Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe
-
Size
454KB
-
MD5
1c977ccb5393f8f5cff03b6ce0871d9f
-
SHA1
bc0d6f2e5733d0192033a4a1a6f543443a5cf2b1
-
SHA256
efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b
-
SHA512
91fbe701f28ae8552ad002b1e2219708b451aeb3048d42346bb3b5edd10cd6c569004290c0a85396464dd9512054909bfadb40b428f6e7b5395686d0b82bce0b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe83:q7Tc2NYHUrAwfMp3CD83
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1444-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3472-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3836-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/752-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2168-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1412-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/788-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4464-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/728-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3864-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2084-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-731-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-829-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-960-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-1081-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-1175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-1368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4080 02448.exe 2076 djpjd.exe 2248 nhnnhb.exe 3008 rfxrllf.exe 3672 thnnbb.exe 1668 3pddj.exe 3308 2622880.exe 3472 o866660.exe 5028 jdddd.exe 4032 5lxrrrl.exe 856 682042.exe 1752 0042042.exe 4656 hhtbht.exe 4536 vpvjv.exe 4576 28624.exe 1624 264400.exe 5112 404866.exe 676 6804600.exe 3080 xlrllfl.exe 2020 6462042.exe 1380 pdjjd.exe 2488 042484.exe 4928 nbnhbb.exe 4564 28044.exe 2184 82220.exe 3836 ffrlxxf.exe 4908 ffxxxxx.exe 4388 o000060.exe 3452 xxlfxlf.exe 752 828666.exe 4916 nntbtb.exe 1388 m4606.exe 1776 46008.exe 1884 9rlxfxl.exe 2028 rlfrlfl.exe 2168 hnbnbt.exe 1972 06004.exe 4948 9frfxrl.exe 468 pjddv.exe 1720 82402.exe 1504 86866.exe 1656 w80202.exe 1488 httnnb.exe 3772 htnnbt.exe 1252 thnbhh.exe 5100 tthhnt.exe 2468 0660808.exe 1524 822626.exe 1224 hnhtht.exe 4492 66260.exe 4788 082262.exe 2936 k40426.exe 1836 06424.exe 3144 888600.exe 2008 vvjdj.exe 4020 btbnnh.exe 4744 5ttnhh.exe 720 k26082.exe 1412 xrrlllf.exe 2484 9hbnbt.exe 3068 lfllrlr.exe 540 6026228.exe 4888 vvdvv.exe 5028 vddpd.exe -
resource yara_rule behavioral2/memory/1444-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3472-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3836-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-161-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4388-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/752-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1412-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/788-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/728-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-380-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2596-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3864-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2084-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-582-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-597-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-731-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-759-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 642644.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 824826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 86420.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflxrxl.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 24426.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxlfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 42440.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 266000.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 222200.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1444 wrote to memory of 4080 1444 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 85 PID 1444 wrote to memory of 4080 1444 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 85 PID 1444 wrote to memory of 4080 1444 efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe 85 PID 4080 wrote to memory of 2076 4080 02448.exe 86 PID 4080 wrote to memory of 2076 4080 02448.exe 86 PID 4080 wrote to memory of 2076 4080 02448.exe 86 PID 2076 wrote to memory of 2248 2076 djpjd.exe 87 PID 2076 wrote to memory of 2248 2076 djpjd.exe 87 PID 2076 wrote to memory of 2248 2076 djpjd.exe 87 PID 2248 wrote to memory of 3008 2248 nhnnhb.exe 88 PID 2248 wrote to memory of 3008 2248 nhnnhb.exe 88 PID 2248 wrote to memory of 3008 2248 nhnnhb.exe 88 PID 3008 wrote to memory of 3672 3008 rfxrllf.exe 89 PID 3008 wrote to memory of 3672 3008 rfxrllf.exe 89 PID 3008 wrote to memory of 3672 3008 rfxrllf.exe 89 PID 3672 wrote to memory of 1668 3672 thnnbb.exe 90 PID 3672 wrote to memory of 1668 3672 thnnbb.exe 90 PID 3672 wrote to memory of 1668 3672 thnnbb.exe 90 PID 1668 wrote to memory of 3308 1668 3pddj.exe 91 PID 1668 wrote to memory of 3308 1668 3pddj.exe 91 PID 1668 wrote to memory of 3308 1668 3pddj.exe 91 PID 3308 wrote to memory of 3472 3308 2622880.exe 92 PID 3308 wrote to memory of 3472 3308 2622880.exe 92 PID 3308 wrote to memory of 3472 3308 2622880.exe 92 PID 3472 wrote to memory of 5028 3472 o866660.exe 93 PID 3472 wrote to memory of 5028 3472 o866660.exe 93 PID 3472 wrote to memory of 5028 3472 o866660.exe 93 PID 5028 wrote to memory of 4032 5028 jdddd.exe 94 PID 5028 wrote to memory of 4032 5028 jdddd.exe 94 PID 5028 wrote to memory of 4032 5028 jdddd.exe 94 PID 4032 wrote to memory of 856 4032 5lxrrrl.exe 95 PID 4032 wrote to memory of 856 4032 5lxrrrl.exe 95 PID 4032 wrote to memory of 856 4032 5lxrrrl.exe 95 PID 856 wrote to memory of 1752 856 682042.exe 96 PID 856 wrote to memory 
of 1752 856 682042.exe 96 PID 856 wrote to memory of 1752 856 682042.exe 96 PID 1752 wrote to memory of 4656 1752 0042042.exe 97 PID 1752 wrote to memory of 4656 1752 0042042.exe 97 PID 1752 wrote to memory of 4656 1752 0042042.exe 97 PID 4656 wrote to memory of 4536 4656 hhtbht.exe 98 PID 4656 wrote to memory of 4536 4656 hhtbht.exe 98 PID 4656 wrote to memory of 4536 4656 hhtbht.exe 98 PID 4536 wrote to memory of 4576 4536 vpvjv.exe 99 PID 4536 wrote to memory of 4576 4536 vpvjv.exe 99 PID 4536 wrote to memory of 4576 4536 vpvjv.exe 99 PID 4576 wrote to memory of 1624 4576 28624.exe 100 PID 4576 wrote to memory of 1624 4576 28624.exe 100 PID 4576 wrote to memory of 1624 4576 28624.exe 100 PID 1624 wrote to memory of 5112 1624 264400.exe 101 PID 1624 wrote to memory of 5112 1624 264400.exe 101 PID 1624 wrote to memory of 5112 1624 264400.exe 101 PID 5112 wrote to memory of 676 5112 404866.exe 102 PID 5112 wrote to memory of 676 5112 404866.exe 102 PID 5112 wrote to memory of 676 5112 404866.exe 102 PID 676 wrote to memory of 3080 676 6804600.exe 103 PID 676 wrote to memory of 3080 676 6804600.exe 103 PID 676 wrote to memory of 3080 676 6804600.exe 103 PID 3080 wrote to memory of 2020 3080 xlrllfl.exe 104 PID 3080 wrote to memory of 2020 3080 xlrllfl.exe 104 PID 3080 wrote to memory of 2020 3080 xlrllfl.exe 104 PID 2020 wrote to memory of 1380 2020 6462042.exe 105 PID 2020 wrote to memory of 1380 2020 6462042.exe 105 PID 2020 wrote to memory of 1380 2020 6462042.exe 105 PID 1380 wrote to memory of 2488 1380 pdjjd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"C:\Users\Admin\AppData\Local\Temp\efb1119aadc2b3f574e9a708b1fb4fc3590861a8481d93d561d8719b60a57e8b.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
\??\c:\02448.exec:\02448.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\djpjd.exec:\djpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2076 -
\??\c:\nhnnhb.exec:\nhnnhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2248 -
\??\c:\rfxrllf.exec:\rfxrllf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\thnnbb.exec:\thnnbb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
\??\c:\3pddj.exec:\3pddj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\2622880.exec:\2622880.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\o866660.exec:\o866660.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\jdddd.exec:\jdddd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5028 -
\??\c:\5lxrrrl.exec:\5lxrrrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032 -
\??\c:\682042.exec:\682042.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:856 -
\??\c:\0042042.exec:\0042042.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\hhtbht.exec:\hhtbht.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\vpvjv.exec:\vpvjv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\28624.exec:\28624.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\264400.exec:\264400.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\404866.exec:\404866.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\6804600.exec:\6804600.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\xlrllfl.exec:\xlrllfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\6462042.exec:\6462042.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\pdjjd.exec:\pdjjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\042484.exec:\042484.exe23⤵
- Executes dropped EXE
PID:2488 -
\??\c:\nbnhbb.exec:\nbnhbb.exe24⤵
- Executes dropped EXE
PID:4928 -
\??\c:\28044.exec:\28044.exe25⤵
- Executes dropped EXE
PID:4564 -
\??\c:\82220.exec:\82220.exe26⤵
- Executes dropped EXE
PID:2184 -
\??\c:\ffrlxxf.exec:\ffrlxxf.exe27⤵
- Executes dropped EXE
PID:3836 -
\??\c:\ffxxxxx.exec:\ffxxxxx.exe28⤵
- Executes dropped EXE
PID:4908 -
\??\c:\o000060.exec:\o000060.exe29⤵
- Executes dropped EXE
PID:4388 -
\??\c:\xxlfxlf.exec:\xxlfxlf.exe30⤵
- Executes dropped EXE
PID:3452 -
\??\c:\828666.exec:\828666.exe31⤵
- Executes dropped EXE
PID:752 -
\??\c:\nntbtb.exec:\nntbtb.exe32⤵
- Executes dropped EXE
PID:4916 -
\??\c:\m4606.exec:\m4606.exe33⤵
- Executes dropped EXE
PID:1388 -
\??\c:\46008.exec:\46008.exe34⤵
- Executes dropped EXE
PID:1776 -
\??\c:\9rlxfxl.exec:\9rlxfxl.exe35⤵
- Executes dropped EXE
PID:1884 -
\??\c:\rlfrlfl.exec:\rlfrlfl.exe36⤵
- Executes dropped EXE
PID:2028 -
\??\c:\hnbnbt.exec:\hnbnbt.exe37⤵
- Executes dropped EXE
PID:2168 -
\??\c:\06004.exec:\06004.exe38⤵
- Executes dropped EXE
PID:1972 -
\??\c:\9frfxrl.exec:\9frfxrl.exe39⤵
- Executes dropped EXE
PID:4948 -
\??\c:\pjddv.exec:\pjddv.exe40⤵
- Executes dropped EXE
PID:468 -
\??\c:\82402.exec:\82402.exe41⤵
- Executes dropped EXE
PID:1720 -
\??\c:\86866.exec:\86866.exe42⤵
- Executes dropped EXE
PID:1504 -
\??\c:\w80202.exec:\w80202.exe43⤵
- Executes dropped EXE
PID:1656 -
\??\c:\httnnb.exec:\httnnb.exe44⤵
- Executes dropped EXE
PID:1488 -
\??\c:\htnnbt.exec:\htnnbt.exe45⤵
- Executes dropped EXE
PID:3772 -
\??\c:\thnbhh.exec:\thnbhh.exe46⤵
- Executes dropped EXE
PID:1252 -
\??\c:\tthhnt.exec:\tthhnt.exe47⤵
- Executes dropped EXE
PID:5100 -
\??\c:\0660808.exec:\0660808.exe48⤵
- Executes dropped EXE
PID:2468 -
\??\c:\822626.exec:\822626.exe49⤵
- Executes dropped EXE
PID:1524 -
\??\c:\hnhtht.exec:\hnhtht.exe50⤵
- Executes dropped EXE
PID:1224 -
\??\c:\66260.exec:\66260.exe51⤵
- Executes dropped EXE
PID:4492 -
\??\c:\082262.exec:\082262.exe52⤵
- Executes dropped EXE
PID:4788 -
\??\c:\k40426.exec:\k40426.exe53⤵
- Executes dropped EXE
PID:2936 -
\??\c:\06424.exec:\06424.exe54⤵
- Executes dropped EXE
PID:1836 -
\??\c:\888600.exec:\888600.exe55⤵
- Executes dropped EXE
PID:3144 -
\??\c:\vvjdj.exec:\vvjdj.exe56⤵
- Executes dropped EXE
PID:2008 -
\??\c:\btbnnh.exec:\btbnnh.exe57⤵
- Executes dropped EXE
PID:4020 -
\??\c:\5ttnhh.exec:\5ttnhh.exe58⤵
- Executes dropped EXE
PID:4744 -
\??\c:\k26082.exec:\k26082.exe59⤵
- Executes dropped EXE
PID:720 -
\??\c:\xrrlllf.exec:\xrrlllf.exe60⤵
- Executes dropped EXE
PID:1412 -
\??\c:\9hbnbt.exec:\9hbnbt.exe61⤵
- Executes dropped EXE
PID:2484 -
\??\c:\lfllrlr.exec:\lfllrlr.exe62⤵
- Executes dropped EXE
PID:3068 -
\??\c:\6026228.exec:\6026228.exe63⤵
- Executes dropped EXE
PID:540 -
\??\c:\vvdvv.exec:\vvdvv.exe64⤵
- Executes dropped EXE
PID:4888 -
\??\c:\vddpd.exec:\vddpd.exe65⤵
- Executes dropped EXE
PID:5028 -
\??\c:\68442.exec:\68442.exe66⤵PID:4640
-
\??\c:\86040.exec:\86040.exe67⤵PID:1936
-
\??\c:\26000.exec:\26000.exe68⤵PID:1772
-
\??\c:\48222.exec:\48222.exe69⤵PID:1392
-
\??\c:\9ddvj.exec:\9ddvj.exe70⤵PID:3268
-
\??\c:\xrlxlfx.exec:\xrlxlfx.exe71⤵PID:788
-
\??\c:\bhhthb.exec:\bhhthb.exe72⤵PID:4672
-
\??\c:\rxxlxrl.exec:\rxxlxrl.exe73⤵PID:4268
-
\??\c:\frlxlxr.exec:\frlxlxr.exe74⤵PID:4464
-
\??\c:\200448.exec:\200448.exe75⤵PID:1624
-
\??\c:\1ffrrfr.exec:\1ffrrfr.exe76⤵PID:1860
-
\??\c:\bnhnth.exec:\bnhnth.exe77⤵PID:5112
-
\??\c:\jdjjd.exec:\jdjjd.exe78⤵PID:4980
-
\??\c:\dppdv.exec:\dppdv.exe79⤵PID:2500
-
\??\c:\7xxrxlr.exec:\7xxrxlr.exe80⤵PID:3080
-
\??\c:\rffxfxl.exec:\rffxfxl.exe81⤵PID:1904
-
\??\c:\nbbbtt.exec:\nbbbtt.exe82⤵PID:1184
-
\??\c:\262426.exec:\262426.exe83⤵PID:2172
-
\??\c:\840482.exec:\840482.exe84⤵PID:1808
-
\??\c:\thnhnn.exec:\thnhnn.exe85⤵PID:1596
-
\??\c:\hthttn.exec:\hthttn.exe86⤵PID:4488
-
\??\c:\dvdvp.exec:\dvdvp.exe87⤵PID:1052
-
\??\c:\9ntnnn.exec:\9ntnnn.exe88⤵PID:728
-
\??\c:\nbnbtt.exec:\nbnbtt.exe89⤵PID:4964
-
\??\c:\20648.exec:\20648.exe90⤵PID:2228
-
\??\c:\vdvjp.exec:\vdvjp.exe91⤵PID:904
-
\??\c:\e46600.exec:\e46600.exe92⤵PID:2916
-
\??\c:\nhnbtn.exec:\nhnbtn.exe93⤵PID:2596
-
\??\c:\rfffffr.exec:\rfffffr.exe94⤵PID:1880
-
\??\c:\84600.exec:\84600.exe95⤵PID:320
-
\??\c:\62882.exec:\62882.exe96⤵PID:2368
-
\??\c:\840044.exec:\840044.exe97⤵PID:3272
-
\??\c:\lfffxxx.exec:\lfffxxx.exe98⤵PID:1188
-
\??\c:\bbntth.exec:\bbntth.exe99⤵PID:1840
-
\??\c:\jddpd.exec:\jddpd.exe100⤵PID:3800
-
\??\c:\llfrlfr.exec:\llfrlfr.exe101⤵PID:4148
-
\??\c:\nhnhhb.exec:\nhnhhb.exe102⤵PID:4812
-
\??\c:\2286608.exec:\2286608.exe103⤵PID:4264
-
\??\c:\6606482.exec:\6606482.exe104⤵PID:3300
-
\??\c:\862206.exec:\862206.exe105⤵PID:2088
-
\??\c:\thtnhb.exec:\thtnhb.exe106⤵PID:5024
-
\??\c:\420828.exec:\420828.exe107⤵PID:1900
-
\??\c:\e28860.exec:\e28860.exe108⤵PID:1488
-
\??\c:\48864.exec:\48864.exe109⤵PID:548
-
\??\c:\8668042.exec:\8668042.exe110⤵PID:1252
-
\??\c:\bnthnh.exec:\bnthnh.exe111⤵PID:5100
-
\??\c:\tbtnhb.exec:\tbtnhb.exe112⤵PID:2468
-
\??\c:\64428.exec:\64428.exe113⤵PID:4344
-
\??\c:\e66426.exec:\e66426.exe114⤵PID:1224
-
\??\c:\vdvdv.exec:\vdvdv.exe115⤵PID:4432
-
\??\c:\4204266.exec:\4204266.exe116⤵PID:2840
-
\??\c:\088268.exec:\088268.exe117⤵PID:3864
-
\??\c:\rflxrxl.exec:\rflxrxl.exe118⤵
- System Location Discovery: System Language Discovery
PID:5064 -
\??\c:\tnthbt.exec:\tnthbt.exe119⤵PID:2772
-
\??\c:\tbbhnh.exec:\tbbhnh.exe120⤵PID:4072
-
\??\c:\fxxfrfr.exec:\fxxfrfr.exe121⤵PID:2008
-
\??\c:\o020482.exec:\o020482.exe122⤵PID:4020