Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-12-2024 22:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c.exe
-
Size
453KB
-
MD5
4ec3247ccb526f9aecdc2d4a627a3ddf
-
SHA1
a4137a09d5e726f68a82d4a0bda6fc26824af3cd
-
SHA256
4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c
-
SHA512
bd98e819d0142c9a7087ff29f1e85045c59ef132bfaefb55c161e914447a824cb3a5464ccaad02832077d844bbe4fc99c1a166db9df628ab59e17bee48424f16
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4248-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/60-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1644-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1016-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2360-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4968-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3860-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2820-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4544-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-353-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3820-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-430-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4468-476-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-492-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3120-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3016-601-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-884-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-999-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4340-1412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4544 ddjdd.exe 2020 rrxrrrr.exe 4428 nnbbbh.exe 4640 1pddv.exe 3064 vppjd.exe 2184 fxfxrrr.exe 544 hbtbbn.exe 1304 tbhntn.exe 3464 jvpjv.exe 1588 lxrllff.exe 3328 hbhbbt.exe 2820 tnnhbb.exe 4492 vpddd.exe 1388 rfrlllf.exe 2128 xfxlfff.exe 3012 ntbnth.exe 4164 dvjjp.exe 4764 xrxrflf.exe 3860 1rllffx.exe 4508 tntnnn.exe 2868 vjvdd.exe 3576 xrxxrlx.exe 4972 rflrlxr.exe 4864 hnbbnn.exe 1848 djjvv.exe 1236 xxffrxx.exe 4272 rlrlxxr.exe 916 3bbbtt.exe 5112 vpjdj.exe 2428 ddppj.exe 5100 rflfxxr.exe 4968 bbtnht.exe 2360 bbnnnn.exe 3020 ddjjd.exe 1016 rfrrlrf.exe 4716 bbhtbh.exe 1044 dpvdd.exe 2508 jpdvv.exe 4080 rxlfxxx.exe 2272 bnbthh.exe 4000 bbhbbb.exe 4580 vvvvp.exe 4108 rrxxxff.exe 1644 lxllflf.exe 4832 bntnhh.exe 3016 pppdd.exe 60 jjppd.exe 4024 rrxxrrr.exe 2296 hnhhbt.exe 1516 jvjdd.exe 4048 pjdpv.exe 3500 xrrllll.exe 804 ttbbhh.exe 1676 jdpjj.exe 4412 vpddd.exe 4248 lfrrlrr.exe 4812 hbnnhh.exe 4144 bntnhh.exe 1276 pppjj.exe 3408 fxfxlfx.exe 3440 bttbtn.exe 5004 thttnt.exe 3888 5ddvp.exe 4808 rlrxrrl.exe -
resource yara_rule behavioral2/memory/4248-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/60-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1644-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-181-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2428-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1236-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2868-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3860-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2820-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4584-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-349-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/836-353-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-362-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3820-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-430-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-476-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-492-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3120-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3016-601-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4468-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-884-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxlfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxlllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4248 wrote to memory of 4544 4248 4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c.exe 84 PID 4248 wrote to memory of 4544 4248 4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c.exe 84 PID 4248 wrote to memory of 4544 4248 4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c.exe 84 PID 4544 wrote to memory of 2020 4544 ddjdd.exe 85 PID 4544 wrote to memory of 2020 4544 ddjdd.exe 85 PID 4544 wrote to memory of 2020 4544 ddjdd.exe 85 PID 2020 wrote to memory of 4428 2020 rrxrrrr.exe 86 PID 2020 wrote to memory of 4428 2020 rrxrrrr.exe 86 PID 2020 wrote to memory of 4428 2020 rrxrrrr.exe 86 PID 4428 wrote to memory of 4640 4428 nnbbbh.exe 87 PID 4428 wrote to memory of 4640 4428 nnbbbh.exe 87 PID 4428 wrote to memory of 4640 4428 nnbbbh.exe 87 PID 4640 wrote to memory of 3064 4640 1pddv.exe 88 PID 4640 wrote to memory of 3064 4640 1pddv.exe 88 PID 4640 wrote to memory of 3064 4640 1pddv.exe 88 PID 3064 wrote to memory of 2184 3064 vppjd.exe 89 PID 3064 wrote to memory of 2184 3064 vppjd.exe 89 PID 3064 wrote to memory of 2184 3064 vppjd.exe 89 PID 2184 wrote to memory of 544 2184 fxfxrrr.exe 90 PID 2184 wrote to memory of 544 2184 fxfxrrr.exe 90 PID 2184 wrote to memory of 544 2184 fxfxrrr.exe 90 PID 544 wrote to memory of 1304 544 hbtbbn.exe 91 PID 544 wrote to memory of 1304 544 hbtbbn.exe 91 PID 544 wrote to memory of 1304 544 hbtbbn.exe 91 PID 1304 wrote to memory of 3464 1304 tbhntn.exe 92 PID 1304 wrote to memory of 3464 1304 tbhntn.exe 92 PID 1304 wrote to memory of 3464 1304 tbhntn.exe 92 PID 3464 wrote to memory of 1588 3464 jvpjv.exe 93 PID 3464 wrote to memory of 1588 3464 jvpjv.exe 93 PID 3464 wrote to memory of 1588 3464 jvpjv.exe 93 PID 1588 wrote to memory of 3328 1588 lxrllff.exe 94 PID 1588 wrote to memory of 3328 1588 lxrllff.exe 94 PID 1588 wrote to memory of 3328 1588 lxrllff.exe 94 PID 3328 wrote to memory of 2820 3328 hbhbbt.exe 95 PID 3328 wrote to memory of 
2820 3328 hbhbbt.exe 95 PID 3328 wrote to memory of 2820 3328 hbhbbt.exe 95 PID 2820 wrote to memory of 4492 2820 tnnhbb.exe 96 PID 2820 wrote to memory of 4492 2820 tnnhbb.exe 96 PID 2820 wrote to memory of 4492 2820 tnnhbb.exe 96 PID 4492 wrote to memory of 1388 4492 vpddd.exe 97 PID 4492 wrote to memory of 1388 4492 vpddd.exe 97 PID 4492 wrote to memory of 1388 4492 vpddd.exe 97 PID 1388 wrote to memory of 2128 1388 rfrlllf.exe 98 PID 1388 wrote to memory of 2128 1388 rfrlllf.exe 98 PID 1388 wrote to memory of 2128 1388 rfrlllf.exe 98 PID 2128 wrote to memory of 3012 2128 xfxlfff.exe 99 PID 2128 wrote to memory of 3012 2128 xfxlfff.exe 99 PID 2128 wrote to memory of 3012 2128 xfxlfff.exe 99 PID 3012 wrote to memory of 4164 3012 ntbnth.exe 100 PID 3012 wrote to memory of 4164 3012 ntbnth.exe 100 PID 3012 wrote to memory of 4164 3012 ntbnth.exe 100 PID 4164 wrote to memory of 4764 4164 dvjjp.exe 101 PID 4164 wrote to memory of 4764 4164 dvjjp.exe 101 PID 4164 wrote to memory of 4764 4164 dvjjp.exe 101 PID 4764 wrote to memory of 3860 4764 xrxrflf.exe 102 PID 4764 wrote to memory of 3860 4764 xrxrflf.exe 102 PID 4764 wrote to memory of 3860 4764 xrxrflf.exe 102 PID 3860 wrote to memory of 4508 3860 1rllffx.exe 103 PID 3860 wrote to memory of 4508 3860 1rllffx.exe 103 PID 3860 wrote to memory of 4508 3860 1rllffx.exe 103 PID 4508 wrote to memory of 2868 4508 tntnnn.exe 104 PID 4508 wrote to memory of 2868 4508 tntnnn.exe 104 PID 4508 wrote to memory of 2868 4508 tntnnn.exe 104 PID 2868 wrote to memory of 3576 2868 vjvdd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c.exe"C:\Users\Admin\AppData\Local\Temp\4f6e7c0f8a510edbdd662d290ef1818c85b4f45c84786b8b2b1adfeec8a0874c.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4248 -
\??\c:\ddjdd.exec:\ddjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\rrxrrrr.exec:\rrxrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\nnbbbh.exec:\nnbbbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\1pddv.exec:\1pddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\vppjd.exec:\vppjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\fxfxrrr.exec:\fxfxrrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2184 -
\??\c:\hbtbbn.exec:\hbtbbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:544 -
\??\c:\tbhntn.exec:\tbhntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
\??\c:\jvpjv.exec:\jvpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\lxrllff.exec:\lxrllff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\hbhbbt.exec:\hbhbbt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3328 -
\??\c:\tnnhbb.exec:\tnnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\vpddd.exec:\vpddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\rfrlllf.exec:\rfrlllf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\xfxlfff.exec:\xfxlfff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
\??\c:\ntbnth.exec:\ntbnth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\dvjjp.exec:\dvjjp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4164 -
\??\c:\xrxrflf.exec:\xrxrflf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\1rllffx.exec:\1rllffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3860 -
\??\c:\tntnnn.exec:\tntnnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\vjvdd.exec:\vjvdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868 -
\??\c:\xrxxrlx.exec:\xrxxrlx.exe23⤵
- Executes dropped EXE
PID:3576 -
\??\c:\rflrlxr.exec:\rflrlxr.exe24⤵
- Executes dropped EXE
PID:4972 -
\??\c:\hnbbnn.exec:\hnbbnn.exe25⤵
- Executes dropped EXE
PID:4864 -
\??\c:\djjvv.exec:\djjvv.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1848 -
\??\c:\xxffrxx.exec:\xxffrxx.exe27⤵
- Executes dropped EXE
PID:1236 -
\??\c:\rlrlxxr.exec:\rlrlxxr.exe28⤵
- Executes dropped EXE
PID:4272 -
\??\c:\3bbbtt.exec:\3bbbtt.exe29⤵
- Executes dropped EXE
PID:916 -
\??\c:\vpjdj.exec:\vpjdj.exe30⤵
- Executes dropped EXE
PID:5112 -
\??\c:\ddppj.exec:\ddppj.exe31⤵
- Executes dropped EXE
PID:2428 -
\??\c:\rflfxxr.exec:\rflfxxr.exe32⤵
- Executes dropped EXE
PID:5100 -
\??\c:\bbtnht.exec:\bbtnht.exe33⤵
- Executes dropped EXE
PID:4968 -
\??\c:\bbnnnn.exec:\bbnnnn.exe34⤵
- Executes dropped EXE
PID:2360 -
\??\c:\ddjjd.exec:\ddjjd.exe35⤵
- Executes dropped EXE
PID:3020 -
\??\c:\rfrrlrf.exec:\rfrrlrf.exe36⤵
- Executes dropped EXE
PID:1016 -
\??\c:\bbhtbh.exec:\bbhtbh.exe37⤵
- Executes dropped EXE
PID:4716 -
\??\c:\dpvdd.exec:\dpvdd.exe38⤵
- Executes dropped EXE
PID:1044 -
\??\c:\jpdvv.exec:\jpdvv.exe39⤵
- Executes dropped EXE
PID:2508 -
\??\c:\rxlfxxx.exec:\rxlfxxx.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4080 -
\??\c:\bnbthh.exec:\bnbthh.exe41⤵
- Executes dropped EXE
PID:2272 -
\??\c:\bbhbbb.exec:\bbhbbb.exe42⤵
- Executes dropped EXE
PID:4000 -
\??\c:\vvvvp.exec:\vvvvp.exe43⤵
- Executes dropped EXE
PID:4580 -
\??\c:\rrxxxff.exec:\rrxxxff.exe44⤵
- Executes dropped EXE
PID:4108 -
\??\c:\lxllflf.exec:\lxllflf.exe45⤵
- Executes dropped EXE
PID:1644 -
\??\c:\bntnhh.exec:\bntnhh.exe46⤵
- Executes dropped EXE
PID:4832 -
\??\c:\pppdd.exec:\pppdd.exe47⤵
- Executes dropped EXE
PID:3016 -
\??\c:\jjppd.exec:\jjppd.exe48⤵
- Executes dropped EXE
PID:60 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe49⤵
- Executes dropped EXE
PID:4024 -
\??\c:\hnhhbt.exec:\hnhhbt.exe50⤵
- Executes dropped EXE
PID:2296 -
\??\c:\jvjdd.exec:\jvjdd.exe51⤵
- Executes dropped EXE
PID:1516 -
\??\c:\pjdpv.exec:\pjdpv.exe52⤵
- Executes dropped EXE
PID:4048 -
\??\c:\xrrllll.exec:\xrrllll.exe53⤵
- Executes dropped EXE
PID:3500 -
\??\c:\ttbbhh.exec:\ttbbhh.exe54⤵
- Executes dropped EXE
PID:804 -
\??\c:\jdpjj.exec:\jdpjj.exe55⤵
- Executes dropped EXE
PID:1676 -
\??\c:\vpddd.exec:\vpddd.exe56⤵
- Executes dropped EXE
PID:4412 -
\??\c:\lfrrlrr.exec:\lfrrlrr.exe57⤵
- Executes dropped EXE
PID:4248 -
\??\c:\hbnnhh.exec:\hbnnhh.exe58⤵
- Executes dropped EXE
PID:4812 -
\??\c:\bntnhh.exec:\bntnhh.exe59⤵
- Executes dropped EXE
PID:4144 -
\??\c:\pppjj.exec:\pppjj.exe60⤵
- Executes dropped EXE
PID:1276 -
\??\c:\fxfxlfx.exec:\fxfxlfx.exe61⤵
- Executes dropped EXE
PID:3408 -
\??\c:\bttbtn.exec:\bttbtn.exe62⤵
- Executes dropped EXE
PID:3440 -
\??\c:\thttnt.exec:\thttnt.exe63⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5ddvp.exec:\5ddvp.exe64⤵
- Executes dropped EXE
PID:3888 -
\??\c:\rlrxrrl.exec:\rlrxrrl.exe65⤵
- Executes dropped EXE
PID:4808 -
\??\c:\rllfffx.exec:\rllfffx.exe66⤵PID:1608
-
\??\c:\nhnhbh.exec:\nhnhbh.exe67⤵PID:4644
-
\??\c:\dvjpj.exec:\dvjpj.exe68⤵PID:2352
-
\??\c:\9rfxfrl.exec:\9rfxfrl.exe69⤵PID:4084
-
\??\c:\llxlxxf.exec:\llxlxxf.exe70⤵PID:2368
-
\??\c:\nntttt.exec:\nntttt.exe71⤵PID:1628
-
\??\c:\jpvvd.exec:\jpvvd.exe72⤵PID:4948
-
\??\c:\bbbbtt.exec:\bbbbtt.exe73⤵PID:2792
-
\??\c:\jdvpd.exec:\jdvpd.exe74⤵PID:2688
-
\??\c:\jjvdd.exec:\jjvdd.exe75⤵PID:4804
-
\??\c:\rxffffx.exec:\rxffffx.exe76⤵PID:444
-
\??\c:\nhhhnn.exec:\nhhhnn.exe77⤵PID:4584
-
\??\c:\vppjd.exec:\vppjd.exe78⤵PID:1032
-
\??\c:\llrlfff.exec:\llrlfff.exe79⤵PID:4816
-
\??\c:\bthhbh.exec:\bthhbh.exe80⤵PID:836
-
\??\c:\vdvdv.exec:\vdvdv.exe81⤵PID:2284
-
\??\c:\jdjvp.exec:\jdjvp.exe82⤵PID:1492
-
\??\c:\frflfll.exec:\frflfll.exe83⤵PID:232
-
\??\c:\nntttt.exec:\nntttt.exe84⤵PID:8
-
\??\c:\tthnnh.exec:\tthnnh.exe85⤵PID:2800
-
\??\c:\1dppp.exec:\1dppp.exe86⤵PID:1724
-
\??\c:\xrrlffx.exec:\xrrlffx.exe87⤵PID:2380
-
\??\c:\hhhnhh.exec:\hhhnhh.exe88⤵PID:1028
-
\??\c:\5bhhbh.exec:\5bhhbh.exe89⤵PID:764
-
\??\c:\5jpjd.exec:\5jpjd.exe90⤵PID:1100
-
\??\c:\frfxrrl.exec:\frfxrrl.exe91⤵PID:2884
-
\??\c:\nbnhhh.exec:\nbnhhh.exe92⤵PID:3652
-
\??\c:\9jpjd.exec:\9jpjd.exe93⤵PID:3700
-
\??\c:\xlxxrrr.exec:\xlxxrrr.exe94⤵PID:872
-
\??\c:\7nnhbb.exec:\7nnhbb.exe95⤵PID:3820
-
\??\c:\pvvvv.exec:\pvvvv.exe96⤵PID:2876
-
\??\c:\xrrlffx.exec:\xrrlffx.exe97⤵PID:1564
-
\??\c:\xrrrlrx.exec:\xrrrlrx.exe98⤵
- System Location Discovery: System Language Discovery
PID:2580 -
\??\c:\tnhbbb.exec:\tnhbbb.exe99⤵PID:2616
-
\??\c:\ppddj.exec:\ppddj.exe100⤵PID:1368
-
\??\c:\1rrrrrr.exec:\1rrrrrr.exe101⤵PID:4024
-
\??\c:\9ntthh.exec:\9ntthh.exe102⤵PID:4092
-
\??\c:\vpppp.exec:\vpppp.exe103⤵PID:2600
-
\??\c:\frxrllf.exec:\frxrllf.exe104⤵PID:2412
-
\??\c:\dvpjp.exec:\dvpjp.exe105⤵PID:4368
-
\??\c:\xxfxrrr.exec:\xxfxrrr.exe106⤵PID:632
-
\??\c:\rfrlffr.exec:\rfrlffr.exe107⤵PID:4280
-
\??\c:\thbntb.exec:\thbntb.exe108⤵PID:4688
-
\??\c:\vvjdd.exec:\vvjdd.exe109⤵PID:1572
-
\??\c:\9ffxrrr.exec:\9ffxrrr.exe110⤵PID:4812
-
\??\c:\bnbbbh.exec:\bnbbbh.exe111⤵PID:4792
-
\??\c:\pjjjj.exec:\pjjjj.exe112⤵PID:476
-
\??\c:\9fflflx.exec:\9fflflx.exe113⤵PID:3604
-
\??\c:\ntbbhn.exec:\ntbbhn.exe114⤵PID:1428
-
\??\c:\vjppd.exec:\vjppd.exe115⤵PID:1328
-
\??\c:\rlrllll.exec:\rlrllll.exe116⤵PID:808
-
\??\c:\bbnnhn.exec:\bbnnhn.exe117⤵PID:4712
-
\??\c:\vjppj.exec:\vjppj.exe118⤵PID:1600
-
\??\c:\rrlfffl.exec:\rrlfffl.exe119⤵PID:4468
-
\??\c:\nnbbtt.exec:\nnbbtt.exe120⤵PID:2524
-
\??\c:\tntnhh.exec:\tntnhh.exe121⤵PID:3592
-
\??\c:\pjpjv.exec:\pjpjv.exe122⤵PID:2324