Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
150 seconds
General
-
Target
a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe
-
Size
454KB
-
MD5
bf8dd92f65db3a8656792528570d83c3
-
SHA1
9e3e7fcad8132949cf40be9335f45250efc02374
-
SHA256
a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78
-
SHA512
558bd9edc52c79d8625f131248d0a14328296ad0d7aeb314c8faa364d27608e9ae909de1766a548d0de5a79a5d27f82d6ed81cc838800e325f4772418a002ab2
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeU:q7Tc2NYHUrAwfMp3CDU
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1856-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3132-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1096-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4640-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3128-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1112-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4040-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4696-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1448-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3356-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3796-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2848-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-487-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2248-680-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-778-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-869-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-909-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-1093-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-1175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1856 fxxxrrl.exe 228 bbtbhh.exe 1360 bthhbb.exe 5112 vdppd.exe 4316 9tbbtb.exe 4560 vpdpj.exe 1656 rrxrxxf.exe 2328 lxfffxx.exe 1984 thtttt.exe 1636 rrllrrx.exe 1244 7jpjp.exe 2212 frxfxxx.exe 1588 httnnn.exe 3132 rllfffx.exe 796 bnttnn.exe 1720 1pvpp.exe 2408 bhthbb.exe 1088 3jjdv.exe 212 rrxxxxx.exe 1540 dpdvj.exe 1236 pvdvp.exe 3304 nhhbtt.exe 1096 nbtbbh.exe 2732 fxrlrrr.exe 4640 3bhhnn.exe 3672 7pvpj.exe 3128 jpvpj.exe 3384 lfrrxxr.exe 4500 5hhbbh.exe 1112 dvvvv.exe 4612 5tnnhb.exe 3320 lxxrfll.exe 4040 xrxrrrx.exe 1016 vjdpv.exe 2912 rflrxlr.exe 2844 btttnt.exe 4456 djvdv.exe 3448 frflllr.exe 4784 fxxrffx.exe 4696 tnntht.exe 2004 pjjdv.exe 4132 xrrxrrl.exe 3740 bhnnnn.exe 1712 jddpj.exe 4468 pvvvp.exe 392 fxfrllf.exe 1672 hhhttt.exe 4908 vpjdj.exe 3872 frffxrr.exe 3644 tbbntb.exe 4404 dvpdp.exe 1240 xrfxrrl.exe 3012 hhtnnn.exe 1904 ddjjp.exe 3232 ddddp.exe 5088 5lxrffl.exe 208 thhhhn.exe 3752 9vvpd.exe 4168 fxfrllr.exe 2148 rfrlffx.exe 3348 ttntbh.exe 4844 vjvdd.exe 956 ppvdd.exe 3496 xxlxlxr.exe -
resource yara_rule behavioral2/memory/1856-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3132-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1096-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-146-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3128-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-173-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1112-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4040-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4696-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1448-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3356-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1336-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3796-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2848-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1564-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-487-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2248-680-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-778-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxrxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3012 wrote to memory of 1856 3012 a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe 82 PID 3012 wrote to memory of 1856 3012 a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe 82 PID 3012 wrote to memory of 1856 3012 a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe 82 PID 1856 wrote to memory of 228 1856 fxxxrrl.exe 83 PID 1856 wrote to memory of 228 1856 fxxxrrl.exe 83 PID 1856 wrote to memory of 228 1856 fxxxrrl.exe 83 PID 228 wrote to memory of 1360 228 bbtbhh.exe 84 PID 228 wrote to memory of 1360 228 bbtbhh.exe 84 PID 228 wrote to memory of 1360 228 bbtbhh.exe 84 PID 1360 wrote to memory of 5112 1360 bthhbb.exe 85 PID 1360 wrote to memory of 5112 1360 bthhbb.exe 85 PID 1360 wrote to memory of 5112 1360 bthhbb.exe 85 PID 5112 wrote to memory of 4316 5112 vdppd.exe 86 PID 5112 wrote to memory of 4316 5112 vdppd.exe 86 PID 5112 wrote to memory of 4316 5112 vdppd.exe 86 PID 4316 wrote to memory of 4560 4316 9tbbtb.exe 87 PID 4316 wrote to memory of 4560 4316 9tbbtb.exe 87 PID 4316 wrote to memory of 4560 4316 9tbbtb.exe 87 PID 4560 wrote to memory of 1656 4560 vpdpj.exe 88 PID 4560 wrote to memory of 1656 4560 vpdpj.exe 88 PID 4560 wrote to memory of 1656 4560 vpdpj.exe 88 PID 1656 wrote to memory of 2328 1656 rrxrxxf.exe 89 PID 1656 wrote to memory of 2328 1656 rrxrxxf.exe 89 PID 1656 wrote to memory of 2328 1656 rrxrxxf.exe 89 PID 2328 wrote to memory of 1984 2328 lxfffxx.exe 90 PID 2328 wrote to memory of 1984 2328 lxfffxx.exe 90 PID 2328 wrote to memory of 1984 2328 lxfffxx.exe 90 PID 1984 wrote to memory of 1636 1984 thtttt.exe 91 PID 1984 wrote to memory of 1636 1984 thtttt.exe 91 PID 1984 wrote to memory of 1636 1984 thtttt.exe 91 PID 1636 wrote to memory of 1244 1636 rrllrrx.exe 92 PID 1636 wrote to memory of 1244 1636 rrllrrx.exe 92 PID 1636 wrote to memory of 1244 1636 rrllrrx.exe 92 PID 1244 wrote to memory of 2212 1244 7jpjp.exe 93 PID 1244 wrote to 
memory of 2212 1244 7jpjp.exe 93 PID 1244 wrote to memory of 2212 1244 7jpjp.exe 93 PID 2212 wrote to memory of 1588 2212 frxfxxx.exe 94 PID 2212 wrote to memory of 1588 2212 frxfxxx.exe 94 PID 2212 wrote to memory of 1588 2212 frxfxxx.exe 94 PID 1588 wrote to memory of 3132 1588 httnnn.exe 95 PID 1588 wrote to memory of 3132 1588 httnnn.exe 95 PID 1588 wrote to memory of 3132 1588 httnnn.exe 95 PID 3132 wrote to memory of 796 3132 rllfffx.exe 96 PID 3132 wrote to memory of 796 3132 rllfffx.exe 96 PID 3132 wrote to memory of 796 3132 rllfffx.exe 96 PID 796 wrote to memory of 1720 796 bnttnn.exe 97 PID 796 wrote to memory of 1720 796 bnttnn.exe 97 PID 796 wrote to memory of 1720 796 bnttnn.exe 97 PID 1720 wrote to memory of 2408 1720 1pvpp.exe 98 PID 1720 wrote to memory of 2408 1720 1pvpp.exe 98 PID 1720 wrote to memory of 2408 1720 1pvpp.exe 98 PID 2408 wrote to memory of 1088 2408 bhthbb.exe 99 PID 2408 wrote to memory of 1088 2408 bhthbb.exe 99 PID 2408 wrote to memory of 1088 2408 bhthbb.exe 99 PID 1088 wrote to memory of 212 1088 3jjdv.exe 100 PID 1088 wrote to memory of 212 1088 3jjdv.exe 100 PID 1088 wrote to memory of 212 1088 3jjdv.exe 100 PID 212 wrote to memory of 1540 212 rrxxxxx.exe 101 PID 212 wrote to memory of 1540 212 rrxxxxx.exe 101 PID 212 wrote to memory of 1540 212 rrxxxxx.exe 101 PID 1540 wrote to memory of 1236 1540 dpdvj.exe 102 PID 1540 wrote to memory of 1236 1540 dpdvj.exe 102 PID 1540 wrote to memory of 1236 1540 dpdvj.exe 102 PID 1236 wrote to memory of 3304 1236 pvdvp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe"C:\Users\Admin\AppData\Local\Temp\a03e31161177fad3e588ed064a4d90fc8a3ba57cb78f92d54ff28db3f5f45f78.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\fxxxrrl.exec:\fxxxrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\bbtbhh.exec:\bbtbhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\bthhbb.exec:\bthhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1360 -
\??\c:\vdppd.exec:\vdppd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\9tbbtb.exec:\9tbbtb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4316 -
\??\c:\vpdpj.exec:\vpdpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\rrxrxxf.exec:\rrxrxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656 -
\??\c:\lxfffxx.exec:\lxfffxx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\thtttt.exec:\thtttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
\??\c:\rrllrrx.exec:\rrllrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\7jpjp.exec:\7jpjp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\frxfxxx.exec:\frxfxxx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\httnnn.exec:\httnnn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\rllfffx.exec:\rllfffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
\??\c:\bnttnn.exec:\bnttnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\1pvpp.exec:\1pvpp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720 -
\??\c:\bhthbb.exec:\bhthbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
\??\c:\3jjdv.exec:\3jjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1088 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212 -
\??\c:\dpdvj.exec:\dpdvj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\pvdvp.exec:\pvdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\nhhbtt.exec:\nhhbtt.exe23⤵
- Executes dropped EXE
PID:3304 -
\??\c:\nbtbbh.exec:\nbtbbh.exe24⤵
- Executes dropped EXE
PID:1096 -
\??\c:\fxrlrrr.exec:\fxrlrrr.exe25⤵
- Executes dropped EXE
PID:2732 -
\??\c:\3bhhnn.exec:\3bhhnn.exe26⤵
- Executes dropped EXE
PID:4640 -
\??\c:\7pvpj.exec:\7pvpj.exe27⤵
- Executes dropped EXE
PID:3672 -
\??\c:\jpvpj.exec:\jpvpj.exe28⤵
- Executes dropped EXE
PID:3128 -
\??\c:\lfrrxxr.exec:\lfrrxxr.exe29⤵
- Executes dropped EXE
PID:3384 -
\??\c:\5hhbbh.exec:\5hhbbh.exe30⤵
- Executes dropped EXE
PID:4500 -
\??\c:\dvvvv.exec:\dvvvv.exe31⤵
- Executes dropped EXE
PID:1112 -
\??\c:\5tnnhb.exec:\5tnnhb.exe32⤵
- Executes dropped EXE
PID:4612 -
\??\c:\lxxrfll.exec:\lxxrfll.exe33⤵
- Executes dropped EXE
PID:3320 -
\??\c:\xrxrrrx.exec:\xrxrrrx.exe34⤵
- Executes dropped EXE
PID:4040 -
\??\c:\vjdpv.exec:\vjdpv.exe35⤵
- Executes dropped EXE
PID:1016 -
\??\c:\rflrxlr.exec:\rflrxlr.exe36⤵
- Executes dropped EXE
PID:2912 -
\??\c:\btttnt.exec:\btttnt.exe37⤵
- Executes dropped EXE
PID:2844 -
\??\c:\djvdv.exec:\djvdv.exe38⤵
- Executes dropped EXE
PID:4456 -
\??\c:\frflllr.exec:\frflllr.exe39⤵
- Executes dropped EXE
PID:3448 -
\??\c:\fxxrffx.exec:\fxxrffx.exe40⤵
- Executes dropped EXE
PID:4784 -
\??\c:\tnntht.exec:\tnntht.exe41⤵
- Executes dropped EXE
PID:4696 -
\??\c:\pjjdv.exec:\pjjdv.exe42⤵
- Executes dropped EXE
PID:2004 -
\??\c:\xrrxrrl.exec:\xrrxrrl.exe43⤵
- Executes dropped EXE
PID:4132 -
\??\c:\bhnnnn.exec:\bhnnnn.exe44⤵
- Executes dropped EXE
PID:3740 -
\??\c:\jddpj.exec:\jddpj.exe45⤵
- Executes dropped EXE
PID:1712 -
\??\c:\pvvvp.exec:\pvvvp.exe46⤵
- Executes dropped EXE
PID:4468 -
\??\c:\fxfrllf.exec:\fxfrllf.exe47⤵
- Executes dropped EXE
PID:392 -
\??\c:\hhhttt.exec:\hhhttt.exe48⤵
- Executes dropped EXE
PID:1672 -
\??\c:\vpjdj.exec:\vpjdj.exe49⤵
- Executes dropped EXE
PID:4908 -
\??\c:\frffxrr.exec:\frffxrr.exe50⤵
- Executes dropped EXE
PID:3872 -
\??\c:\tbbntb.exec:\tbbntb.exe51⤵
- Executes dropped EXE
PID:3644 -
\??\c:\dvpdp.exec:\dvpdp.exe52⤵
- Executes dropped EXE
PID:4404 -
\??\c:\xrfxrrl.exec:\xrfxrrl.exe53⤵
- Executes dropped EXE
PID:1240 -
\??\c:\hhtnnn.exec:\hhtnnn.exe54⤵
- Executes dropped EXE
PID:3012 -
\??\c:\ddjjp.exec:\ddjjp.exe55⤵
- Executes dropped EXE
PID:1904 -
\??\c:\ddddp.exec:\ddddp.exe56⤵
- Executes dropped EXE
PID:3232 -
\??\c:\5lxrffl.exec:\5lxrffl.exe57⤵
- Executes dropped EXE
PID:5088 -
\??\c:\thhhhn.exec:\thhhhn.exe58⤵
- Executes dropped EXE
PID:208 -
\??\c:\9vvpd.exec:\9vvpd.exe59⤵
- Executes dropped EXE
PID:3752 -
\??\c:\fxfrllr.exec:\fxfrllr.exe60⤵
- Executes dropped EXE
PID:4168 -
\??\c:\rfrlffx.exec:\rfrlffx.exe61⤵
- Executes dropped EXE
PID:2148 -
\??\c:\ttntbh.exec:\ttntbh.exe62⤵
- Executes dropped EXE
PID:3348 -
\??\c:\vjvdd.exec:\vjvdd.exe63⤵
- Executes dropped EXE
PID:4844 -
\??\c:\ppvdd.exec:\ppvdd.exe64⤵
- Executes dropped EXE
PID:956 -
\??\c:\xxlxlxr.exec:\xxlxlxr.exe65⤵
- Executes dropped EXE
PID:3496 -
\??\c:\nhhbtt.exec:\nhhbtt.exe66⤵PID:3480
-
\??\c:\pjvvp.exec:\pjvvp.exe67⤵PID:824
-
\??\c:\llrrrlf.exec:\llrrrlf.exe68⤵PID:1636
-
\??\c:\lffxxrr.exec:\lffxxrr.exe69⤵PID:1244
-
\??\c:\7nnnnn.exec:\7nnnnn.exe70⤵PID:4724
-
\??\c:\pjvpv.exec:\pjvpv.exe71⤵PID:3948
-
\??\c:\xfllxlx.exec:\xfllxlx.exe72⤵PID:232
-
\??\c:\xrrxxrr.exec:\xrrxxrr.exe73⤵PID:1448
-
\??\c:\5tbtnn.exec:\5tbtnn.exe74⤵PID:2380
-
\??\c:\pdjdv.exec:\pdjdv.exe75⤵PID:5048
-
\??\c:\xlrrxlr.exec:\xlrrxlr.exe76⤵PID:3356
-
\??\c:\9nhhhh.exec:\9nhhhh.exe77⤵PID:2868
-
\??\c:\xrrllll.exec:\xrrllll.exe78⤵PID:1336
-
\??\c:\tbhbtn.exec:\tbhbtn.exe79⤵PID:4548
-
\??\c:\bttnhh.exec:\bttnhh.exe80⤵PID:888
-
\??\c:\jjpdd.exec:\jjpdd.exe81⤵
- System Location Discovery: System Language Discovery
PID:2036 -
\??\c:\llrlrxr.exec:\llrlrxr.exe82⤵PID:1540
-
\??\c:\tnnbtn.exec:\tnnbtn.exe83⤵PID:1236
-
\??\c:\xlrlllf.exec:\xlrlllf.exe84⤵PID:4400
-
\??\c:\lflffff.exec:\lflffff.exe85⤵PID:464
-
\??\c:\5bbttt.exec:\5bbttt.exe86⤵PID:3796
-
\??\c:\vdjdd.exec:\vdjdd.exe87⤵PID:4292
-
\??\c:\5lrlfrf.exec:\5lrlfrf.exe88⤵PID:1268
-
\??\c:\hbnnhh.exec:\hbnnhh.exe89⤵PID:3672
-
\??\c:\ppjdp.exec:\ppjdp.exe90⤵PID:1068
-
\??\c:\flrlffx.exec:\flrlffx.exe91⤵PID:1680
-
\??\c:\ttnhbb.exec:\ttnhbb.exe92⤵PID:1464
-
\??\c:\5jdvp.exec:\5jdvp.exe93⤵PID:1160
-
\??\c:\djpjv.exec:\djpjv.exe94⤵PID:1216
-
\??\c:\llfxxrl.exec:\llfxxrl.exe95⤵PID:1644
-
\??\c:\thnhbt.exec:\thnhbt.exe96⤵PID:3124
-
\??\c:\5bbtnn.exec:\5bbtnn.exe97⤵PID:4984
-
\??\c:\pjdvj.exec:\pjdvj.exe98⤵PID:2848
-
\??\c:\frrlrrl.exec:\frrlrrl.exe99⤵PID:1188
-
\??\c:\ffxxxrx.exec:\ffxxxrx.exe100⤵PID:1016
-
\??\c:\1vddv.exec:\1vddv.exe101⤵PID:1728
-
\??\c:\rrxfxrr.exec:\rrxfxrr.exe102⤵PID:1852
-
\??\c:\hnbthh.exec:\hnbthh.exe103⤵PID:4456
-
\??\c:\pddvv.exec:\pddvv.exe104⤵PID:4304
-
\??\c:\7ppjv.exec:\7ppjv.exe105⤵PID:4104
-
\??\c:\5nhtnn.exec:\5nhtnn.exe106⤵PID:4664
-
\??\c:\pjdvv.exec:\pjdvv.exe107⤵PID:2004
-
\??\c:\5ffrlfr.exec:\5ffrlfr.exe108⤵PID:4132
-
\??\c:\bhhbtt.exec:\bhhbtt.exe109⤵PID:2056
-
\??\c:\dvdvv.exec:\dvdvv.exe110⤵PID:2476
-
\??\c:\xlfrlxl.exec:\xlfrlxl.exe111⤵PID:2688
-
\??\c:\3lxllff.exec:\3lxllff.exe112⤵PID:3800
-
\??\c:\ntbbbb.exec:\ntbbbb.exe113⤵PID:4072
-
\??\c:\ddjjp.exec:\ddjjp.exe114⤵PID:3120
-
\??\c:\xrfxrrf.exec:\xrfxrrf.exe115⤵PID:1564
-
\??\c:\hnhthh.exec:\hnhthh.exe116⤵PID:4388
-
\??\c:\vddvp.exec:\vddvp.exe117⤵PID:4360
-
\??\c:\ffrxfxf.exec:\ffrxfxf.exe118⤵PID:2400
-
\??\c:\9nhbtt.exec:\9nhbtt.exe119⤵PID:1240
-
\??\c:\ddppv.exec:\ddppv.exe120⤵PID:3012
-
\??\c:\rrrfxrl.exec:\rrrfxrl.exe121⤵PID:3080
-
\??\c:\1lrlflx.exec:\1lrlflx.exe122⤵PID:3232