Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 07:04
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df.exe
-
Size
456KB
-
MD5
f8e7ad411fa002796f165e4482761939
-
SHA1
382003c45784eb416fda1bad39ca125a135fa287
-
SHA256
120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df
-
SHA512
c6337175cd7c808ef729205ffa98546f62c8ddafe03e9ef4ccfc17c70998e05d56837c6911bd02d66eefb97400858ebbc69874f6a7d3ac6f904d4483cdc67904
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRA:q7Tc2NYHUrAwfMp3CDRA
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2168-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1840-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1928-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3540-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4008-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2544-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/928-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4664-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1120-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3444-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2500-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3268-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5104-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-455-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-563-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-595-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-706-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1264-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-1057-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1752-1250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3080 bthhbh.exe 216 3ppjd.exe 1868 5rlfrrl.exe 1892 7frlfrx.exe 4520 bbbhth.exe 4024 pvdvp.exe 4368 dddvv.exe 1220 bnbtbb.exe 1452 7lxxffx.exe 4896 hbhtbt.exe 1948 rrrrlfx.exe 3456 dvdvv.exe 2072 rrrrlrr.exe 1840 jvddv.exe 1540 frlfffx.exe 3496 bnbthh.exe 5076 pjvpj.exe 1800 xrllfxx.exe 1928 5jppj.exe 2940 5llfxrl.exe 2664 hhtnhh.exe 3372 1thbbh.exe 4908 dvjvp.exe 2524 lrxrlff.exe 3604 thhbtn.exe 2448 1jjvp.exe 3540 lfxrlfx.exe 1076 9btnhh.exe 4860 7vpjd.exe 1716 bnbbtt.exe 864 djvvj.exe 1940 dvvjd.exe 4684 rxlfxxx.exe 4008 nbbbtn.exe 4316 5djdv.exe 2888 lxfrfxx.exe 1292 hbhbtn.exe 1700 jvpvp.exe 4752 1xxrfxl.exe 2544 1ththn.exe 2212 vjjpd.exe 2912 fxlxrff.exe 2548 tbbbhh.exe 1280 5pjvv.exe 1844 dvvjv.exe 3700 7xxrxxr.exe 4312 bntnnh.exe 1224 9pvjd.exe 4444 xflflfr.exe 4620 tnhbnh.exe 3520 jjpjv.exe 2992 7ffxrrf.exe 928 frfrfxx.exe 1060 5bnbnh.exe 3380 jddpd.exe 1336 rlrffrx.exe 3480 fllxllf.exe 1856 5hhhtt.exe 4664 pvddv.exe 388 9xrlxxr.exe 5040 ttbthb.exe 4820 dppdd.exe 1120 lfflxxr.exe 3892 nhhtnh.exe -
resource yara_rule behavioral2/memory/2168-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1840-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1928-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3540-164-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4860-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4008-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2544-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1844-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/928-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4664-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1120-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3444-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2500-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-328-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3268-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3676-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5104-411-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-455-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-563-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-595-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-699-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffrrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfffrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2168 wrote to memory of 3080 2168 120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df.exe 82 PID 2168 wrote to memory of 3080 2168 120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df.exe 82 PID 2168 wrote to memory of 3080 2168 120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df.exe 82 PID 3080 wrote to memory of 216 3080 bthhbh.exe 83 PID 3080 wrote to memory of 216 3080 bthhbh.exe 83 PID 3080 wrote to memory of 216 3080 bthhbh.exe 83 PID 216 wrote to memory of 1868 216 3ppjd.exe 84 PID 216 wrote to memory of 1868 216 3ppjd.exe 84 PID 216 wrote to memory of 1868 216 3ppjd.exe 84 PID 1868 wrote to memory of 1892 1868 5rlfrrl.exe 85 PID 1868 wrote to memory of 1892 1868 5rlfrrl.exe 85 PID 1868 wrote to memory of 1892 1868 5rlfrrl.exe 85 PID 1892 wrote to memory of 4520 1892 7frlfrx.exe 86 PID 1892 wrote to memory of 4520 1892 7frlfrx.exe 86 PID 1892 wrote to memory of 4520 1892 7frlfrx.exe 86 PID 4520 wrote to memory of 4024 4520 bbbhth.exe 87 PID 4520 wrote to memory of 4024 4520 bbbhth.exe 87 PID 4520 wrote to memory of 4024 4520 bbbhth.exe 87 PID 4024 wrote to memory of 4368 4024 pvdvp.exe 88 PID 4024 wrote to memory of 4368 4024 pvdvp.exe 88 PID 4024 wrote to memory of 4368 4024 pvdvp.exe 88 PID 4368 wrote to memory of 1220 4368 dddvv.exe 89 PID 4368 wrote to memory of 1220 4368 dddvv.exe 89 PID 4368 wrote to memory of 1220 4368 dddvv.exe 89 PID 1220 wrote to memory of 1452 1220 bnbtbb.exe 90 PID 1220 wrote to memory of 1452 1220 bnbtbb.exe 90 PID 1220 wrote to memory of 1452 1220 bnbtbb.exe 90 PID 1452 wrote to memory of 4896 1452 7lxxffx.exe 91 PID 1452 wrote to memory of 4896 1452 7lxxffx.exe 91 PID 1452 wrote to memory of 4896 1452 7lxxffx.exe 91 PID 4896 wrote to memory of 1948 4896 hbhtbt.exe 92 PID 4896 wrote to memory of 1948 4896 hbhtbt.exe 92 PID 4896 wrote to memory of 1948 4896 hbhtbt.exe 92 PID 1948 wrote to memory of 3456 1948 rrrrlfx.exe 93 PID 1948 wrote to memory of 
3456 1948 rrrrlfx.exe 93 PID 1948 wrote to memory of 3456 1948 rrrrlfx.exe 93 PID 3456 wrote to memory of 2072 3456 dvdvv.exe 94 PID 3456 wrote to memory of 2072 3456 dvdvv.exe 94 PID 3456 wrote to memory of 2072 3456 dvdvv.exe 94 PID 2072 wrote to memory of 1840 2072 rrrrlrr.exe 95 PID 2072 wrote to memory of 1840 2072 rrrrlrr.exe 95 PID 2072 wrote to memory of 1840 2072 rrrrlrr.exe 95 PID 1840 wrote to memory of 1540 1840 jvddv.exe 96 PID 1840 wrote to memory of 1540 1840 jvddv.exe 96 PID 1840 wrote to memory of 1540 1840 jvddv.exe 96 PID 1540 wrote to memory of 3496 1540 frlfffx.exe 97 PID 1540 wrote to memory of 3496 1540 frlfffx.exe 97 PID 1540 wrote to memory of 3496 1540 frlfffx.exe 97 PID 3496 wrote to memory of 5076 3496 bnbthh.exe 98 PID 3496 wrote to memory of 5076 3496 bnbthh.exe 98 PID 3496 wrote to memory of 5076 3496 bnbthh.exe 98 PID 5076 wrote to memory of 1800 5076 pjvpj.exe 99 PID 5076 wrote to memory of 1800 5076 pjvpj.exe 99 PID 5076 wrote to memory of 1800 5076 pjvpj.exe 99 PID 1800 wrote to memory of 1928 1800 xrllfxx.exe 100 PID 1800 wrote to memory of 1928 1800 xrllfxx.exe 100 PID 1800 wrote to memory of 1928 1800 xrllfxx.exe 100 PID 1928 wrote to memory of 2940 1928 5jppj.exe 101 PID 1928 wrote to memory of 2940 1928 5jppj.exe 101 PID 1928 wrote to memory of 2940 1928 5jppj.exe 101 PID 2940 wrote to memory of 2664 2940 5llfxrl.exe 102 PID 2940 wrote to memory of 2664 2940 5llfxrl.exe 102 PID 2940 wrote to memory of 2664 2940 5llfxrl.exe 102 PID 2664 wrote to memory of 3372 2664 hhtnhh.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df.exe"C:\Users\Admin\AppData\Local\Temp\120562dc33759c490c2519815324f1404b3aa755dc709607ed9bbae2f44fa6df.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2168 -
\??\c:\bthhbh.exec:\bthhbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\3ppjd.exec:\3ppjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\5rlfrrl.exec:\5rlfrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\7frlfrx.exec:\7frlfrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\bbbhth.exec:\bbbhth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520 -
\??\c:\pvdvp.exec:\pvdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\dddvv.exec:\dddvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\bnbtbb.exec:\bnbtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
\??\c:\7lxxffx.exec:\7lxxffx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\hbhtbt.exec:\hbhtbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\rrrrlfx.exec:\rrrrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1948 -
\??\c:\dvdvv.exec:\dvdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\rrrrlrr.exec:\rrrrlrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\jvddv.exec:\jvddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\frlfffx.exec:\frlfffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\bnbthh.exec:\bnbthh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3496 -
\??\c:\pjvpj.exec:\pjvpj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\xrllfxx.exec:\xrllfxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\5jppj.exec:\5jppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1928 -
\??\c:\5llfxrl.exec:\5llfxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\hhtnhh.exec:\hhtnhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\1thbbh.exec:\1thbbh.exe23⤵
- Executes dropped EXE
PID:3372 -
\??\c:\dvjvp.exec:\dvjvp.exe24⤵
- Executes dropped EXE
PID:4908 -
\??\c:\lrxrlff.exec:\lrxrlff.exe25⤵
- Executes dropped EXE
PID:2524 -
\??\c:\thhbtn.exec:\thhbtn.exe26⤵
- Executes dropped EXE
PID:3604 -
\??\c:\1jjvp.exec:\1jjvp.exe27⤵
- Executes dropped EXE
PID:2448 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe28⤵
- Executes dropped EXE
PID:3540 -
\??\c:\9btnhh.exec:\9btnhh.exe29⤵
- Executes dropped EXE
PID:1076 -
\??\c:\7vpjd.exec:\7vpjd.exe30⤵
- Executes dropped EXE
PID:4860 -
\??\c:\bnbbtt.exec:\bnbbtt.exe31⤵
- Executes dropped EXE
PID:1716 -
\??\c:\djvvj.exec:\djvvj.exe32⤵
- Executes dropped EXE
PID:864 -
\??\c:\dvvjd.exec:\dvvjd.exe33⤵
- Executes dropped EXE
PID:1940 -
\??\c:\rxlfxxx.exec:\rxlfxxx.exe34⤵
- Executes dropped EXE
PID:4684 -
\??\c:\nbbbtn.exec:\nbbbtn.exe35⤵
- Executes dropped EXE
PID:4008 -
\??\c:\5djdv.exec:\5djdv.exe36⤵
- Executes dropped EXE
PID:4316 -
\??\c:\lxfrfxx.exec:\lxfrfxx.exe37⤵
- Executes dropped EXE
PID:2888 -
\??\c:\hbhbtn.exec:\hbhbtn.exe38⤵
- Executes dropped EXE
PID:1292 -
\??\c:\jvpvp.exec:\jvpvp.exe39⤵
- Executes dropped EXE
PID:1700 -
\??\c:\1xxrfxl.exec:\1xxrfxl.exe40⤵
- Executes dropped EXE
PID:4752 -
\??\c:\1ththn.exec:\1ththn.exe41⤵
- Executes dropped EXE
PID:2544 -
\??\c:\vjjpd.exec:\vjjpd.exe42⤵
- Executes dropped EXE
PID:2212 -
\??\c:\fxlxrff.exec:\fxlxrff.exe43⤵
- Executes dropped EXE
PID:2912 -
\??\c:\tbbbhh.exec:\tbbbhh.exe44⤵
- Executes dropped EXE
PID:2548 -
\??\c:\5pjvv.exec:\5pjvv.exe45⤵
- Executes dropped EXE
PID:1280 -
\??\c:\dvvjv.exec:\dvvjv.exe46⤵
- Executes dropped EXE
PID:1844 -
\??\c:\7xxrxxr.exec:\7xxrxxr.exe47⤵
- Executes dropped EXE
PID:3700 -
\??\c:\bntnnh.exec:\bntnnh.exe48⤵
- Executes dropped EXE
PID:4312 -
\??\c:\9pvjd.exec:\9pvjd.exe49⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xflflfr.exec:\xflflfr.exe50⤵
- Executes dropped EXE
PID:4444 -
\??\c:\tnhbnh.exec:\tnhbnh.exe51⤵
- Executes dropped EXE
PID:4620 -
\??\c:\jjpjv.exec:\jjpjv.exe52⤵
- Executes dropped EXE
PID:3520 -
\??\c:\7ffxrrf.exec:\7ffxrrf.exe53⤵
- Executes dropped EXE
PID:2992 -
\??\c:\frfrfxx.exec:\frfrfxx.exe54⤵
- Executes dropped EXE
PID:928 -
\??\c:\5bnbnh.exec:\5bnbnh.exe55⤵
- Executes dropped EXE
PID:1060 -
\??\c:\jddpd.exec:\jddpd.exe56⤵
- Executes dropped EXE
PID:3380 -
\??\c:\rlrffrx.exec:\rlrffrx.exe57⤵
- Executes dropped EXE
PID:1336 -
\??\c:\fllxllf.exec:\fllxllf.exe58⤵
- Executes dropped EXE
PID:3480 -
\??\c:\5hhhtt.exec:\5hhhtt.exe59⤵
- Executes dropped EXE
PID:1856 -
\??\c:\pvddv.exec:\pvddv.exe60⤵
- Executes dropped EXE
PID:4664 -
\??\c:\9xrlxxr.exec:\9xrlxxr.exe61⤵
- Executes dropped EXE
PID:388 -
\??\c:\ttbthb.exec:\ttbthb.exe62⤵
- Executes dropped EXE
PID:5040 -
\??\c:\dppdd.exec:\dppdd.exe63⤵
- Executes dropped EXE
PID:4820 -
\??\c:\lfflxxr.exec:\lfflxxr.exe64⤵
- Executes dropped EXE
PID:1120 -
\??\c:\nhhtnh.exec:\nhhtnh.exe65⤵
- Executes dropped EXE
PID:3892 -
\??\c:\bhnhtn.exec:\bhnhtn.exe66⤵PID:2244
-
\??\c:\pvjvp.exec:\pvjvp.exe67⤵PID:3444
-
\??\c:\7xxrfll.exec:\7xxrfll.exe68⤵PID:2500
-
\??\c:\tnnhbt.exec:\tnnhbt.exe69⤵PID:2532
-
\??\c:\ntnhtn.exec:\ntnhtn.exe70⤵PID:2344
-
\??\c:\3vpdv.exec:\3vpdv.exe71⤵PID:2200
-
\??\c:\rxfxlrf.exec:\rxfxlrf.exe72⤵PID:1840
-
\??\c:\5ntnnn.exec:\5ntnnn.exe73⤵PID:2528
-
\??\c:\djpjv.exec:\djpjv.exe74⤵PID:3268
-
\??\c:\9rrlfxx.exec:\9rrlfxx.exe75⤵PID:3252
-
\??\c:\rfxlfxr.exec:\rfxlfxr.exe76⤵PID:3676
-
\??\c:\tnthbt.exec:\tnthbt.exe77⤵PID:4800
-
\??\c:\xllfrlf.exec:\xllfrlf.exe78⤵PID:5016
-
\??\c:\bhnhbt.exec:\bhnhbt.exe79⤵PID:1056
-
\??\c:\bhnhtt.exec:\bhnhtt.exe80⤵PID:408
-
\??\c:\vvpjd.exec:\vvpjd.exe81⤵PID:1392
-
\??\c:\lrrlffr.exec:\lrrlffr.exe82⤵PID:1584
-
\??\c:\nbbttn.exec:\nbbttn.exe83⤵PID:1580
-
\??\c:\tthbbt.exec:\tthbbt.exe84⤵PID:2756
-
\??\c:\jpvdd.exec:\jpvdd.exe85⤵PID:2468
-
\??\c:\7lfxrlf.exec:\7lfxrlf.exe86⤵PID:2508
-
\??\c:\bthbhb.exec:\bthbhb.exe87⤵PID:1232
-
\??\c:\tnnhhb.exec:\tnnhhb.exe88⤵PID:2856
-
\??\c:\pdjdd.exec:\pdjdd.exe89⤵PID:1596
-
\??\c:\rxfxllx.exec:\rxfxllx.exe90⤵
- System Location Discovery: System Language Discovery
PID:2220 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe91⤵PID:3188
-
\??\c:\hbnhhh.exec:\hbnhhh.exe92⤵PID:3652
-
\??\c:\pjdvp.exec:\pjdvp.exe93⤵PID:1152
-
\??\c:\xxrrlll.exec:\xxrrlll.exe94⤵PID:1716
-
\??\c:\lrfxlfl.exec:\lrfxlfl.exe95⤵PID:2016
-
\??\c:\hntnhh.exec:\hntnhh.exe96⤵PID:936
-
\??\c:\dppjj.exec:\dppjj.exe97⤵PID:3256
-
\??\c:\llfrfrf.exec:\llfrfrf.exe98⤵PID:1208
-
\??\c:\bhbnbt.exec:\bhbnbt.exe99⤵PID:5104
-
\??\c:\5pjdv.exec:\5pjdv.exe100⤵PID:3944
-
\??\c:\ppvjv.exec:\ppvjv.exe101⤵PID:4784
-
\??\c:\3ffrfxr.exec:\3ffrfxr.exe102⤵PID:1260
-
\??\c:\bnhbtn.exec:\bnhbtn.exe103⤵PID:4796
-
\??\c:\nbtnhh.exec:\nbtnhh.exe104⤵PID:4752
-
\??\c:\vpvjd.exec:\vpvjd.exe105⤵PID:2100
-
\??\c:\flfrlfx.exec:\flfrlfx.exe106⤵PID:2212
-
\??\c:\bbthbh.exec:\bbthbh.exe107⤵PID:2912
-
\??\c:\pdpjj.exec:\pdpjj.exe108⤵PID:1792
-
\??\c:\lffrfxr.exec:\lffrfxr.exe109⤵PID:4284
-
\??\c:\3tbtnb.exec:\3tbtnb.exe110⤵PID:4688
-
\??\c:\vppjv.exec:\vppjv.exe111⤵PID:320
-
\??\c:\fxlfffl.exec:\fxlfffl.exe112⤵PID:4972
-
\??\c:\5rlxrrl.exec:\5rlxrrl.exe113⤵PID:1668
-
\??\c:\hbhnhh.exec:\hbhnhh.exe114⤵PID:2640
-
\??\c:\pjpjj.exec:\pjpjj.exe115⤵PID:1460
-
\??\c:\xxlxllx.exec:\xxlxllx.exe116⤵PID:3980
-
\??\c:\7ffrrrl.exec:\7ffrrrl.exe117⤵PID:1464
-
\??\c:\hhhnhn.exec:\hhhnhn.exe118⤵PID:4492
-
\??\c:\vddvp.exec:\vddvp.exe119⤵PID:1892
-
\??\c:\xlxrlfx.exec:\xlxrlfx.exe120⤵PID:2036
-
\??\c:\xlrffxx.exec:\xlrffxx.exe121⤵PID:636
-
\??\c:\hbnthh.exec:\hbnthh.exe122⤵PID:2944