N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
\??\c:\dvpvd.exec:\dvpvd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\bnnhtn.exec:\bnnhtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:728 -
\??\c:\hnnthb.exec:\hnnthb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\5ppdp.exec:\5ppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\xxrlxrl.exec:\xxrlxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\hbbnhb.exec:\hbbnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\vjjvd.exec:\vjjvd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884 -
\??\c:\7lfrxrf.exec:\7lfrxrf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\1vvjd.exec:\1vvjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\hnnhnh.exec:\hnnhnh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
\??\c:\pdvjv.exec:\pdvjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
\??\c:\xxllxrf.exec:\xxllxrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\vjvpd.exec:\vjvpd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
\??\c:\htnhnh.exec:\htnhnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\nhbnbt.exec:\nhbnbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\pjpjp.exec:\pjpjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1472 -
\??\c:\tnnbhb.exec:\tnnbhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\pjpvd.exec:\pjpvd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\tnhthb.exec:\tnhthb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\bhhtht.exec:\bhhtht.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\5jjpd.exec:\5jjpd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\xrlxrlx.exec:\xrlxrlx.exe23⤵
- Executes dropped EXE
PID:3292 -
\??\c:\5fxxfll.exec:\5fxxfll.exe24⤵
- Executes dropped EXE
PID:556 -
\??\c:\3nhbnn.exec:\3nhbnn.exe25⤵
- Executes dropped EXE
PID:3676 -
\??\c:\5dvjj.exec:\5dvjj.exe26⤵
- Executes dropped EXE
PID:3316 -
\??\c:\nbbthb.exec:\nbbthb.exe27⤵
- Executes dropped EXE
PID:464 -
\??\c:\3ppjv.exec:\3ppjv.exe28⤵
- Executes dropped EXE
PID:1536 -
\??\c:\fxfrllx.exec:\fxfrllx.exe29⤵
- Executes dropped EXE
PID:2884 -
\??\c:\7nhbtt.exec:\7nhbtt.exe30⤵
- Executes dropped EXE
PID:2232 -
\??\c:\9hhtnn.exec:\9hhtnn.exe31⤵
- Executes dropped EXE
PID:5112 -
\??\c:\fxfxlxr.exec:\fxfxlxr.exe32⤵
- Executes dropped EXE
PID:3428 -
\??\c:\5lxlxrl.exec:\5lxlxrl.exe33⤵
- Executes dropped EXE
PID:2152 -
\??\c:\nbbtnh.exec:\nbbtnh.exe34⤵
- Executes dropped EXE
PID:4416 -
\??\c:\pjvdp.exec:\pjvdp.exe35⤵
- Executes dropped EXE
PID:4084 -
\??\c:\rlfrlfx.exec:\rlfrlfx.exe36⤵
- Executes dropped EXE
PID:2976 -
\??\c:\nnnbnb.exec:\nnnbnb.exe37⤵
- Executes dropped EXE
PID:2880 -
\??\c:\nbbnhb.exec:\nbbnhb.exe38⤵
- Executes dropped EXE
PID:3068 -
\??\c:\pjpjj.exec:\pjpjj.exe39⤵
- Executes dropped EXE
PID:3896 -
\??\c:\lxfrxrf.exec:\lxfrxrf.exe40⤵
- Executes dropped EXE
PID:4300 -
\??\c:\5tnhbt.exec:\5tnhbt.exe41⤵
- Executes dropped EXE
PID:688 -
\??\c:\jvjdj.exec:\jvjdj.exe42⤵
- Executes dropped EXE
PID:5020 -
\??\c:\lllfxxr.exec:\lllfxxr.exe43⤵
- Executes dropped EXE
PID:2032 -
\??\c:\btbtbb.exec:\btbtbb.exe44⤵
- Executes dropped EXE
PID:2260 -
\??\c:\dvjvv.exec:\dvjvv.exe45⤵
- Executes dropped EXE
PID:2268 -
\??\c:\5ddpv.exec:\5ddpv.exe46⤵
- Executes dropped EXE
PID:1852 -
\??\c:\fxxfrrx.exec:\fxxfrrx.exe47⤵
- Executes dropped EXE
PID:2548 -
\??\c:\1nnhbb.exec:\1nnhbb.exe48⤵
- Executes dropped EXE
PID:4464 -
\??\c:\1pdvp.exec:\1pdvp.exe49⤵
- Executes dropped EXE
PID:628 -
\??\c:\fffxrfx.exec:\fffxrfx.exe50⤵
- Executes dropped EXE
PID:3144 -
\??\c:\1nthbt.exec:\1nthbt.exe51⤵
- Executes dropped EXE
PID:4952 -
\??\c:\thhbtt.exec:\thhbtt.exe52⤵
- Executes dropped EXE
PID:1676 -
\??\c:\ppvjv.exec:\ppvjv.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
\??\c:\7lrflfl.exec:\7lrflfl.exe54⤵
- Executes dropped EXE
PID:4644 -
\??\c:\7tthtb.exec:\7tthtb.exe55⤵
- Executes dropped EXE
PID:3088 -
\??\c:\vdjvp.exec:\vdjvp.exe56⤵
- Executes dropped EXE
PID:3616 -
\??\c:\rxxrfxl.exec:\rxxrfxl.exe57⤵
- Executes dropped EXE
PID:3392 -
\??\c:\1fxrrlr.exec:\1fxrrlr.exe58⤵
- Executes dropped EXE
PID:1668 -
\??\c:\bnthbt.exec:\bnthbt.exe59⤵
- Executes dropped EXE
PID:4808 -
\??\c:\jdjdd.exec:\jdjdd.exe60⤵
- Executes dropped EXE
PID:4792 -
\??\c:\lxrfxlf.exec:\lxrfxlf.exe61⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xffrxrl.exec:\xffrxrl.exe62⤵
- Executes dropped EXE
PID:1268 -
\??\c:\3bhbnh.exec:\3bhbnh.exe63⤵
- Executes dropped EXE
PID:4640 -
\??\c:\7pvpd.exec:\7pvpd.exe64⤵
- Executes dropped EXE
PID:968 -
\??\c:\rxxrlxr.exec:\rxxrlxr.exe65⤵
- Executes dropped EXE
PID:3968 -
\??\c:\nbhbbn.exec:\nbhbbn.exe66⤵PID:2076
-
\??\c:\djdpd.exec:\djdpd.exe67⤵PID:3652
-
\??\c:\ddjvv.exec:\ddjvv.exe68⤵PID:644
-
\??\c:\3xxrxrr.exec:\3xxrxrr.exe69⤵PID:2004
-
\??\c:\bnnhbt.exec:\bnnhbt.exe70⤵PID:2080
-
\??\c:\5ddvd.exec:\5ddvd.exe71⤵PID:5044
-
\??\c:\flfllxf.exec:\flfllxf.exe72⤵PID:1728
-
\??\c:\bttnbh.exec:\bttnbh.exe73⤵PID:3448
-
\??\c:\pvvpd.exec:\pvvpd.exe74⤵PID:2636
-
\??\c:\pjdpp.exec:\pjdpp.exe75⤵PID:2396
-
\??\c:\rlfxrrx.exec:\rlfxrrx.exe76⤵PID:1200
-
\??\c:\hbbnhb.exec:\hbbnhb.exe77⤵PID:1840
-
\??\c:\vpjvp.exec:\vpjvp.exe78⤵
- System Location Discovery: System Language Discovery
PID:4856 -
\??\c:\jvjvv.exec:\jvjvv.exe79⤵PID:4380
-
\??\c:\rxxlxrf.exec:\rxxlxrf.exe80⤵PID:412
-
\??\c:\bhnbnh.exec:\bhnbnh.exe81⤵PID:3792
-
\??\c:\hntntn.exec:\hntntn.exe82⤵PID:1964
-
\??\c:\jpvjv.exec:\jpvjv.exe83⤵PID:3080
-
\??\c:\hhbntn.exec:\hhbntn.exe84⤵PID:2800
-
\??\c:\btnbbt.exec:\btnbbt.exe85⤵PID:2020
-
\??\c:\vdppv.exec:\vdppv.exe86⤵PID:2388
-
\??\c:\rlxxrxx.exec:\rlxxrxx.exe87⤵PID:512
-
\??\c:\rflffff.exec:\rflffff.exe88⤵PID:2232
-
\??\c:\httnbh.exec:\httnbh.exe89⤵PID:2084
-
\??\c:\vvdpd.exec:\vvdpd.exe90⤵PID:1000
-
\??\c:\xrrfrlx.exec:\xrrfrlx.exe91⤵PID:3428
-
\??\c:\rrxrlff.exec:\rrxrlff.exe92⤵PID:2828
-
\??\c:\thhbtn.exec:\thhbtn.exe93⤵PID:2624
-
\??\c:\9dvpd.exec:\9dvpd.exe94⤵PID:4680
-
\??\c:\jdpjd.exec:\jdpjd.exe95⤵PID:3516
-
\??\c:\rffrfxr.exec:\rffrfxr.exe96⤵PID:3556
-
\??\c:\bttnbt.exec:\bttnbt.exe97⤵PID:4012
-
\??\c:\3nbnhb.exec:\3nbnhb.exe98⤵PID:2612
-
\??\c:\5dpjd.exec:\5dpjd.exe99⤵PID:2448
-
\??\c:\vjdvj.exec:\vjdvj.exe100⤵PID:396
-
\??\c:\9lfrxrf.exec:\9lfrxrf.exe101⤵PID:2456
-
\??\c:\nhbnbt.exec:\nhbnbt.exe102⤵PID:3452
-
\??\c:\dvpvd.exec:\dvpvd.exe103⤵PID:2840
-
\??\c:\xrxlfxx.exec:\xrxlfxx.exe104⤵
- System Location Discovery: System Language Discovery
PID:1612 -
\??\c:\htnbht.exec:\htnbht.exe105⤵PID:1672
-
\??\c:\bnnbhn.exec:\bnnbhn.exe106⤵PID:2328
-
\??\c:\dvpjv.exec:\dvpjv.exe107⤵PID:4776
-
\??\c:\frxlfxr.exec:\frxlfxr.exe108⤵PID:2784
-
\??\c:\3thbnh.exec:\3thbnh.exe109⤵PID:3924
-
\??\c:\bhbnbt.exec:\bhbnbt.exe110⤵PID:816
-
\??\c:\jvvpd.exec:\jvvpd.exe111⤵PID:3060
-
\??\c:\lxrfrlx.exec:\lxrfrlx.exe112⤵PID:1552
-
\??\c:\xrlxxrf.exec:\xrlxxrf.exe113⤵PID:3456
-
\??\c:\hhbntn.exec:\hhbntn.exe114⤵PID:4244
-
\??\c:\bnnbnb.exec:\bnnbnb.exe115⤵PID:1540
-
\??\c:\jdjvd.exec:\jdjvd.exe116⤵PID:2672
-
\??\c:\llxlrlx.exec:\llxlrlx.exe117⤵PID:548
-
\??\c:\nbbnhb.exec:\nbbnhb.exe118⤵PID:760
-
\??\c:\vdjvj.exec:\vdjvj.exe119⤵PID:452
-
\??\c:\lrrfrlx.exec:\lrrfrlx.exe120⤵PID:2888
-
\??\c:\nhnnnh.exec:\nhnnnh.exe121⤵PID:856
-
\??\c:\vdvpd.exec:\vdvpd.exe122⤵PID:4320