Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
29/12/2024, 01:09
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453.exe
-
Size
455KB
-
MD5
6b13ece23985bc38347e0bb7993024dd
-
SHA1
c0d50b1d5f9b3f988ee93932855eacdde942692b
-
SHA256
7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453
-
SHA512
8855a75c2ec200aa68212ef6ce1d56081f9361249971cc128c930132a641df30b71fd7b1fe048f5d6e0fc939b334159f749f7c39ef0f21d4e3fe1e86b8443ed8
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe/:q7Tc2NYHUrAwfMp3CD/
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4932-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/924-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2404-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3440-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/464-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1232-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-470-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-659-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-703-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-806-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-840-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-890-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-1710-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1444 tnhbnh.exe 3860 vdjvp.exe 5008 pjjpj.exe 1876 lxxrrrl.exe 4128 pjvpj.exe 3288 pvvjj.exe 4892 vppvj.exe 3244 lflxxrl.exe 1912 9ddvv.exe 1512 hnbbtb.exe 4228 lflfrlf.exe 4564 tthhbh.exe 3852 1xfxrlf.exe 2896 nhhhbh.exe 2696 jdvpj.exe 2432 pvvpj.exe 4880 5rrlffr.exe 540 1tnhbb.exe 3936 1fxrxlf.exe 1960 pddpj.exe 4736 bhtnhb.exe 924 dpvdj.exe 3696 lxrlrfl.exe 1316 jppjd.exe 940 djjdj.exe 2104 bhhbnh.exe 2404 vvddj.exe 4392 7pdvd.exe 1668 dvpjd.exe 116 vvpjv.exe 4820 dvdvp.exe 2088 7vddv.exe 1156 3rrlxxr.exe 1620 5btnnn.exe 4940 vpjdd.exe 1684 frrlxrl.exe 3888 5nnhbt.exe 2400 9bbthh.exe 4220 1jppj.exe 4448 xlllxxr.exe 4976 tnthbh.exe 3704 ddpdv.exe 3340 pjpjj.exe 2192 xfxfrrf.exe 2072 9nthbb.exe 5088 3ppjd.exe 2324 llrrfxl.exe 4516 5rlxrrf.exe 216 nbhbnb.exe 2600 hhnnnn.exe 1016 jvdpj.exe 3172 lxfrrlf.exe 2708 9nnhbt.exe 4340 7jddv.exe 1308 pjvpd.exe 2584 bhhbbt.exe 4972 1jpjj.exe 3440 pjvpv.exe 3336 lrflfff.exe 2448 thttnn.exe 2328 5ppdj.exe 4928 xrfrxrf.exe 1816 tthbhh.exe 3244 jvvpj.exe -
resource yara_rule behavioral2/memory/4932-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/924-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2404-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-172-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/116-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3440-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/464-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1232-406-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2596-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-470-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-659-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-703-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-806-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-840-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-890-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-1294-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlflfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7llfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4932 wrote to memory of 1444 4932 7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453.exe 82 PID 4932 wrote to memory of 1444 4932 7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453.exe 82 PID 4932 wrote to memory of 1444 4932 7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453.exe 82 PID 1444 wrote to memory of 3860 1444 tnhbnh.exe 83 PID 1444 wrote to memory of 3860 1444 tnhbnh.exe 83 PID 1444 wrote to memory of 3860 1444 tnhbnh.exe 83 PID 3860 wrote to memory of 5008 3860 vdjvp.exe 84 PID 3860 wrote to memory of 5008 3860 vdjvp.exe 84 PID 3860 wrote to memory of 5008 3860 vdjvp.exe 84 PID 5008 wrote to memory of 1876 5008 pjjpj.exe 85 PID 5008 wrote to memory of 1876 5008 pjjpj.exe 85 PID 5008 wrote to memory of 1876 5008 pjjpj.exe 85 PID 1876 wrote to memory of 4128 1876 lxxrrrl.exe 86 PID 1876 wrote to memory of 4128 1876 lxxrrrl.exe 86 PID 1876 wrote to memory of 4128 1876 lxxrrrl.exe 86 PID 4128 wrote to memory of 3288 4128 pjvpj.exe 87 PID 4128 wrote to memory of 3288 4128 pjvpj.exe 87 PID 4128 wrote to memory of 3288 4128 pjvpj.exe 87 PID 3288 wrote to memory of 4892 3288 pvvjj.exe 88 PID 3288 wrote to memory of 4892 3288 pvvjj.exe 88 PID 3288 wrote to memory of 4892 3288 pvvjj.exe 88 PID 4892 wrote to memory of 3244 4892 vppvj.exe 89 PID 4892 wrote to memory of 3244 4892 vppvj.exe 89 PID 4892 wrote to memory of 3244 4892 vppvj.exe 89 PID 3244 wrote to memory of 1912 3244 lflxxrl.exe 90 PID 3244 wrote to memory of 1912 3244 lflxxrl.exe 90 PID 3244 wrote to memory of 1912 3244 lflxxrl.exe 90 PID 1912 wrote to memory of 1512 1912 9ddvv.exe 91 PID 1912 wrote to memory of 1512 1912 9ddvv.exe 91 PID 1912 wrote to memory of 1512 1912 9ddvv.exe 91 PID 1512 wrote to memory of 4228 1512 hnbbtb.exe 92 PID 1512 wrote to memory of 4228 1512 hnbbtb.exe 92 PID 1512 wrote to memory of 4228 1512 hnbbtb.exe 92 PID 4228 wrote to memory of 4564 4228 lflfrlf.exe 93 PID 4228 wrote to memory of 
4564 4228 lflfrlf.exe 93 PID 4228 wrote to memory of 4564 4228 lflfrlf.exe 93 PID 4564 wrote to memory of 3852 4564 tthhbh.exe 94 PID 4564 wrote to memory of 3852 4564 tthhbh.exe 94 PID 4564 wrote to memory of 3852 4564 tthhbh.exe 94 PID 3852 wrote to memory of 2896 3852 1xfxrlf.exe 95 PID 3852 wrote to memory of 2896 3852 1xfxrlf.exe 95 PID 3852 wrote to memory of 2896 3852 1xfxrlf.exe 95 PID 2896 wrote to memory of 2696 2896 nhhhbh.exe 96 PID 2896 wrote to memory of 2696 2896 nhhhbh.exe 96 PID 2896 wrote to memory of 2696 2896 nhhhbh.exe 96 PID 2696 wrote to memory of 2432 2696 jdvpj.exe 97 PID 2696 wrote to memory of 2432 2696 jdvpj.exe 97 PID 2696 wrote to memory of 2432 2696 jdvpj.exe 97 PID 2432 wrote to memory of 4880 2432 pvvpj.exe 98 PID 2432 wrote to memory of 4880 2432 pvvpj.exe 98 PID 2432 wrote to memory of 4880 2432 pvvpj.exe 98 PID 4880 wrote to memory of 540 4880 5rrlffr.exe 99 PID 4880 wrote to memory of 540 4880 5rrlffr.exe 99 PID 4880 wrote to memory of 540 4880 5rrlffr.exe 99 PID 540 wrote to memory of 3936 540 1tnhbb.exe 100 PID 540 wrote to memory of 3936 540 1tnhbb.exe 100 PID 540 wrote to memory of 3936 540 1tnhbb.exe 100 PID 3936 wrote to memory of 1960 3936 1fxrxlf.exe 101 PID 3936 wrote to memory of 1960 3936 1fxrxlf.exe 101 PID 3936 wrote to memory of 1960 3936 1fxrxlf.exe 101 PID 1960 wrote to memory of 4736 1960 pddpj.exe 102 PID 1960 wrote to memory of 4736 1960 pddpj.exe 102 PID 1960 wrote to memory of 4736 1960 pddpj.exe 102 PID 4736 wrote to memory of 924 4736 bhtnhb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453.exe "C:\Users\Admin\AppData\Local\Temp\7c7df757953bd6ee8d38ffb390111c97f5b5ed685bdbfa082773a37ed2f2b453.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\tnhbnh.exec:\tnhbnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\vdjvp.exec:\vdjvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\pjjpj.exec:\pjjpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\lxxrrrl.exec:\lxxrrrl.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\pjvpj.exec:\pjvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\pvvjj.exec:\pvvjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\vppvj.exec:\vppvj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\lflxxrl.exec:\lflxxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\9ddvv.exec:\9ddvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\hnbbtb.exec:\hnbbtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\lflfrlf.exec:\lflfrlf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\tthhbh.exec:\tthhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\1xfxrlf.exec:\1xfxrlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\nhhhbh.exec:\nhhhbh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2896 -
\??\c:\jdvpj.exec:\jdvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2696 -
\??\c:\pvvpj.exec:\pvvpj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\5rrlffr.exec:\5rrlffr.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\1tnhbb.exec:\1tnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540 -
\??\c:\1fxrxlf.exec:\1fxrxlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3936 -
\??\c:\pddpj.exec:\pddpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\bhtnhb.exec:\bhtnhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736 -
\??\c:\dpvdj.exec:\dpvdj.exe23⤵
- Executes dropped EXE
PID:924 -
\??\c:\lxrlrfl.exec:\lxrlrfl.exe24⤵
- Executes dropped EXE
PID:3696 -
\??\c:\jppjd.exec:\jppjd.exe25⤵
- Executes dropped EXE
PID:1316 -
\??\c:\djjdj.exec:\djjdj.exe26⤵
- Executes dropped EXE
PID:940 -
\??\c:\bhhbnh.exec:\bhhbnh.exe27⤵
- Executes dropped EXE
PID:2104 -
\??\c:\vvddj.exec:\vvddj.exe28⤵
- Executes dropped EXE
PID:2404 -
\??\c:\7pdvd.exec:\7pdvd.exe29⤵
- Executes dropped EXE
PID:4392 -
\??\c:\dvpjd.exec:\dvpjd.exe30⤵
- Executes dropped EXE
PID:1668 -
\??\c:\vvpjv.exec:\vvpjv.exe31⤵
- Executes dropped EXE
PID:116 -
\??\c:\dvdvp.exec:\dvdvp.exe32⤵
- Executes dropped EXE
PID:4820 -
\??\c:\7vddv.exec:\7vddv.exe33⤵
- Executes dropped EXE
PID:2088 -
\??\c:\3rrlxxr.exec:\3rrlxxr.exe34⤵
- Executes dropped EXE
PID:1156 -
\??\c:\5btnnn.exec:\5btnnn.exe35⤵
- Executes dropped EXE
PID:1620 -
\??\c:\vpjdd.exec:\vpjdd.exe36⤵
- Executes dropped EXE
PID:4940 -
\??\c:\frrlxrl.exec:\frrlxrl.exe37⤵
- Executes dropped EXE
PID:1684 -
\??\c:\5nnhbt.exec:\5nnhbt.exe38⤵
- Executes dropped EXE
PID:3888 -
\??\c:\9bbthh.exec:\9bbthh.exe39⤵
- Executes dropped EXE
PID:2400 -
\??\c:\1jppj.exec:\1jppj.exe40⤵
- Executes dropped EXE
PID:4220 -
\??\c:\xlllxxr.exec:\xlllxxr.exe41⤵
- Executes dropped EXE
PID:4448 -
\??\c:\tnthbh.exec:\tnthbh.exe42⤵
- Executes dropped EXE
PID:4976 -
\??\c:\ddpdv.exec:\ddpdv.exe43⤵
- Executes dropped EXE
PID:3704 -
\??\c:\pjpjj.exec:\pjpjj.exe44⤵
- Executes dropped EXE
PID:3340 -
\??\c:\xfxfrrf.exec:\xfxfrrf.exe45⤵
- Executes dropped EXE
PID:2192 -
\??\c:\9nthbb.exec:\9nthbb.exe46⤵
- Executes dropped EXE
PID:2072 -
\??\c:\3ppjd.exec:\3ppjd.exe47⤵
- Executes dropped EXE
PID:5088 -
\??\c:\llrrfxl.exec:\llrrfxl.exe48⤵
- Executes dropped EXE
PID:2324 -
\??\c:\5rlxrrf.exec:\5rlxrrf.exe49⤵
- Executes dropped EXE
PID:4516 -
\??\c:\nbhbnb.exec:\nbhbnb.exe50⤵
- Executes dropped EXE
PID:216 -
\??\c:\hhnnnn.exec:\hhnnnn.exe51⤵
- Executes dropped EXE
PID:2600 -
\??\c:\jvdpj.exec:\jvdpj.exe52⤵
- Executes dropped EXE
PID:1016 -
\??\c:\lxfrrlf.exec:\lxfrrlf.exe53⤵
- Executes dropped EXE
PID:3172 -
\??\c:\9nnhbt.exec:\9nnhbt.exe54⤵
- Executes dropped EXE
PID:2708 -
\??\c:\7jddv.exec:\7jddv.exe55⤵
- Executes dropped EXE
PID:4340 -
\??\c:\pjvpd.exec:\pjvpd.exe56⤵
- Executes dropped EXE
PID:1308 -
\??\c:\bhhbbt.exec:\bhhbbt.exe57⤵
- Executes dropped EXE
PID:2584 -
\??\c:\1jpjj.exec:\1jpjj.exe58⤵
- Executes dropped EXE
PID:4972 -
\??\c:\pjvpv.exec:\pjvpv.exe59⤵
- Executes dropped EXE
PID:3440 -
\??\c:\lrflfff.exec:\lrflfff.exe60⤵
- Executes dropped EXE
PID:3336 -
\??\c:\thttnn.exec:\thttnn.exe61⤵
- Executes dropped EXE
PID:2448 -
\??\c:\5ppdj.exec:\5ppdj.exe62⤵
- Executes dropped EXE
PID:2328 -
\??\c:\xrfrxrf.exec:\xrfrxrf.exe63⤵
- Executes dropped EXE
PID:4928 -
\??\c:\tthbhh.exec:\tthbhh.exe64⤵
- Executes dropped EXE
PID:1816 -
\??\c:\jvvpj.exec:\jvvpj.exe65⤵
- Executes dropped EXE
PID:3244 -
\??\c:\xflfxxr.exec:\xflfxxr.exe66⤵PID:2152
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe67⤵PID:1912
-
\??\c:\tntnhb.exec:\tntnhb.exe68⤵PID:4280
-
\??\c:\jpvjv.exec:\jpvjv.exe69⤵PID:1872
-
\??\c:\7ffrlrl.exec:\7ffrlrl.exe70⤵PID:3144
-
\??\c:\nnnhtn.exec:\nnnhtn.exe71⤵PID:3268
-
\??\c:\thhbtn.exec:\thhbtn.exe72⤵PID:3068
-
\??\c:\pddpj.exec:\pddpj.exe73⤵PID:1456
-
\??\c:\rlflfxr.exec:\rlflfxr.exe74⤵
- System Location Discovery: System Language Discovery
PID:532 -
\??\c:\nthttb.exec:\nthttb.exe75⤵PID:4216
-
\??\c:\3dvpj.exec:\3dvpj.exe76⤵PID:2704
-
\??\c:\fffxrrx.exec:\fffxrrx.exe77⤵PID:464
-
\??\c:\nnntnn.exec:\nnntnn.exe78⤵PID:3236
-
\??\c:\jppjd.exec:\jppjd.exe79⤵PID:2376
-
\??\c:\djvjp.exec:\djvjp.exe80⤵PID:448
-
\??\c:\lfrlllr.exec:\lfrlllr.exe81⤵PID:4980
-
\??\c:\ttbbbt.exec:\ttbbbt.exe82⤵PID:1348
-
\??\c:\jppjd.exec:\jppjd.exe83⤵PID:716
-
\??\c:\pdjdv.exec:\pdjdv.exe84⤵PID:2340
-
\??\c:\xllrfxr.exec:\xllrfxr.exe85⤵PID:1140
-
\??\c:\hbnhtn.exec:\hbnhtn.exe86⤵PID:3872
-
\??\c:\vvjvp.exec:\vvjvp.exe87⤵PID:1884
-
\??\c:\5lrlffl.exec:\5lrlffl.exe88⤵PID:1600
-
\??\c:\hbtnnn.exec:\hbtnnn.exe89⤵PID:3624
-
\??\c:\7nhbtn.exec:\7nhbtn.exe90⤵PID:436
-
\??\c:\jvvvv.exec:\jvvvv.exe91⤵PID:3076
-
\??\c:\rrxrfxl.exec:\rrxrfxl.exe92⤵PID:1500
-
\??\c:\hhbtnt.exec:\hhbtnt.exe93⤵PID:1352
-
\??\c:\vjppj.exec:\vjppj.exe94⤵PID:5020
-
\??\c:\7vvpj.exec:\7vvpj.exe95⤵PID:1668
-
\??\c:\9lfxrrl.exec:\9lfxrrl.exe96⤵PID:2028
-
\??\c:\nttnhh.exec:\nttnhh.exe97⤵PID:4460
-
\??\c:\pvvjd.exec:\pvvjd.exe98⤵PID:748
-
\??\c:\frrlllf.exec:\frrlllf.exe99⤵PID:3556
-
\??\c:\xfrfxrr.exec:\xfrfxrr.exe100⤵PID:1232
-
\??\c:\ntbtnn.exec:\ntbtnn.exe101⤵PID:4760
-
\??\c:\1lxrlrl.exec:\1lxrlrl.exe102⤵PID:4336
-
\??\c:\1lxrxxf.exec:\1lxrxxf.exe103⤵PID:636
-
\??\c:\nntnnh.exec:\nntnnh.exe104⤵PID:2172
-
\??\c:\djpdj.exec:\djpdj.exe105⤵PID:3844
-
\??\c:\flrrffr.exec:\flrrffr.exe106⤵PID:2400
-
\??\c:\bbbtnh.exec:\bbbtnh.exe107⤵PID:3428
-
\??\c:\ttbtbb.exec:\ttbtbb.exe108⤵PID:4788
-
\??\c:\dpvjd.exec:\dpvjd.exe109⤵PID:2596
-
\??\c:\frfxrfx.exec:\frfxrfx.exe110⤵PID:4796
-
\??\c:\bhbhtn.exec:\bhbhtn.exe111⤵PID:4352
-
\??\c:\dppdv.exec:\dppdv.exe112⤵PID:4936
-
\??\c:\lffxffx.exec:\lffxffx.exe113⤵PID:1692
-
\??\c:\fxrlrrf.exec:\fxrlrrf.exe114⤵PID:5088
-
\??\c:\nhhbnh.exec:\nhhbnh.exe115⤵PID:2324
-
\??\c:\pjdvv.exec:\pjdvv.exe116⤵PID:4672
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe117⤵PID:4304
-
\??\c:\bhtbbn.exec:\bhtbbn.exe118⤵PID:4496
-
\??\c:\3pvpd.exec:\3pvpd.exe119⤵PID:4932
-
\??\c:\dvdvp.exec:\dvdvp.exe120⤵PID:8
-
\??\c:\9xfffff.exec:\9xfffff.exe121⤵PID:1840
-
\??\c:\nbhbtn.exec:\nbhbtn.exe122⤵PID:4704