Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
18-12-2024 23:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3N.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3N.exe
-
Size
453KB
-
MD5
e44b459164d3a0f7498cb2e83b259ac0
-
SHA1
0ba7f546e4eb1597278493dce6eaff8746fa2fb8
-
SHA256
820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3
-
SHA512
5cfa5ce53373e91966fbb1bcf4e914307f09260b1aa0a4f9ecc10be427b9e4eac3de23fa7d94d3f4a3bdb2e508eae288bd1a93cf4f1d4a1c2366dea528630b5e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeC:q7Tc2NYHUrAwfMp3CDC
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2444-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1524-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3968-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4280-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5068-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3348-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1104-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2900-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1396-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2008-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-416-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2844-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-590-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-622-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-655-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-782-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1844-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1740-982-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-1055-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-1292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-1759-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2264 xfxxxxr.exe 820 tnbbbt.exe 2464 thnttt.exe 2060 djjdd.exe 3088 rfrrrxx.exe 1368 thbbbb.exe 1396 bnbtnn.exe 5076 vjppj.exe 4256 lrxxxxx.exe 628 lflffff.exe 1748 hnhhbh.exe 3580 vdjdd.exe 3028 vjdjj.exe 4692 frrrxxl.exe 1876 ntnhhh.exe 2900 vdjjj.exe 5060 xxxrrrl.exe 1104 1lxxflr.exe 3348 nnbbbb.exe 4060 jjpjj.exe 4584 dpvpj.exe 952 3lrrrrx.exe 1288 5hhhnt.exe 4316 vjvvv.exe 5068 xrfrlfr.exe 4280 flrrrrr.exe 1376 bbbbbb.exe 960 vpdjj.exe 2684 pdvdd.exe 4100 fflllrr.exe 3968 bnhbtb.exe 3944 vjvvp.exe 4856 9jdjj.exe 4836 fxrxxff.exe 4328 bhthbb.exe 3760 hthbbh.exe 224 jpjdd.exe 1412 lxxxrrr.exe 2160 nhhbtb.exe 1968 dppjj.exe 2816 vpdjp.exe 4652 ffxrflr.exe 3424 tnnnnh.exe 4348 pjppp.exe 2704 jpvjj.exe 1932 7lrrrfx.exe 1636 bttnhh.exe 716 nhnnhh.exe 4260 vvjpj.exe 184 xxrxrlx.exe 1892 thnnnt.exe 3648 hbhbbt.exe 4300 7pvvd.exe 5080 rlrrlrr.exe 2128 nnttbh.exe 5020 nntbbb.exe 5088 jdjpj.exe 208 lllrrrr.exe 2104 rlxxxff.exe 4352 hhtbbb.exe 1744 vjdvj.exe 2840 xrrrlff.exe 4636 rrrxxxf.exe 396 hbhhbh.exe -
resource yara_rule behavioral2/memory/2444-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1524-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4352-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-167-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/960-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4280-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5068-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1104-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2900-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1748-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1396-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-355-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4832-385-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2904-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-416-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2844-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-590-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-622-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3800-648-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-655-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-782-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrrrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxlrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffxrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtnnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2264 2444 820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3N.exe 83 PID 2444 wrote to memory of 2264 2444 820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3N.exe 83 PID 2444 wrote to memory of 2264 2444 820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3N.exe 83 PID 2264 wrote to memory of 820 2264 xfxxxxr.exe 84 PID 2264 wrote to memory of 820 2264 xfxxxxr.exe 84 PID 2264 wrote to memory of 820 2264 xfxxxxr.exe 84 PID 820 wrote to memory of 2464 820 tnbbbt.exe 85 PID 820 wrote to memory of 2464 820 tnbbbt.exe 85 PID 820 wrote to memory of 2464 820 tnbbbt.exe 85 PID 2464 wrote to memory of 2060 2464 thnttt.exe 86 PID 2464 wrote to memory of 2060 2464 thnttt.exe 86 PID 2464 wrote to memory of 2060 2464 thnttt.exe 86 PID 2060 wrote to memory of 3088 2060 djjdd.exe 87 PID 2060 wrote to memory of 3088 2060 djjdd.exe 87 PID 2060 wrote to memory of 3088 2060 djjdd.exe 87 PID 3088 wrote to memory of 1368 3088 rfrrrxx.exe 88 PID 3088 wrote to memory of 1368 3088 rfrrrxx.exe 88 PID 3088 wrote to memory of 1368 3088 rfrrrxx.exe 88 PID 1368 wrote to memory of 1396 1368 thbbbb.exe 89 PID 1368 wrote to memory of 1396 1368 thbbbb.exe 89 PID 1368 wrote to memory of 1396 1368 thbbbb.exe 89 PID 1396 wrote to memory of 5076 1396 bnbtnn.exe 90 PID 1396 wrote to memory of 5076 1396 bnbtnn.exe 90 PID 1396 wrote to memory of 5076 1396 bnbtnn.exe 90 PID 5076 wrote to memory of 4256 5076 vjppj.exe 91 PID 5076 wrote to memory of 4256 5076 vjppj.exe 91 PID 5076 wrote to memory of 4256 5076 vjppj.exe 91 PID 4256 wrote to memory of 628 4256 lrxxxxx.exe 92 PID 4256 wrote to memory of 628 4256 lrxxxxx.exe 92 PID 4256 wrote to memory of 628 4256 lrxxxxx.exe 92 PID 628 wrote to memory of 1748 628 lflffff.exe 93 PID 628 wrote to memory of 1748 628 lflffff.exe 93 PID 628 wrote to memory of 1748 628 lflffff.exe 93 PID 1748 wrote to memory of 3580 1748 hnhhbh.exe 94 PID 1748 wrote to memory of 
3580 1748 hnhhbh.exe 94 PID 1748 wrote to memory of 3580 1748 hnhhbh.exe 94 PID 3580 wrote to memory of 3028 3580 vdjdd.exe 95 PID 3580 wrote to memory of 3028 3580 vdjdd.exe 95 PID 3580 wrote to memory of 3028 3580 vdjdd.exe 95 PID 3028 wrote to memory of 4692 3028 vjdjj.exe 96 PID 3028 wrote to memory of 4692 3028 vjdjj.exe 96 PID 3028 wrote to memory of 4692 3028 vjdjj.exe 96 PID 4692 wrote to memory of 1876 4692 frrrxxl.exe 97 PID 4692 wrote to memory of 1876 4692 frrrxxl.exe 97 PID 4692 wrote to memory of 1876 4692 frrrxxl.exe 97 PID 1876 wrote to memory of 2900 1876 ntnhhh.exe 98 PID 1876 wrote to memory of 2900 1876 ntnhhh.exe 98 PID 1876 wrote to memory of 2900 1876 ntnhhh.exe 98 PID 2900 wrote to memory of 5060 2900 vdjjj.exe 99 PID 2900 wrote to memory of 5060 2900 vdjjj.exe 99 PID 2900 wrote to memory of 5060 2900 vdjjj.exe 99 PID 5060 wrote to memory of 1104 5060 xxxrrrl.exe 100 PID 5060 wrote to memory of 1104 5060 xxxrrrl.exe 100 PID 5060 wrote to memory of 1104 5060 xxxrrrl.exe 100 PID 1104 wrote to memory of 3348 1104 1lxxflr.exe 101 PID 1104 wrote to memory of 3348 1104 1lxxflr.exe 101 PID 1104 wrote to memory of 3348 1104 1lxxflr.exe 101 PID 3348 wrote to memory of 4060 3348 nnbbbb.exe 155 PID 3348 wrote to memory of 4060 3348 nnbbbb.exe 155 PID 3348 wrote to memory of 4060 3348 nnbbbb.exe 155 PID 4060 wrote to memory of 4584 4060 jjpjj.exe 103 PID 4060 wrote to memory of 4584 4060 jjpjj.exe 103 PID 4060 wrote to memory of 4584 4060 jjpjj.exe 103 PID 4584 wrote to memory of 952 4584 dpvpj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3N.exe"C:\Users\Admin\AppData\Local\Temp\820520ebcf298ee8fbbf7fe70af95378eceff21ae6bd857b2e272e11bbf7c4e3N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\xfxxxxr.exec:\xfxxxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\tnbbbt.exec:\tnbbbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\thnttt.exec:\thnttt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\djjdd.exec:\djjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2060 -
\??\c:\rfrrrxx.exec:\rfrrrxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\thbbbb.exec:\thbbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
\??\c:\bnbtnn.exec:\bnbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1396 -
\??\c:\vjppj.exec:\vjppj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\lrxxxxx.exec:\lrxxxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\lflffff.exec:\lflffff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\hnhhbh.exec:\hnhhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1748 -
\??\c:\vdjdd.exec:\vdjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\vjdjj.exec:\vjdjj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\frrrxxl.exec:\frrrxxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\ntnhhh.exec:\ntnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\vdjjj.exec:\vdjjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5060 -
\??\c:\1lxxflr.exec:\1lxxflr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
\??\c:\nnbbbb.exec:\nnbbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
\??\c:\jjpjj.exec:\jjpjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\dpvpj.exec:\dpvpj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
\??\c:\3lrrrrx.exec:\3lrrrrx.exe23⤵
- Executes dropped EXE
PID:952 -
\??\c:\5hhhnt.exec:\5hhhnt.exe24⤵
- Executes dropped EXE
PID:1288 -
\??\c:\vjvvv.exec:\vjvvv.exe25⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xrfrlfr.exec:\xrfrlfr.exe26⤵
- Executes dropped EXE
PID:5068 -
\??\c:\flrrrrr.exec:\flrrrrr.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4280 -
\??\c:\bbbbbb.exec:\bbbbbb.exe28⤵
- Executes dropped EXE
PID:1376 -
\??\c:\vpdjj.exec:\vpdjj.exe29⤵
- Executes dropped EXE
PID:960 -
\??\c:\pdvdd.exec:\pdvdd.exe30⤵
- Executes dropped EXE
PID:2684 -
\??\c:\fflllrr.exec:\fflllrr.exe31⤵
- Executes dropped EXE
PID:4100 -
\??\c:\bnhbtb.exec:\bnhbtb.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3968 -
\??\c:\vjvvp.exec:\vjvvp.exe33⤵
- Executes dropped EXE
PID:3944 -
\??\c:\9jdjj.exec:\9jdjj.exe34⤵
- Executes dropped EXE
PID:4856 -
\??\c:\fxrxxff.exec:\fxrxxff.exe35⤵
- Executes dropped EXE
PID:4836 -
\??\c:\bhthbb.exec:\bhthbb.exe36⤵
- Executes dropped EXE
PID:4328 -
\??\c:\hthbbh.exec:\hthbbh.exe37⤵
- Executes dropped EXE
PID:3760 -
\??\c:\jpjdd.exec:\jpjdd.exe38⤵
- Executes dropped EXE
PID:224 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe39⤵
- Executes dropped EXE
PID:1412 -
\??\c:\nhhbtb.exec:\nhhbtb.exe40⤵
- Executes dropped EXE
PID:2160 -
\??\c:\dppjj.exec:\dppjj.exe41⤵
- Executes dropped EXE
PID:1968 -
\??\c:\vpdjp.exec:\vpdjp.exe42⤵
- Executes dropped EXE
PID:2816 -
\??\c:\ffxrflr.exec:\ffxrflr.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4652 -
\??\c:\tnnnnh.exec:\tnnnnh.exe44⤵
- Executes dropped EXE
PID:3424 -
\??\c:\pjppp.exec:\pjppp.exe45⤵
- Executes dropped EXE
PID:4348 -
\??\c:\jpvjj.exec:\jpvjj.exe46⤵
- Executes dropped EXE
PID:2704 -
\??\c:\7lrrrfx.exec:\7lrrrfx.exe47⤵
- Executes dropped EXE
PID:1932 -
\??\c:\bttnhh.exec:\bttnhh.exe48⤵
- Executes dropped EXE
PID:1636 -
\??\c:\nhnnhh.exec:\nhnnhh.exe49⤵
- Executes dropped EXE
PID:716 -
\??\c:\vvjpj.exec:\vvjpj.exe50⤵
- Executes dropped EXE
PID:4260 -
\??\c:\xxrxrlx.exec:\xxrxrlx.exe51⤵
- Executes dropped EXE
PID:184 -
\??\c:\thnnnt.exec:\thnnnt.exe52⤵
- Executes dropped EXE
PID:1892 -
\??\c:\hbhbbt.exec:\hbhbbt.exe53⤵
- Executes dropped EXE
PID:3648 -
\??\c:\7pvvd.exec:\7pvvd.exe54⤵
- Executes dropped EXE
PID:4300 -
\??\c:\rlrrlrr.exec:\rlrrlrr.exe55⤵
- Executes dropped EXE
PID:5080 -
\??\c:\nnttbh.exec:\nnttbh.exe56⤵
- Executes dropped EXE
PID:2128 -
\??\c:\nntbbb.exec:\nntbbb.exe57⤵
- Executes dropped EXE
PID:5020 -
\??\c:\jdjpj.exec:\jdjpj.exe58⤵
- Executes dropped EXE
PID:5088 -
\??\c:\lllrrrr.exec:\lllrrrr.exe59⤵
- Executes dropped EXE
PID:208 -
\??\c:\rlxxxff.exec:\rlxxxff.exe60⤵
- Executes dropped EXE
PID:2104 -
\??\c:\hhtbbb.exec:\hhtbbb.exe61⤵
- Executes dropped EXE
PID:4352 -
\??\c:\vjdvj.exec:\vjdvj.exe62⤵
- Executes dropped EXE
PID:1744 -
\??\c:\xrrrlff.exec:\xrrrlff.exe63⤵
- Executes dropped EXE
PID:2840 -
\??\c:\rrrxxxf.exec:\rrrxxxf.exe64⤵
- Executes dropped EXE
PID:4636 -
\??\c:\hbhhbh.exec:\hbhhbh.exe65⤵
- Executes dropped EXE
PID:396 -
\??\c:\dpvpp.exec:\dpvpp.exe66⤵PID:1176
-
\??\c:\1rxrflr.exec:\1rxrflr.exe67⤵PID:1772
-
\??\c:\rfrrrrr.exec:\rfrrrrr.exe68⤵PID:4168
-
\??\c:\nbhhbb.exec:\nbhhbb.exe69⤵PID:2448
-
\??\c:\vjvpd.exec:\vjvpd.exe70⤵PID:1524
-
\??\c:\xxlfllf.exec:\xxlfllf.exe71⤵PID:3856
-
\??\c:\lxllfff.exec:\lxllfff.exe72⤵PID:8
-
\??\c:\hhnnnt.exec:\hhnnnt.exe73⤵PID:5012
-
\??\c:\vpvvp.exec:\vpvvp.exe74⤵PID:4060
-
\??\c:\rlxxrxx.exec:\rlxxrxx.exe75⤵PID:4796
-
\??\c:\3rrllrl.exec:\3rrllrl.exe76⤵PID:2248
-
\??\c:\thnhhn.exec:\thnhhn.exe77⤵PID:3156
-
\??\c:\dvppd.exec:\dvppd.exe78⤵PID:4992
-
\??\c:\rffxxxx.exec:\rffxxxx.exe79⤵PID:5068
-
\??\c:\bttnnn.exec:\bttnnn.exe80⤵PID:1112
-
\??\c:\5bhbnn.exec:\5bhbnn.exe81⤵PID:2008
-
\??\c:\ppppp.exec:\ppppp.exe82⤵PID:2324
-
\??\c:\lrlfflf.exec:\lrlfflf.exe83⤵PID:4268
-
\??\c:\hthhhh.exec:\hthhhh.exe84⤵PID:4292
-
\??\c:\vpdpj.exec:\vpdpj.exe85⤵PID:3944
-
\??\c:\xrllrrl.exec:\xrllrrl.exe86⤵PID:4024
-
\??\c:\bhnnnn.exec:\bhnnnn.exe87⤵PID:5056
-
\??\c:\btbttb.exec:\btbttb.exe88⤵PID:1924
-
\??\c:\pvjjv.exec:\pvjjv.exe89⤵PID:3384
-
\??\c:\lxllllf.exec:\lxllllf.exe90⤵PID:5096
-
\??\c:\bnnhhh.exec:\bnnhhh.exe91⤵PID:4308
-
\??\c:\hbbhhb.exec:\hbbhhb.exe92⤵PID:4832
-
\??\c:\rxfrxxf.exec:\rxfrxxf.exe93⤵PID:688
-
\??\c:\ntbbhn.exec:\ntbbhn.exe94⤵PID:2664
-
\??\c:\vjddd.exec:\vjddd.exe95⤵PID:740
-
\??\c:\xxllffr.exec:\xxllffr.exe96⤵PID:2904
-
\??\c:\llflrxx.exec:\llflrxx.exe97⤵PID:5000
-
\??\c:\pdjdd.exec:\pdjdd.exe98⤵PID:1068
-
\??\c:\nttttn.exec:\nttttn.exe99⤵PID:5004
-
\??\c:\ppjvv.exec:\ppjvv.exe100⤵PID:2980
-
\??\c:\lfrrxxl.exec:\lfrrxxl.exe101⤵PID:2756
-
\??\c:\tnbnth.exec:\tnbnth.exe102⤵PID:3952
-
\??\c:\rxxrrrr.exec:\rxxrrrr.exe103⤵PID:3008
-
\??\c:\bbhhhh.exec:\bbhhhh.exe104⤵PID:2340
-
\??\c:\dpdjd.exec:\dpdjd.exe105⤵PID:1404
-
\??\c:\jjjvd.exec:\jjjvd.exe106⤵PID:1120
-
\??\c:\5bnthb.exec:\5bnthb.exe107⤵PID:1848
-
\??\c:\dpdjv.exec:\dpdjv.exe108⤵PID:2588
-
\??\c:\lrlfffx.exec:\lrlfffx.exe109⤵PID:4896
-
\??\c:\tnnhnn.exec:\tnnhnn.exe110⤵PID:1532
-
\??\c:\pjvvv.exec:\pjvvv.exe111⤵PID:208
-
\??\c:\9rlrrxr.exec:\9rlrrxr.exe112⤵PID:1016
-
\??\c:\ppddd.exec:\ppddd.exe113⤵PID:3936
-
\??\c:\rlxrrxx.exec:\rlxrrxx.exe114⤵PID:3000
-
\??\c:\thhtnh.exec:\thhtnh.exe115⤵PID:556
-
\??\c:\jvdjj.exec:\jvdjj.exe116⤵PID:220
-
\??\c:\llfxfrr.exec:\llfxfrr.exe117⤵PID:2156
-
\??\c:\tnnnnn.exec:\tnnnnn.exe118⤵PID:3520
-
\??\c:\vvvjp.exec:\vvvjp.exe119⤵
- System Location Discovery: System Language Discovery
PID:2460 -
\??\c:\rrxxfff.exec:\rrxxfff.exe120⤵PID:1176
-
\??\c:\ddddd.exec:\ddddd.exe121⤵PID:4768
-
\??\c:\lxfllrr.exec:\lxfllrr.exe122⤵PID:628