Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2024 01:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421N.exe
-
Size
456KB
-
MD5
117da6eb82496c10554430683054b840
-
SHA1
0ee3eb5f8360581a896e0f77f177e29be7ebaf45
-
SHA256
2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421
-
SHA512
bd419d2e3f58fbce14f40df9f391063f17ac110e82404d7f37f151c0387db3ac42089ddc4f1209ef0f452999b2996e646bcc2a3559ad2326358cd4eb02deddd9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRZ:q7Tc2NYHUrAwfMp3CDRZ
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/4320-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4956-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5044-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1296-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3508-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3160-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-337-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3908-449-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-602-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-667-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-1176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2540 flxrrrr.exe 436 vpjdv.exe 4012 hnthhb.exe 1020 9vjdj.exe 1228 vddvv.exe 3216 bnbtth.exe 4208 9vvpp.exe 2464 1ntnhb.exe 1924 7jjjj.exe 932 htthbb.exe 4120 xxlflfl.exe 1844 btntht.exe 3444 lfxlxrf.exe 4956 hbtnhb.exe 2960 rlrlfff.exe 4792 vpjvd.exe 3244 vdvdp.exe 4948 htnhbt.exe 4820 7ppdv.exe 2348 xrrlxrl.exe 4892 7rffxlr.exe 3232 jdvpv.exe 3744 bnhbbt.exe 1624 jpjvj.exe 1944 7lllxrl.exe 5044 htttnh.exe 3256 5xxrllf.exe 1628 1flfrlf.exe 4612 5btntt.exe 5020 thhtht.exe 3308 5fxxxrl.exe 760 5ppjj.exe 1360 xffrlxr.exe 4260 9nhtnh.exe 3784 1pvpv.exe 4292 nhhtth.exe 5060 9vpdj.exe 868 7jjdv.exe 4828 5ffrllf.exe 1556 tnhtbh.exe 4912 dvvpj.exe 3212 rxxrrrl.exe 3452 7hbbtn.exe 3068 1nttnt.exe 4696 jjpdd.exe 4000 1xrfxxr.exe 4356 bhtnhh.exe 4556 vjddv.exe 2200 frrllff.exe 4620 3xxrxxx.exe 3944 hhtbhh.exe 4884 jddvv.exe 2772 vvvpj.exe 4156 rxrxrxx.exe 1408 bbhhtt.exe 348 jjpjv.exe 3684 lflxrrf.exe 468 1ttnhh.exe 1296 3ttnhb.exe 2020 ppjpd.exe 2260 lfffxxx.exe 540 nhhbtn.exe 3800 dpppp.exe 5096 rrrxrlf.exe -
resource yara_rule behavioral2/memory/4320-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4956-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-154-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3256-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1296-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3160-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-337-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4316-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3908-449-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-602-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-667-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-692-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-803-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ddvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxllllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4320 wrote to memory of 2540 4320 2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421N.exe 83 PID 4320 wrote to memory of 2540 4320 2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421N.exe 83 PID 4320 wrote to memory of 2540 4320 2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421N.exe 83 PID 2540 wrote to memory of 436 2540 flxrrrr.exe 84 PID 2540 wrote to memory of 436 2540 flxrrrr.exe 84 PID 2540 wrote to memory of 436 2540 flxrrrr.exe 84 PID 436 wrote to memory of 4012 436 vpjdv.exe 85 PID 436 wrote to memory of 4012 436 vpjdv.exe 85 PID 436 wrote to memory of 4012 436 vpjdv.exe 85 PID 4012 wrote to memory of 1020 4012 hnthhb.exe 86 PID 4012 wrote to memory of 1020 4012 hnthhb.exe 86 PID 4012 wrote to memory of 1020 4012 hnthhb.exe 86 PID 1020 wrote to memory of 1228 1020 9vjdj.exe 87 PID 1020 wrote to memory of 1228 1020 9vjdj.exe 87 PID 1020 wrote to memory of 1228 1020 9vjdj.exe 87 PID 1228 wrote to memory of 3216 1228 vddvv.exe 88 PID 1228 wrote to memory of 3216 1228 vddvv.exe 88 PID 1228 wrote to memory of 3216 1228 vddvv.exe 88 PID 3216 wrote to memory of 4208 3216 bnbtth.exe 89 PID 3216 wrote to memory of 4208 3216 bnbtth.exe 89 PID 3216 wrote to memory of 4208 3216 bnbtth.exe 89 PID 4208 wrote to memory of 2464 4208 9vvpp.exe 90 PID 4208 wrote to memory of 2464 4208 9vvpp.exe 90 PID 4208 wrote to memory of 2464 4208 9vvpp.exe 90 PID 2464 wrote to memory of 1924 2464 1ntnhb.exe 91 PID 2464 wrote to memory of 1924 2464 1ntnhb.exe 91 PID 2464 wrote to memory of 1924 2464 1ntnhb.exe 91 PID 1924 wrote to memory of 932 1924 7jjjj.exe 92 PID 1924 wrote to memory of 932 1924 7jjjj.exe 92 PID 1924 wrote to memory of 932 1924 7jjjj.exe 92 PID 932 wrote to memory of 4120 932 htthbb.exe 93 PID 932 wrote to memory of 4120 932 htthbb.exe 93 PID 932 wrote to memory of 4120 932 htthbb.exe 93 PID 4120 wrote to memory of 1844 4120 xxlflfl.exe 94 PID 4120 wrote to memory of 1844 4120 
xxlflfl.exe 94 PID 4120 wrote to memory of 1844 4120 xxlflfl.exe 94 PID 1844 wrote to memory of 3444 1844 btntht.exe 95 PID 1844 wrote to memory of 3444 1844 btntht.exe 95 PID 1844 wrote to memory of 3444 1844 btntht.exe 95 PID 3444 wrote to memory of 4956 3444 lfxlxrf.exe 96 PID 3444 wrote to memory of 4956 3444 lfxlxrf.exe 96 PID 3444 wrote to memory of 4956 3444 lfxlxrf.exe 96 PID 4956 wrote to memory of 2960 4956 hbtnhb.exe 97 PID 4956 wrote to memory of 2960 4956 hbtnhb.exe 97 PID 4956 wrote to memory of 2960 4956 hbtnhb.exe 97 PID 2960 wrote to memory of 4792 2960 rlrlfff.exe 98 PID 2960 wrote to memory of 4792 2960 rlrlfff.exe 98 PID 2960 wrote to memory of 4792 2960 rlrlfff.exe 98 PID 4792 wrote to memory of 3244 4792 vpjvd.exe 99 PID 4792 wrote to memory of 3244 4792 vpjvd.exe 99 PID 4792 wrote to memory of 3244 4792 vpjvd.exe 99 PID 3244 wrote to memory of 4948 3244 vdvdp.exe 100 PID 3244 wrote to memory of 4948 3244 vdvdp.exe 100 PID 3244 wrote to memory of 4948 3244 vdvdp.exe 100 PID 4948 wrote to memory of 4820 4948 htnhbt.exe 101 PID 4948 wrote to memory of 4820 4948 htnhbt.exe 101 PID 4948 wrote to memory of 4820 4948 htnhbt.exe 101 PID 4820 wrote to memory of 2348 4820 7ppdv.exe 102 PID 4820 wrote to memory of 2348 4820 7ppdv.exe 102 PID 4820 wrote to memory of 2348 4820 7ppdv.exe 102 PID 2348 wrote to memory of 4892 2348 xrrlxrl.exe 103 PID 2348 wrote to memory of 4892 2348 xrrlxrl.exe 103 PID 2348 wrote to memory of 4892 2348 xrrlxrl.exe 103 PID 4892 wrote to memory of 3232 4892 7rffxlr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421N.exe"C:\Users\Admin\AppData\Local\Temp\2bcd0f34c3b05a26f98c48cc1f939e57f81bc03cd4c14509e867487511371421N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4320 -
\??\c:\flxrrrr.exec:\flxrrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2540 -
\??\c:\vpjdv.exec:\vpjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\hnthhb.exec:\hnthhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\9vjdj.exec:\9vjdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
\??\c:\vddvv.exec:\vddvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1228 -
\??\c:\bnbtth.exec:\bnbtth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\9vvpp.exec:\9vvpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\1ntnhb.exec:\1ntnhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\7jjjj.exec:\7jjjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\htthbb.exec:\htthbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\xxlflfl.exec:\xxlflfl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\btntht.exec:\btntht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\lfxlxrf.exec:\lfxlxrf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\hbtnhb.exec:\hbtnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\rlrlfff.exec:\rlrlfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\vpjvd.exec:\vpjvd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\vdvdp.exec:\vdvdp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3244 -
\??\c:\htnhbt.exec:\htnhbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
\??\c:\7ppdv.exec:\7ppdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\xrrlxrl.exec:\xrrlxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348 -
\??\c:\7rffxlr.exec:\7rffxlr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\jdvpv.exec:\jdvpv.exe23⤵
- Executes dropped EXE
PID:3232 -
\??\c:\bnhbbt.exec:\bnhbbt.exe24⤵
- Executes dropped EXE
PID:3744 -
\??\c:\jpjvj.exec:\jpjvj.exe25⤵
- Executes dropped EXE
PID:1624 -
\??\c:\7lllxrl.exec:\7lllxrl.exe26⤵
- Executes dropped EXE
PID:1944 -
\??\c:\htttnh.exec:\htttnh.exe27⤵
- Executes dropped EXE
PID:5044 -
\??\c:\5xxrllf.exec:\5xxrllf.exe28⤵
- Executes dropped EXE
PID:3256 -
\??\c:\1flfrlf.exec:\1flfrlf.exe29⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5btntt.exec:\5btntt.exe30⤵
- Executes dropped EXE
PID:4612 -
\??\c:\thhtht.exec:\thhtht.exe31⤵
- Executes dropped EXE
PID:5020 -
\??\c:\5fxxxrl.exec:\5fxxxrl.exe32⤵
- Executes dropped EXE
PID:3308 -
\??\c:\5ppjj.exec:\5ppjj.exe33⤵
- Executes dropped EXE
PID:760 -
\??\c:\xffrlxr.exec:\xffrlxr.exe34⤵
- Executes dropped EXE
PID:1360 -
\??\c:\9nhtnh.exec:\9nhtnh.exe35⤵
- Executes dropped EXE
PID:4260 -
\??\c:\1pvpv.exec:\1pvpv.exe36⤵
- Executes dropped EXE
PID:3784 -
\??\c:\nhhtth.exec:\nhhtth.exe37⤵
- Executes dropped EXE
PID:4292 -
\??\c:\9vpdj.exec:\9vpdj.exe38⤵
- Executes dropped EXE
PID:5060 -
\??\c:\7jjdv.exec:\7jjdv.exe39⤵
- Executes dropped EXE
PID:868 -
\??\c:\5ffrllf.exec:\5ffrllf.exe40⤵
- Executes dropped EXE
PID:4828 -
\??\c:\tnhtbh.exec:\tnhtbh.exe41⤵
- Executes dropped EXE
PID:1556 -
\??\c:\dvvpj.exec:\dvvpj.exe42⤵
- Executes dropped EXE
PID:4912 -
\??\c:\rxxrrrl.exec:\rxxrrrl.exe43⤵
- Executes dropped EXE
PID:3212 -
\??\c:\7hbbtn.exec:\7hbbtn.exe44⤵
- Executes dropped EXE
PID:3452 -
\??\c:\1nttnt.exec:\1nttnt.exe45⤵
- Executes dropped EXE
PID:3068 -
\??\c:\jjpdd.exec:\jjpdd.exe46⤵
- Executes dropped EXE
PID:4696 -
\??\c:\1xrfxxr.exec:\1xrfxxr.exe47⤵
- Executes dropped EXE
PID:4000 -
\??\c:\bhtnhh.exec:\bhtnhh.exe48⤵
- Executes dropped EXE
PID:4356 -
\??\c:\vjddv.exec:\vjddv.exe49⤵
- Executes dropped EXE
PID:4556 -
\??\c:\frrllff.exec:\frrllff.exe50⤵
- Executes dropped EXE
PID:2200 -
\??\c:\3xxrxxx.exec:\3xxrxxx.exe51⤵
- Executes dropped EXE
PID:4620 -
\??\c:\hhtbhh.exec:\hhtbhh.exe52⤵
- Executes dropped EXE
PID:3944 -
\??\c:\jddvv.exec:\jddvv.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4884 -
\??\c:\vvvpj.exec:\vvvpj.exe54⤵
- Executes dropped EXE
PID:2772 -
\??\c:\rxrxrxx.exec:\rxrxrxx.exe55⤵
- Executes dropped EXE
PID:4156 -
\??\c:\bbhhtt.exec:\bbhhtt.exe56⤵
- Executes dropped EXE
PID:1408 -
\??\c:\jjpjv.exec:\jjpjv.exe57⤵
- Executes dropped EXE
PID:348 -
\??\c:\lflxrrf.exec:\lflxrrf.exe58⤵
- Executes dropped EXE
PID:3684 -
\??\c:\1ttnhh.exec:\1ttnhh.exe59⤵
- Executes dropped EXE
PID:468 -
\??\c:\3ttnhb.exec:\3ttnhb.exe60⤵
- Executes dropped EXE
PID:1296 -
\??\c:\ppjpd.exec:\ppjpd.exe61⤵
- Executes dropped EXE
PID:2020 -
\??\c:\lfffxxx.exec:\lfffxxx.exe62⤵
- Executes dropped EXE
PID:2260 -
\??\c:\nhhbtn.exec:\nhhbtn.exe63⤵
- Executes dropped EXE
PID:540 -
\??\c:\dpppp.exec:\dpppp.exe64⤵
- Executes dropped EXE
PID:3800 -
\??\c:\rrrxrlf.exec:\rrrxrlf.exe65⤵
- Executes dropped EXE
PID:5096 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe66⤵PID:3584
-
\??\c:\btnhnh.exec:\btnhnh.exe67⤵PID:212
-
\??\c:\1vjdj.exec:\1vjdj.exe68⤵PID:4444
-
\??\c:\xlrllll.exec:\xlrllll.exe69⤵PID:3444
-
\??\c:\bbhbtb.exec:\bbhbtb.exe70⤵PID:2964
-
\??\c:\dpdpj.exec:\dpdpj.exe71⤵PID:440
-
\??\c:\7djpp.exec:\7djpp.exe72⤵PID:3508
-
\??\c:\lfxrxxr.exec:\lfxrxxr.exe73⤵PID:3032
-
\??\c:\5btbbb.exec:\5btbbb.exe74⤵PID:4844
-
\??\c:\ttbtnh.exec:\ttbtnh.exe75⤵PID:3160
-
\??\c:\9pppp.exec:\9pppp.exe76⤵PID:3660
-
\??\c:\rffffff.exec:\rffffff.exe77⤵PID:4316
-
\??\c:\nbnnhn.exec:\nbnnhn.exe78⤵PID:4024
-
\??\c:\jvdvp.exec:\jvdvp.exe79⤵PID:5072
-
\??\c:\vpvpj.exec:\vpvpj.exe80⤵PID:1008
-
\??\c:\xrxxxxf.exec:\xrxxxxf.exe81⤵PID:5016
-
\??\c:\tnbttt.exec:\tnbttt.exe82⤵PID:3792
-
\??\c:\pjppp.exec:\pjppp.exe83⤵PID:1624
-
\??\c:\lxfxlll.exec:\lxfxlll.exe84⤵PID:1440
-
\??\c:\tnnbtt.exec:\tnnbtt.exe85⤵PID:2136
-
\??\c:\tbbntb.exec:\tbbntb.exe86⤵PID:3988
-
\??\c:\pjjdv.exec:\pjjdv.exe87⤵PID:3256
-
\??\c:\llrlrrx.exec:\llrlrrx.exe88⤵PID:1628
-
\??\c:\ttnnnh.exec:\ttnnnh.exe89⤵PID:2936
-
\??\c:\tnttnh.exec:\tnttnh.exe90⤵PID:2948
-
\??\c:\pdjvp.exec:\pdjvp.exe91⤵PID:5024
-
\??\c:\xxllxxl.exec:\xxllxxl.exe92⤵PID:5064
-
\??\c:\9tnhbb.exec:\9tnhbb.exe93⤵PID:3308
-
\??\c:\9pvvp.exec:\9pvvp.exe94⤵PID:2052
-
\??\c:\vpvpp.exec:\vpvpp.exe95⤵PID:1824
-
\??\c:\xlflflf.exec:\xlflflf.exe96⤵PID:1360
-
\??\c:\hnttnn.exec:\hnttnn.exe97⤵PID:3924
-
\??\c:\jddvp.exec:\jddvp.exe98⤵PID:8
-
\??\c:\jdvdd.exec:\jdvdd.exe99⤵PID:1724
-
\??\c:\frxrrlr.exec:\frxrrlr.exe100⤵PID:1108
-
\??\c:\lfrrfxl.exec:\lfrrfxl.exe101⤵PID:4760
-
\??\c:\5tnnhb.exec:\5tnnhb.exe102⤵
- System Location Discovery: System Language Discovery
PID:1304 -
\??\c:\5jvjd.exec:\5jvjd.exe103⤵PID:5032
-
\??\c:\xflfrrl.exec:\xflfrrl.exe104⤵PID:1620
-
\??\c:\tthbtt.exec:\tthbtt.exe105⤵PID:3588
-
\??\c:\7vpvj.exec:\7vpvj.exe106⤵PID:3452
-
\??\c:\pjpjd.exec:\pjpjd.exe107⤵PID:1328
-
\??\c:\7rxxrxr.exec:\7rxxrxr.exe108⤵PID:4340
-
\??\c:\thnhhh.exec:\thnhhh.exe109⤵PID:3808
-
\??\c:\ppjjd.exec:\ppjjd.exe110⤵PID:2180
-
\??\c:\ddvpd.exec:\ddvpd.exe111⤵PID:3908
-
\??\c:\1ffxxxr.exec:\1ffxxxr.exe112⤵PID:2096
-
\??\c:\3thbtt.exec:\3thbtt.exe113⤵PID:4932
-
\??\c:\5jjdv.exec:\5jjdv.exe114⤵PID:4012
-
\??\c:\fxxrlff.exec:\fxxrlff.exe115⤵PID:180
-
\??\c:\rllllff.exec:\rllllff.exe116⤵PID:228
-
\??\c:\bbnbht.exec:\bbnbht.exe117⤵PID:4400
-
\??\c:\1ddvp.exec:\1ddvp.exe118⤵PID:1668
-
\??\c:\lfrlffx.exec:\lfrlffx.exe119⤵PID:2056
-
\??\c:\nnhbbh.exec:\nnhbbh.exe120⤵PID:4376
-
\??\c:\tthbhh.exec:\tthbhh.exe121⤵PID:4796
-
\??\c:\dppjj.exec:\dppjj.exe122⤵PID:2464