Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 21:06
Behavioral task
behavioral1
Sample
2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13.exe
-
Size
96KB
-
MD5
7a4194279f68230e8f4427f745592fb3
-
SHA1
9179e48e2f4073cfa54971ded13b3778d153dd2e
-
SHA256
2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13
-
SHA512
2cf3549320556409c16f64382bcd3db9af470af824b453eba7bcfd31f42501fa2e13a4bea4e8183f07bffc482150763c25ec2a137e076fd04f05e235625bd394
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgf:8cm4FmowdHoSgWrXUgf
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4712-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3328-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4348-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4140-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3568-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-46-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1948-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/992-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4124-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/808-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2592-96-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2840-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4232-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4192-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-127-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4100-130-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1360-139-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4548-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5072-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3864-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4740-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3232-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5112-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4376-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4356-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1112-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3328-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4816-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1560-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1908-259-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3420-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/736-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/396-312-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3192-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2652-340-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-366-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3640-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4880-393-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4964-434-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3492-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3988-474-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3168-609-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3664-644-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1536-685-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2720-714-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-795-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-940-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 464 5bhbnn.exe 1112 nhtntn.exe 3328 7jpjj.exe 1928 xrlxrff.exe 4348 tthhbh.exe 4140 7djvp.exe 3568 fxxrrrl.exe 2468 bhhnhb.exe 1536 tnhbth.exe 1632 vvjpv.exe 1984 3hnbtt.exe 1948 5nbtbb.exe 4068 nttnhb.exe 4924 pvdpj.exe 992 xxxlxrf.exe 2720 nttnhh.exe 4124 htnbhb.exe 808 vddjd.exe 2592 rxffxrl.exe 2840 vvpvp.exe 4232 dvpdd.exe 4192 rlxrffx.exe 2088 5tbtbb.exe 4564 3tbhth.exe 1756 jdddv.exe 4100 rffxxxx.exe 3908 frrlxrl.exe 1360 jddvj.exe 2588 rrxrlll.exe 1716 nbttnn.exe 4548 dpdpd.exe 5072 ffrrlrr.exe 4136 thttnn.exe 4852 tnnhtn.exe 3864 vdvvp.exe 940 llfxrll.exe 2420 nntnbn.exe 1860 pdpjv.exe 4108 rxxrrrr.exe 4740 dddvd.exe 3232 xrxrxxl.exe 4992 hhtnnn.exe 5112 bthtnt.exe 1768 vvpdv.exe 212 lflrxfl.exe 1676 xfffllf.exe 1564 tnttbn.exe 4428 vvvpj.exe 3664 vpvpv.exe 4356 rlfxrlf.exe 3548 nnhbbb.exe 3336 ppdpp.exe 2032 5dvjv.exe 1112 9lxlxrl.exe 3328 rffxrrl.exe 2796 nhbbtn.exe 3780 vdddv.exe 4816 lfrlfxr.exe 4836 9xxrlll.exe 2480 hbnbbt.exe 4512 hnthbt.exe 2468 djjdp.exe 1536 fxrlrrr.exe 3200 rxfxrrl.exe -
resource yara_rule behavioral2/memory/4712-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b23-3.dat upx behavioral2/memory/464-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4712-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b7e-10.dat upx behavioral2/memory/1112-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/464-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-13.dat upx behavioral2/memory/1112-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-20.dat upx behavioral2/memory/3328-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-24.dat upx behavioral2/files/0x000a000000023b89-29.dat upx behavioral2/memory/4348-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-34.dat upx behavioral2/memory/4140-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-39.dat upx behavioral2/memory/3568-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-44.dat upx behavioral2/memory/2468-46-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-49.dat upx behavioral2/memory/1536-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-54.dat upx behavioral2/memory/1632-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-60.dat upx behavioral2/memory/1948-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-65.dat upx behavioral2/memory/4068-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-70.dat upx behavioral2/files/0x000a000000023b92-72.dat upx behavioral2/files/0x000a000000023b93-77.dat upx 
behavioral2/memory/992-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-82.dat upx behavioral2/files/0x000a000000023b95-86.dat upx behavioral2/memory/4124-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-90.dat upx behavioral2/memory/808-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2592-96-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-97.dat upx behavioral2/memory/2840-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-101.dat upx behavioral2/files/0x000a000000023b99-106.dat upx behavioral2/memory/4232-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4192-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b9a-113.dat upx behavioral2/files/0x000b000000023b9b-117.dat upx behavioral2/files/0x000b000000023b9c-121.dat upx behavioral2/memory/4564-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bab-125.dat upx behavioral2/memory/2720-127-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4100-130-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bb4-131.dat upx behavioral2/files/0x000b000000023b82-136.dat upx behavioral2/files/0x0009000000023bb9-140.dat upx behavioral2/memory/1360-139-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2588-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bba-145.dat upx behavioral2/files/0x0009000000023bbb-150.dat upx behavioral2/memory/4548-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bbf-154.dat upx behavioral2/memory/5072-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4852-163-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/3864-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4108-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdp.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4712 wrote to memory of 464 4712 2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13.exe 83 PID 4712 wrote to memory of 464 4712 2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13.exe 83 PID 4712 wrote to memory of 464 4712 2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13.exe 83 PID 464 wrote to memory of 1112 464 5bhbnn.exe 84 PID 464 wrote to memory of 1112 464 5bhbnn.exe 84 PID 464 wrote to memory of 1112 464 5bhbnn.exe 84 PID 1112 wrote to memory of 3328 1112 nhtntn.exe 85 PID 1112 wrote to memory of 3328 1112 nhtntn.exe 85 PID 1112 wrote to memory of 3328 1112 nhtntn.exe 85 PID 3328 wrote to memory of 1928 3328 7jpjj.exe 86 PID 3328 wrote to memory of 1928 3328 7jpjj.exe 86 PID 3328 wrote to memory of 1928 3328 7jpjj.exe 86 PID 1928 wrote to memory of 4348 1928 xrlxrff.exe 87 PID 1928 wrote to memory of 4348 1928 xrlxrff.exe 87 PID 1928 wrote to memory of 4348 1928 xrlxrff.exe 87 PID 4348 wrote to memory of 4140 4348 tthhbh.exe 88 PID 4348 wrote to memory of 4140 4348 tthhbh.exe 88 PID 4348 wrote to memory of 4140 4348 tthhbh.exe 88 PID 4140 wrote to memory of 3568 4140 7djvp.exe 89 PID 4140 wrote to memory of 3568 4140 7djvp.exe 89 PID 4140 wrote to memory of 3568 4140 7djvp.exe 89 PID 3568 wrote to memory of 2468 3568 fxxrrrl.exe 90 PID 3568 wrote to memory of 2468 3568 fxxrrrl.exe 90 PID 3568 wrote to memory of 2468 3568 fxxrrrl.exe 90 PID 2468 wrote to memory of 1536 2468 bhhnhb.exe 91 PID 2468 wrote to memory of 1536 2468 bhhnhb.exe 91 PID 2468 wrote to memory of 1536 2468 bhhnhb.exe 91 PID 1536 wrote to memory of 1632 1536 tnhbth.exe 92 PID 1536 wrote to memory of 1632 1536 tnhbth.exe 92 PID 1536 wrote to memory of 1632 1536 tnhbth.exe 92 PID 1632 wrote to memory of 1984 1632 vvjpv.exe 93 PID 1632 wrote to memory of 1984 1632 vvjpv.exe 93 PID 1632 wrote to memory of 1984 1632 vvjpv.exe 93 PID 1984 wrote to memory of 1948 1984 3hnbtt.exe 94 PID 1984 wrote to memory of 
1948 1984 3hnbtt.exe 94 PID 1984 wrote to memory of 1948 1984 3hnbtt.exe 94 PID 1948 wrote to memory of 4068 1948 5nbtbb.exe 95 PID 1948 wrote to memory of 4068 1948 5nbtbb.exe 95 PID 1948 wrote to memory of 4068 1948 5nbtbb.exe 95 PID 4068 wrote to memory of 4924 4068 nttnhb.exe 96 PID 4068 wrote to memory of 4924 4068 nttnhb.exe 96 PID 4068 wrote to memory of 4924 4068 nttnhb.exe 96 PID 4924 wrote to memory of 992 4924 pvdpj.exe 97 PID 4924 wrote to memory of 992 4924 pvdpj.exe 97 PID 4924 wrote to memory of 992 4924 pvdpj.exe 97 PID 992 wrote to memory of 2720 992 xxxlxrf.exe 98 PID 992 wrote to memory of 2720 992 xxxlxrf.exe 98 PID 992 wrote to memory of 2720 992 xxxlxrf.exe 98 PID 2720 wrote to memory of 4124 2720 nttnhh.exe 99 PID 2720 wrote to memory of 4124 2720 nttnhh.exe 99 PID 2720 wrote to memory of 4124 2720 nttnhh.exe 99 PID 4124 wrote to memory of 808 4124 htnbhb.exe 100 PID 4124 wrote to memory of 808 4124 htnbhb.exe 100 PID 4124 wrote to memory of 808 4124 htnbhb.exe 100 PID 808 wrote to memory of 2592 808 vddjd.exe 101 PID 808 wrote to memory of 2592 808 vddjd.exe 101 PID 808 wrote to memory of 2592 808 vddjd.exe 101 PID 2592 wrote to memory of 2840 2592 rxffxrl.exe 102 PID 2592 wrote to memory of 2840 2592 rxffxrl.exe 102 PID 2592 wrote to memory of 2840 2592 rxffxrl.exe 102 PID 2840 wrote to memory of 4232 2840 vvpvp.exe 103 PID 2840 wrote to memory of 4232 2840 vvpvp.exe 103 PID 2840 wrote to memory of 4232 2840 vvpvp.exe 103 PID 4232 wrote to memory of 4192 4232 dvpdd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13.exe"C:\Users\Admin\AppData\Local\Temp\2efa616d3b50db4693213e81277ac82f4e8629c657d5971a5781d99ea4d6cd13.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\5bhbnn.exec:\5bhbnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\nhtntn.exec:\nhtntn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\7jpjj.exec:\7jpjj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\xrlxrff.exec:\xrlxrff.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\tthhbh.exec:\tthhbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\7djvp.exec:\7djvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
\??\c:\fxxrrrl.exec:\fxxrrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\bhhnhb.exec:\bhhnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2468 -
\??\c:\tnhbth.exec:\tnhbth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1536 -
\??\c:\vvjpv.exec:\vvjpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\3hnbtt.exec:\3hnbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\5nbtbb.exec:\5nbtbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\nttnhb.exec:\nttnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
\??\c:\pvdpj.exec:\pvdpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992 -
\??\c:\nttnhh.exec:\nttnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
\??\c:\htnbhb.exec:\htnbhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124 -
\??\c:\vddjd.exec:\vddjd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\rxffxrl.exec:\rxffxrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592 -
\??\c:\vvpvp.exec:\vvpvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\dvpdd.exec:\dvpdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
\??\c:\rlxrffx.exec:\rlxrffx.exe23⤵
- Executes dropped EXE
PID:4192 -
\??\c:\5tbtbb.exec:\5tbtbb.exe24⤵
- Executes dropped EXE
PID:2088 -
\??\c:\3tbhth.exec:\3tbhth.exe25⤵
- Executes dropped EXE
PID:4564 -
\??\c:\jdddv.exec:\jdddv.exe26⤵
- Executes dropped EXE
PID:1756 -
\??\c:\rffxxxx.exec:\rffxxxx.exe27⤵
- Executes dropped EXE
PID:4100 -
\??\c:\frrlxrl.exec:\frrlxrl.exe28⤵
- Executes dropped EXE
PID:3908 -
\??\c:\jddvj.exec:\jddvj.exe29⤵
- Executes dropped EXE
PID:1360 -
\??\c:\rrxrlll.exec:\rrxrlll.exe30⤵
- Executes dropped EXE
PID:2588 -
\??\c:\nbttnn.exec:\nbttnn.exe31⤵
- Executes dropped EXE
PID:1716 -
\??\c:\dpdpd.exec:\dpdpd.exe32⤵
- Executes dropped EXE
PID:4548 -
\??\c:\ffrrlrr.exec:\ffrrlrr.exe33⤵
- Executes dropped EXE
PID:5072 -
\??\c:\thttnn.exec:\thttnn.exe34⤵
- Executes dropped EXE
PID:4136 -
\??\c:\tnnhtn.exec:\tnnhtn.exe35⤵
- Executes dropped EXE
PID:4852 -
\??\c:\vdvvp.exec:\vdvvp.exe36⤵
- Executes dropped EXE
PID:3864 -
\??\c:\llfxrll.exec:\llfxrll.exe37⤵
- Executes dropped EXE
PID:940 -
\??\c:\nntnbn.exec:\nntnbn.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2420 -
\??\c:\pdpjv.exec:\pdpjv.exe39⤵
- Executes dropped EXE
PID:1860 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe40⤵
- Executes dropped EXE
PID:4108 -
\??\c:\dddvd.exec:\dddvd.exe41⤵
- Executes dropped EXE
PID:4740 -
\??\c:\xrxrxxl.exec:\xrxrxxl.exe42⤵
- Executes dropped EXE
PID:3232 -
\??\c:\hhtnnn.exec:\hhtnnn.exe43⤵
- Executes dropped EXE
PID:4992 -
\??\c:\bthtnt.exec:\bthtnt.exe44⤵
- Executes dropped EXE
PID:5112 -
\??\c:\vvpdv.exec:\vvpdv.exe45⤵
- Executes dropped EXE
PID:1768 -
\??\c:\lflrxfl.exec:\lflrxfl.exe46⤵
- Executes dropped EXE
PID:212 -
\??\c:\xfffllf.exec:\xfffllf.exe47⤵
- Executes dropped EXE
PID:1676 -
\??\c:\tnttbn.exec:\tnttbn.exe48⤵
- Executes dropped EXE
PID:1564 -
\??\c:\vvvpj.exec:\vvvpj.exe49⤵
- Executes dropped EXE
PID:4428 -
\??\c:\vpvpv.exec:\vpvpv.exe50⤵
- Executes dropped EXE
PID:3664 -
\??\c:\rxlrffx.exec:\rxlrffx.exe51⤵PID:4376
-
\??\c:\rlfxrlf.exec:\rlfxrlf.exe52⤵
- Executes dropped EXE
PID:4356 -
\??\c:\nnhbbb.exec:\nnhbbb.exe53⤵
- Executes dropped EXE
PID:3548 -
\??\c:\ppdpp.exec:\ppdpp.exe54⤵
- Executes dropped EXE
PID:3336 -
\??\c:\5dvjv.exec:\5dvjv.exe55⤵
- Executes dropped EXE
PID:2032 -
\??\c:\9lxlxrl.exec:\9lxlxrl.exe56⤵
- Executes dropped EXE
PID:1112 -
\??\c:\rffxrrl.exec:\rffxrrl.exe57⤵
- Executes dropped EXE
PID:3328 -
\??\c:\nhbbtn.exec:\nhbbtn.exe58⤵
- Executes dropped EXE
PID:2796 -
\??\c:\vdddv.exec:\vdddv.exe59⤵
- Executes dropped EXE
PID:3780 -
\??\c:\lfrlfxr.exec:\lfrlfxr.exe60⤵
- Executes dropped EXE
PID:4816 -
\??\c:\9xxrlll.exec:\9xxrlll.exe61⤵
- Executes dropped EXE
PID:4836 -
\??\c:\hbnbbt.exec:\hbnbbt.exe62⤵
- Executes dropped EXE
PID:2480 -
\??\c:\hnthbt.exec:\hnthbt.exe63⤵
- Executes dropped EXE
PID:4512 -
\??\c:\djjdp.exec:\djjdp.exe64⤵
- Executes dropped EXE
PID:2468 -
\??\c:\fxrlrrr.exec:\fxrlrrr.exe65⤵
- Executes dropped EXE
PID:1536 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe66⤵
- Executes dropped EXE
PID:3200 -
\??\c:\xrlxrlf.exec:\xrlxrlf.exe67⤵PID:1560
-
\??\c:\vpvpv.exec:\vpvpv.exe68⤵PID:4252
-
\??\c:\fxffrll.exec:\fxffrll.exe69⤵PID:2036
-
\??\c:\bthbnn.exec:\bthbnn.exe70⤵PID:2608
-
\??\c:\hhbtht.exec:\hhbtht.exe71⤵PID:5000
-
\??\c:\vpjjv.exec:\vpjjv.exe72⤵PID:4908
-
\??\c:\rfrfxrl.exec:\rfrfxrl.exe73⤵PID:4552
-
\??\c:\1lffxrr.exec:\1lffxrr.exe74⤵PID:1800
-
\??\c:\htnttn.exec:\htnttn.exe75⤵PID:1908
-
\??\c:\hbbnnh.exec:\hbbnnh.exe76⤵PID:756
-
\??\c:\pddpj.exec:\pddpj.exe77⤵PID:3420
-
\??\c:\rflxrlf.exec:\rflxrlf.exe78⤵PID:676
-
\??\c:\3bnhbt.exec:\3bnhbt.exe79⤵PID:4532
-
\??\c:\tbbbtb.exec:\tbbbtb.exe80⤵PID:2592
-
\??\c:\bnhbtn.exec:\bnhbtn.exe81⤵PID:2460
-
\??\c:\jdvdv.exec:\jdvdv.exe82⤵PID:5004
-
\??\c:\lfxllff.exec:\lfxllff.exe83⤵PID:4932
-
\??\c:\fllxxlf.exec:\fllxxlf.exe84⤵PID:3028
-
\??\c:\tbtnnb.exec:\tbtnnb.exe85⤵PID:736
-
\??\c:\bttnbh.exec:\bttnbh.exe86⤵PID:4820
-
\??\c:\vdpdv.exec:\vdpdv.exe87⤵PID:3452
-
\??\c:\xfxrfxr.exec:\xfxrfxr.exe88⤵PID:4976
-
\??\c:\rffxrrl.exec:\rffxrrl.exe89⤵PID:4840
-
\??\c:\5lfflrx.exec:\5lfflrx.exe90⤵PID:2280
-
\??\c:\nhnntn.exec:\nhnntn.exe91⤵PID:3720
-
\??\c:\dpvjd.exec:\dpvjd.exe92⤵PID:448
-
\??\c:\jpvpd.exec:\jpvpd.exe93⤵PID:532
-
\??\c:\fflfrrl.exec:\fflfrrl.exe94⤵PID:5020
-
\??\c:\5rllfff.exec:\5rllfff.exe95⤵PID:5092
-
\??\c:\hhnhtn.exec:\hhnhtn.exe96⤵PID:4496
-
\??\c:\bhtnht.exec:\bhtnht.exe97⤵PID:4548
-
\??\c:\5ppdv.exec:\5ppdv.exe98⤵PID:852
-
\??\c:\7rrrlff.exec:\7rrrlff.exe99⤵PID:3712
-
\??\c:\fxxrrrr.exec:\fxxrrrr.exe100⤵PID:396
-
\??\c:\hbttnh.exec:\hbttnh.exe101⤵PID:3192
-
\??\c:\nbbnhb.exec:\nbbnhb.exe102⤵PID:3612
-
\??\c:\dvdvv.exec:\dvdvv.exe103⤵PID:2924
-
\??\c:\dppdp.exec:\dppdp.exe104⤵
- System Location Discovery: System Language Discovery
PID:1040 -
\??\c:\9llxlfx.exec:\9llxlfx.exe105⤵PID:2336
-
\??\c:\nbbtnh.exec:\nbbtnh.exe106⤵
- System Location Discovery: System Language Discovery
PID:4108 -
\??\c:\httntt.exec:\httntt.exe107⤵PID:3632
-
\??\c:\pjvdv.exec:\pjvdv.exe108⤵PID:3576
-
\??\c:\llfxxxx.exec:\llfxxxx.exe109⤵PID:100
-
\??\c:\xrrrlll.exec:\xrrrlll.exe110⤵PID:732
-
\??\c:\hbhhhh.exec:\hbhhhh.exe111⤵PID:1496
-
\??\c:\djddj.exec:\djddj.exe112⤵PID:1372
-
\??\c:\jvvvd.exec:\jvvvd.exe113⤵PID:2652
-
\??\c:\fxlxrlf.exec:\fxlxrlf.exe114⤵PID:4056
-
\??\c:\bthnbn.exec:\bthnbn.exe115⤵PID:2136
-
\??\c:\thttnt.exec:\thttnt.exe116⤵PID:5080
-
\??\c:\3pjdp.exec:\3pjdp.exe117⤵PID:2008
-
\??\c:\vjddv.exec:\vjddv.exe118⤵PID:4376
-
\??\c:\fxxrllx.exec:\fxxrllx.exe119⤵PID:4356
-
\??\c:\hthbtt.exec:\hthbtt.exe120⤵PID:3548
-
\??\c:\ntbbnn.exec:\ntbbnn.exe121⤵PID:4904
-
\??\c:\jdvpj.exec:\jdvpj.exe122⤵PID:2032