Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 05:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe
-
Size
456KB
-
MD5
3ffe60842436bfaf2ed6518cc3168a65
-
SHA1
ca384ddd1b715a366d8586e4147139e289922de8
-
SHA256
feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea
-
SHA512
3aa3437cbb0b124a8224306bce01bdeb85e677f7ca4a5181c85e0e7610d606da529be5886fcc640533d80ac8deec62726c89eee447efbaeabce089e65d2989f7
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4376-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2024-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1532-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2104-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4204-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3248-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4532-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2576-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4632-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/416-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2088-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4152-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-315-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3232-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4868-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1452-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3964-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-649-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-676-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-747-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3760-763-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3812-902-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4344-933-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-958-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2168-1218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4416 thhbbb.exe 3492 jdjdj.exe 1256 xrlrlxr.exe 3780 hntttn.exe 2736 pjppv.exe 400 lfxrlfx.exe 2024 1lrlflf.exe 4160 thnhbt.exe 1532 lfxfllr.exe 2712 pjjjp.exe 4432 xxxrrrl.exe 2104 dvpjj.exe 1488 xxlfrff.exe 2300 hnttnn.exe 4848 frxlxrl.exe 4204 ppjvj.exe 2276 fxxrllf.exe 2644 vjjdv.exe 1112 vjvjj.exe 4828 9thtnh.exe 4592 jvvjd.exe 1452 tbhtth.exe 1636 xllxllx.exe 3248 dvvpv.exe 2992 jdvjv.exe 2340 lrfxxfl.exe 4532 nttnbt.exe 952 3jvdv.exe 4172 3pjvj.exe 2964 frllxlf.exe 4916 nbtnbt.exe 3464 rxrrllf.exe 1160 ddjvj.exe 1388 vppdp.exe 1944 tnnhhb.exe 2096 thhbhb.exe 3528 dppdp.exe 2536 fllrxrf.exe 2576 nhtntn.exe 4872 jvvpv.exe 1364 lxfxllf.exe 4256 btbbtt.exe 4632 bhbnbt.exe 1572 pvjvp.exe 2760 nhnbhn.exe 3936 nbhtth.exe 4032 5pvpp.exe 1852 9xrlxrl.exe 416 hnnnhh.exe 4464 hbbnbn.exe 2332 vjjvd.exe 876 rlxrflf.exe 4512 btbtnt.exe 3492 pdvjv.exe 2412 frrfrlx.exe 4560 tbhbnn.exe 2088 rrxrfxx.exe 3928 bntbbb.exe 400 pddvj.exe 4152 frfrfrl.exe 4996 htbtnn.exe 3756 hnntht.exe 5100 jvdpp.exe 1656 rffrfrf.exe -
resource yara_rule behavioral2/memory/4376-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2024-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4204-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3248-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-176-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4916-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2576-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4632-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/416-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2088-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1452-360-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1920-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-396-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-649-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-710-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-747-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3760-763-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3812-902-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4376 wrote to memory of 4416 4376 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 82 PID 4376 wrote to memory of 4416 4376 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 82 PID 4376 wrote to memory of 4416 4376 feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe 82 PID 4416 wrote to memory of 3492 4416 thhbbb.exe 83 PID 4416 wrote to memory of 3492 4416 thhbbb.exe 83 PID 4416 wrote to memory of 3492 4416 thhbbb.exe 83 PID 3492 wrote to memory of 1256 3492 jdjdj.exe 84 PID 3492 wrote to memory of 1256 3492 jdjdj.exe 84 PID 3492 wrote to memory of 1256 3492 jdjdj.exe 84 PID 1256 wrote to memory of 3780 1256 xrlrlxr.exe 85 PID 1256 wrote to memory of 3780 1256 xrlrlxr.exe 85 PID 1256 wrote to memory of 3780 1256 xrlrlxr.exe 85 PID 3780 wrote to memory of 2736 3780 hntttn.exe 86 PID 3780 wrote to memory of 2736 3780 hntttn.exe 86 PID 3780 wrote to memory of 2736 3780 hntttn.exe 86 PID 2736 wrote to memory of 400 2736 pjppv.exe 87 PID 2736 wrote to memory of 400 2736 pjppv.exe 87 PID 2736 wrote to memory of 400 2736 pjppv.exe 87 PID 400 wrote to memory of 2024 400 lfxrlfx.exe 88 PID 400 wrote to memory of 2024 400 lfxrlfx.exe 88 PID 400 wrote to memory of 2024 400 lfxrlfx.exe 88 PID 2024 wrote to memory of 4160 2024 1lrlflf.exe 89 PID 2024 wrote to memory of 4160 2024 1lrlflf.exe 89 PID 2024 wrote to memory of 4160 2024 1lrlflf.exe 89 PID 4160 wrote to memory of 1532 4160 thnhbt.exe 90 PID 4160 wrote to memory of 1532 4160 thnhbt.exe 90 PID 4160 wrote to memory of 1532 4160 thnhbt.exe 90 PID 1532 wrote to memory of 2712 1532 lfxfllr.exe 91 PID 1532 wrote to memory of 2712 1532 lfxfllr.exe 91 PID 1532 wrote to memory of 2712 1532 lfxfllr.exe 91 PID 2712 wrote to memory of 4432 2712 pjjjp.exe 92 PID 2712 wrote to memory of 4432 2712 pjjjp.exe 92 PID 2712 wrote to memory of 4432 2712 pjjjp.exe 92 PID 4432 wrote to memory of 2104 4432 xxxrrrl.exe 93 PID 4432 wrote to memory 
of 2104 4432 xxxrrrl.exe 93 PID 4432 wrote to memory of 2104 4432 xxxrrrl.exe 93 PID 2104 wrote to memory of 1488 2104 dvpjj.exe 94 PID 2104 wrote to memory of 1488 2104 dvpjj.exe 94 PID 2104 wrote to memory of 1488 2104 dvpjj.exe 94 PID 1488 wrote to memory of 2300 1488 xxlfrff.exe 95 PID 1488 wrote to memory of 2300 1488 xxlfrff.exe 95 PID 1488 wrote to memory of 2300 1488 xxlfrff.exe 95 PID 2300 wrote to memory of 4848 2300 hnttnn.exe 96 PID 2300 wrote to memory of 4848 2300 hnttnn.exe 96 PID 2300 wrote to memory of 4848 2300 hnttnn.exe 96 PID 4848 wrote to memory of 4204 4848 frxlxrl.exe 97 PID 4848 wrote to memory of 4204 4848 frxlxrl.exe 97 PID 4848 wrote to memory of 4204 4848 frxlxrl.exe 97 PID 4204 wrote to memory of 2276 4204 ppjvj.exe 98 PID 4204 wrote to memory of 2276 4204 ppjvj.exe 98 PID 4204 wrote to memory of 2276 4204 ppjvj.exe 98 PID 2276 wrote to memory of 2644 2276 fxxrllf.exe 99 PID 2276 wrote to memory of 2644 2276 fxxrllf.exe 99 PID 2276 wrote to memory of 2644 2276 fxxrllf.exe 99 PID 2644 wrote to memory of 1112 2644 vjjdv.exe 100 PID 2644 wrote to memory of 1112 2644 vjjdv.exe 100 PID 2644 wrote to memory of 1112 2644 vjjdv.exe 100 PID 1112 wrote to memory of 4828 1112 vjvjj.exe 101 PID 1112 wrote to memory of 4828 1112 vjvjj.exe 101 PID 1112 wrote to memory of 4828 1112 vjvjj.exe 101 PID 4828 wrote to memory of 4592 4828 9thtnh.exe 102 PID 4828 wrote to memory of 4592 4828 9thtnh.exe 102 PID 4828 wrote to memory of 4592 4828 9thtnh.exe 102 PID 4592 wrote to memory of 1452 4592 jvvjd.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"C:\Users\Admin\AppData\Local\Temp\feed4859ef174d9fd2228e20ba8750985c186d3c92f7e6a99c6b9b479ed9d0ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\thhbbb.exec:\thhbbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\jdjdj.exec:\jdjdj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\xrlrlxr.exec:\xrlrlxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1256 -
\??\c:\hntttn.exec:\hntttn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
\??\c:\pjppv.exec:\pjppv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2736 -
\??\c:\lfxrlfx.exec:\lfxrlfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\1lrlflf.exec:\1lrlflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2024 -
\??\c:\thnhbt.exec:\thnhbt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160 -
\??\c:\lfxfllr.exec:\lfxfllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1532 -
\??\c:\pjjjp.exec:\pjjjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4432 -
\??\c:\dvpjj.exec:\dvpjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\xxlfrff.exec:\xxlfrff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\hnttnn.exec:\hnttnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2300 -
\??\c:\frxlxrl.exec:\frxlxrl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\ppjvj.exec:\ppjvj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204 -
\??\c:\fxxrllf.exec:\fxxrllf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\vjjdv.exec:\vjjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
\??\c:\vjvjj.exec:\vjvjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
\??\c:\9thtnh.exec:\9thtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\jvvjd.exec:\jvvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\tbhtth.exec:\tbhtth.exe23⤵
- Executes dropped EXE
PID:1452 -
\??\c:\xllxllx.exec:\xllxllx.exe24⤵
- Executes dropped EXE
PID:1636 -
\??\c:\dvvpv.exec:\dvvpv.exe25⤵
- Executes dropped EXE
PID:3248 -
\??\c:\jdvjv.exec:\jdvjv.exe26⤵
- Executes dropped EXE
PID:2992 -
\??\c:\lrfxxfl.exec:\lrfxxfl.exe27⤵
- Executes dropped EXE
PID:2340 -
\??\c:\nttnbt.exec:\nttnbt.exe28⤵
- Executes dropped EXE
PID:4532 -
\??\c:\3jvdv.exec:\3jvdv.exe29⤵
- Executes dropped EXE
PID:952 -
\??\c:\3pjvj.exec:\3pjvj.exe30⤵
- Executes dropped EXE
PID:4172 -
\??\c:\frllxlf.exec:\frllxlf.exe31⤵
- Executes dropped EXE
PID:2964 -
\??\c:\nbtnbt.exec:\nbtnbt.exe32⤵
- Executes dropped EXE
PID:4916 -
\??\c:\rxrrllf.exec:\rxrrllf.exe33⤵
- Executes dropped EXE
PID:3464 -
\??\c:\ddjvj.exec:\ddjvj.exe34⤵
- Executes dropped EXE
PID:1160 -
\??\c:\vppdp.exec:\vppdp.exe35⤵
- Executes dropped EXE
PID:1388 -
\??\c:\tnnhhb.exec:\tnnhhb.exe36⤵
- Executes dropped EXE
PID:1944 -
\??\c:\thhbhb.exec:\thhbhb.exe37⤵
- Executes dropped EXE
PID:2096 -
\??\c:\dppdp.exec:\dppdp.exe38⤵
- Executes dropped EXE
PID:3528 -
\??\c:\fllrxrf.exec:\fllrxrf.exe39⤵
- Executes dropped EXE
PID:2536 -
\??\c:\nhtntn.exec:\nhtntn.exe40⤵
- Executes dropped EXE
PID:2576 -
\??\c:\jvvpv.exec:\jvvpv.exe41⤵
- Executes dropped EXE
PID:4872 -
\??\c:\lxfxllf.exec:\lxfxllf.exe42⤵
- Executes dropped EXE
PID:1364 -
\??\c:\btbbtt.exec:\btbbtt.exe43⤵
- Executes dropped EXE
PID:4256 -
\??\c:\bhbnbt.exec:\bhbnbt.exe44⤵
- Executes dropped EXE
PID:4632 -
\??\c:\pvjvp.exec:\pvjvp.exe45⤵
- Executes dropped EXE
PID:1572 -
\??\c:\nhnbhn.exec:\nhnbhn.exe46⤵
- Executes dropped EXE
PID:2760 -
\??\c:\nbhtth.exec:\nbhtth.exe47⤵
- Executes dropped EXE
PID:3936 -
\??\c:\5pvpp.exec:\5pvpp.exe48⤵
- Executes dropped EXE
PID:4032 -
\??\c:\9xrlxrl.exec:\9xrlxrl.exe49⤵
- Executes dropped EXE
PID:1852 -
\??\c:\hnnnhh.exec:\hnnnhh.exe50⤵
- Executes dropped EXE
PID:416 -
\??\c:\hbbnbn.exec:\hbbnbn.exe51⤵
- Executes dropped EXE
PID:4464 -
\??\c:\vjjvd.exec:\vjjvd.exe52⤵
- Executes dropped EXE
PID:2332 -
\??\c:\rlxrflf.exec:\rlxrflf.exe53⤵
- Executes dropped EXE
PID:876 -
\??\c:\btbtnt.exec:\btbtnt.exe54⤵
- Executes dropped EXE
PID:4512 -
\??\c:\pdvjv.exec:\pdvjv.exe55⤵
- Executes dropped EXE
PID:3492 -
\??\c:\frrfrlx.exec:\frrfrlx.exe56⤵
- Executes dropped EXE
PID:2412 -
\??\c:\tbhbnn.exec:\tbhbnn.exe57⤵
- Executes dropped EXE
PID:4560 -
\??\c:\rrxrfxx.exec:\rrxrfxx.exe58⤵
- Executes dropped EXE
PID:2088 -
\??\c:\bntbbb.exec:\bntbbb.exe59⤵
- Executes dropped EXE
PID:3928 -
\??\c:\pddvj.exec:\pddvj.exe60⤵
- Executes dropped EXE
PID:400 -
\??\c:\frfrfrl.exec:\frfrfrl.exe61⤵
- Executes dropped EXE
PID:4152 -
\??\c:\htbtnn.exec:\htbtnn.exe62⤵
- Executes dropped EXE
PID:4996 -
\??\c:\hnntht.exec:\hnntht.exe63⤵
- Executes dropped EXE
PID:3756 -
\??\c:\jvdpp.exec:\jvdpp.exe64⤵
- Executes dropped EXE
PID:5100 -
\??\c:\rffrfrf.exec:\rffrfrf.exe65⤵
- Executes dropped EXE
PID:1656 -
\??\c:\htnbnb.exec:\htnbnb.exe66⤵PID:3872
-
\??\c:\ttthht.exec:\ttthht.exe67⤵PID:1188
-
\??\c:\jppdv.exec:\jppdv.exe68⤵PID:1936
-
\??\c:\rfrflll.exec:\rfrflll.exe69⤵PID:4268
-
\??\c:\lfrllll.exec:\lfrllll.exe70⤵PID:1152
-
\??\c:\bhthbt.exec:\bhthbt.exe71⤵PID:4012
-
\??\c:\vddpj.exec:\vddpj.exe72⤵PID:1588
-
\??\c:\1ffrlrf.exec:\1ffrlrf.exe73⤵PID:4988
-
\??\c:\nhnbnb.exec:\nhnbnb.exe74⤵PID:112
-
\??\c:\pppjp.exec:\pppjp.exe75⤵PID:1584
-
\??\c:\ddpdv.exec:\ddpdv.exe76⤵PID:3232
-
\??\c:\frxffxl.exec:\frxffxl.exe77⤵PID:1756
-
\??\c:\ttnbnh.exec:\ttnbnh.exe78⤵PID:4868
-
\??\c:\bnnnht.exec:\bnnnht.exe79⤵PID:4120
-
\??\c:\vvdvp.exec:\vvdvp.exe80⤵PID:1112
-
\??\c:\1ffrflx.exec:\1ffrflx.exe81⤵PID:5092
-
\??\c:\tnbnbt.exec:\tnbnbt.exe82⤵PID:3768
-
\??\c:\dvjvv.exec:\dvjvv.exe83⤵PID:2912
-
\??\c:\pddpj.exec:\pddpj.exe84⤵PID:1452
-
\??\c:\frxxllf.exec:\frxxllf.exe85⤵PID:2556
-
\??\c:\rlxrfxr.exec:\rlxrfxr.exe86⤵PID:1004
-
\??\c:\ntbnbn.exec:\ntbnbn.exe87⤵PID:3852
-
\??\c:\7tnbtn.exec:\7tnbtn.exe88⤵PID:1920
-
\??\c:\jjjdp.exec:\jjjdp.exe89⤵PID:2604
-
\??\c:\xrxrrrl.exec:\xrxrrrl.exe90⤵PID:3016
-
\??\c:\nhhbtt.exec:\nhhbtt.exe91⤵PID:4400
-
\??\c:\jvddp.exec:\jvddp.exe92⤵PID:4508
-
\??\c:\3rflxrf.exec:\3rflxrf.exe93⤵PID:3456
-
\??\c:\btthht.exec:\btthht.exe94⤵PID:3108
-
\??\c:\bbhtnh.exec:\bbhtnh.exe95⤵PID:1816
-
\??\c:\jpvjv.exec:\jpvjv.exe96⤵PID:4180
-
\??\c:\rxxlxlx.exec:\rxxlxlx.exe97⤵PID:3080
-
\??\c:\bnbttn.exec:\bnbttn.exe98⤵PID:764
-
\??\c:\jjjdv.exec:\jjjdv.exe99⤵PID:2640
-
\??\c:\1rrfrlx.exec:\1rrfrlx.exe100⤵PID:1748
-
\??\c:\rflfrrl.exec:\rflfrrl.exe101⤵PID:4736
-
\??\c:\thnhbt.exec:\thnhbt.exe102⤵PID:2272
-
\??\c:\jpppp.exec:\jpppp.exe103⤵PID:4356
-
\??\c:\lxfxrll.exec:\lxfxrll.exe104⤵PID:4084
-
\??\c:\lrrfrfr.exec:\lrrfrfr.exe105⤵
- System Location Discovery: System Language Discovery
PID:4104 -
\??\c:\bhnhbb.exec:\bhnhbb.exe106⤵PID:3600
-
\??\c:\3vpdp.exec:\3vpdp.exe107⤵PID:2384
-
\??\c:\5rxrrlf.exec:\5rxrrlf.exe108⤵PID:3236
-
\??\c:\hhhtbt.exec:\hhhtbt.exe109⤵PID:1564
-
\??\c:\nhbnhh.exec:\nhbnhh.exe110⤵PID:3964
-
\??\c:\9jdpd.exec:\9jdpd.exe111⤵PID:1664
-
\??\c:\dppdp.exec:\dppdp.exe112⤵PID:3696
-
\??\c:\rrxrllf.exec:\rrxrllf.exe113⤵PID:1104
-
\??\c:\btbttt.exec:\btbttt.exe114⤵PID:4472
-
\??\c:\dvpdd.exec:\dvpdd.exe115⤵PID:4144
-
\??\c:\frrfrlx.exec:\frrfrlx.exe116⤵PID:5024
-
\??\c:\3ffxrrl.exec:\3ffxrrl.exe117⤵PID:3588
-
\??\c:\btnbnh.exec:\btnbnh.exe118⤵PID:1700
-
\??\c:\9ppjd.exec:\9ppjd.exe119⤵PID:3660
-
\??\c:\fxxrlff.exec:\fxxrlff.exe120⤵
- System Location Discovery: System Language Discovery
PID:1256 -
\??\c:\thbthb.exec:\thbthb.exe121⤵PID:3228
-
\??\c:\3bbntn.exec:\3bbntn.exe122⤵PID:2648