Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe
-
Size
454KB
-
MD5
661ecbdac5ca53caafe72d893d4481ac
-
SHA1
51caeb0c04312b2077710d906d9e885ada34563d
-
SHA256
c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310
-
SHA512
796475a60c6d60a043a3907060e8e79c30ffc5cd124b45849402369615db2e00df994a2a1a1b7d18703aee88e3fc99e792ef6b4f5095502ff04071171aa93af3
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (yara rule family_blackmoon matched on the 0x0000000000400000–0x000000000042A000 in-memory image of the original sample and of each dropped child; the hits are on memory dumps, not on the file on disk, and the same region also triggers the generic upx rule further down, so the family match is against the image after unpacking)
resource yara_rule behavioral2/memory/916-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4212-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2776-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3412-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2124-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2100-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3548-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1284-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3284-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3816-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3296-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3828-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3344-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4240-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-518-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-570-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-586-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-713-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-820-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-989-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1320-1660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (only the first 64 of a much longer chain are listed; each dropped binary is written to the root of C:\ under a short random name built from the letters b/d/f/h/j/l/n/p/r/t/v/x, sometimes with a leading digit. PIDs are reused within the run — e.g. 3084 and 4840 each appear for two different executables — so pair PID with process name, not PID alone, when pivoting into the IoC tables)
pid Process 3924 hhthbt.exe 3084 lrlffxr.exe 3008 9btnnn.exe 4212 7dddv.exe 4852 jjpjj.exe 4416 xlrlfll.exe 4840 pdpjp.exe 832 llfxxxl.exe 1292 vjpjv.exe 2776 nhbtnn.exe 2400 thbnnn.exe 2412 rffxrrx.exe 348 djjvj.exe 3600 bbhbtt.exe 1956 vjjdp.exe 3816 btbtnn.exe 1456 dvdvd.exe 1548 xrrlffx.exe 4512 tttntt.exe 3296 pddpj.exe 5020 xlxfrlf.exe 1528 lfrlrrr.exe 4980 nhhtbt.exe 1868 nhbnbt.exe 2036 nbhthb.exe 3432 pjjdj.exe 2592 lrxxffl.exe 1508 dddvj.exe 3928 lrxlrlf.exe 400 lxxrfxr.exe 3408 nnnbht.exe 2100 pjdpp.exe 876 rflfxxx.exe 2124 xrlfrrl.exe 2172 nthtnn.exe 3828 7pjjd.exe 4824 7ffxrlx.exe 1628 rlrllll.exe 3376 tnnbnh.exe 3412 vpvpv.exe 4772 xfllxrf.exe 3548 3rxlllf.exe 1656 nththb.exe 3492 vdvjd.exe 812 rllfxrl.exe 2508 3tnhbb.exe 4360 nbbtnh.exe 3196 xrfrrll.exe 548 jddvd.exe 3420 bnnnbt.exe 3084 ffffrlf.exe 1920 5hbnhb.exe 3328 xxrlffx.exe 4392 7xrlffx.exe 2796 vpppj.exe 4044 7jddv.exe 732 fxffxrl.exe 2312 5rrxrlf.exe 4092 nbhhbh.exe 4628 djpdv.exe 4840 7llxrlf.exe 1436 btnnhn.exe 1740 htbttn.exe 4992 jjvpv.exe -
resource yara_rule behavioral2/memory/916-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4212-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2776-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3412-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2124-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-188-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2100-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3548-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1284-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3816-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3296-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-406-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5024-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3828-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3344-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4240-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-518-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-570-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-713-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-820-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-989-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Here the IoC is a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; most entries are attributed to "Process not Found", which likely means the short-lived dropper process had already exited by the time the event was resolved. On its own this key read is low-signal — legitimate software reads it too — so treat it as supporting context for the Blackmoon detection rather than a standalone indicator.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1fxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (each process writes three times into the memory of the child it has just spawned, forming a strictly linear parent→child chain that starts at the original sample: PID 916 → 3924 → 3084 → …; the list is capped at 64 entries and therefore covers only the first 22 hops of a chain that reaches at least depth 122 in the process tree below)
description pid Process procid_target PID 916 wrote to memory of 3924 916 c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe 82 PID 916 wrote to memory of 3924 916 c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe 82 PID 916 wrote to memory of 3924 916 c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe 82 PID 3924 wrote to memory of 3084 3924 hhthbt.exe 83 PID 3924 wrote to memory of 3084 3924 hhthbt.exe 83 PID 3924 wrote to memory of 3084 3924 hhthbt.exe 83 PID 3084 wrote to memory of 3008 3084 lrlffxr.exe 84 PID 3084 wrote to memory of 3008 3084 lrlffxr.exe 84 PID 3084 wrote to memory of 3008 3084 lrlffxr.exe 84 PID 3008 wrote to memory of 4212 3008 9btnnn.exe 85 PID 3008 wrote to memory of 4212 3008 9btnnn.exe 85 PID 3008 wrote to memory of 4212 3008 9btnnn.exe 85 PID 4212 wrote to memory of 4852 4212 7dddv.exe 86 PID 4212 wrote to memory of 4852 4212 7dddv.exe 86 PID 4212 wrote to memory of 4852 4212 7dddv.exe 86 PID 4852 wrote to memory of 4416 4852 jjpjj.exe 87 PID 4852 wrote to memory of 4416 4852 jjpjj.exe 87 PID 4852 wrote to memory of 4416 4852 jjpjj.exe 87 PID 4416 wrote to memory of 4840 4416 xlrlfll.exe 88 PID 4416 wrote to memory of 4840 4416 xlrlfll.exe 88 PID 4416 wrote to memory of 4840 4416 xlrlfll.exe 88 PID 4840 wrote to memory of 832 4840 pdpjp.exe 89 PID 4840 wrote to memory of 832 4840 pdpjp.exe 89 PID 4840 wrote to memory of 832 4840 pdpjp.exe 89 PID 832 wrote to memory of 1292 832 llfxxxl.exe 90 PID 832 wrote to memory of 1292 832 llfxxxl.exe 90 PID 832 wrote to memory of 1292 832 llfxxxl.exe 90 PID 1292 wrote to memory of 2776 1292 vjpjv.exe 91 PID 1292 wrote to memory of 2776 1292 vjpjv.exe 91 PID 1292 wrote to memory of 2776 1292 vjpjv.exe 91 PID 2776 wrote to memory of 2400 2776 nhbtnn.exe 92 PID 2776 wrote to memory of 2400 2776 nhbtnn.exe 92 PID 2776 wrote to memory of 2400 2776 nhbtnn.exe 92 PID 2400 wrote to memory of 2412 2400 thbnnn.exe 93 PID 2400 wrote to memory of 2412 2400 
thbnnn.exe 93 PID 2400 wrote to memory of 2412 2400 thbnnn.exe 93 PID 2412 wrote to memory of 348 2412 rffxrrx.exe 94 PID 2412 wrote to memory of 348 2412 rffxrrx.exe 94 PID 2412 wrote to memory of 348 2412 rffxrrx.exe 94 PID 348 wrote to memory of 3600 348 djjvj.exe 95 PID 348 wrote to memory of 3600 348 djjvj.exe 95 PID 348 wrote to memory of 3600 348 djjvj.exe 95 PID 3600 wrote to memory of 1956 3600 bbhbtt.exe 96 PID 3600 wrote to memory of 1956 3600 bbhbtt.exe 96 PID 3600 wrote to memory of 1956 3600 bbhbtt.exe 96 PID 1956 wrote to memory of 3816 1956 vjjdp.exe 97 PID 1956 wrote to memory of 3816 1956 vjjdp.exe 97 PID 1956 wrote to memory of 3816 1956 vjjdp.exe 97 PID 3816 wrote to memory of 1456 3816 btbtnn.exe 98 PID 3816 wrote to memory of 1456 3816 btbtnn.exe 98 PID 3816 wrote to memory of 1456 3816 btbtnn.exe 98 PID 1456 wrote to memory of 1548 1456 dvdvd.exe 99 PID 1456 wrote to memory of 1548 1456 dvdvd.exe 99 PID 1456 wrote to memory of 1548 1456 dvdvd.exe 99 PID 1548 wrote to memory of 4512 1548 xrrlffx.exe 100 PID 1548 wrote to memory of 4512 1548 xrrlffx.exe 100 PID 1548 wrote to memory of 4512 1548 xrrlffx.exe 100 PID 4512 wrote to memory of 3296 4512 tttntt.exe 101 PID 4512 wrote to memory of 3296 4512 tttntt.exe 101 PID 4512 wrote to memory of 3296 4512 tttntt.exe 101 PID 3296 wrote to memory of 5020 3296 pddpj.exe 102 PID 3296 wrote to memory of 5020 3296 pddpj.exe 102 PID 3296 wrote to memory of 5020 3296 pddpj.exe 102 PID 5020 wrote to memory of 1528 5020 xlxfrlf.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe"C:\Users\Admin\AppData\Local\Temp\c0d8e124820b7e29932204dd6667ee521064cd17ad8a91bbec9c1c02a4895310.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\hhthbt.exec:\hhthbt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3924 -
\??\c:\lrlffxr.exec:\lrlffxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
\??\c:\9btnnn.exec:\9btnnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008 -
\??\c:\7dddv.exec:\7dddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\jjpjj.exec:\jjpjj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\xlrlfll.exec:\xlrlfll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\pdpjp.exec:\pdpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\llfxxxl.exec:\llfxxxl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
\??\c:\vjpjv.exec:\vjpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292 -
\??\c:\nhbtnn.exec:\nhbtnn.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2776 -
\??\c:\thbnnn.exec:\thbnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2400 -
\??\c:\rffxrrx.exec:\rffxrrx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
\??\c:\djjvj.exec:\djjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\bbhbtt.exec:\bbhbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\vjjdp.exec:\vjjdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
\??\c:\btbtnn.exec:\btbtnn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\dvdvd.exec:\dvdvd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\xrrlffx.exec:\xrrlffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\tttntt.exec:\tttntt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\pddpj.exec:\pddpj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\xlxfrlf.exec:\xlxfrlf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\lfrlrrr.exec:\lfrlrrr.exe23⤵
- Executes dropped EXE
PID:1528 -
\??\c:\nhhtbt.exec:\nhhtbt.exe24⤵
- Executes dropped EXE
PID:4980 -
\??\c:\nhbnbt.exec:\nhbnbt.exe25⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nbhthb.exec:\nbhthb.exe26⤵
- Executes dropped EXE
PID:2036 -
\??\c:\pjjdj.exec:\pjjdj.exe27⤵
- Executes dropped EXE
PID:3432 -
\??\c:\lrxxffl.exec:\lrxxffl.exe28⤵
- Executes dropped EXE
PID:2592 -
\??\c:\dddvj.exec:\dddvj.exe29⤵
- Executes dropped EXE
PID:1508 -
\??\c:\lrxlrlf.exec:\lrxlrlf.exe30⤵
- Executes dropped EXE
PID:3928 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe31⤵
- Executes dropped EXE
PID:400 -
\??\c:\nnnbht.exec:\nnnbht.exe32⤵
- Executes dropped EXE
PID:3408 -
\??\c:\pjdpp.exec:\pjdpp.exe33⤵
- Executes dropped EXE
PID:2100 -
\??\c:\rflfxxx.exec:\rflfxxx.exe34⤵
- Executes dropped EXE
PID:876 -
\??\c:\xrlfrrl.exec:\xrlfrrl.exe35⤵
- Executes dropped EXE
PID:2124 -
\??\c:\nthtnn.exec:\nthtnn.exe36⤵
- Executes dropped EXE
PID:2172 -
\??\c:\7pjjd.exec:\7pjjd.exe37⤵
- Executes dropped EXE
PID:3828 -
\??\c:\7ffxrlx.exec:\7ffxrlx.exe38⤵
- Executes dropped EXE
PID:4824 -
\??\c:\rlrllll.exec:\rlrllll.exe39⤵
- Executes dropped EXE
PID:1628 -
\??\c:\tnnbnh.exec:\tnnbnh.exe40⤵
- Executes dropped EXE
PID:3376 -
\??\c:\vpvpv.exec:\vpvpv.exe41⤵
- Executes dropped EXE
PID:3412 -
\??\c:\xfllxrf.exec:\xfllxrf.exe42⤵
- Executes dropped EXE
PID:4772 -
\??\c:\3rxlllf.exec:\3rxlllf.exe43⤵
- Executes dropped EXE
PID:3548 -
\??\c:\nththb.exec:\nththb.exe44⤵
- Executes dropped EXE
PID:1656 -
\??\c:\vdvjd.exec:\vdvjd.exe45⤵
- Executes dropped EXE
PID:3492 -
\??\c:\rllfxrl.exec:\rllfxrl.exe46⤵
- Executes dropped EXE
PID:812 -
\??\c:\3tnhbb.exec:\3tnhbb.exe47⤵
- Executes dropped EXE
PID:2508 -
\??\c:\nbbtnh.exec:\nbbtnh.exe48⤵
- Executes dropped EXE
PID:4360 -
\??\c:\xrfrrll.exec:\xrfrrll.exe49⤵
- Executes dropped EXE
PID:3196 -
\??\c:\jddvd.exec:\jddvd.exe50⤵
- Executes dropped EXE
PID:548 -
\??\c:\bnnnbt.exec:\bnnnbt.exe51⤵
- Executes dropped EXE
PID:3420 -
\??\c:\ffffrlf.exec:\ffffrlf.exe52⤵
- Executes dropped EXE
PID:3084 -
\??\c:\5hbnhb.exec:\5hbnhb.exe53⤵
- Executes dropped EXE
PID:1920 -
\??\c:\xxrlffx.exec:\xxrlffx.exe54⤵
- Executes dropped EXE
PID:3328 -
\??\c:\7xrlffx.exec:\7xrlffx.exe55⤵
- Executes dropped EXE
PID:4392 -
\??\c:\vpppj.exec:\vpppj.exe56⤵
- Executes dropped EXE
PID:2796 -
\??\c:\7jddv.exec:\7jddv.exe57⤵
- Executes dropped EXE
PID:4044 -
\??\c:\fxffxrl.exec:\fxffxrl.exe58⤵
- Executes dropped EXE
PID:732 -
\??\c:\5rrxrlf.exec:\5rrxrlf.exe59⤵
- Executes dropped EXE
PID:2312 -
\??\c:\nbhhbh.exec:\nbhhbh.exe60⤵
- Executes dropped EXE
PID:4092 -
\??\c:\djpdv.exec:\djpdv.exe61⤵
- Executes dropped EXE
PID:4628 -
\??\c:\7llxrlf.exec:\7llxrlf.exe62⤵
- Executes dropped EXE
PID:4840 -
\??\c:\btnnhn.exec:\btnnhn.exe63⤵
- Executes dropped EXE
PID:1436 -
\??\c:\htbttn.exec:\htbttn.exe64⤵
- Executes dropped EXE
PID:1740 -
\??\c:\jjvpv.exec:\jjvpv.exe65⤵
- Executes dropped EXE
PID:4992 -
\??\c:\fxxrllr.exec:\fxxrllr.exe66⤵PID:1284
-
\??\c:\thhtnb.exec:\thhtnb.exe67⤵PID:3340
-
\??\c:\dddvp.exec:\dddvp.exe68⤵PID:2776
-
\??\c:\frfrffx.exec:\frfrffx.exe69⤵PID:4696
-
\??\c:\lfrlffx.exec:\lfrlffx.exe70⤵PID:4996
-
\??\c:\thbthb.exec:\thbthb.exe71⤵PID:5064
-
\??\c:\dvvjv.exec:\dvvjv.exe72⤵PID:3284
-
\??\c:\xllxfxr.exec:\xllxfxr.exe73⤵PID:3092
-
\??\c:\xflxlxl.exec:\xflxlxl.exe74⤵PID:1452
-
\??\c:\bttnbt.exec:\bttnbt.exe75⤵PID:2672
-
\??\c:\pdpdj.exec:\pdpdj.exe76⤵PID:3592
-
\??\c:\5rlxrlf.exec:\5rlxrlf.exe77⤵PID:2108
-
\??\c:\btttnt.exec:\btttnt.exe78⤵PID:2104
-
\??\c:\dvvpd.exec:\dvvpd.exe79⤵PID:3816
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe80⤵PID:1456
-
\??\c:\xrfxfxf.exec:\xrfxfxf.exe81⤵PID:3396
-
\??\c:\7hhtnn.exec:\7hhtnn.exe82⤵PID:5052
-
\??\c:\pvdjv.exec:\pvdjv.exe83⤵PID:3296
-
\??\c:\frrrffx.exec:\frrrffx.exe84⤵PID:2588
-
\??\c:\7hhhtt.exec:\7hhhtt.exe85⤵PID:5044
-
\??\c:\djdvv.exec:\djdvv.exe86⤵PID:4748
-
\??\c:\vdjvp.exec:\vdjvp.exe87⤵PID:624
-
\??\c:\frxrffx.exec:\frxrffx.exe88⤵PID:1868
-
\??\c:\tnthhb.exec:\tnthhb.exe89⤵PID:1592
-
\??\c:\vpppj.exec:\vpppj.exe90⤵PID:3116
-
\??\c:\pppjd.exec:\pppjd.exe91⤵PID:2668
-
\??\c:\5rrlrrl.exec:\5rrlrrl.exe92⤵PID:4596
-
\??\c:\thnhtt.exec:\thnhtt.exe93⤵PID:3468
-
\??\c:\pjdpv.exec:\pjdpv.exe94⤵PID:3848
-
\??\c:\lffrlfr.exec:\lffrlfr.exe95⤵PID:408
-
\??\c:\xxxrfrl.exec:\xxxrfrl.exe96⤵PID:3856
-
\??\c:\nbtttn.exec:\nbtttn.exe97⤵PID:4972
-
\??\c:\5vpdp.exec:\5vpdp.exe98⤵PID:5060
-
\??\c:\rxlxfff.exec:\rxlxfff.exe99⤵PID:3112
-
\??\c:\hbhnhb.exec:\hbhnhb.exe100⤵PID:3948
-
\??\c:\9btnbb.exec:\9btnbb.exe101⤵PID:5024
-
\??\c:\dvdpp.exec:\dvdpp.exe102⤵PID:3828
-
\??\c:\rlflfff.exec:\rlflfff.exe103⤵PID:632
-
\??\c:\thnnhh.exec:\thnnhh.exe104⤵PID:1352
-
\??\c:\djjvv.exec:\djjvv.exe105⤵PID:2972
-
\??\c:\rxrlxff.exec:\rxrlxff.exe106⤵PID:3344
-
\??\c:\7ttntt.exec:\7ttntt.exe107⤵PID:2952
-
\??\c:\thnbnh.exec:\thnbnh.exe108⤵PID:4688
-
\??\c:\pjjvp.exec:\pjjvp.exe109⤵PID:3812
-
\??\c:\rflxlfr.exec:\rflxlfr.exe110⤵PID:1908
-
\??\c:\3llxfrx.exec:\3llxfrx.exe111⤵PID:4692
-
\??\c:\thnnnh.exec:\thnnnh.exe112⤵PID:936
-
\??\c:\9dpjj.exec:\9dpjj.exe113⤵PID:3756
-
\??\c:\pddpd.exec:\pddpd.exe114⤵PID:1916
-
\??\c:\rfflxxl.exec:\rfflxxl.exe115⤵PID:952
-
\??\c:\5hnhhb.exec:\5hnhhb.exe116⤵PID:392
-
\??\c:\jvvvp.exec:\jvvvp.exe117⤵
- System Location Discovery: System Language Discovery
PID:1944 -
\??\c:\3vvpp.exec:\3vvpp.exe118⤵PID:916
-
\??\c:\rrxxlfx.exec:\rrxxlfx.exe119⤵PID:1976
-
\??\c:\hnntnh.exec:\hnntnh.exe120⤵PID:2096
-
\??\c:\pdjjv.exec:\pdjjv.exe121⤵PID:2880
-
\??\c:\jddpd.exec:\jddpd.exe122⤵PID:532