Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 20:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe
-
Size
455KB
-
MD5
b96f5b25dd88c51b30f0bb97e63b3ead
-
SHA1
03a8910cca8726b168d2b9e91bc5336d013eb03b
-
SHA256
2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1
-
SHA512
f124a1b246c29aeda0bf27a13ac57f023c857297222ee0bdf68cc1bde6c7208182490b94034a55d052eb643acae57fecbb387c1a871c648dce72e0252c96aa02
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3132-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/672-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3832-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1672-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2692-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1400-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4116-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/700-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4532-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-462-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-987-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-1104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-1619-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-1632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4464 thbnht.exe 672 9rrxrlf.exe 3832 thhthb.exe 4080 dppdp.exe 3804 xrrlffx.exe 4984 bnnhbt.exe 3040 pvjpj.exe 4808 9jdvj.exe 1672 ppvpj.exe 3712 jpdvp.exe 2868 nntbnh.exe 4788 rlrflfl.exe 4040 7vdvv.exe 4336 tnnhbt.exe 2692 9pvjj.exe 3172 9xxrlfx.exe 1696 frxrfff.exe 3820 nnhbbb.exe 2740 5jpjd.exe 5040 dvvpd.exe 4012 5xxlxrl.exe 4924 nbthth.exe 4212 hbbnnh.exe 1400 7flxxxl.exe 1316 tbhbnn.exe 3828 xxxfrlr.exe 1020 hbnnbt.exe 4452 nbbhhh.exe 2840 1bbnbt.exe 4536 vpdjj.exe 2444 ttnhbb.exe 2624 lrxlfxr.exe 1276 hhtnht.exe 4568 rlxrxrl.exe 980 hbbnnh.exe 4116 vjpdp.exe 3292 dpjvp.exe 2600 llxxlll.exe 700 tbbthb.exe 4268 jddvj.exe 4508 pjpdd.exe 3132 xrrlrrf.exe 4760 tntnnn.exe 4408 dppjj.exe 4476 fflffff.exe 1584 7ttnhh.exe 4776 hbbtnn.exe 4060 jvvjd.exe 3640 lxfffxf.exe 2720 3bbtnh.exe 2816 pjjdv.exe 1964 lrxrxxr.exe 2460 bhnnhh.exe 2188 bbbbbb.exe 1920 pdvjd.exe 5024 fllfrrf.exe 3468 nntnbh.exe 2516 dppdv.exe 324 vvvpp.exe 4352 7lrrfrl.exe 4512 nntnnh.exe 2716 tnthbb.exe 2748 vjpdd.exe 5016 lxfrfxx.exe -
resource yara_rule behavioral2/memory/3132-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/672-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3832-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1672-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2692-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1400-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3828-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4116-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/700-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-348-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1068-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-377-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-481-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-803-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1520-987-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-1094-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrfrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ppdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrfxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ntnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflfrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbttbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxrxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rllxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3132 wrote to memory of 4464 3132 2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe 83 PID 3132 wrote to memory of 4464 3132 2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe 83 PID 3132 wrote to memory of 4464 3132 2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe 83 PID 4464 wrote to memory of 672 4464 thbnht.exe 84 PID 4464 wrote to memory of 672 4464 thbnht.exe 84 PID 4464 wrote to memory of 672 4464 thbnht.exe 84 PID 672 wrote to memory of 3832 672 9rrxrlf.exe 85 PID 672 wrote to memory of 3832 672 9rrxrlf.exe 85 PID 672 wrote to memory of 3832 672 9rrxrlf.exe 85 PID 3832 wrote to memory of 4080 3832 thhthb.exe 86 PID 3832 wrote to memory of 4080 3832 thhthb.exe 86 PID 3832 wrote to memory of 4080 3832 thhthb.exe 86 PID 4080 wrote to memory of 3804 4080 dppdp.exe 87 PID 4080 wrote to memory of 3804 4080 dppdp.exe 87 PID 4080 wrote to memory of 3804 4080 dppdp.exe 87 PID 3804 wrote to memory of 4984 3804 xrrlffx.exe 88 PID 3804 wrote to memory of 4984 3804 xrrlffx.exe 88 PID 3804 wrote to memory of 4984 3804 xrrlffx.exe 88 PID 4984 wrote to memory of 3040 4984 bnnhbt.exe 89 PID 4984 wrote to memory of 3040 4984 bnnhbt.exe 89 PID 4984 wrote to memory of 3040 4984 bnnhbt.exe 89 PID 3040 wrote to memory of 4808 3040 pvjpj.exe 90 PID 3040 wrote to memory of 4808 3040 pvjpj.exe 90 PID 3040 wrote to memory of 4808 3040 pvjpj.exe 90 PID 4808 wrote to memory of 1672 4808 9jdvj.exe 91 PID 4808 wrote to memory of 1672 4808 9jdvj.exe 91 PID 4808 wrote to memory of 1672 4808 9jdvj.exe 91 PID 1672 wrote to memory of 3712 1672 ppvpj.exe 92 PID 1672 wrote to memory of 3712 1672 ppvpj.exe 92 PID 1672 wrote to memory of 3712 1672 ppvpj.exe 92 PID 3712 wrote to memory of 2868 3712 jpdvp.exe 93 PID 3712 wrote to memory of 2868 3712 jpdvp.exe 93 PID 3712 wrote to memory of 2868 3712 jpdvp.exe 93 PID 2868 wrote to memory of 4788 2868 nntbnh.exe 94 PID 2868 wrote to memory of 4788 2868 
nntbnh.exe 94 PID 2868 wrote to memory of 4788 2868 nntbnh.exe 94 PID 4788 wrote to memory of 4040 4788 rlrflfl.exe 95 PID 4788 wrote to memory of 4040 4788 rlrflfl.exe 95 PID 4788 wrote to memory of 4040 4788 rlrflfl.exe 95 PID 4040 wrote to memory of 4336 4040 7vdvv.exe 96 PID 4040 wrote to memory of 4336 4040 7vdvv.exe 96 PID 4040 wrote to memory of 4336 4040 7vdvv.exe 96 PID 4336 wrote to memory of 2692 4336 tnnhbt.exe 97 PID 4336 wrote to memory of 2692 4336 tnnhbt.exe 97 PID 4336 wrote to memory of 2692 4336 tnnhbt.exe 97 PID 2692 wrote to memory of 3172 2692 9pvjj.exe 98 PID 2692 wrote to memory of 3172 2692 9pvjj.exe 98 PID 2692 wrote to memory of 3172 2692 9pvjj.exe 98 PID 3172 wrote to memory of 1696 3172 9xxrlfx.exe 99 PID 3172 wrote to memory of 1696 3172 9xxrlfx.exe 99 PID 3172 wrote to memory of 1696 3172 9xxrlfx.exe 99 PID 1696 wrote to memory of 3820 1696 frxrfff.exe 100 PID 1696 wrote to memory of 3820 1696 frxrfff.exe 100 PID 1696 wrote to memory of 3820 1696 frxrfff.exe 100 PID 3820 wrote to memory of 2740 3820 nnhbbb.exe 101 PID 3820 wrote to memory of 2740 3820 nnhbbb.exe 101 PID 3820 wrote to memory of 2740 3820 nnhbbb.exe 101 PID 2740 wrote to memory of 5040 2740 5jpjd.exe 102 PID 2740 wrote to memory of 5040 2740 5jpjd.exe 102 PID 2740 wrote to memory of 5040 2740 5jpjd.exe 102 PID 5040 wrote to memory of 4012 5040 dvvpd.exe 103 PID 5040 wrote to memory of 4012 5040 dvvpd.exe 103 PID 5040 wrote to memory of 4012 5040 dvvpd.exe 103 PID 4012 wrote to memory of 4924 4012 5xxlxrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe"C:\Users\Admin\AppData\Local\Temp\2bf222894d3a47b7f41ceee3cba823202014c93677aa3c8b88ef17e1a94d8fc1.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\thbnht.exec:\thbnht.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\9rrxrlf.exec:\9rrxrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:672 -
\??\c:\thhthb.exec:\thhthb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
\??\c:\dppdp.exec:\dppdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\xrrlffx.exec:\xrrlffx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3804 -
\??\c:\bnnhbt.exec:\bnnhbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
\??\c:\pvjpj.exec:\pvjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040 -
\??\c:\9jdvj.exec:\9jdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
\??\c:\ppvpj.exec:\ppvpj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\jpdvp.exec:\jpdvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
\??\c:\nntbnh.exec:\nntbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\rlrflfl.exec:\rlrflfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\7vdvv.exec:\7vdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\tnnhbt.exec:\tnnhbt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336 -
\??\c:\9pvjj.exec:\9pvjj.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\9xxrlfx.exec:\9xxrlfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\frxrfff.exec:\frxrfff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696 -
\??\c:\nnhbbb.exec:\nnhbbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820 -
\??\c:\5jpjd.exec:\5jpjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\dvvpd.exec:\dvvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5040 -
\??\c:\5xxlxrl.exec:\5xxlxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\nbthth.exec:\nbthth.exe23⤵
- Executes dropped EXE
PID:4924 -
\??\c:\hbbnnh.exec:\hbbnnh.exe24⤵
- Executes dropped EXE
PID:4212 -
\??\c:\7flxxxl.exec:\7flxxxl.exe25⤵
- Executes dropped EXE
PID:1400 -
\??\c:\tbhbnn.exec:\tbhbnn.exe26⤵
- Executes dropped EXE
PID:1316 -
\??\c:\xxxfrlr.exec:\xxxfrlr.exe27⤵
- Executes dropped EXE
PID:3828 -
\??\c:\hbnnbt.exec:\hbnnbt.exe28⤵
- Executes dropped EXE
PID:1020 -
\??\c:\nbbhhh.exec:\nbbhhh.exe29⤵
- Executes dropped EXE
PID:4452 -
\??\c:\1bbnbt.exec:\1bbnbt.exe30⤵
- Executes dropped EXE
PID:2840 -
\??\c:\vpdjj.exec:\vpdjj.exe31⤵
- Executes dropped EXE
PID:4536 -
\??\c:\ttnhbb.exec:\ttnhbb.exe32⤵
- Executes dropped EXE
PID:2444 -
\??\c:\lrxlfxr.exec:\lrxlfxr.exe33⤵
- Executes dropped EXE
PID:2624 -
\??\c:\hhtnht.exec:\hhtnht.exe34⤵
- Executes dropped EXE
PID:1276 -
\??\c:\rlxrxrl.exec:\rlxrxrl.exe35⤵
- Executes dropped EXE
PID:4568 -
\??\c:\hbbnnh.exec:\hbbnnh.exe36⤵
- Executes dropped EXE
PID:980 -
\??\c:\vjpdp.exec:\vjpdp.exe37⤵
- Executes dropped EXE
PID:4116 -
\??\c:\dpjvp.exec:\dpjvp.exe38⤵
- Executes dropped EXE
PID:3292 -
\??\c:\llxxlll.exec:\llxxlll.exe39⤵
- Executes dropped EXE
PID:2600 -
\??\c:\tbbthb.exec:\tbbthb.exe40⤵
- Executes dropped EXE
PID:700 -
\??\c:\jddvj.exec:\jddvj.exe41⤵
- Executes dropped EXE
PID:4268 -
\??\c:\pjpdd.exec:\pjpdd.exe42⤵
- Executes dropped EXE
PID:4508 -
\??\c:\xrrlrrf.exec:\xrrlrrf.exe43⤵
- Executes dropped EXE
PID:3132 -
\??\c:\tntnnn.exec:\tntnnn.exe44⤵
- Executes dropped EXE
PID:4760 -
\??\c:\dppjj.exec:\dppjj.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\fflffff.exec:\fflffff.exe46⤵
- Executes dropped EXE
PID:4476 -
\??\c:\7ttnhh.exec:\7ttnhh.exe47⤵
- Executes dropped EXE
PID:1584 -
\??\c:\hbbtnn.exec:\hbbtnn.exe48⤵
- Executes dropped EXE
PID:4776 -
\??\c:\jvvjd.exec:\jvvjd.exe49⤵
- Executes dropped EXE
PID:4060 -
\??\c:\lxfffxf.exec:\lxfffxf.exe50⤵
- Executes dropped EXE
PID:3640 -
\??\c:\3bbtnh.exec:\3bbtnh.exe51⤵
- Executes dropped EXE
PID:2720 -
\??\c:\pjjdv.exec:\pjjdv.exe52⤵
- Executes dropped EXE
PID:2816 -
\??\c:\lrxrxxr.exec:\lrxrxxr.exe53⤵
- Executes dropped EXE
PID:1964 -
\??\c:\bhnnhh.exec:\bhnnhh.exe54⤵
- Executes dropped EXE
PID:2460 -
\??\c:\bbbbbb.exec:\bbbbbb.exe55⤵
- Executes dropped EXE
PID:2188 -
\??\c:\pdvjd.exec:\pdvjd.exe56⤵
- Executes dropped EXE
PID:1920 -
\??\c:\fllfrrf.exec:\fllfrrf.exe57⤵
- Executes dropped EXE
PID:5024 -
\??\c:\nntnbh.exec:\nntnbh.exe58⤵
- Executes dropped EXE
PID:3468 -
\??\c:\dppdv.exec:\dppdv.exe59⤵
- Executes dropped EXE
PID:2516 -
\??\c:\vvvpp.exec:\vvvpp.exe60⤵
- Executes dropped EXE
PID:324 -
\??\c:\7lrrfrl.exec:\7lrrfrl.exe61⤵
- Executes dropped EXE
PID:4352 -
\??\c:\nntnnh.exec:\nntnnh.exe62⤵
- Executes dropped EXE
PID:4512 -
\??\c:\tnthbb.exec:\tnthbb.exe63⤵
- Executes dropped EXE
PID:2716 -
\??\c:\vjpdd.exec:\vjpdd.exe64⤵
- Executes dropped EXE
PID:2748 -
\??\c:\lxfrfxx.exec:\lxfrfxx.exe65⤵
- Executes dropped EXE
PID:5016 -
\??\c:\xxxxlrl.exec:\xxxxlrl.exe66⤵PID:3192
-
\??\c:\bthhbb.exec:\bthhbb.exe67⤵PID:4532
-
\??\c:\9jpjd.exec:\9jpjd.exe68⤵PID:1560
-
\??\c:\xllfrrf.exec:\xllfrrf.exe69⤵PID:2688
-
\??\c:\nbhhtt.exec:\nbhhtt.exe70⤵PID:3860
-
\??\c:\jjdpj.exec:\jjdpj.exe71⤵PID:2540
-
\??\c:\rlrlxrl.exec:\rlrlxrl.exe72⤵PID:1788
-
\??\c:\hbhtnt.exec:\hbhtnt.exe73⤵PID:4644
-
\??\c:\1bbnhh.exec:\1bbnhh.exe74⤵PID:1848
-
\??\c:\dvjjp.exec:\dvjjp.exe75⤵PID:3588
-
\??\c:\lflxxxl.exec:\lflxxxl.exe76⤵PID:3520
-
\??\c:\tnnbnn.exec:\tnnbnn.exe77⤵PID:1496
-
\??\c:\7jjjd.exec:\7jjjd.exe78⤵PID:1316
-
\??\c:\ppdvp.exec:\ppdvp.exe79⤵PID:3868
-
\??\c:\llxlllf.exec:\llxlllf.exe80⤵PID:3332
-
\??\c:\hnthbh.exec:\hnthbh.exe81⤵PID:3360
-
\??\c:\pdpjd.exec:\pdpjd.exe82⤵PID:1912
-
\??\c:\djpdv.exec:\djpdv.exe83⤵PID:3632
-
\??\c:\xxxlxrl.exec:\xxxlxrl.exe84⤵PID:4068
-
\??\c:\5nhnhb.exec:\5nhnhb.exe85⤵PID:956
-
\??\c:\1tthtt.exec:\1tthtt.exe86⤵PID:1068
-
\??\c:\jjpdp.exec:\jjpdp.exe87⤵PID:2344
-
\??\c:\7fxllfx.exec:\7fxllfx.exe88⤵PID:1072
-
\??\c:\xxxllfx.exec:\xxxllfx.exe89⤵PID:4340
-
\??\c:\9ttttt.exec:\9ttttt.exe90⤵PID:1544
-
\??\c:\3djdd.exec:\3djdd.exe91⤵PID:3656
-
\??\c:\xlrllxf.exec:\xlrllxf.exe92⤵PID:1472
-
\??\c:\5bbttt.exec:\5bbttt.exe93⤵PID:4228
-
\??\c:\djpdj.exec:\djpdj.exe94⤵PID:2600
-
\??\c:\djpvv.exec:\djpvv.exe95⤵PID:700
-
\??\c:\xllxlfr.exec:\xllxlfr.exe96⤵PID:3424
-
\??\c:\frrlxlf.exec:\frrlxlf.exe97⤵PID:4276
-
\??\c:\bnnbtn.exec:\bnnbtn.exe98⤵PID:3452
-
\??\c:\pvdpv.exec:\pvdpv.exe99⤵PID:1296
-
\??\c:\xfrlfff.exec:\xfrlfff.exe100⤵PID:4760
-
\??\c:\7hntnh.exec:\7hntnh.exe101⤵PID:1664
-
\??\c:\dpjdd.exec:\dpjdd.exe102⤵PID:3472
-
\??\c:\rrfxlll.exec:\rrfxlll.exe103⤵PID:632
-
\??\c:\1xfxllf.exec:\1xfxllf.exe104⤵PID:1584
-
\??\c:\tnthbh.exec:\tnthbh.exe105⤵PID:4072
-
\??\c:\pjvpp.exec:\pjvpp.exe106⤵PID:4080
-
\??\c:\xxlfrrx.exec:\xxlfrrx.exe107⤵PID:4880
-
\??\c:\1tbthh.exec:\1tbthh.exe108⤵PID:4984
-
\??\c:\vpvpj.exec:\vpvpj.exe109⤵PID:1636
-
\??\c:\dvjjd.exec:\dvjjd.exe110⤵PID:2432
-
\??\c:\lfxrfxr.exec:\lfxrfxr.exe111⤵PID:4800
-
\??\c:\tbnhbh.exec:\tbnhbh.exe112⤵PID:2020
-
\??\c:\nbhtnh.exec:\nbhtnh.exe113⤵PID:2460
-
\??\c:\jvjdd.exec:\jvjdd.exe114⤵PID:1384
-
\??\c:\xlrlfxf.exec:\xlrlfxf.exe115⤵PID:4736
-
\??\c:\1xfxllf.exec:\1xfxllf.exe116⤵PID:4180
-
\??\c:\7tnnbb.exec:\7tnnbb.exe117⤵PID:3484
-
\??\c:\ddjdp.exec:\ddjdp.exe118⤵PID:2616
-
\??\c:\fxfxlrl.exec:\fxfxlrl.exe119⤵PID:4824
-
\??\c:\1ffrlfx.exec:\1ffrlfx.exe120⤵PID:2144
-
\??\c:\nbhbht.exec:\nbhbht.exe121⤵PID:3872
-
\??\c:\dvdvj.exec:\dvdvj.exe122⤵PID:4900
-