Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
23-12-2024 01:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe
Resource
win7-20240708-en
windows7-x64
7 signatures
150 seconds
General
-
Target
9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe
-
Size
454KB
-
MD5
125acbacb76419294695bae8cde746de
-
SHA1
240885bf685089b56d5bf32581a3781a2aea2730
-
SHA256
9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc
-
SHA512
a8bfeb3b6acdcf111a097320afdbf6f7c49a19e83014703fe749c5882cb275d382b0835f701b64b5aae0a10b45fcf89f33e2cb7aa235e6bdace79e36513d42c9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeq:q7Tc2NYHUrAwfMp3CDq
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/4028-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4148-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1800-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4952-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2700-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4556-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1388-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2680-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2788-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3980-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2384-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2672-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4392-444-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4396-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-469-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4536-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-643-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2680 fxfxrlf.exe 2036 vpjdv.exe 2264 rrlllrr.exe 1692 tbnhtt.exe 2040 rfllllf.exe 1380 1xfxffx.exe 2464 1tnnhn.exe 4148 rrxxxxr.exe 5020 nhhhbb.exe 628 rrffffx.exe 1248 nbbbtt.exe 4952 vddpj.exe 3964 5ffxrrl.exe 2872 1fxrrrl.exe 112 jjpjd.exe 1800 vpvvp.exe 3636 xfxxrrr.exe 4372 bttthn.exe 4224 pvddj.exe 2384 vdddd.exe 2196 fllxrrl.exe 5048 9hhbbb.exe 2228 dvppp.exe 1016 ddvdv.exe 3568 vvjdd.exe 2700 hnntbh.exe 1356 bhbbtt.exe 4556 vdddv.exe 2208 1hnhbh.exe 1360 vjppj.exe 1556 pvjjj.exe 2212 7rlllll.exe 4388 xrxxrxx.exe 2032 9pvvj.exe 4752 jjppj.exe 2444 rrxxrll.exe 120 tnbtnt.exe 4628 5jvvv.exe 3652 llrlllf.exe 4928 7vppp.exe 3120 dpvvj.exe 3536 xfrxrxf.exe 1152 tthhhh.exe 1944 hthnhh.exe 1388 rrxxrrr.exe 4764 tbnhhh.exe 4392 dvdvp.exe 4724 fflfrxf.exe 3672 bhhhbb.exe 2680 ttnnnn.exe 2176 llrrrxr.exe 2788 xlfffff.exe 4380 thhhhh.exe 2060 vdvjj.exe 2840 xrlfxrl.exe 3252 hnbbbb.exe 3336 jpjjj.exe 2216 1vddd.exe 2484 xxxxrxx.exe 3888 tbbbtt.exe 3428 vdvvp.exe 3452 fffxrrl.exe 3980 tbtnhh.exe 1288 bntnnn.exe -
resource yara_rule behavioral2/memory/4028-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4148-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1800-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2700-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4556-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-174-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2212-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1388-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2680-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2788-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2384-342-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1532-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2672-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4392-444-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4396-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-469-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4536-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-643-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note: entries attributed to "Process not Found" below are registry opens the sandbox could not tie to a live process (the process had already exited); the signature is recorded for the chain as a whole, not per named executable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlrlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs. Note: every entry below pairs a parent PID with the child it launches next (compare the Processes tree), so these writes reflect the sequential spawn chain rather than injection into an unrelated process.
description pid Process procid_target PID 4028 wrote to memory of 2680 4028 9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe 83 PID 4028 wrote to memory of 2680 4028 9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe 83 PID 4028 wrote to memory of 2680 4028 9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe 83 PID 2680 wrote to memory of 2036 2680 fxfxrlf.exe 84 PID 2680 wrote to memory of 2036 2680 fxfxrlf.exe 84 PID 2680 wrote to memory of 2036 2680 fxfxrlf.exe 84 PID 2036 wrote to memory of 2264 2036 vpjdv.exe 85 PID 2036 wrote to memory of 2264 2036 vpjdv.exe 85 PID 2036 wrote to memory of 2264 2036 vpjdv.exe 85 PID 2264 wrote to memory of 1692 2264 rrlllrr.exe 86 PID 2264 wrote to memory of 1692 2264 rrlllrr.exe 86 PID 2264 wrote to memory of 1692 2264 rrlllrr.exe 86 PID 1692 wrote to memory of 2040 1692 tbnhtt.exe 87 PID 1692 wrote to memory of 2040 1692 tbnhtt.exe 87 PID 1692 wrote to memory of 2040 1692 tbnhtt.exe 87 PID 2040 wrote to memory of 1380 2040 rfllllf.exe 88 PID 2040 wrote to memory of 1380 2040 rfllllf.exe 88 PID 2040 wrote to memory of 1380 2040 rfllllf.exe 88 PID 1380 wrote to memory of 2464 1380 1xfxffx.exe 89 PID 1380 wrote to memory of 2464 1380 1xfxffx.exe 89 PID 1380 wrote to memory of 2464 1380 1xfxffx.exe 89 PID 2464 wrote to memory of 4148 2464 1tnnhn.exe 90 PID 2464 wrote to memory of 4148 2464 1tnnhn.exe 90 PID 2464 wrote to memory of 4148 2464 1tnnhn.exe 90 PID 4148 wrote to memory of 5020 4148 rrxxxxr.exe 91 PID 4148 wrote to memory of 5020 4148 rrxxxxr.exe 91 PID 4148 wrote to memory of 5020 4148 rrxxxxr.exe 91 PID 5020 wrote to memory of 628 5020 nhhhbb.exe 92 PID 5020 wrote to memory of 628 5020 nhhhbb.exe 92 PID 5020 wrote to memory of 628 5020 nhhhbb.exe 92 PID 628 wrote to memory of 1248 628 rrffffx.exe 93 PID 628 wrote to memory of 1248 628 rrffffx.exe 93 PID 628 wrote to memory of 1248 628 rrffffx.exe 93 PID 1248 wrote to memory of 4952 1248 nbbbtt.exe 94 PID 1248 
wrote to memory of 4952 1248 nbbbtt.exe 94 PID 1248 wrote to memory of 4952 1248 nbbbtt.exe 94 PID 4952 wrote to memory of 3964 4952 vddpj.exe 95 PID 4952 wrote to memory of 3964 4952 vddpj.exe 95 PID 4952 wrote to memory of 3964 4952 vddpj.exe 95 PID 3964 wrote to memory of 2872 3964 5ffxrrl.exe 96 PID 3964 wrote to memory of 2872 3964 5ffxrrl.exe 96 PID 3964 wrote to memory of 2872 3964 5ffxrrl.exe 96 PID 2872 wrote to memory of 112 2872 1fxrrrl.exe 97 PID 2872 wrote to memory of 112 2872 1fxrrrl.exe 97 PID 2872 wrote to memory of 112 2872 1fxrrrl.exe 97 PID 112 wrote to memory of 1800 112 jjpjd.exe 98 PID 112 wrote to memory of 1800 112 jjpjd.exe 98 PID 112 wrote to memory of 1800 112 jjpjd.exe 98 PID 1800 wrote to memory of 3636 1800 vpvvp.exe 99 PID 1800 wrote to memory of 3636 1800 vpvvp.exe 99 PID 1800 wrote to memory of 3636 1800 vpvvp.exe 99 PID 3636 wrote to memory of 4372 3636 xfxxrrr.exe 100 PID 3636 wrote to memory of 4372 3636 xfxxrrr.exe 100 PID 3636 wrote to memory of 4372 3636 xfxxrrr.exe 100 PID 4372 wrote to memory of 4224 4372 bttthn.exe 101 PID 4372 wrote to memory of 4224 4372 bttthn.exe 101 PID 4372 wrote to memory of 4224 4372 bttthn.exe 101 PID 4224 wrote to memory of 2384 4224 pvddj.exe 102 PID 4224 wrote to memory of 2384 4224 pvddj.exe 102 PID 4224 wrote to memory of 2384 4224 pvddj.exe 102 PID 2384 wrote to memory of 2196 2384 vdddd.exe 103 PID 2384 wrote to memory of 2196 2384 vdddd.exe 103 PID 2384 wrote to memory of 2196 2384 vdddd.exe 103 PID 2196 wrote to memory of 5048 2196 fllxrrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe"C:\Users\Admin\AppData\Local\Temp\9de1bf678148219cda08ebc34bd4b69fc9c98c5ac63c0439d08b3d6004d5f8dc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2680 -
\??\c:\vpjdv.exec:\vpjdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\rrlllrr.exec:\rrlllrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\tbnhtt.exec:\tbnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692 -
\??\c:\rfllllf.exec:\rfllllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\1xfxffx.exec:\1xfxffx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\1tnnhn.exec:\1tnnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\rrxxxxr.exec:\rrxxxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\nhhhbb.exec:\nhhhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
\??\c:\rrffffx.exec:\rrffffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\nbbbtt.exec:\nbbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\vddpj.exec:\vddpj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\5ffxrrl.exec:\5ffxrrl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964 -
\??\c:\1fxrrrl.exec:\1fxrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\jjpjd.exec:\jjpjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\vpvvp.exec:\vpvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\xfxxrrr.exec:\xfxxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3636 -
\??\c:\bttthn.exec:\bttthn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\pvddj.exec:\pvddj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\vdddd.exec:\vdddd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\fllxrrl.exec:\fllxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196 -
\??\c:\9hhbbb.exec:\9hhbbb.exe23⤵
- Executes dropped EXE
PID:5048 -
\??\c:\dvppp.exec:\dvppp.exe24⤵
- Executes dropped EXE
PID:2228 -
\??\c:\ddvdv.exec:\ddvdv.exe25⤵
- Executes dropped EXE
PID:1016 -
\??\c:\vvjdd.exec:\vvjdd.exe26⤵
- Executes dropped EXE
PID:3568 -
\??\c:\hnntbh.exec:\hnntbh.exe27⤵
- Executes dropped EXE
PID:2700 -
\??\c:\bhbbtt.exec:\bhbbtt.exe28⤵
- Executes dropped EXE
PID:1356 -
\??\c:\vdddv.exec:\vdddv.exe29⤵
- Executes dropped EXE
PID:4556 -
\??\c:\1hnhbh.exec:\1hnhbh.exe30⤵
- Executes dropped EXE
PID:2208 -
\??\c:\vjppj.exec:\vjppj.exe31⤵
- Executes dropped EXE
PID:1360 -
\??\c:\pvjjj.exec:\pvjjj.exe32⤵
- Executes dropped EXE
PID:1556 -
\??\c:\7rlllll.exec:\7rlllll.exe33⤵
- Executes dropped EXE
PID:2212 -
\??\c:\xrxxrxx.exec:\xrxxrxx.exe34⤵
- Executes dropped EXE
PID:4388 -
\??\c:\9pvvj.exec:\9pvvj.exe35⤵
- Executes dropped EXE
PID:2032 -
\??\c:\jjppj.exec:\jjppj.exe36⤵
- Executes dropped EXE
PID:4752 -
\??\c:\rrxxrll.exec:\rrxxrll.exe37⤵
- Executes dropped EXE
PID:2444 -
\??\c:\tnbtnt.exec:\tnbtnt.exe38⤵
- Executes dropped EXE
PID:120 -
\??\c:\5jvvv.exec:\5jvvv.exe39⤵
- Executes dropped EXE
PID:4628 -
\??\c:\llrlllf.exec:\llrlllf.exe40⤵
- Executes dropped EXE
PID:3652 -
\??\c:\7vppp.exec:\7vppp.exe41⤵
- Executes dropped EXE
PID:4928 -
\??\c:\dpvvj.exec:\dpvvj.exe42⤵
- Executes dropped EXE
PID:3120 -
\??\c:\xfrxrxf.exec:\xfrxrxf.exe43⤵
- Executes dropped EXE
PID:3536 -
\??\c:\tthhhh.exec:\tthhhh.exe44⤵
- Executes dropped EXE
PID:1152 -
\??\c:\hthnhh.exec:\hthnhh.exe45⤵
- Executes dropped EXE
PID:1944 -
\??\c:\rrxxrrr.exec:\rrxxrrr.exe46⤵
- Executes dropped EXE
PID:1388 -
\??\c:\tbnhhh.exec:\tbnhhh.exe47⤵
- Executes dropped EXE
PID:4764 -
\??\c:\dvdvp.exec:\dvdvp.exe48⤵
- Executes dropped EXE
PID:4392 -
\??\c:\fflfrxf.exec:\fflfrxf.exe49⤵
- Executes dropped EXE
PID:4724 -
\??\c:\bhhhbb.exec:\bhhhbb.exe50⤵
- Executes dropped EXE
PID:3672 -
\??\c:\ttnnnn.exec:\ttnnnn.exe51⤵
- Executes dropped EXE
PID:2680 -
\??\c:\llrrrxr.exec:\llrrrxr.exe52⤵
- Executes dropped EXE
PID:2176 -
\??\c:\xlfffff.exec:\xlfffff.exe53⤵
- Executes dropped EXE
PID:2788 -
\??\c:\thhhhh.exec:\thhhhh.exe54⤵
- Executes dropped EXE
PID:4380 -
\??\c:\vdvjj.exec:\vdvjj.exe55⤵
- Executes dropped EXE
PID:2060 -
\??\c:\xrlfxrl.exec:\xrlfxrl.exe56⤵
- Executes dropped EXE
PID:2840 -
\??\c:\hnbbbb.exec:\hnbbbb.exe57⤵
- Executes dropped EXE
PID:3252 -
\??\c:\jpjjj.exec:\jpjjj.exe58⤵
- Executes dropped EXE
PID:3336 -
\??\c:\1vddd.exec:\1vddd.exe59⤵
- Executes dropped EXE
PID:2216 -
\??\c:\xxxxrxx.exec:\xxxxrxx.exe60⤵
- Executes dropped EXE
PID:2484 -
\??\c:\tbbbtt.exec:\tbbbtt.exe61⤵
- Executes dropped EXE
PID:3888 -
\??\c:\vdvvp.exec:\vdvvp.exe62⤵
- Executes dropped EXE
PID:3428 -
\??\c:\fffxrrl.exec:\fffxrrl.exe63⤵
- Executes dropped EXE
PID:3452 -
\??\c:\tbtnhh.exec:\tbtnhh.exe64⤵
- Executes dropped EXE
PID:3980 -
\??\c:\bntnnn.exec:\bntnnn.exe65⤵
- Executes dropped EXE
PID:1288 -
\??\c:\vdpjv.exec:\vdpjv.exe66⤵PID:2620
-
\??\c:\fxfffrr.exec:\fxfffrr.exe67⤵PID:4936
-
\??\c:\hntnnn.exec:\hntnnn.exe68⤵PID:4420
-
\??\c:\pjpjj.exec:\pjpjj.exe69⤵
- System Location Discovery: System Language Discovery
PID:4036 -
\??\c:\7lrrxxl.exec:\7lrrxxl.exe70⤵PID:1532
-
\??\c:\hthbbb.exec:\hthbbb.exe71⤵PID:1800
-
\??\c:\pjpjd.exec:\pjpjd.exe72⤵PID:1376
-
\??\c:\3dvjp.exec:\3dvjp.exe73⤵PID:2684
-
\??\c:\5rxfxxr.exec:\5rxfxxr.exe74⤵PID:2600
-
\??\c:\httnhh.exec:\httnhh.exe75⤵PID:5112
-
\??\c:\dvdvp.exec:\dvdvp.exe76⤵PID:680
-
\??\c:\djddv.exec:\djddv.exe77⤵PID:2384
-
\??\c:\ffxxrrf.exec:\ffxxrrf.exe78⤵PID:5056
-
\??\c:\bntttn.exec:\bntttn.exe79⤵PID:3700
-
\??\c:\vvjdj.exec:\vvjdj.exe80⤵PID:4232
-
\??\c:\3rlfflf.exec:\3rlfflf.exe81⤵PID:2672
-
\??\c:\bhnbbt.exec:\bhnbbt.exe82⤵PID:604
-
\??\c:\hhbbhb.exec:\hhbbhb.exe83⤵PID:2968
-
\??\c:\vvvpd.exec:\vvvpd.exe84⤵PID:3568
-
\??\c:\ffllxxr.exec:\ffllxxr.exe85⤵PID:4772
-
\??\c:\tbbnnt.exec:\tbbnnt.exe86⤵PID:3580
-
\??\c:\bhhhhh.exec:\bhhhhh.exe87⤵PID:704
-
\??\c:\jjdjj.exec:\jjdjj.exe88⤵PID:1976
-
\??\c:\xxxlfrr.exec:\xxxlfrr.exe89⤵PID:2824
-
\??\c:\thnnhh.exec:\thnnhh.exe90⤵PID:4308
-
\??\c:\bbbttt.exec:\bbbttt.exe91⤵PID:1696
-
\??\c:\3vjjj.exec:\3vjjj.exe92⤵PID:3856
-
\??\c:\rxxrfxr.exec:\rxxrfxr.exe93⤵PID:2784
-
\??\c:\nnnhhh.exec:\nnnhhh.exe94⤵PID:2308
-
\??\c:\vjpjd.exec:\vjpjd.exe95⤵PID:2008
-
\??\c:\jvpjv.exec:\jvpjv.exe96⤵PID:4248
-
\??\c:\ffxlfrf.exec:\ffxlfrf.exe97⤵PID:2444
-
\??\c:\nhhbnh.exec:\nhhbnh.exe98⤵PID:120
-
\??\c:\pvdvj.exec:\pvdvj.exe99⤵PID:4628
-
\??\c:\xlfxrfx.exec:\xlfxrfx.exe100⤵PID:2888
-
\??\c:\fxlffff.exec:\fxlffff.exe101⤵PID:3268
-
\??\c:\ttttbh.exec:\ttttbh.exe102⤵PID:4704
-
\??\c:\jdjdv.exec:\jdjdv.exe103⤵PID:4944
-
\??\c:\rrlxlfr.exec:\rrlxlfr.exe104⤵PID:548
-
\??\c:\tttnnh.exec:\tttnnh.exe105⤵PID:2624
-
\??\c:\dpjdd.exec:\dpjdd.exe106⤵PID:3088
-
\??\c:\ddpjd.exec:\ddpjd.exe107⤵PID:4356
-
\??\c:\xrrfxrf.exec:\xrrfxrf.exe108⤵PID:4480
-
\??\c:\bttnhh.exec:\bttnhh.exe109⤵PID:4392
-
\??\c:\dddpp.exec:\dddpp.exe110⤵PID:3316
-
\??\c:\frrfxrx.exec:\frrfxrx.exe111⤵PID:3532
-
\??\c:\hnhnbt.exec:\hnhnbt.exe112⤵PID:2680
-
\??\c:\bnntnh.exec:\bnntnh.exe113⤵PID:4396
-
\??\c:\jvvjv.exec:\jvvjv.exe114⤵PID:2268
-
\??\c:\xlxrllf.exec:\xlxrllf.exe115⤵PID:3644
-
\??\c:\rxrlrrl.exec:\rxrlrrl.exe116⤵PID:4128
-
\??\c:\tntnnn.exec:\tntnnn.exe117⤵PID:4800
-
\??\c:\djjvj.exec:\djjvj.exe118⤵PID:3252
-
\??\c:\7xlrrxr.exec:\7xlrrxr.exe119⤵PID:4504
-
\??\c:\nnnnbb.exec:\nnnnbb.exe120⤵PID:216
-
\??\c:\hbhbbb.exec:\hbhbbb.exe121⤵PID:1256
-
\??\c:\dvpjj.exec:\dvpjj.exe122⤵PID:5020