Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-11-2024 13:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe
-
Size
455KB
-
MD5
40c4b7e83f5fbe81d82a353ae43ab140
-
SHA1
0c33d189a37c5e93e13bcd837da78e44a1cc60c4
-
SHA256
4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289c
-
SHA512
5f78b180f5f95db3d127c4f8bdfbb1da52108758e5d133935a673924c357d0a1fd2f183c9c84698fb9f261f52413497fca4036495cb66d3c27134c526ea27359
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe2:q7Tc2NYHUrAwfMp3CD2
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4304-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2448-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4980-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4600-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1660-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3800-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/448-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2316-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1912-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3288-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1516-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3496-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5072-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5028-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-383-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2352-479-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-500-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-554-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-558-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2348-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-735-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3200-1038-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2860-1102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-1163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3348-1474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4980 pdjjp.exe 2448 1ffffll.exe 4600 rflfxrf.exe 4900 vvddd.exe 116 flrlxfx.exe 4048 xlxxxll.exe 1660 5tbthh.exe 3216 xrxrlff.exe 4732 bbthbh.exe 1204 9vpjp.exe 2608 fxlfrrr.exe 1628 nhhhhn.exe 1868 ddppp.exe 3800 rrrrrxf.exe 3024 pvjpd.exe 1364 fffxfff.exe 448 ppvjp.exe 2988 tbbbbh.exe 3092 vdpdv.exe 1236 djppd.exe 1784 ffrllrl.exe 2836 pppdd.exe 372 hhhthb.exe 2384 3vvdd.exe 1912 9jdvj.exe 2316 fxllfrr.exe 3288 dvvvv.exe 4456 bbhhbh.exe 4164 vvdjp.exe 4696 hbnhbh.exe 4584 vdpjj.exe 4380 xlfffrr.exe 4000 9jpvv.exe 1664 7rrxxxf.exe 2184 bnnnnn.exe 2868 pjjvp.exe 4428 xfflrxx.exe 3320 ntntth.exe 1512 ppppp.exe 4808 httbbb.exe 1088 jdjjj.exe 1516 lllflrx.exe 1436 bntttt.exe 3076 bbtttt.exe 2852 pvjpp.exe 3052 tnnntn.exe 1100 3pvvv.exe 4372 5llllrr.exe 3732 bnhbnb.exe 2440 ppjjd.exe 1068 nbnntn.exe 4136 dvpvv.exe 3328 ppvvj.exe 3312 rffffll.exe 4900 bbbbbh.exe 3260 vjjvj.exe 4892 flrrrxx.exe 4048 lrrfxrl.exe 4564 5bhhnt.exe 4496 9dppv.exe 3496 xflllff.exe 5004 bbtnhh.exe 3032 djvpj.exe 2196 rrrrrrx.exe -
resource yara_rule behavioral2/memory/4304-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2448-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4980-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1660-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/448-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2316-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1912-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-169-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4584-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1516-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5072-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-383-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2868-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3200-554-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-558-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-735-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-850-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rrxrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllrxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4304 wrote to memory of 4980 4304 4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe 83 PID 4304 wrote to memory of 4980 4304 4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe 83 PID 4304 wrote to memory of 4980 4304 4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe 83 PID 4980 wrote to memory of 2448 4980 pdjjp.exe 84 PID 4980 wrote to memory of 2448 4980 pdjjp.exe 84 PID 4980 wrote to memory of 2448 4980 pdjjp.exe 84 PID 2448 wrote to memory of 4600 2448 1ffffll.exe 85 PID 2448 wrote to memory of 4600 2448 1ffffll.exe 85 PID 2448 wrote to memory of 4600 2448 1ffffll.exe 85 PID 4600 wrote to memory of 4900 4600 rflfxrf.exe 86 PID 4600 wrote to memory of 4900 4600 rflfxrf.exe 86 PID 4600 wrote to memory of 4900 4600 rflfxrf.exe 86 PID 4900 wrote to memory of 116 4900 vvddd.exe 87 PID 4900 wrote to memory of 116 4900 vvddd.exe 87 PID 4900 wrote to memory of 116 4900 vvddd.exe 87 PID 116 wrote to memory of 4048 116 flrlxfx.exe 88 PID 116 wrote to memory of 4048 116 flrlxfx.exe 88 PID 116 wrote to memory of 4048 116 flrlxfx.exe 88 PID 4048 wrote to memory of 1660 4048 xlxxxll.exe 89 PID 4048 wrote to memory of 1660 4048 xlxxxll.exe 89 PID 4048 wrote to memory of 1660 4048 xlxxxll.exe 89 PID 1660 wrote to memory of 3216 1660 5tbthh.exe 90 PID 1660 wrote to memory of 3216 1660 5tbthh.exe 90 PID 1660 wrote to memory of 3216 1660 5tbthh.exe 90 PID 3216 wrote to memory of 4732 3216 xrxrlff.exe 91 PID 3216 wrote to memory of 4732 3216 xrxrlff.exe 91 PID 3216 wrote to memory of 4732 3216 xrxrlff.exe 91 PID 4732 wrote to memory of 1204 4732 bbthbh.exe 92 PID 4732 wrote to memory of 1204 4732 bbthbh.exe 92 PID 4732 wrote to memory of 1204 4732 bbthbh.exe 92 PID 1204 wrote to memory of 2608 1204 9vpjp.exe 93 PID 1204 wrote to memory of 2608 1204 9vpjp.exe 93 PID 1204 wrote to memory of 2608 1204 9vpjp.exe 93 PID 2608 wrote to memory of 1628 2608 fxlfrrr.exe 94 PID 2608 wrote to 
memory of 1628 2608 fxlfrrr.exe 94 PID 2608 wrote to memory of 1628 2608 fxlfrrr.exe 94 PID 1628 wrote to memory of 1868 1628 nhhhhn.exe 95 PID 1628 wrote to memory of 1868 1628 nhhhhn.exe 95 PID 1628 wrote to memory of 1868 1628 nhhhhn.exe 95 PID 1868 wrote to memory of 3800 1868 ddppp.exe 96 PID 1868 wrote to memory of 3800 1868 ddppp.exe 96 PID 1868 wrote to memory of 3800 1868 ddppp.exe 96 PID 3800 wrote to memory of 3024 3800 rrrrrxf.exe 97 PID 3800 wrote to memory of 3024 3800 rrrrrxf.exe 97 PID 3800 wrote to memory of 3024 3800 rrrrrxf.exe 97 PID 3024 wrote to memory of 1364 3024 pvjpd.exe 98 PID 3024 wrote to memory of 1364 3024 pvjpd.exe 98 PID 3024 wrote to memory of 1364 3024 pvjpd.exe 98 PID 1364 wrote to memory of 448 1364 fffxfff.exe 99 PID 1364 wrote to memory of 448 1364 fffxfff.exe 99 PID 1364 wrote to memory of 448 1364 fffxfff.exe 99 PID 448 wrote to memory of 2988 448 ppvjp.exe 100 PID 448 wrote to memory of 2988 448 ppvjp.exe 100 PID 448 wrote to memory of 2988 448 ppvjp.exe 100 PID 2988 wrote to memory of 3092 2988 tbbbbh.exe 101 PID 2988 wrote to memory of 3092 2988 tbbbbh.exe 101 PID 2988 wrote to memory of 3092 2988 tbbbbh.exe 101 PID 3092 wrote to memory of 1236 3092 vdpdv.exe 102 PID 3092 wrote to memory of 1236 3092 vdpdv.exe 102 PID 3092 wrote to memory of 1236 3092 vdpdv.exe 102 PID 1236 wrote to memory of 1784 1236 djppd.exe 103 PID 1236 wrote to memory of 1784 1236 djppd.exe 103 PID 1236 wrote to memory of 1784 1236 djppd.exe 103 PID 1784 wrote to memory of 2836 1784 ffrllrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe"C:\Users\Admin\AppData\Local\Temp\4064d1cf818cadb151d68cbd66b2dab2c607dd922a5822840e0df0821cf0289cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
\??\c:\pdjjp.exec:\pdjjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4980 -
\??\c:\1ffffll.exec:\1ffffll.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\rflfxrf.exec:\rflfxrf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\vvddd.exec:\vvddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
\??\c:\flrlxfx.exec:\flrlxfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\xlxxxll.exec:\xlxxxll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\5tbthh.exec:\5tbthh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\xrxrlff.exec:\xrxrlff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3216 -
\??\c:\bbthbh.exec:\bbthbh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
\??\c:\9vpjp.exec:\9vpjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\fxlfrrr.exec:\fxlfrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\nhhhhn.exec:\nhhhhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\ddppp.exec:\ddppp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1868 -
\??\c:\rrrrrxf.exec:\rrrrrxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\pvjpd.exec:\pvjpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024 -
\??\c:\fffxfff.exec:\fffxfff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1364 -
\??\c:\ppvjp.exec:\ppvjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448 -
\??\c:\tbbbbh.exec:\tbbbbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\vdpdv.exec:\vdpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\djppd.exec:\djppd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
\??\c:\ffrllrl.exec:\ffrllrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\pppdd.exec:\pppdd.exe23⤵
- Executes dropped EXE
PID:2836 -
\??\c:\hhhthb.exec:\hhhthb.exe24⤵
- Executes dropped EXE
PID:372 -
\??\c:\3vvdd.exec:\3vvdd.exe25⤵
- Executes dropped EXE
PID:2384 -
\??\c:\9jdvj.exec:\9jdvj.exe26⤵
- Executes dropped EXE
PID:1912 -
\??\c:\fxllfrr.exec:\fxllfrr.exe27⤵
- Executes dropped EXE
PID:2316 -
\??\c:\dvvvv.exec:\dvvvv.exe28⤵
- Executes dropped EXE
PID:3288 -
\??\c:\bbhhbh.exec:\bbhhbh.exe29⤵
- Executes dropped EXE
PID:4456 -
\??\c:\vvdjp.exec:\vvdjp.exe30⤵
- Executes dropped EXE
PID:4164 -
\??\c:\hbnhbh.exec:\hbnhbh.exe31⤵
- Executes dropped EXE
PID:4696 -
\??\c:\vdpjj.exec:\vdpjj.exe32⤵
- Executes dropped EXE
PID:4584 -
\??\c:\xlfffrr.exec:\xlfffrr.exe33⤵
- Executes dropped EXE
PID:4380 -
\??\c:\9jpvv.exec:\9jpvv.exe34⤵
- Executes dropped EXE
PID:4000 -
\??\c:\7rrxxxf.exec:\7rrxxxf.exe35⤵
- Executes dropped EXE
PID:1664 -
\??\c:\bnnnnn.exec:\bnnnnn.exe36⤵
- Executes dropped EXE
PID:2184 -
\??\c:\pjjvp.exec:\pjjvp.exe37⤵
- Executes dropped EXE
PID:2868 -
\??\c:\xfflrxx.exec:\xfflrxx.exe38⤵
- Executes dropped EXE
PID:4428 -
\??\c:\ntntth.exec:\ntntth.exe39⤵
- Executes dropped EXE
PID:3320 -
\??\c:\ppppp.exec:\ppppp.exe40⤵
- Executes dropped EXE
PID:1512 -
\??\c:\httbbb.exec:\httbbb.exe41⤵
- Executes dropped EXE
PID:4808 -
\??\c:\jdjjj.exec:\jdjjj.exe42⤵
- Executes dropped EXE
PID:1088 -
\??\c:\lllflrx.exec:\lllflrx.exe43⤵
- Executes dropped EXE
PID:1516 -
\??\c:\bntttt.exec:\bntttt.exe44⤵
- Executes dropped EXE
PID:1436 -
\??\c:\bbtttt.exec:\bbtttt.exe45⤵
- Executes dropped EXE
PID:3076 -
\??\c:\pvjpp.exec:\pvjpp.exe46⤵
- Executes dropped EXE
PID:2852 -
\??\c:\tnnntn.exec:\tnnntn.exe47⤵
- Executes dropped EXE
PID:3052 -
\??\c:\3pvvv.exec:\3pvvv.exe48⤵
- Executes dropped EXE
PID:1100 -
\??\c:\5llllrr.exec:\5llllrr.exe49⤵
- Executes dropped EXE
PID:4372 -
\??\c:\bnhbnb.exec:\bnhbnb.exe50⤵
- Executes dropped EXE
PID:3732 -
\??\c:\ppjjd.exec:\ppjjd.exe51⤵
- Executes dropped EXE
PID:2440 -
\??\c:\nbnntn.exec:\nbnntn.exe52⤵
- Executes dropped EXE
PID:1068 -
\??\c:\dvpvv.exec:\dvpvv.exe53⤵
- Executes dropped EXE
PID:4136 -
\??\c:\ppvvj.exec:\ppvvj.exe54⤵
- Executes dropped EXE
PID:3328 -
\??\c:\rffffll.exec:\rffffll.exe55⤵
- Executes dropped EXE
PID:3312 -
\??\c:\bbbbbh.exec:\bbbbbh.exe56⤵
- Executes dropped EXE
PID:4900 -
\??\c:\vjjvj.exec:\vjjvj.exe57⤵
- Executes dropped EXE
PID:3260 -
\??\c:\flrrrxx.exec:\flrrrxx.exe58⤵
- Executes dropped EXE
PID:4892 -
\??\c:\lrrfxrl.exec:\lrrfxrl.exe59⤵
- Executes dropped EXE
PID:4048 -
\??\c:\5bhhnt.exec:\5bhhnt.exe60⤵
- Executes dropped EXE
PID:4564 -
\??\c:\9dppv.exec:\9dppv.exe61⤵
- Executes dropped EXE
PID:4496 -
\??\c:\xflllff.exec:\xflllff.exe62⤵
- Executes dropped EXE
PID:3496 -
\??\c:\bbtnhh.exec:\bbtnhh.exe63⤵
- Executes dropped EXE
PID:5004 -
\??\c:\djvpj.exec:\djvpj.exe64⤵
- Executes dropped EXE
PID:3032 -
\??\c:\rrrrrrx.exec:\rrrrrrx.exe65⤵
- Executes dropped EXE
PID:2196 -
\??\c:\btthhh.exec:\btthhh.exe66⤵PID:548
-
\??\c:\nhtbbh.exec:\nhtbbh.exe67⤵PID:1932
-
\??\c:\1dvvj.exec:\1dvvj.exe68⤵PID:4040
-
\??\c:\1rrrrxx.exec:\1rrrrxx.exe69⤵PID:2552
-
\??\c:\fllllll.exec:\fllllll.exe70⤵PID:4992
-
\??\c:\5nnttb.exec:\5nnttb.exe71⤵PID:388
-
\??\c:\djppv.exec:\djppv.exe72⤵PID:4736
-
\??\c:\vpdvv.exec:\vpdvv.exe73⤵PID:1988
-
\??\c:\5xxxxxx.exec:\5xxxxxx.exe74⤵PID:1588
-
\??\c:\7nnnnn.exec:\7nnnnn.exe75⤵PID:1380
-
\??\c:\vvvvj.exec:\vvvvj.exe76⤵PID:1500
-
\??\c:\1lrrrxr.exec:\1lrrrxr.exe77⤵PID:1540
-
\??\c:\btnnnh.exec:\btnnnh.exe78⤵PID:4300
-
\??\c:\pvvpp.exec:\pvvpp.exe79⤵PID:4568
-
\??\c:\rxrrlxx.exec:\rxrrlxx.exe80⤵PID:4872
-
\??\c:\hntttb.exec:\hntttb.exe81⤵PID:3584
-
\??\c:\ddvpv.exec:\ddvpv.exe82⤵PID:5036
-
\??\c:\5fxxrff.exec:\5fxxrff.exe83⤵PID:5072
-
\??\c:\nttttb.exec:\nttttb.exe84⤵PID:1964
-
\??\c:\bhbthb.exec:\bhbthb.exe85⤵PID:4528
-
\??\c:\jpppj.exec:\jpppj.exe86⤵PID:924
-
\??\c:\xfxxxff.exec:\xfxxxff.exe87⤵PID:1360
-
\??\c:\7bnntb.exec:\7bnntb.exe88⤵PID:4584
-
\??\c:\pvpvv.exec:\pvpvv.exe89⤵PID:5028
-
\??\c:\lllllff.exec:\lllllff.exe90⤵PID:1684
-
\??\c:\bnnnnt.exec:\bnnnnt.exe91⤵PID:1664
-
\??\c:\bnhhbt.exec:\bnhhbt.exe92⤵PID:4712
-
\??\c:\pvdjp.exec:\pvdjp.exe93⤵PID:2868
-
\??\c:\5rflxlx.exec:\5rflxlx.exe94⤵PID:4428
-
\??\c:\hhnnnt.exec:\hhnnnt.exe95⤵PID:2168
-
\??\c:\hhhntb.exec:\hhhntb.exe96⤵PID:1512
-
\??\c:\9pvvj.exec:\9pvvj.exe97⤵PID:4560
-
\??\c:\xrfllll.exec:\xrfllll.exe98⤵PID:452
-
\??\c:\hnnnht.exec:\hnnnht.exe99⤵PID:1980
-
\??\c:\djddd.exec:\djddd.exe100⤵PID:1416
-
\??\c:\djvdd.exec:\djvdd.exe101⤵PID:2208
-
\??\c:\xfrrffr.exec:\xfrrffr.exe102⤵PID:4492
-
\??\c:\ttbhbh.exec:\ttbhbh.exe103⤵PID:1012
-
\??\c:\1btbbh.exec:\1btbbh.exe104⤵PID:1112
-
\??\c:\vjvvd.exec:\vjvvd.exe105⤵PID:624
-
\??\c:\5fllxfx.exec:\5fllxfx.exe106⤵PID:5116
-
\??\c:\5rrxrxf.exec:\5rrxrxf.exe107⤵
- System Location Discovery: System Language Discovery
PID:4980 -
\??\c:\htbtnn.exec:\htbtnn.exe108⤵PID:4764
-
\??\c:\vppjj.exec:\vppjj.exe109⤵PID:5012
-
\??\c:\xxlllll.exec:\xxlllll.exe110⤵PID:4752
-
\??\c:\5nbbbh.exec:\5nbbbh.exe111⤵PID:4600
-
\??\c:\tbnnhn.exec:\tbnnhn.exe112⤵PID:3808
-
\??\c:\vpddd.exec:\vpddd.exe113⤵PID:1308
-
\??\c:\xxlrxfr.exec:\xxlrxfr.exe114⤵PID:2108
-
\??\c:\ntbttt.exec:\ntbttt.exe115⤵PID:3580
-
\??\c:\ddvvj.exec:\ddvvj.exe116⤵PID:2396
-
\??\c:\fffflrr.exec:\fffflrr.exe117⤵PID:1660
-
\??\c:\nnbttt.exec:\nnbttt.exe118⤵PID:1032
-
\??\c:\1ntttt.exec:\1ntttt.exe119⤵PID:3280
-
\??\c:\vjpjv.exec:\vjpjv.exe120⤵PID:2636
-
\??\c:\fxfrlxl.exec:\fxfrlxl.exe121⤵PID:2352
-
\??\c:\bthhbh.exec:\bthhbh.exe122⤵PID:4572