Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
27/01/2025, 20:50
Behavioral task
behavioral1
Sample
27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe
Resource
win7-20241010-en
7 signatures
150 seconds
General
-
Target
27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe
-
Size
335KB
-
MD5
2f47f107a2a7722bbc816168694ad283
-
SHA1
795376aba2adb8c335753ae62064d02408862024
-
SHA256
27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65
-
SHA512
4682ec2838ef227bc0eb323cbfa1bfa203bde5b60af5a56fb18cfebba278a2cb9e9dbc243efd6e7c011f33b06a3856384c58bd31a315dc6c98b280ed8cedd847
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeHB:R4wFHoSHYHUrAwfMp3CDh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1528-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-21-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-26-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1032-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3392-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1160-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4288-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-60-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3544-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3948-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4432-79-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-84-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1840-93-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/624-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2080-108-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4112-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3276-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4760-128-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4644-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1404-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1572-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/412-155-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/644-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2684-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4596-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-198-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1316-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1052-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2516-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2408-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2540-233-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4028-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1956-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/464-260-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1996-273-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1636-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-295-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2188-300-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/516-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2444-331-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/704-334-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-354-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-364-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1732-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2692-395-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/892-404-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4520-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3368-462-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-479-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-538-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/404-597-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1040 9vppj.exe 1116 frlrxrf.exe 4764 bhhtnh.exe 1168 rxrfrfx.exe 1032 9pdpd.exe 3392 thnhbb.exe 3004 dvjdp.exe 4028 9hbhbt.exe 1160 jjpjd.exe 4288 frlxlxr.exe 4040 vppdp.exe 3544 7rrllll.exe 3948 thbthb.exe 3668 jpvpd.exe 4432 frrlfrf.exe 2864 pdpjd.exe 2396 1dvdv.exe 1840 bbhbnn.exe 3956 dpppd.exe 624 7rrfxrx.exe 2080 rrrlffr.exe 4112 jvdvp.exe 3276 3hhthn.exe 4480 nhhthb.exe 4760 jvdvp.exe 4644 3xlxlll.exe 1404 jjdvp.exe 3192 lffrxrx.exe 1572 jdjjv.exe 3288 frxrllf.exe 412 nthhbb.exe 644 rfxxrll.exe 2808 hhhbtt.exe 64 hbthhh.exe 3540 7jdvj.exe 1184 vdjdp.exe 4364 9xrfxrl.exe 1712 httnbt.exe 2740 tnnhbh.exe 400 jdjdv.exe 3448 9rlfrlf.exe 2684 rllffxr.exe 4832 nhhnhb.exe 1744 hnthtn.exe 2420 vpjvd.exe 2236 xllxxll.exe 4596 rllxxrr.exe 1616 bbnhhh.exe 4944 5vjvd.exe 1316 rxxlxrf.exe 1052 nbtthb.exe 4448 3nntnn.exe 4416 vpvdp.exe 4488 7fllffx.exe 2516 bthbnh.exe 2780 1hhtnn.exe 3488 dvjjp.exe 2332 frlrxfx.exe 2408 htbtnn.exe 1168 5vddp.exe 4024 5vvdp.exe 2540 rrrrffl.exe 740 btbttt.exe 1600 5jjdd.exe -
resource yara_rule behavioral2/memory/1528-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b21-3.dat upx behavioral2/memory/1528-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b71-9.dat upx behavioral2/memory/1116-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1040-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b75-12.dat upx behavioral2/memory/1116-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b76-19.dat upx behavioral2/memory/4764-21-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-24.dat upx behavioral2/memory/1168-26-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-29.dat upx behavioral2/memory/1032-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3392-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-34.dat upx behavioral2/files/0x000a000000023b7a-39.dat upx behavioral2/memory/3004-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-44.dat upx behavioral2/memory/4028-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-49.dat upx behavioral2/memory/1160-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-54.dat upx behavioral2/memory/4288-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b7f-58.dat upx behavioral2/memory/4040-60-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b80-64.dat upx behavioral2/memory/3544-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b81-69.dat upx behavioral2/memory/3948-72-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x000a000000023b82-74.dat upx behavioral2/files/0x000a000000023b83-78.dat upx behavioral2/memory/4432-79-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b72-82.dat upx behavioral2/memory/2864-84-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-88.dat upx behavioral2/files/0x000a000000023b85-92.dat upx behavioral2/memory/1840-93-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-98.dat upx behavioral2/memory/3956-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-102.dat upx behavioral2/memory/624-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-107.dat upx behavioral2/memory/2080-108-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-112.dat upx behavioral2/memory/4112-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-117.dat upx behavioral2/memory/3276-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-122.dat upx behavioral2/files/0x000a000000023b8b-126.dat upx behavioral2/memory/4760-128-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-131.dat upx behavioral2/memory/4644-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-136.dat upx behavioral2/memory/1404-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-141.dat upx behavioral2/files/0x000a000000023b8f-145.dat upx behavioral2/memory/1572-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-150.dat upx behavioral2/memory/412-155-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-154.dat upx behavioral2/memory/644-159-0x0000000000400000-0x0000000000427000-memory.dmp 
upx behavioral2/memory/1184-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4364-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7lfrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1528 wrote to memory of 1040 1528 27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe 82 PID 1528 wrote to memory of 1040 1528 27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe 82 PID 1528 wrote to memory of 1040 1528 27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe 82 PID 1040 wrote to memory of 1116 1040 9vppj.exe 83 PID 1040 wrote to memory of 1116 1040 9vppj.exe 83 PID 1040 wrote to memory of 1116 1040 9vppj.exe 83 PID 1116 wrote to memory of 4764 1116 frlrxrf.exe 84 PID 1116 wrote to memory of 4764 1116 frlrxrf.exe 84 PID 1116 wrote to memory of 4764 1116 frlrxrf.exe 84 PID 4764 wrote to memory of 1168 4764 bhhtnh.exe 85 PID 4764 wrote to memory of 1168 4764 bhhtnh.exe 85 PID 4764 wrote to memory of 1168 4764 bhhtnh.exe 85 PID 1168 wrote to memory of 1032 1168 rxrfrfx.exe 86 PID 1168 wrote to memory of 1032 1168 rxrfrfx.exe 86 PID 1168 wrote to memory of 1032 1168 rxrfrfx.exe 86 PID 1032 wrote to memory of 3392 1032 9pdpd.exe 87 PID 1032 wrote to memory of 3392 1032 9pdpd.exe 87 PID 1032 wrote to memory of 3392 1032 9pdpd.exe 87 PID 3392 wrote to memory of 3004 3392 thnhbb.exe 88 PID 3392 wrote to memory of 3004 3392 thnhbb.exe 88 PID 3392 wrote to memory of 3004 3392 thnhbb.exe 88 PID 3004 wrote to memory of 4028 3004 dvjdp.exe 89 PID 3004 wrote to memory of 4028 3004 dvjdp.exe 89 PID 3004 wrote to memory of 4028 3004 dvjdp.exe 89 PID 4028 wrote to memory of 1160 4028 9hbhbt.exe 90 PID 4028 wrote to memory of 1160 4028 9hbhbt.exe 90 PID 4028 wrote to memory of 1160 4028 9hbhbt.exe 90 PID 1160 wrote to memory of 4288 1160 jjpjd.exe 91 PID 1160 wrote to memory of 4288 1160 jjpjd.exe 91 PID 1160 wrote to memory of 4288 1160 jjpjd.exe 91 PID 4288 wrote to memory of 4040 4288 frlxlxr.exe 92 PID 4288 wrote to memory of 4040 4288 frlxlxr.exe 92 PID 4288 wrote to memory of 4040 4288 frlxlxr.exe 92 PID 4040 wrote to memory of 3544 4040 vppdp.exe 93 PID 4040 wrote to 
memory of 3544 4040 vppdp.exe 93 PID 4040 wrote to memory of 3544 4040 vppdp.exe 93 PID 3544 wrote to memory of 3948 3544 7rrllll.exe 94 PID 3544 wrote to memory of 3948 3544 7rrllll.exe 94 PID 3544 wrote to memory of 3948 3544 7rrllll.exe 94 PID 3948 wrote to memory of 3668 3948 thbthb.exe 95 PID 3948 wrote to memory of 3668 3948 thbthb.exe 95 PID 3948 wrote to memory of 3668 3948 thbthb.exe 95 PID 3668 wrote to memory of 4432 3668 jpvpd.exe 96 PID 3668 wrote to memory of 4432 3668 jpvpd.exe 96 PID 3668 wrote to memory of 4432 3668 jpvpd.exe 96 PID 4432 wrote to memory of 2864 4432 frrlfrf.exe 97 PID 4432 wrote to memory of 2864 4432 frrlfrf.exe 97 PID 4432 wrote to memory of 2864 4432 frrlfrf.exe 97 PID 2864 wrote to memory of 2396 2864 pdpjd.exe 98 PID 2864 wrote to memory of 2396 2864 pdpjd.exe 98 PID 2864 wrote to memory of 2396 2864 pdpjd.exe 98 PID 2396 wrote to memory of 1840 2396 1dvdv.exe 99 PID 2396 wrote to memory of 1840 2396 1dvdv.exe 99 PID 2396 wrote to memory of 1840 2396 1dvdv.exe 99 PID 1840 wrote to memory of 3956 1840 bbhbnn.exe 100 PID 1840 wrote to memory of 3956 1840 bbhbnn.exe 100 PID 1840 wrote to memory of 3956 1840 bbhbnn.exe 100 PID 3956 wrote to memory of 624 3956 dpppd.exe 101 PID 3956 wrote to memory of 624 3956 dpppd.exe 101 PID 3956 wrote to memory of 624 3956 dpppd.exe 101 PID 624 wrote to memory of 2080 624 7rrfxrx.exe 102 PID 624 wrote to memory of 2080 624 7rrfxrx.exe 102 PID 624 wrote to memory of 2080 624 7rrfxrx.exe 102 PID 2080 wrote to memory of 4112 2080 rrrlffr.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe"C:\Users\Admin\AppData\Local\Temp\27b18a80d30e05cdb4af40d402b77147c4356c22293429bb5d107a9e64abab65.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\9vppj.exec:\9vppj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1040 -
\??\c:\frlrxrf.exec:\frlrxrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116 -
\??\c:\bhhtnh.exec:\bhhtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\rxrfrfx.exec:\rxrfrfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\9pdpd.exec:\9pdpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
\??\c:\thnhbb.exec:\thnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\dvjdp.exec:\dvjdp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\9hbhbt.exec:\9hbhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\jjpjd.exec:\jjpjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160 -
\??\c:\frlxlxr.exec:\frlxlxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
\??\c:\vppdp.exec:\vppdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4040 -
\??\c:\7rrllll.exec:\7rrllll.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\thbthb.exec:\thbthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\jpvpd.exec:\jpvpd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\frrlfrf.exec:\frrlfrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\pdpjd.exec:\pdpjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
\??\c:\1dvdv.exec:\1dvdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
\??\c:\bbhbnn.exec:\bbhbnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840 -
\??\c:\dpppd.exec:\dpppd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\7rrfxrx.exec:\7rrfxrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
\??\c:\rrrlffr.exec:\rrrlffr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\jvdvp.exec:\jvdvp.exe23⤵
- Executes dropped EXE
PID:4112 -
\??\c:\3hhthn.exec:\3hhthn.exe24⤵
- Executes dropped EXE
PID:3276 -
\??\c:\nhhthb.exec:\nhhthb.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4480 -
\??\c:\jvdvp.exec:\jvdvp.exe26⤵
- Executes dropped EXE
PID:4760 -
\??\c:\3xlxlll.exec:\3xlxlll.exe27⤵
- Executes dropped EXE
PID:4644 -
\??\c:\jjdvp.exec:\jjdvp.exe28⤵
- Executes dropped EXE
PID:1404 -
\??\c:\lffrxrx.exec:\lffrxrx.exe29⤵
- Executes dropped EXE
PID:3192 -
\??\c:\jdjjv.exec:\jdjjv.exe30⤵
- Executes dropped EXE
PID:1572 -
\??\c:\frxrllf.exec:\frxrllf.exe31⤵
- Executes dropped EXE
PID:3288 -
\??\c:\nthhbb.exec:\nthhbb.exe32⤵
- Executes dropped EXE
PID:412 -
\??\c:\rfxxrll.exec:\rfxxrll.exe33⤵
- Executes dropped EXE
PID:644 -
\??\c:\hhhbtt.exec:\hhhbtt.exe34⤵
- Executes dropped EXE
PID:2808 -
\??\c:\hbthhh.exec:\hbthhh.exe35⤵
- Executes dropped EXE
PID:64 -
\??\c:\7jdvj.exec:\7jdvj.exe36⤵
- Executes dropped EXE
PID:3540 -
\??\c:\vdjdp.exec:\vdjdp.exe37⤵
- Executes dropped EXE
PID:1184 -
\??\c:\9xrfxrl.exec:\9xrfxrl.exe38⤵
- Executes dropped EXE
PID:4364 -
\??\c:\httnbt.exec:\httnbt.exe39⤵
- Executes dropped EXE
PID:1712 -
\??\c:\tnnhbh.exec:\tnnhbh.exe40⤵
- Executes dropped EXE
PID:2740 -
\??\c:\jdjdv.exec:\jdjdv.exe41⤵
- Executes dropped EXE
PID:400 -
\??\c:\9rlfrlf.exec:\9rlfrlf.exe42⤵
- Executes dropped EXE
PID:3448 -
\??\c:\rllffxr.exec:\rllffxr.exe43⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nhhnhb.exec:\nhhnhb.exe44⤵
- Executes dropped EXE
PID:4832 -
\??\c:\hnthtn.exec:\hnthtn.exe45⤵
- Executes dropped EXE
PID:1744 -
\??\c:\vpjvd.exec:\vpjvd.exe46⤵
- Executes dropped EXE
PID:2420 -
\??\c:\xllxxll.exec:\xllxxll.exe47⤵
- Executes dropped EXE
PID:2236 -
\??\c:\rllxxrr.exec:\rllxxrr.exe48⤵
- Executes dropped EXE
PID:4596 -
\??\c:\bbnhhh.exec:\bbnhhh.exe49⤵
- Executes dropped EXE
PID:1616 -
\??\c:\5vjvd.exec:\5vjvd.exe50⤵
- Executes dropped EXE
PID:4944 -
\??\c:\rxxlxrf.exec:\rxxlxrf.exe51⤵
- Executes dropped EXE
PID:1316 -
\??\c:\nbtthb.exec:\nbtthb.exe52⤵
- Executes dropped EXE
PID:1052 -
\??\c:\3nntnn.exec:\3nntnn.exe53⤵
- Executes dropped EXE
PID:4448 -
\??\c:\vpvdp.exec:\vpvdp.exe54⤵
- Executes dropped EXE
PID:4416 -
\??\c:\7fllffx.exec:\7fllffx.exe55⤵
- Executes dropped EXE
PID:4488 -
\??\c:\bthbnh.exec:\bthbnh.exe56⤵
- Executes dropped EXE
PID:2516 -
\??\c:\1hhtnn.exec:\1hhtnn.exe57⤵
- Executes dropped EXE
PID:2780 -
\??\c:\dvjjp.exec:\dvjjp.exe58⤵
- Executes dropped EXE
PID:3488 -
\??\c:\frlrxfx.exec:\frlrxfx.exe59⤵
- Executes dropped EXE
PID:2332 -
\??\c:\htbtnn.exec:\htbtnn.exe60⤵
- Executes dropped EXE
PID:2408 -
\??\c:\5vddp.exec:\5vddp.exe61⤵
- Executes dropped EXE
PID:1168 -
\??\c:\5vvdp.exec:\5vvdp.exe62⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rrrrffl.exec:\rrrrffl.exe63⤵
- Executes dropped EXE
PID:2540 -
\??\c:\btbttt.exec:\btbttt.exe64⤵
- Executes dropped EXE
PID:740 -
\??\c:\5jjdd.exec:\5jjdd.exe65⤵
- Executes dropped EXE
PID:1600 -
\??\c:\jvpdj.exec:\jvpdj.exe66⤵PID:1496
-
\??\c:\lflfrrl.exec:\lflfrrl.exe67⤵PID:4028
-
\??\c:\bhhnhb.exec:\bhhnhb.exe68⤵PID:5060
-
\??\c:\htbhtn.exec:\htbhtn.exe69⤵PID:3424
-
\??\c:\dddjv.exec:\dddjv.exe70⤵PID:720
-
\??\c:\xrlxrlf.exec:\xrlxrlf.exe71⤵PID:1956
-
\??\c:\lxlxxrf.exec:\lxlxxrf.exe72⤵PID:4136
-
\??\c:\bntnbh.exec:\bntnbh.exe73⤵PID:1560
-
\??\c:\9jpvj.exec:\9jpvj.exe74⤵PID:2796
-
\??\c:\jjpvp.exec:\jjpvp.exe75⤵PID:464
-
\??\c:\rrxrllf.exec:\rrxrllf.exe76⤵PID:1324
-
\??\c:\nnhbtn.exec:\nnhbtn.exe77⤵PID:4284
-
\??\c:\nhbtnh.exec:\nhbtnh.exe78⤵PID:4520
-
\??\c:\jdpvp.exec:\jdpvp.exe79⤵PID:4108
-
\??\c:\xrffllr.exec:\xrffllr.exe80⤵PID:3196
-
\??\c:\lxrlrlx.exec:\lxrlrlx.exe81⤵PID:1996
-
\??\c:\bttnnh.exec:\bttnnh.exe82⤵PID:1636
-
\??\c:\jvjdj.exec:\jvjdj.exe83⤵PID:3148
-
\??\c:\pdpjj.exec:\pdpjj.exe84⤵PID:1188
-
\??\c:\flrrfxx.exec:\flrrfxx.exe85⤵PID:4768
-
\??\c:\bnbhhh.exec:\bnbhhh.exe86⤵PID:4208
-
\??\c:\nntnhb.exec:\nntnhb.exe87⤵PID:2892
-
\??\c:\9jpjd.exec:\9jpjd.exe88⤵PID:1388
-
\??\c:\5jvpd.exec:\5jvpd.exe89⤵PID:1000
-
\??\c:\xllxlxr.exec:\xllxlxr.exe90⤵PID:3124
-
\??\c:\3nbthh.exec:\3nbthh.exe91⤵PID:2104
-
\??\c:\5bhbbt.exec:\5bhbbt.exe92⤵PID:3280
-
\??\c:\5vpjv.exec:\5vpjv.exe93⤵PID:2188
-
\??\c:\rlrlffl.exec:\rlrlffl.exe94⤵PID:4236
-
\??\c:\1bbbnh.exec:\1bbbnh.exe95⤵PID:4984
-
\??\c:\ntbhtn.exec:\ntbhtn.exe96⤵PID:3672
-
\??\c:\ppvpj.exec:\ppvpj.exe97⤵PID:516
-
\??\c:\5rlxlfr.exec:\5rlxlfr.exe98⤵PID:4244
-
\??\c:\llxrffx.exec:\llxrffx.exe99⤵PID:232
-
\??\c:\5bhhbn.exec:\5bhhbn.exe100⤵PID:4788
-
\??\c:\vdjdp.exec:\vdjdp.exe101⤵PID:760
-
\??\c:\dpppj.exec:\dpppj.exe102⤵PID:1196
-
\??\c:\9lfflrf.exec:\9lfflrf.exe103⤵PID:3316
-
\??\c:\xrrrxrf.exec:\xrrrxrf.exe104⤵PID:4152
-
\??\c:\7thnhn.exec:\7thnhn.exe105⤵PID:1584
-
\??\c:\7bbthb.exec:\7bbthb.exe106⤵PID:2360
-
\??\c:\pjjdp.exec:\pjjdp.exe107⤵PID:2444
-
\??\c:\5xfxxfr.exec:\5xfxxfr.exe108⤵PID:704
-
\??\c:\ntnnnh.exec:\ntnnnh.exe109⤵PID:1712
-
\??\c:\jdddp.exec:\jdddp.exe110⤵PID:1520
-
\??\c:\pddvj.exec:\pddvj.exe111⤵PID:4348
-
\??\c:\flxllrx.exec:\flxllrx.exe112⤵PID:4868
-
\??\c:\hntnhh.exec:\hntnhh.exe113⤵PID:3816
-
\??\c:\djjjv.exec:\djjjv.exe114⤵PID:4928
-
\??\c:\7jdpv.exec:\7jdpv.exe115⤵PID:2144
-
\??\c:\rrrlffx.exec:\rrrlffx.exe116⤵PID:2420
-
\??\c:\btnhtt.exec:\btnhtt.exe117⤵PID:2532
-
\??\c:\5tnhth.exec:\5tnhth.exe118⤵PID:2036
-
\??\c:\jjddv.exec:\jjddv.exe119⤵PID:1616
-
\??\c:\lrxlfxr.exec:\lrxlfxr.exe120⤵PID:3056
-
\??\c:\bhttnn.exec:\bhttnn.exe121⤵PID:4536
-
\??\c:\jdvpj.exec:\jdvpj.exe122⤵PID:2024