Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
25-12-2024 19:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe
-
Size
454KB
-
MD5
6487f96ed5baf873c7c08ebf03e24ec0
-
SHA1
dface4a32a8109a86c8fbde4a21cc26b915a33d8
-
SHA256
ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfa
-
SHA512
4090650089ed61df43770f5747df261fc77fca6392868a63046dfea1adbc8a380ece83c2f0f430a0a88e01583fa967d384075b55cc2471081998af52e22fbdac
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT:q7Tc2NYHUrAwfMp3CDT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs. Note: every hit below is on a memory dump of the 0x0000000000400000-0x000000000042A000 image region of a running process, not on a file on disk, and the same regions also match the generic UPX rule further down; for on-disk hunting rely on the file hashes listed under General and verify the dropped executables separately, since this page does not list their hashes.
resource yara_rule behavioral2/memory/4808-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/556-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2976-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/68-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1368-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2172-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2728-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3444-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1148-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2276-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-371-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1852-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-559-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-612-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-789-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-1359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-1402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs. Note: PIDs are reused within this run (3976 appears for both 5lllxrf.exe and jddpj.exe; 3432 for thnbtt.exe and, in the process tree, ffxrrlf.exe), so correlate on PID plus process name rather than PID alone when pivoting between the sections of this report.
pid Process 3976 5lllxrf.exe 2164 tnbhnh.exe 3236 nhhntt.exe 556 5ffxrrr.exe 2976 pvdpp.exe 2876 xxrlrlr.exe 4476 dvppj.exe 68 rrlfxxr.exe 4472 9pppp.exe 3712 fllfxrr.exe 1368 nhhhhh.exe 1792 1llfxxr.exe 1344 bbhbhh.exe 3124 vjpjj.exe 2088 lxlxlfx.exe 816 nhhhbb.exe 3492 lxlxrxr.exe 3208 bnhbtn.exe 2584 3lflffl.exe 3432 thnbtt.exe 680 hnnnhh.exe 5092 jjpvv.exe 4396 1bnbnn.exe 4572 jpjvj.exe 2172 rlrfxfx.exe 640 3hhtnn.exe 2300 jppvj.exe 1360 hbttnh.exe 4720 pppdp.exe 4540 nbhhnn.exe 5068 ttthbb.exe 696 lrrfrlf.exe 1996 fxfxxxx.exe 4092 vdjdv.exe 2188 fffrfxl.exe 3128 bthhnn.exe 3024 jvdvp.exe 3200 1fxlfxr.exe 2780 ntbtnh.exe 2728 7dpjv.exe 1264 rlfrllr.exe 372 flrlfxx.exe 3184 ttbntn.exe 5020 3dddp.exe 4496 xrxxxxx.exe 4356 3tthbt.exe 4568 bhnbnh.exe 3976 jddpj.exe 2184 xlxlrxl.exe 3248 tbhhbb.exe 3572 3vppd.exe 3444 rxxrfxr.exe 3512 9hbbtb.exe 1092 pddvp.exe 2804 rfxlxlx.exe 3464 tnhhbh.exe 4760 dvpjv.exe 3972 pvvpp.exe 3180 5rrlfff.exe 3616 nhnhhb.exe 3104 ddpdj.exe 4172 xflxxrl.exe 1744 5nnhbb.exe 4756 9nnhhh.exe -
resource yara_rule behavioral2/memory/4808-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/556-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2976-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/68-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1368-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2300-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2728-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1148-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-371-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-375-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3396-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-383-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1852-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-559-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-612-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-649-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note: on its own, a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language is a weak indicator (runtimes and installers read this key routinely); treat it as supporting context for the Blackmoon detection rather than as an independent signal. Entries attributed to "Process not Found" are reads the sandbox could not tie to a live process, presumably because the short-lived child had already exited when the event was attributed — confirm against the process tree before reporting them.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxrfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5nhnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xflfxr.exe -
Suspicious use of WriteProcessMemory 64 IoCs. Note: each parent-to-child pair is recorded three times (e.g. 4808 -> 3976 for the sample itself), and every write targets the process that the writer has just spawned, forming a strictly linear chain (each process launches exactly one successor). This pattern is consistent with the writes a parent performs while creating a child process; there is no evidence on this page of writes into an unrelated, pre-existing process, so treat this as process-chain activity rather than classic remote injection unless the full event log shows otherwise.
description pid Process procid_target PID 4808 wrote to memory of 3976 4808 ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe 82 PID 4808 wrote to memory of 3976 4808 ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe 82 PID 4808 wrote to memory of 3976 4808 ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe 82 PID 3976 wrote to memory of 2164 3976 5lllxrf.exe 83 PID 3976 wrote to memory of 2164 3976 5lllxrf.exe 83 PID 3976 wrote to memory of 2164 3976 5lllxrf.exe 83 PID 2164 wrote to memory of 3236 2164 tnbhnh.exe 84 PID 2164 wrote to memory of 3236 2164 tnbhnh.exe 84 PID 2164 wrote to memory of 3236 2164 tnbhnh.exe 84 PID 3236 wrote to memory of 556 3236 nhhntt.exe 85 PID 3236 wrote to memory of 556 3236 nhhntt.exe 85 PID 3236 wrote to memory of 556 3236 nhhntt.exe 85 PID 556 wrote to memory of 2976 556 5ffxrrr.exe 86 PID 556 wrote to memory of 2976 556 5ffxrrr.exe 86 PID 556 wrote to memory of 2976 556 5ffxrrr.exe 86 PID 2976 wrote to memory of 2876 2976 pvdpp.exe 87 PID 2976 wrote to memory of 2876 2976 pvdpp.exe 87 PID 2976 wrote to memory of 2876 2976 pvdpp.exe 87 PID 2876 wrote to memory of 4476 2876 xxrlrlr.exe 88 PID 2876 wrote to memory of 4476 2876 xxrlrlr.exe 88 PID 2876 wrote to memory of 4476 2876 xxrlrlr.exe 88 PID 4476 wrote to memory of 68 4476 dvppj.exe 89 PID 4476 wrote to memory of 68 4476 dvppj.exe 89 PID 4476 wrote to memory of 68 4476 dvppj.exe 89 PID 68 wrote to memory of 4472 68 rrlfxxr.exe 90 PID 68 wrote to memory of 4472 68 rrlfxxr.exe 90 PID 68 wrote to memory of 4472 68 rrlfxxr.exe 90 PID 4472 wrote to memory of 3712 4472 9pppp.exe 91 PID 4472 wrote to memory of 3712 4472 9pppp.exe 91 PID 4472 wrote to memory of 3712 4472 9pppp.exe 91 PID 3712 wrote to memory of 1368 3712 fllfxrr.exe 92 PID 3712 wrote to memory of 1368 3712 fllfxrr.exe 92 PID 3712 wrote to memory of 1368 3712 fllfxrr.exe 92 PID 1368 wrote to memory of 1792 1368 nhhhhh.exe 93 PID 1368 wrote to memory of 1792 1368 
nhhhhh.exe 93 PID 1368 wrote to memory of 1792 1368 nhhhhh.exe 93 PID 1792 wrote to memory of 1344 1792 1llfxxr.exe 94 PID 1792 wrote to memory of 1344 1792 1llfxxr.exe 94 PID 1792 wrote to memory of 1344 1792 1llfxxr.exe 94 PID 1344 wrote to memory of 3124 1344 bbhbhh.exe 95 PID 1344 wrote to memory of 3124 1344 bbhbhh.exe 95 PID 1344 wrote to memory of 3124 1344 bbhbhh.exe 95 PID 3124 wrote to memory of 2088 3124 vjpjj.exe 96 PID 3124 wrote to memory of 2088 3124 vjpjj.exe 96 PID 3124 wrote to memory of 2088 3124 vjpjj.exe 96 PID 2088 wrote to memory of 816 2088 lxlxlfx.exe 97 PID 2088 wrote to memory of 816 2088 lxlxlfx.exe 97 PID 2088 wrote to memory of 816 2088 lxlxlfx.exe 97 PID 816 wrote to memory of 3492 816 nhhhbb.exe 98 PID 816 wrote to memory of 3492 816 nhhhbb.exe 98 PID 816 wrote to memory of 3492 816 nhhhbb.exe 98 PID 3492 wrote to memory of 3208 3492 lxlxrxr.exe 99 PID 3492 wrote to memory of 3208 3492 lxlxrxr.exe 99 PID 3492 wrote to memory of 3208 3492 lxlxrxr.exe 99 PID 3208 wrote to memory of 2584 3208 bnhbtn.exe 100 PID 3208 wrote to memory of 2584 3208 bnhbtn.exe 100 PID 3208 wrote to memory of 2584 3208 bnhbtn.exe 100 PID 2584 wrote to memory of 3432 2584 3lflffl.exe 101 PID 2584 wrote to memory of 3432 2584 3lflffl.exe 101 PID 2584 wrote to memory of 3432 2584 3lflffl.exe 101 PID 3432 wrote to memory of 680 3432 thnbtt.exe 102 PID 3432 wrote to memory of 680 3432 thnbtt.exe 102 PID 3432 wrote to memory of 680 3432 thnbtt.exe 102 PID 680 wrote to memory of 5092 680 hnnnhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe"C:\Users\Admin\AppData\Local\Temp\ef069e6ba3d01fd76248a382e2faf0258f8d12696195bbe51b8ea1bccb5adbfaN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\5lllxrf.exec:\5lllxrf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\tnbhnh.exec:\tnbhnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2164 -
\??\c:\nhhntt.exec:\nhhntt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\5ffxrrr.exec:\5ffxrrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\pvdpp.exec:\pvdpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\xxrlrlr.exec:\xxrlrlr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2876 -
\??\c:\dvppj.exec:\dvppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\rrlfxxr.exec:\rrlfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:68 -
\??\c:\9pppp.exec:\9pppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\fllfxrr.exec:\fllfxrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\nhhhhh.exec:\nhhhhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\1llfxxr.exec:\1llfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1792 -
\??\c:\bbhbhh.exec:\bbhbhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344 -
\??\c:\vjpjj.exec:\vjpjj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\lxlxlfx.exec:\lxlxlfx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
\??\c:\nhhhbb.exec:\nhhhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:816 -
\??\c:\lxlxrxr.exec:\lxlxrxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\bnhbtn.exec:\bnhbtn.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3208 -
\??\c:\3lflffl.exec:\3lflffl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\thnbtt.exec:\thnbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\hnnnhh.exec:\hnnnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\jjpvv.exec:\jjpvv.exe23⤵
- Executes dropped EXE
PID:5092 -
\??\c:\1bnbnn.exec:\1bnbnn.exe24⤵
- Executes dropped EXE
PID:4396 -
\??\c:\jpjvj.exec:\jpjvj.exe25⤵
- Executes dropped EXE
PID:4572 -
\??\c:\rlrfxfx.exec:\rlrfxfx.exe26⤵
- Executes dropped EXE
PID:2172 -
\??\c:\3hhtnn.exec:\3hhtnn.exe27⤵
- Executes dropped EXE
PID:640 -
\??\c:\jppvj.exec:\jppvj.exe28⤵
- Executes dropped EXE
PID:2300 -
\??\c:\hbttnh.exec:\hbttnh.exe29⤵
- Executes dropped EXE
PID:1360 -
\??\c:\pppdp.exec:\pppdp.exe30⤵
- Executes dropped EXE
PID:4720 -
\??\c:\nbhhnn.exec:\nbhhnn.exe31⤵
- Executes dropped EXE
PID:4540 -
\??\c:\ttthbb.exec:\ttthbb.exe32⤵
- Executes dropped EXE
PID:5068 -
\??\c:\lrrfrlf.exec:\lrrfrlf.exe33⤵
- Executes dropped EXE
PID:696 -
\??\c:\fxfxxxx.exec:\fxfxxxx.exe34⤵
- Executes dropped EXE
PID:1996 -
\??\c:\vdjdv.exec:\vdjdv.exe35⤵
- Executes dropped EXE
PID:4092 -
\??\c:\fffrfxl.exec:\fffrfxl.exe36⤵
- Executes dropped EXE
PID:2188 -
\??\c:\bthhnn.exec:\bthhnn.exe37⤵
- Executes dropped EXE
PID:3128 -
\??\c:\jvdvp.exec:\jvdvp.exe38⤵
- Executes dropped EXE
PID:3024 -
\??\c:\1fxlfxr.exec:\1fxlfxr.exe39⤵
- Executes dropped EXE
PID:3200 -
\??\c:\ntbtnh.exec:\ntbtnh.exe40⤵
- Executes dropped EXE
PID:2780 -
\??\c:\7dpjv.exec:\7dpjv.exe41⤵
- Executes dropped EXE
PID:2728 -
\??\c:\rlfrllr.exec:\rlfrllr.exe42⤵
- Executes dropped EXE
PID:1264 -
\??\c:\flrlfxx.exec:\flrlfxx.exe43⤵
- Executes dropped EXE
PID:372 -
\??\c:\ttbntn.exec:\ttbntn.exe44⤵
- Executes dropped EXE
PID:3184 -
\??\c:\3dddp.exec:\3dddp.exe45⤵
- Executes dropped EXE
PID:5020 -
\??\c:\xrxxxxx.exec:\xrxxxxx.exe46⤵
- Executes dropped EXE
PID:4496 -
\??\c:\3tthbt.exec:\3tthbt.exe47⤵
- Executes dropped EXE
PID:4356 -
\??\c:\bhnbnh.exec:\bhnbnh.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4568 -
\??\c:\jddpj.exec:\jddpj.exe49⤵
- Executes dropped EXE
PID:3976 -
\??\c:\xlxlrxl.exec:\xlxlrxl.exe50⤵
- Executes dropped EXE
PID:2184 -
\??\c:\tbhhbb.exec:\tbhhbb.exe51⤵
- Executes dropped EXE
PID:3248 -
\??\c:\3vppd.exec:\3vppd.exe52⤵
- Executes dropped EXE
PID:3572 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe53⤵
- Executes dropped EXE
PID:3444 -
\??\c:\9hbbtb.exec:\9hbbtb.exe54⤵
- Executes dropped EXE
PID:3512 -
\??\c:\pddvp.exec:\pddvp.exe55⤵
- Executes dropped EXE
PID:1092 -
\??\c:\rfxlxlx.exec:\rfxlxlx.exe56⤵
- Executes dropped EXE
PID:2804 -
\??\c:\tnhhbh.exec:\tnhhbh.exe57⤵
- Executes dropped EXE
PID:3464 -
\??\c:\dvpjv.exec:\dvpjv.exe58⤵
- Executes dropped EXE
PID:4760 -
\??\c:\pvvpp.exec:\pvvpp.exe59⤵
- Executes dropped EXE
PID:3972 -
\??\c:\5rrlfff.exec:\5rrlfff.exe60⤵
- Executes dropped EXE
PID:3180 -
\??\c:\nhnhhb.exec:\nhnhhb.exe61⤵
- Executes dropped EXE
PID:3616 -
\??\c:\ddpdj.exec:\ddpdj.exe62⤵
- Executes dropped EXE
PID:3104 -
\??\c:\xflxxrl.exec:\xflxxrl.exe63⤵
- Executes dropped EXE
PID:4172 -
\??\c:\5nnhbb.exec:\5nnhbb.exe64⤵
- Executes dropped EXE
PID:1744 -
\??\c:\9nnhhh.exec:\9nnhhh.exe65⤵
- Executes dropped EXE
PID:4756 -
\??\c:\rrxrrll.exec:\rrxrrll.exe66⤵PID:4456
-
\??\c:\nnhnth.exec:\nnhnth.exe67⤵PID:1964
-
\??\c:\hntnbb.exec:\hntnbb.exe68⤵PID:4804
-
\??\c:\5ppjd.exec:\5ppjd.exe69⤵PID:4500
-
\??\c:\jpdpj.exec:\jpdpj.exe70⤵PID:1756
-
\??\c:\rllfrrl.exec:\rllfrrl.exe71⤵PID:3456
-
\??\c:\nhnhbb.exec:\nhnhbb.exe72⤵PID:3536
-
\??\c:\pjpjj.exec:\pjpjj.exe73⤵PID:60
-
\??\c:\rrlxllx.exec:\rrlxllx.exe74⤵PID:2264
-
\??\c:\rflfxxr.exec:\rflfxxr.exe75⤵PID:3576
-
\??\c:\thtnnn.exec:\thtnnn.exe76⤵PID:4656
-
\??\c:\9ddvp.exec:\9ddvp.exe77⤵
- System Location Discovery: System Language Discovery
PID:4684 -
\??\c:\xrxxrrl.exec:\xrxxrrl.exe78⤵
- System Location Discovery: System Language Discovery
PID:1680 -
\??\c:\httnhh.exec:\httnhh.exe79⤵PID:1148
-
\??\c:\vjvpp.exec:\vjvpp.exe80⤵PID:3752
-
\??\c:\ffxrrlf.exec:\ffxrrlf.exe81⤵PID:3432
-
\??\c:\3xxxrrl.exec:\3xxxrrl.exe82⤵PID:1856
-
\??\c:\htbbtn.exec:\htbbtn.exe83⤵PID:4956
-
\??\c:\3dvvp.exec:\3dvvp.exe84⤵PID:2580
-
\??\c:\vvvjv.exec:\vvvjv.exe85⤵PID:1632
-
\??\c:\3xrxrfx.exec:\3xrxrfx.exe86⤵PID:2276
-
\??\c:\9bbbtn.exec:\9bbbtn.exe87⤵PID:4140
-
\??\c:\btnhhh.exec:\btnhhh.exe88⤵PID:4088
-
\??\c:\5pvjv.exec:\5pvjv.exe89⤵PID:3396
-
\??\c:\lrxrffx.exec:\lrxrffx.exe90⤵PID:2060
-
\??\c:\btttbb.exec:\btttbb.exe91⤵PID:4532
-
\??\c:\nhbbtt.exec:\nhbbtt.exe92⤵PID:3892
-
\??\c:\pvddv.exec:\pvddv.exe93⤵PID:2300
-
\??\c:\frxrffx.exec:\frxrffx.exe94⤵PID:5116
-
\??\c:\btbtbt.exec:\btbtbt.exe95⤵PID:544
-
\??\c:\9pvjp.exec:\9pvjp.exe96⤵PID:4112
-
\??\c:\xfrlxrf.exec:\xfrlxrf.exe97⤵PID:2964
-
\??\c:\xrlxrlf.exec:\xrlxrlf.exe98⤵PID:780
-
\??\c:\nhbtnh.exec:\nhbtnh.exe99⤵PID:1328
-
\??\c:\djpdp.exec:\djpdp.exe100⤵PID:388
-
\??\c:\5xflfxr.exec:\5xflfxr.exe101⤵
- System Location Discovery: System Language Discovery
PID:5016 -
\??\c:\9bnhth.exec:\9bnhth.exe102⤵PID:1332
-
\??\c:\1dppv.exec:\1dppv.exe103⤵PID:4588
-
\??\c:\xflxlfx.exec:\xflxlfx.exe104⤵PID:3136
-
\??\c:\hhnbtn.exec:\hhnbtn.exe105⤵PID:2180
-
\??\c:\nbbhbt.exec:\nbbhbt.exe106⤵PID:1660
-
\??\c:\5vvjv.exec:\5vvjv.exe107⤵PID:4596
-
\??\c:\rffxrrl.exec:\rffxrrl.exe108⤵PID:1132
-
\??\c:\9nttnb.exec:\9nttnb.exe109⤵PID:2728
-
\??\c:\pvdvv.exec:\pvdvv.exe110⤵PID:1264
-
\??\c:\3jjdp.exec:\3jjdp.exe111⤵PID:4972
-
\??\c:\lrxxllr.exec:\lrxxllr.exe112⤵PID:3596
-
\??\c:\tbhtnh.exec:\tbhtnh.exe113⤵PID:3436
-
\??\c:\hbtttt.exec:\hbtttt.exe114⤵PID:4352
-
\??\c:\xfrlfxr.exec:\xfrlfxr.exe115⤵PID:1760
-
\??\c:\bnnhbt.exec:\bnnhbt.exe116⤵PID:1004
-
\??\c:\jvpjd.exec:\jvpjd.exe117⤵PID:4984
-
\??\c:\rrlffxf.exec:\rrlffxf.exe118⤵PID:2484
-
\??\c:\3bhbtt.exec:\3bhbtt.exe119⤵PID:2776
-
\??\c:\1dpvv.exec:\1dpvv.exe120⤵PID:3856
-
\??\c:\jdjdj.exec:\jdjdj.exe121⤵PID:4068
-
\??\c:\5xxxrrr.exec:\5xxxrrr.exe122⤵PID:4136