Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28/12/2024, 22:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4.exe
Resource
win7-20240903-en (note: this task entry names the Windows 7 image, but the platform/resource fields above and every signature detail reproduced below refer to the behavioral2 run on win10v2004-20241007-en; the Windows 7 results are not shown on this page)
7 signatures
150 seconds
General
-
Target
457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4.exe
-
Size
456KB
-
MD5
9e997de85bc422a882fb6acd44f5d572
-
SHA1
6820f45ba36948050e8925359b4743c1ffdc64e0
-
SHA256
457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4
-
SHA512
ac96ba1f7e3633bfb38e597819b9e74bdedb66bc0ad07b1d067995fde25f459bf89ae3605a819e125c9d2e07503c574d715e21c54f3d59c40812e6490ad46d29
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRIG:q7Tc2NYHUrAwfMp3CDRT
Malware Config (no extracted configuration is shown in this report)
Signatures
-
Blackmoon family (attribution rests on the family_blackmoon YARA memory matches listed under the next signature; corroborate with a second source before using it for response decisions)
-
Detect Blackmoon payload 63 IoCs (every match is the same 0x00400000-0x0042A000 image region in each process of the chain, consistent with one and the same payload image being re-dropped and re-executed under a new name; the same regions also match the generic upx YARA rule listed further below, which suggests the in-memory payload is UPX-packed)
resource yara_rule behavioral2/memory/4960-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/952-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4480-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1496-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3752-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2764-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1248-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/816-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/988-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/636-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1736-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-394-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-414-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-478-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-494-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-538-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-577-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-608-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1220-717-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-757-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-860-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (each dropped binary is written to the root of C:\ with a short random-looking name and runs the next one; PIDs are recycled during the run — 952, 4480 and 3580 each appear twice below for different binaries — so use the file name and parent/child relation, not the PID, as the key when correlating these entries)
pid Process 952 fxxxrrr.exe 2564 hbhhbb.exe 3144 pjjjd.exe 4480 flrlxxl.exe 4112 llxrxxl.exe 3580 3lxxxxf.exe 4128 bnhnnb.exe 1496 hhtnnt.exe 3176 ddjjd.exe 2676 lllllrr.exe 3396 9pdjv.exe 3752 nhntbh.exe 2960 dpddv.exe 5080 9xlllrr.exe 416 lrffxxf.exe 1952 3rrxxlr.exe 2764 bhbhtt.exe 3972 ffxxlrf.exe 1192 bbhhnn.exe 3664 ppjdj.exe 2284 ffxlxrx.exe 1464 ddddd.exe 5040 lrxxxxx.exe 2528 nhbhhn.exe 1248 htnnnt.exe 1088 xrfrlff.exe 2684 bnbbbh.exe 1500 bthhhn.exe 2540 hbbbbh.exe 4048 vdvvd.exe 2460 ffxfrff.exe 964 7hnnbn.exe 2356 5ffllll.exe 1104 nhtbtb.exe 4020 vdvpp.exe 4576 xlrllll.exe 816 7nhbtt.exe 2108 pjvpp.exe 2964 lfxrrrr.exe 1180 3bttnn.exe 4544 vpvvp.exe 3084 dpvpp.exe 1828 lfllflf.exe 4288 nthhbb.exe 5088 1pjjd.exe 988 9lllflf.exe 4032 rlllllf.exe 228 ntnhbh.exe 1792 dvdvp.exe 1568 rxllxrl.exe 4500 hthbtn.exe 4172 ddvvv.exe 2560 vvddv.exe 4388 xlrrfff.exe 952 ttnnbt.exe 3688 ddjjp.exe 3232 fxlfxrr.exe 2784 7nnntb.exe 1388 vvppv.exe 4480 vvvpv.exe 3228 flfffff.exe 3852 hbntbh.exe 3580 jdjjj.exe 2396 9llxxxr.exe -
resource yara_rule behavioral2/memory/4960-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/952-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4480-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1496-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3752-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2764-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-158-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1088-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/816-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/988-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3852-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/636-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1736-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-387-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3572-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-414-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-462-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-478-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-494-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-577-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-608-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1220-717-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-757-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location (MITRE ATT&CK T1614.001). The only evidence here is a read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, which benign runtime and locale initialisation also performs, so on its own this is a weak indicator. Entries attributed to "Process not Found" are reads by chain processes that had apparently already exited before the report could resolve their names.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrxrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrfrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxlxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each parent writes three times into the child it has just created, a pattern consistent with ordinary process start-up rather than injection into an unrelated process; the notable behaviour is the chain itself, in which every dropped EXE spawns the next one)
description pid Process procid_target PID 4960 wrote to memory of 952 4960 457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4.exe 82 PID 4960 wrote to memory of 952 4960 457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4.exe 82 PID 4960 wrote to memory of 952 4960 457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4.exe 82 PID 952 wrote to memory of 2564 952 fxxxrrr.exe 83 PID 952 wrote to memory of 2564 952 fxxxrrr.exe 83 PID 952 wrote to memory of 2564 952 fxxxrrr.exe 83 PID 2564 wrote to memory of 3144 2564 hbhhbb.exe 84 PID 2564 wrote to memory of 3144 2564 hbhhbb.exe 84 PID 2564 wrote to memory of 3144 2564 hbhhbb.exe 84 PID 3144 wrote to memory of 4480 3144 pjjjd.exe 85 PID 3144 wrote to memory of 4480 3144 pjjjd.exe 85 PID 3144 wrote to memory of 4480 3144 pjjjd.exe 85 PID 4480 wrote to memory of 4112 4480 flrlxxl.exe 86 PID 4480 wrote to memory of 4112 4480 flrlxxl.exe 86 PID 4480 wrote to memory of 4112 4480 flrlxxl.exe 86 PID 4112 wrote to memory of 3580 4112 llxrxxl.exe 87 PID 4112 wrote to memory of 3580 4112 llxrxxl.exe 87 PID 4112 wrote to memory of 3580 4112 llxrxxl.exe 87 PID 3580 wrote to memory of 4128 3580 3lxxxxf.exe 88 PID 3580 wrote to memory of 4128 3580 3lxxxxf.exe 88 PID 3580 wrote to memory of 4128 3580 3lxxxxf.exe 88 PID 4128 wrote to memory of 1496 4128 bnhnnb.exe 89 PID 4128 wrote to memory of 1496 4128 bnhnnb.exe 89 PID 4128 wrote to memory of 1496 4128 bnhnnb.exe 89 PID 1496 wrote to memory of 3176 1496 hhtnnt.exe 90 PID 1496 wrote to memory of 3176 1496 hhtnnt.exe 90 PID 1496 wrote to memory of 3176 1496 hhtnnt.exe 90 PID 3176 wrote to memory of 2676 3176 ddjjd.exe 91 PID 3176 wrote to memory of 2676 3176 ddjjd.exe 91 PID 3176 wrote to memory of 2676 3176 ddjjd.exe 91 PID 2676 wrote to memory of 3396 2676 lllllrr.exe 92 PID 2676 wrote to memory of 3396 2676 lllllrr.exe 92 PID 2676 wrote to memory of 3396 2676 lllllrr.exe 92 PID 3396 wrote to memory of 3752 3396 9pdjv.exe 93 PID 3396 wrote to 
memory of 3752 3396 9pdjv.exe 93 PID 3396 wrote to memory of 3752 3396 9pdjv.exe 93 PID 3752 wrote to memory of 2960 3752 nhntbh.exe 94 PID 3752 wrote to memory of 2960 3752 nhntbh.exe 94 PID 3752 wrote to memory of 2960 3752 nhntbh.exe 94 PID 2960 wrote to memory of 5080 2960 dpddv.exe 95 PID 2960 wrote to memory of 5080 2960 dpddv.exe 95 PID 2960 wrote to memory of 5080 2960 dpddv.exe 95 PID 5080 wrote to memory of 416 5080 9xlllrr.exe 96 PID 5080 wrote to memory of 416 5080 9xlllrr.exe 96 PID 5080 wrote to memory of 416 5080 9xlllrr.exe 96 PID 416 wrote to memory of 1952 416 lrffxxf.exe 97 PID 416 wrote to memory of 1952 416 lrffxxf.exe 97 PID 416 wrote to memory of 1952 416 lrffxxf.exe 97 PID 1952 wrote to memory of 2764 1952 3rrxxlr.exe 98 PID 1952 wrote to memory of 2764 1952 3rrxxlr.exe 98 PID 1952 wrote to memory of 2764 1952 3rrxxlr.exe 98 PID 2764 wrote to memory of 3972 2764 bhbhtt.exe 99 PID 2764 wrote to memory of 3972 2764 bhbhtt.exe 99 PID 2764 wrote to memory of 3972 2764 bhbhtt.exe 99 PID 3972 wrote to memory of 1192 3972 ffxxlrf.exe 100 PID 3972 wrote to memory of 1192 3972 ffxxlrf.exe 100 PID 3972 wrote to memory of 1192 3972 ffxxlrf.exe 100 PID 1192 wrote to memory of 3664 1192 bbhhnn.exe 101 PID 1192 wrote to memory of 3664 1192 bbhhnn.exe 101 PID 1192 wrote to memory of 3664 1192 bbhhnn.exe 101 PID 3664 wrote to memory of 2284 3664 ppjdj.exe 102 PID 3664 wrote to memory of 2284 3664 ppjdj.exe 102 PID 3664 wrote to memory of 2284 3664 ppjdj.exe 102 PID 2284 wrote to memory of 1464 2284 ffxlxrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4.exe — command line: "C:\Users\Admin\AppData\Local\Temp\457de13af9918e8e0006744d8b91c4c6072d31698d95878ec6936ce32e4a58c4.exe" (depth 1)
- Suspicious use of WriteProcessMemory
PID:4960 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:952 -
\??\c:\hbhhbb.exec:\hbhhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2564 -
\??\c:\pjjjd.exec:\pjjjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\flrlxxl.exec:\flrlxxl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480 -
\??\c:\llxrxxl.exec:\llxrxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\3lxxxxf.exec:\3lxxxxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\bnhnnb.exec:\bnhnnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\hhtnnt.exec:\hhtnnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\ddjjd.exec:\ddjjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176 -
\??\c:\lllllrr.exec:\lllllrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\9pdjv.exec:\9pdjv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\nhntbh.exec:\nhntbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\dpddv.exec:\dpddv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\9xlllrr.exec:\9xlllrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\lrffxxf.exec:\lrffxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416 -
\??\c:\3rrxxlr.exec:\3rrxxlr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\bhbhtt.exec:\bhbhtt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2764 -
\??\c:\ffxxlrf.exec:\ffxxlrf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\bbhhnn.exec:\bbhhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1192 -
\??\c:\ppjdj.exec:\ppjdj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\ffxlxrx.exec:\ffxlxrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\ddddd.exec:\ddddd.exe23⤵
- Executes dropped EXE
PID:1464 -
\??\c:\lrxxxxx.exec:\lrxxxxx.exe24⤵
- Executes dropped EXE
PID:5040 -
\??\c:\nhbhhn.exec:\nhbhhn.exe25⤵
- Executes dropped EXE
PID:2528 -
\??\c:\htnnnt.exec:\htnnnt.exe26⤵
- Executes dropped EXE
PID:1248 -
\??\c:\xrfrlff.exec:\xrfrlff.exe27⤵
- Executes dropped EXE
PID:1088 -
\??\c:\bnbbbh.exec:\bnbbbh.exe28⤵
- Executes dropped EXE
PID:2684 -
\??\c:\bthhhn.exec:\bthhhn.exe29⤵
- Executes dropped EXE
PID:1500 -
\??\c:\hbbbbh.exec:\hbbbbh.exe30⤵
- Executes dropped EXE
PID:2540 -
\??\c:\vdvvd.exec:\vdvvd.exe31⤵
- Executes dropped EXE
PID:4048 -
\??\c:\ffxfrff.exec:\ffxfrff.exe32⤵
- Executes dropped EXE
PID:2460 -
\??\c:\7hnnbn.exec:\7hnnbn.exe33⤵
- Executes dropped EXE
PID:964 -
\??\c:\5ffllll.exec:\5ffllll.exe34⤵
- Executes dropped EXE
PID:2356 -
\??\c:\nhtbtb.exec:\nhtbtb.exe35⤵
- Executes dropped EXE
PID:1104 -
\??\c:\vdvpp.exec:\vdvpp.exe36⤵
- Executes dropped EXE
PID:4020 -
\??\c:\xlrllll.exec:\xlrllll.exe37⤵
- Executes dropped EXE
PID:4576 -
\??\c:\7nhbtt.exec:\7nhbtt.exe38⤵
- Executes dropped EXE
PID:816 -
\??\c:\pjvpp.exec:\pjvpp.exe39⤵
- Executes dropped EXE
PID:2108 -
\??\c:\lfxrrrr.exec:\lfxrrrr.exe40⤵
- Executes dropped EXE
PID:2964 -
\??\c:\3bttnn.exec:\3bttnn.exe41⤵
- Executes dropped EXE
PID:1180 -
\??\c:\vpvvp.exec:\vpvvp.exe42⤵
- Executes dropped EXE
PID:4544 -
\??\c:\dpvpp.exec:\dpvpp.exe43⤵
- Executes dropped EXE
PID:3084 -
\??\c:\lfllflf.exec:\lfllflf.exe44⤵
- Executes dropped EXE
PID:1828 -
\??\c:\nthhbb.exec:\nthhbb.exe45⤵
- Executes dropped EXE
PID:4288 -
\??\c:\1pjjd.exec:\1pjjd.exe46⤵
- Executes dropped EXE
PID:5088 -
\??\c:\9lllflf.exec:\9lllflf.exe47⤵
- Executes dropped EXE
PID:988 -
\??\c:\rlllllf.exec:\rlllllf.exe48⤵
- Executes dropped EXE
PID:4032 -
\??\c:\ntnhbh.exec:\ntnhbh.exe49⤵
- Executes dropped EXE
PID:228 -
\??\c:\dvdvp.exec:\dvdvp.exe50⤵
- Executes dropped EXE
PID:1792 -
\??\c:\rxllxrl.exec:\rxllxrl.exe51⤵
- Executes dropped EXE
PID:1568 -
\??\c:\hthbtn.exec:\hthbtn.exe52⤵
- Executes dropped EXE
PID:4500 -
\??\c:\ddvvv.exec:\ddvvv.exe53⤵
- Executes dropped EXE
PID:4172 -
\??\c:\vvddv.exec:\vvddv.exe54⤵
- Executes dropped EXE
PID:2560 -
\??\c:\xlrrfff.exec:\xlrrfff.exe55⤵
- Executes dropped EXE
PID:4388 -
\??\c:\ttnnbt.exec:\ttnnbt.exe56⤵
- Executes dropped EXE
PID:952 -
\??\c:\ddjjp.exec:\ddjjp.exe57⤵
- Executes dropped EXE
PID:3688 -
\??\c:\fxlfxrr.exec:\fxlfxrr.exe58⤵
- Executes dropped EXE
PID:3232 -
\??\c:\7nnntb.exec:\7nnntb.exe59⤵
- Executes dropped EXE
PID:2784 -
\??\c:\vvppv.exec:\vvppv.exe60⤵
- Executes dropped EXE
PID:1388 -
\??\c:\vvvpv.exec:\vvvpv.exe61⤵
- Executes dropped EXE
PID:4480 -
\??\c:\flfffff.exec:\flfffff.exe62⤵
- Executes dropped EXE
PID:3228 -
\??\c:\hbntbh.exec:\hbntbh.exe63⤵
- Executes dropped EXE
PID:3852 -
\??\c:\jdjjj.exec:\jdjjj.exe64⤵
- Executes dropped EXE
PID:3580 -
\??\c:\9llxxxr.exec:\9llxxxr.exe65⤵
- Executes dropped EXE
PID:2396 -
\??\c:\ntthtn.exec:\ntthtn.exe66⤵PID:3912
-
\??\c:\nntnhh.exec:\nntnhh.exe67⤵PID:2992
-
\??\c:\pjvvp.exec:\pjvvp.exe68⤵PID:764
-
\??\c:\rllfrxr.exec:\rllfrxr.exe69⤵PID:2916
-
\??\c:\3tbtnn.exec:\3tbtnn.exe70⤵PID:2876
-
\??\c:\dpjdj.exec:\dpjdj.exe71⤵PID:2928
-
\??\c:\rllfrrl.exec:\rllfrrl.exe72⤵PID:4484
-
\??\c:\tttttn.exec:\tttttn.exe73⤵PID:244
-
\??\c:\hhnhbb.exec:\hhnhbb.exe74⤵PID:636
-
\??\c:\1pvpj.exec:\1pvpj.exe75⤵PID:4496
-
\??\c:\lrffxxx.exec:\lrffxxx.exe76⤵PID:5080
-
\??\c:\bthbbt.exec:\bthbbt.exe77⤵PID:2280
-
\??\c:\jvjjv.exec:\jvjjv.exe78⤵PID:1736
-
\??\c:\frxrrrf.exec:\frxrrrf.exe79⤵PID:5100
-
\??\c:\ttnbtt.exec:\ttnbtt.exe80⤵PID:3292
-
\??\c:\vvvpp.exec:\vvvpp.exe81⤵PID:4964
-
\??\c:\vvvjp.exec:\vvvjp.exe82⤵PID:3264
-
\??\c:\xlrllrr.exec:\xlrllrr.exe83⤵PID:3016
-
\??\c:\3hhbtt.exec:\3hhbtt.exe84⤵PID:3780
-
\??\c:\tnhbhb.exec:\tnhbhb.exe85⤵PID:1904
-
\??\c:\dpvpv.exec:\dpvpv.exe86⤵PID:732
-
\??\c:\rxxlllf.exec:\rxxlllf.exe87⤵PID:2532
-
\??\c:\xlrlllf.exec:\xlrlllf.exe88⤵PID:2068
-
\??\c:\7nntnn.exec:\7nntnn.exe89⤵PID:5040
-
\??\c:\7jpjj.exec:\7jpjj.exe90⤵PID:2972
-
\??\c:\llxlffx.exec:\llxlffx.exe91⤵PID:1784
-
\??\c:\xxllrrf.exec:\xxllrrf.exe92⤵PID:2392
-
\??\c:\nhnhbh.exec:\nhnhbh.exe93⤵PID:2692
-
\??\c:\1bttnb.exec:\1bttnb.exe94⤵PID:2684
-
\??\c:\dvjdv.exec:\dvjdv.exe95⤵PID:4232
-
\??\c:\rllfrff.exec:\rllfrff.exe96⤵PID:3572
-
\??\c:\nhnhhb.exec:\nhnhhb.exe97⤵PID:3592
-
\??\c:\bhhbtn.exec:\bhhbtn.exe98⤵PID:3528
-
\??\c:\pjppj.exec:\pjppj.exe99⤵PID:980
-
\??\c:\rllfxrr.exec:\rllfxrr.exe100⤵PID:2364
-
\??\c:\bbnntb.exec:\bbnntb.exe101⤵PID:2356
-
\??\c:\3dddv.exec:\3dddv.exe102⤵PID:3984
-
\??\c:\pdvvp.exec:\pdvvp.exe103⤵PID:3152
-
\??\c:\5llllrr.exec:\5llllrr.exe104⤵PID:5008
-
\??\c:\bnbbbn.exec:\bnbbbn.exe105⤵PID:1272
-
\??\c:\hhtntt.exec:\hhtntt.exe106⤵PID:3756
-
\??\c:\ppppj.exec:\ppppj.exe107⤵PID:2836
-
\??\c:\xlxrlrr.exec:\xlxrlrr.exe108⤵PID:3936
-
\??\c:\nhbbth.exec:\nhbbth.exe109⤵PID:4660
-
\??\c:\ttbttb.exec:\ttbttb.exe110⤵PID:4452
-
\??\c:\1pvpp.exec:\1pvpp.exe111⤵
- System Location Discovery: System Language Discovery
PID:4928 -
\??\c:\xrrrlff.exec:\xrrrlff.exe112⤵PID:5084
-
\??\c:\5lxlxlx.exec:\5lxlxlx.exe113⤵PID:4400
-
\??\c:\tbhbtn.exec:\tbhbtn.exe114⤵PID:988
-
\??\c:\dddpd.exec:\dddpd.exe115⤵PID:4028
-
\??\c:\5fxrxxr.exec:\5fxrxxr.exe116⤵PID:4420
-
\??\c:\nttnnn.exec:\nttnnn.exe117⤵PID:5092
-
\??\c:\pdpdp.exec:\pdpdp.exe118⤵PID:4932
-
\??\c:\rlxrfrl.exec:\rlxrfrl.exe119⤵PID:4344
-
\??\c:\fxxflrf.exec:\fxxflrf.exe120⤵PID:4332
-
\??\c:\hthbbt.exec:\hthbbt.exe121⤵PID:708
-
\??\c:\dpvjd.exec:\dpvjd.exe122⤵PID:3236
-