Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 22:12
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe
-
Size
452KB
-
MD5
bd5f899c7b74ff1b9f1e2ac928f43181
-
SHA1
89608414370638927d5ef841fffdec184746d8a5
-
SHA256
4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646
-
SHA512
520d834259bbf2950ed8116aa0cf9c4dfe82ed132564eb00ad74295357bcfde575f44258d1c6a4046604c219d82d5af497059aa529b1c8da5fbfb6445e4b8051
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe6:q7Tc2NYHUrAwfMp3CD6
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/872-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3236-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2340-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4452-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2416-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2816-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3224-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1092-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3448-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-321-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1036-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5016-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/832-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3924-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-438-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/708-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-456-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/460-466-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-556-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-748-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1052-1241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-1266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3172-1918-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 676 7xxxxfx.exe 4564 jvjjj.exe 444 7jvvv.exe 2376 3nhbtt.exe 2820 pvjdd.exe 3932 hhbbbt.exe 660 pjppp.exe 2980 7xfffrr.exe 4912 nnbhth.exe 2576 rxlllll.exe 1896 bnhntt.exe 2988 llffrrf.exe 1940 3ddvp.exe 4588 xllllxx.exe 3972 nhtttt.exe 3604 9jjjj.exe 3236 5rxlffx.exe 3996 bnbbbn.exe 2340 ppvvd.exe 4452 1httbh.exe 2704 dvpvj.exe 1804 rrrlfxr.exe 4288 3dppp.exe 3984 pjddd.exe 2416 flfrfxf.exe 1180 bbhbhh.exe 2776 ffrrxfl.exe 1644 bhbhbh.exe 4564 vvddd.exe 1868 djdpv.exe 1396 3tbttt.exe 2732 jvvpj.exe 2444 xxfllxx.exe 1952 jjvvv.exe 2816 btttnn.exe 2876 djdjj.exe 1928 3bbbbh.exe 3224 lxflrrf.exe 2920 bhbntn.exe 1332 jjvpp.exe 4656 9llrrff.exe 3568 tbhnnt.exe 1864 jpjpv.exe 3972 llxfrxf.exe 4856 dvppp.exe 3704 tbhhnn.exe 3248 pjjjj.exe 1932 fflxxxx.exe 4616 bhbbhh.exe 2032 dddvd.exe 2340 7fflllr.exe 2724 1nnnnn.exe 448 dvdvd.exe 568 frlxfrf.exe 3468 ddjvj.exe 4652 lrfxlrf.exe 1092 bbbhbh.exe 3448 vddpp.exe 1496 xxlllfl.exe 2436 tnbhhh.exe 3668 3ppvv.exe 2700 rlrrfxx.exe 4456 fxlllxx.exe 4636 bbbhtb.exe -
resource yara_rule behavioral2/memory/872-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3236-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2340-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4452-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-153-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1180-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2816-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3224-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1092-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3448-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1824-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-321-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1036-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4072-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5016-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/832-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3924-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-438-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/708-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-456-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/460-466-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-556-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-560-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the NLS\Language registry key) in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1httbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnb.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrrlfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 872 wrote to memory of 676 872 4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe 84 PID 872 wrote to memory of 676 872 4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe 84 PID 872 wrote to memory of 676 872 4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe 84 PID 676 wrote to memory of 4564 676 7xxxxfx.exe 85 PID 676 wrote to memory of 4564 676 7xxxxfx.exe 85 PID 676 wrote to memory of 4564 676 7xxxxfx.exe 85 PID 4564 wrote to memory of 444 4564 jvjjj.exe 86 PID 4564 wrote to memory of 444 4564 jvjjj.exe 86 PID 4564 wrote to memory of 444 4564 jvjjj.exe 86 PID 444 wrote to memory of 2376 444 7jvvv.exe 87 PID 444 wrote to memory of 2376 444 7jvvv.exe 87 PID 444 wrote to memory of 2376 444 7jvvv.exe 87 PID 2376 wrote to memory of 2820 2376 3nhbtt.exe 88 PID 2376 wrote to memory of 2820 2376 3nhbtt.exe 88 PID 2376 wrote to memory of 2820 2376 3nhbtt.exe 88 PID 2820 wrote to memory of 3932 2820 pvjdd.exe 89 PID 2820 wrote to memory of 3932 2820 pvjdd.exe 89 PID 2820 wrote to memory of 3932 2820 pvjdd.exe 89 PID 3932 wrote to memory of 660 3932 hhbbbt.exe 90 PID 3932 wrote to memory of 660 3932 hhbbbt.exe 90 PID 3932 wrote to memory of 660 3932 hhbbbt.exe 90 PID 660 wrote to memory of 2980 660 pjppp.exe 91 PID 660 wrote to memory of 2980 660 pjppp.exe 91 PID 660 wrote to memory of 2980 660 pjppp.exe 91 PID 2980 wrote to memory of 4912 2980 7xfffrr.exe 92 PID 2980 wrote to memory of 4912 2980 7xfffrr.exe 92 PID 2980 wrote to memory of 4912 2980 7xfffrr.exe 92 PID 4912 wrote to memory of 2576 4912 nnbhth.exe 94 PID 4912 wrote to memory of 2576 4912 nnbhth.exe 94 PID 4912 wrote to memory of 2576 4912 nnbhth.exe 94 PID 2576 wrote to memory of 1896 2576 rxlllll.exe 95 PID 2576 wrote to memory of 1896 2576 rxlllll.exe 95 PID 2576 wrote to memory of 1896 2576 rxlllll.exe 95 PID 1896 wrote to memory of 2988 1896 bnhntt.exe 96 PID 1896 wrote to memory of 2988 1896 bnhntt.exe 96 PID 
1896 wrote to memory of 2988 1896 bnhntt.exe 96 PID 2988 wrote to memory of 1940 2988 llffrrf.exe 97 PID 2988 wrote to memory of 1940 2988 llffrrf.exe 97 PID 2988 wrote to memory of 1940 2988 llffrrf.exe 97 PID 1940 wrote to memory of 4588 1940 3ddvp.exe 98 PID 1940 wrote to memory of 4588 1940 3ddvp.exe 98 PID 1940 wrote to memory of 4588 1940 3ddvp.exe 98 PID 4588 wrote to memory of 3972 4588 xllllxx.exe 99 PID 4588 wrote to memory of 3972 4588 xllllxx.exe 99 PID 4588 wrote to memory of 3972 4588 xllllxx.exe 99 PID 3972 wrote to memory of 3604 3972 nhtttt.exe 101 PID 3972 wrote to memory of 3604 3972 nhtttt.exe 101 PID 3972 wrote to memory of 3604 3972 nhtttt.exe 101 PID 3604 wrote to memory of 3236 3604 9jjjj.exe 102 PID 3604 wrote to memory of 3236 3604 9jjjj.exe 102 PID 3604 wrote to memory of 3236 3604 9jjjj.exe 102 PID 3236 wrote to memory of 3996 3236 5rxlffx.exe 103 PID 3236 wrote to memory of 3996 3236 5rxlffx.exe 103 PID 3236 wrote to memory of 3996 3236 5rxlffx.exe 103 PID 3996 wrote to memory of 2340 3996 bnbbbn.exe 104 PID 3996 wrote to memory of 2340 3996 bnbbbn.exe 104 PID 3996 wrote to memory of 2340 3996 bnbbbn.exe 104 PID 2340 wrote to memory of 4452 2340 ppvvd.exe 106 PID 2340 wrote to memory of 4452 2340 ppvvd.exe 106 PID 2340 wrote to memory of 4452 2340 ppvvd.exe 106 PID 4452 wrote to memory of 2704 4452 1httbh.exe 107 PID 4452 wrote to memory of 2704 4452 1httbh.exe 107 PID 4452 wrote to memory of 2704 4452 1httbh.exe 107 PID 2704 wrote to memory of 1804 2704 dvpvj.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe"C:\Users\Admin\AppData\Local\Temp\4a79648c7dfe90a42048d6ebf3da1b2e635b0c6a4f7b314e113c814bc0334646.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:872 -
\??\c:\7xxxxfx.exec:\7xxxxfx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\jvjjj.exec:\jvjjj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4564 -
\??\c:\7jvvv.exec:\7jvvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\3nhbtt.exec:\3nhbtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2376 -
\??\c:\pvjdd.exec:\pvjdd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\hhbbbt.exec:\hhbbbt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\pjppp.exec:\pjppp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:660 -
\??\c:\7xfffrr.exec:\7xfffrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
\??\c:\nnbhth.exec:\nnbhth.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
\??\c:\rxlllll.exec:\rxlllll.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
\??\c:\bnhntt.exec:\bnhntt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\llffrrf.exec:\llffrrf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\3ddvp.exec:\3ddvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\xllllxx.exec:\xllllxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
\??\c:\nhtttt.exec:\nhtttt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\9jjjj.exec:\9jjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\5rxlffx.exec:\5rxlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3236 -
\??\c:\bnbbbn.exec:\bnbbbn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\ppvvd.exec:\ppvvd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
\??\c:\1httbh.exec:\1httbh.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\dvpvj.exec:\dvpvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe23⤵
- Executes dropped EXE
PID:1804 -
\??\c:\3dppp.exec:\3dppp.exe24⤵
- Executes dropped EXE
PID:4288 -
\??\c:\pjddd.exec:\pjddd.exe25⤵
- Executes dropped EXE
PID:3984 -
\??\c:\flfrfxf.exec:\flfrfxf.exe26⤵
- Executes dropped EXE
PID:2416 -
\??\c:\bbhbhh.exec:\bbhbhh.exe27⤵
- Executes dropped EXE
PID:1180 -
\??\c:\djdvj.exec:\djdvj.exe28⤵PID:224
-
\??\c:\ffrrxfl.exec:\ffrrxfl.exe29⤵
- Executes dropped EXE
PID:2776 -
\??\c:\bhbhbh.exec:\bhbhbh.exe30⤵
- Executes dropped EXE
PID:1644 -
\??\c:\vvddd.exec:\vvddd.exe31⤵
- Executes dropped EXE
PID:4564 -
\??\c:\djdpv.exec:\djdpv.exe32⤵
- Executes dropped EXE
PID:1868 -
\??\c:\3tbttt.exec:\3tbttt.exe33⤵
- Executes dropped EXE
PID:1396 -
\??\c:\jvvpj.exec:\jvvpj.exe34⤵
- Executes dropped EXE
PID:2732 -
\??\c:\xxfllxx.exec:\xxfllxx.exe35⤵
- Executes dropped EXE
PID:2444 -
\??\c:\jjvvv.exec:\jjvvv.exe36⤵
- Executes dropped EXE
PID:1952 -
\??\c:\btttnn.exec:\btttnn.exe37⤵
- Executes dropped EXE
PID:2816 -
\??\c:\djdjj.exec:\djdjj.exe38⤵
- Executes dropped EXE
PID:2876 -
\??\c:\3bbbbh.exec:\3bbbbh.exe39⤵
- Executes dropped EXE
PID:1928 -
\??\c:\lxflrrf.exec:\lxflrrf.exe40⤵
- Executes dropped EXE
PID:3224 -
\??\c:\bhbntn.exec:\bhbntn.exe41⤵
- Executes dropped EXE
PID:2920 -
\??\c:\jjvpp.exec:\jjvpp.exe42⤵
- Executes dropped EXE
PID:1332 -
\??\c:\9llrrff.exec:\9llrrff.exe43⤵
- Executes dropped EXE
PID:4656 -
\??\c:\tbhnnt.exec:\tbhnnt.exe44⤵
- Executes dropped EXE
PID:3568 -
\??\c:\jpjpv.exec:\jpjpv.exe45⤵
- Executes dropped EXE
PID:1864 -
\??\c:\llxfrxf.exec:\llxfrxf.exe46⤵
- Executes dropped EXE
PID:3972 -
\??\c:\dvppp.exec:\dvppp.exe47⤵
- Executes dropped EXE
PID:4856 -
\??\c:\tbhhnn.exec:\tbhhnn.exe48⤵
- Executes dropped EXE
PID:3704 -
\??\c:\pjjjj.exec:\pjjjj.exe49⤵
- Executes dropped EXE
PID:3248 -
\??\c:\fflxxxx.exec:\fflxxxx.exe50⤵
- Executes dropped EXE
PID:1932 -
\??\c:\bhbbhh.exec:\bhbbhh.exe51⤵
- Executes dropped EXE
PID:4616 -
\??\c:\dddvd.exec:\dddvd.exe52⤵
- Executes dropped EXE
PID:2032 -
\??\c:\7fflllr.exec:\7fflllr.exe53⤵
- Executes dropped EXE
PID:2340 -
\??\c:\1nnnnn.exec:\1nnnnn.exe54⤵
- Executes dropped EXE
PID:2724 -
\??\c:\dvdvd.exec:\dvdvd.exe55⤵
- Executes dropped EXE
PID:448 -
\??\c:\frlxfrf.exec:\frlxfrf.exe56⤵
- Executes dropped EXE
PID:568 -
\??\c:\ddjvj.exec:\ddjvj.exe57⤵
- Executes dropped EXE
PID:3468 -
\??\c:\lrfxlrf.exec:\lrfxlrf.exe58⤵
- Executes dropped EXE
PID:4652 -
\??\c:\bbbhbh.exec:\bbbhbh.exe59⤵
- Executes dropped EXE
PID:1092 -
\??\c:\vddpp.exec:\vddpp.exe60⤵
- Executes dropped EXE
PID:3448 -
\??\c:\xxlllfl.exec:\xxlllfl.exe61⤵
- Executes dropped EXE
PID:1496 -
\??\c:\tnbhhh.exec:\tnbhhh.exe62⤵
- Executes dropped EXE
PID:2436 -
\??\c:\3ppvv.exec:\3ppvv.exe63⤵
- Executes dropped EXE
PID:3668 -
\??\c:\rlrrfxx.exec:\rlrrfxx.exe64⤵
- Executes dropped EXE
PID:2700 -
\??\c:\fxlllxx.exec:\fxlllxx.exe65⤵
- Executes dropped EXE
PID:4456 -
\??\c:\bbbhtb.exec:\bbbhtb.exe66⤵
- Executes dropped EXE
PID:4636 -
\??\c:\vpjjp.exec:\vpjjp.exe67⤵PID:1824
-
\??\c:\fxxxxfl.exec:\fxxxxfl.exe68⤵PID:2344
-
\??\c:\nnttnt.exec:\nnttnt.exe69⤵PID:5040
-
\??\c:\pvjvp.exec:\pvjvp.exe70⤵PID:512
-
\??\c:\frflllf.exec:\frflllf.exe71⤵PID:540
-
\??\c:\ppppp.exec:\ppppp.exe72⤵PID:4120
-
\??\c:\thnhhh.exec:\thnhhh.exe73⤵PID:5084
-
\??\c:\vjdpv.exec:\vjdpv.exe74⤵PID:2096
-
\??\c:\llllfll.exec:\llllfll.exe75⤵PID:1540
-
\??\c:\nbnnhn.exec:\nbnnhn.exe76⤵PID:2980
-
\??\c:\rlrllll.exec:\rlrllll.exe77⤵PID:1036
-
\??\c:\hhnnhh.exec:\hhnnhh.exe78⤵PID:4072
-
\??\c:\frxllll.exec:\frxllll.exe79⤵PID:2876
-
\??\c:\nbnhhh.exec:\nbnhhh.exe80⤵PID:1792
-
\??\c:\jjjdv.exec:\jjjdv.exe81⤵PID:3196
-
\??\c:\ffxxxlf.exec:\ffxxxlf.exe82⤵PID:5016
-
\??\c:\tbhhtt.exec:\tbhhtt.exe83⤵PID:2920
-
\??\c:\1vdvv.exec:\1vdvv.exe84⤵PID:3016
-
\??\c:\rrfrffx.exec:\rrfrffx.exe85⤵PID:4656
-
\??\c:\lllfffl.exec:\lllfffl.exe86⤵PID:4144
-
\??\c:\hhbbnh.exec:\hhbbnh.exe87⤵PID:5112
-
\??\c:\jpjpp.exec:\jpjpp.exe88⤵PID:436
-
\??\c:\vjvvj.exec:\vjvvj.exe89⤵PID:876
-
\??\c:\5rllxff.exec:\5rllxff.exe90⤵PID:1560
-
\??\c:\7nnntb.exec:\7nnntb.exe91⤵PID:3392
-
\??\c:\djppv.exec:\djppv.exe92⤵PID:2260
-
\??\c:\1flrlll.exec:\1flrlll.exe93⤵PID:4224
-
\??\c:\ntbtnt.exec:\ntbtnt.exe94⤵PID:384
-
\??\c:\9jpjv.exec:\9jpjv.exe95⤵PID:3876
-
\??\c:\rxxxxxx.exec:\rxxxxxx.exe96⤵PID:996
-
\??\c:\hbbhht.exec:\hbbhht.exe97⤵PID:832
-
\??\c:\vddjd.exec:\vddjd.exe98⤵PID:2716
-
\??\c:\hbhbbb.exec:\hbhbbb.exe99⤵PID:3848
-
\??\c:\dvvvj.exec:\dvvvj.exe100⤵PID:2704
-
\??\c:\lfrlllf.exec:\lfrlllf.exe101⤵PID:2200
-
\??\c:\httnnh.exec:\httnnh.exe102⤵PID:3924
-
\??\c:\jdvvj.exec:\jdvvj.exe103⤵PID:1936
-
\??\c:\lxrfflr.exec:\lxrfflr.exe104⤵PID:5068
-
\??\c:\tttnbh.exec:\tttnbh.exe105⤵PID:2268
-
\??\c:\jdjjp.exec:\jdjjp.exe106⤵PID:4680
-
\??\c:\rrrrlrf.exec:\rrrrlrf.exe107⤵PID:2604
-
\??\c:\htbbbt.exec:\htbbbt.exe108⤵PID:3552
-
\??\c:\vdpdj.exec:\vdpdj.exe109⤵PID:2880
-
\??\c:\rllllrl.exec:\rllllrl.exe110⤵PID:708
-
\??\c:\tttttt.exec:\tttttt.exe111⤵PID:2560
-
\??\c:\pjjvv.exec:\pjjvv.exe112⤵PID:676
-
\??\c:\rllfffl.exec:\rllfffl.exe113⤵PID:2344
-
\??\c:\nttnbt.exec:\nttnbt.exe114⤵PID:460
-
\??\c:\vvddd.exec:\vvddd.exe115⤵PID:4516
-
\??\c:\lfrrlfl.exec:\lfrrlfl.exe116⤵
- System Location Discovery: System Language Discovery
PID:1852 -
\??\c:\3nntth.exec:\3nntth.exe117⤵PID:3444
-
\??\c:\vpvpp.exec:\vpvpp.exe118⤵PID:4328
-
\??\c:\lxfllff.exec:\lxfllff.exe119⤵PID:1072
-
\??\c:\btttbh.exec:\btttbh.exe120⤵PID:2788
-
\??\c:\dvpdd.exec:\dvpdd.exe121⤵PID:2500
-
\??\c:\frlxxrl.exec:\frlxxrl.exe122⤵PID:2412