Analysis
-
max time kernel
120s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 21:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe
-
Size
454KB
-
MD5
0b078ebacccd07d787dbd40129f6ff72
-
SHA1
5a338e27970c3d7c9a47bd6a6ea281eee5e94e95
-
SHA256
4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3
-
SHA512
7be103f8ae92e0e721c948a00884d583a90481997d52856482dd184878c521e57f67433854d932a113b732cc08e541d037e4550cd9776202851db12b76f93a7f
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe4:q7Tc2NYHUrAwfMp3CD4
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/3444-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4620-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3092-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2708-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1556-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3040-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3960-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5028-304-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4844-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4892-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4948-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4780-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/964-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3640-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2364-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-325-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2184-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1924-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-222-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3824-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/468-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-78-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-480-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3484-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-639-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2396-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3608-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2868-1029-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4620 xrffxxx.exe 3092 3tbttb.exe 936 pppjv.exe 2456 htbtnn.exe 4904 pjdpj.exe 1856 dvpdv.exe 3888 llllfff.exe 2832 htbhbb.exe 3196 ppjdv.exe 4700 jdpjp.exe 4848 fxxrlfx.exe 4768 bbttnn.exe 808 9vvvp.exe 4208 rffxlfx.exe 4512 rlfxxxl.exe 3556 xxxxlrl.exe 4348 rxxrlfx.exe 2604 dvdjj.exe 2708 7pvpj.exe 4628 7rxfxrx.exe 1500 7nhhbh.exe 468 djpjd.exe 1556 jppjv.exe 1216 bhbbbb.exe 3372 7nnhnn.exe 1708 fxlrrrl.exe 3984 hbtnnn.exe 3628 1vvjd.exe 2944 3ppjv.exe 5008 1rrrfxr.exe 3040 bnhbtn.exe 4340 bnbthn.exe 3824 9jpdp.exe 4648 xxrlxxl.exe 224 nhhhbn.exe 948 hthnbt.exe 3216 jpvdp.exe 3588 rxxlxlf.exe 1396 xffrrxx.exe 1384 9tthtt.exe 4824 3pjdp.exe 3052 rllfxxl.exe 2624 flrlffx.exe 3220 httnhh.exe 1860 dpvjv.exe 3960 xlrlfxr.exe 184 rlfrfrf.exe 3736 hhtthh.exe 2052 djjvd.exe 1004 5flxrlx.exe 3996 fxfrlfl.exe 5044 tnhbtt.exe 2704 ppvpd.exe 4860 5ddjd.exe 3608 lrrlxxr.exe 1924 3hnbbt.exe 936 htnntn.exe 3840 5pvpd.exe 1796 rfrrrrx.exe 4712 frfxrxx.exe 3056 bthbtn.exe 1156 jvpvp.exe 4936 jdvvj.exe 1648 fxrlflf.exe -
resource yara_rule behavioral2/memory/3444-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4620-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3092-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2708-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3960-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4844-308-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4892-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4948-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/736-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/964-421-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3640-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2364-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-325-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1924-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3608-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3824-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/468-134-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2604-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2396-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3484-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-639-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnntn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxlxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbtbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djjvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnnhb.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bnnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxlllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3444 wrote to memory of 4620 3444 4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe 84 PID 3444 wrote to memory of 4620 3444 4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe 84 PID 3444 wrote to memory of 4620 3444 4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe 84 PID 4620 wrote to memory of 3092 4620 xrffxxx.exe 85 PID 4620 wrote to memory of 3092 4620 xrffxxx.exe 85 PID 4620 wrote to memory of 3092 4620 xrffxxx.exe 85 PID 3092 wrote to memory of 936 3092 3tbttb.exe 140 PID 3092 wrote to memory of 936 3092 3tbttb.exe 140 PID 3092 wrote to memory of 936 3092 3tbttb.exe 140 PID 936 wrote to memory of 2456 936 pppjv.exe 87 PID 936 wrote to memory of 2456 936 pppjv.exe 87 PID 936 wrote to memory of 2456 936 pppjv.exe 87 PID 2456 wrote to memory of 4904 2456 htbtnn.exe 88 PID 2456 wrote to memory of 4904 2456 htbtnn.exe 88 PID 2456 wrote to memory of 4904 2456 htbtnn.exe 88 PID 4904 wrote to memory of 1856 4904 pjdpj.exe 89 PID 4904 wrote to memory of 1856 4904 pjdpj.exe 89 PID 4904 wrote to memory of 1856 4904 pjdpj.exe 89 PID 1856 wrote to memory of 3888 1856 dvpdv.exe 90 PID 1856 wrote to memory of 3888 1856 dvpdv.exe 90 PID 1856 wrote to memory of 3888 1856 dvpdv.exe 90 PID 3888 wrote to memory of 2832 3888 llllfff.exe 91 PID 3888 wrote to memory of 2832 3888 llllfff.exe 91 PID 3888 wrote to memory of 2832 3888 llllfff.exe 91 PID 2832 wrote to memory of 3196 2832 htbhbb.exe 92 PID 2832 wrote to memory of 3196 2832 htbhbb.exe 92 PID 2832 wrote to memory of 3196 2832 htbhbb.exe 92 PID 3196 wrote to memory of 4700 3196 ppjdv.exe 93 PID 3196 wrote to memory of 4700 3196 ppjdv.exe 93 PID 3196 wrote to memory of 4700 3196 ppjdv.exe 93 PID 4700 wrote to memory of 4848 4700 jdpjp.exe 94 PID 4700 wrote to memory of 4848 4700 jdpjp.exe 94 PID 4700 wrote to memory of 4848 4700 jdpjp.exe 94 PID 4848 wrote to memory of 4768 4848 fxxrlfx.exe 95 PID 4848 wrote to memory of 4768 
4848 fxxrlfx.exe 95 PID 4848 wrote to memory of 4768 4848 fxxrlfx.exe 95 PID 4768 wrote to memory of 808 4768 bbttnn.exe 96 PID 4768 wrote to memory of 808 4768 bbttnn.exe 96 PID 4768 wrote to memory of 808 4768 bbttnn.exe 96 PID 808 wrote to memory of 4208 808 9vvvp.exe 97 PID 808 wrote to memory of 4208 808 9vvvp.exe 97 PID 808 wrote to memory of 4208 808 9vvvp.exe 97 PID 4208 wrote to memory of 4512 4208 rffxlfx.exe 98 PID 4208 wrote to memory of 4512 4208 rffxlfx.exe 98 PID 4208 wrote to memory of 4512 4208 rffxlfx.exe 98 PID 4512 wrote to memory of 3556 4512 rlfxxxl.exe 99 PID 4512 wrote to memory of 3556 4512 rlfxxxl.exe 99 PID 4512 wrote to memory of 3556 4512 rlfxxxl.exe 99 PID 3556 wrote to memory of 4348 3556 xxxxlrl.exe 100 PID 3556 wrote to memory of 4348 3556 xxxxlrl.exe 100 PID 3556 wrote to memory of 4348 3556 xxxxlrl.exe 100 PID 4348 wrote to memory of 2604 4348 rxxrlfx.exe 101 PID 4348 wrote to memory of 2604 4348 rxxrlfx.exe 101 PID 4348 wrote to memory of 2604 4348 rxxrlfx.exe 101 PID 2604 wrote to memory of 2708 2604 dvdjj.exe 102 PID 2604 wrote to memory of 2708 2604 dvdjj.exe 102 PID 2604 wrote to memory of 2708 2604 dvdjj.exe 102 PID 2708 wrote to memory of 4628 2708 7pvpj.exe 103 PID 2708 wrote to memory of 4628 2708 7pvpj.exe 103 PID 2708 wrote to memory of 4628 2708 7pvpj.exe 103 PID 4628 wrote to memory of 1500 4628 7rxfxrx.exe 104 PID 4628 wrote to memory of 1500 4628 7rxfxrx.exe 104 PID 4628 wrote to memory of 1500 4628 7rxfxrx.exe 104 PID 1500 wrote to memory of 468 1500 7nhhbh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe"C:\Users\Admin\AppData\Local\Temp\4774cfef21ad142cf345438ef1feb500216a958ac7d2f11fe0b88abfb69386d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3444 -
\??\c:\xrffxxx.exec:\xrffxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\3tbttb.exec:\3tbttb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\pppjv.exec:\pppjv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\htbtnn.exec:\htbtnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\pjdpj.exec:\pjdpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\dvpdv.exec:\dvpdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\llllfff.exec:\llllfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\htbhbb.exec:\htbhbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832 -
\??\c:\ppjdv.exec:\ppjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\jdpjp.exec:\jdpjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4700 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\bbttnn.exec:\bbttnn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\9vvvp.exec:\9vvvp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\rffxlfx.exec:\rffxlfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\rlfxxxl.exec:\rlfxxxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\xxxxlrl.exec:\xxxxlrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\dvdjj.exec:\dvdjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\7pvpj.exec:\7pvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\7rxfxrx.exec:\7rxfxrx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\7nhhbh.exec:\7nhhbh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500 -
\??\c:\djpjd.exec:\djpjd.exe23⤵
- Executes dropped EXE
PID:468 -
\??\c:\jppjv.exec:\jppjv.exe24⤵
- Executes dropped EXE
PID:1556 -
\??\c:\bhbbbb.exec:\bhbbbb.exe25⤵
- Executes dropped EXE
PID:1216 -
\??\c:\7nnhnn.exec:\7nnhnn.exe26⤵
- Executes dropped EXE
PID:3372 -
\??\c:\fxlrrrl.exec:\fxlrrrl.exe27⤵
- Executes dropped EXE
PID:1708 -
\??\c:\hbtnnn.exec:\hbtnnn.exe28⤵
- Executes dropped EXE
PID:3984 -
\??\c:\1vvjd.exec:\1vvjd.exe29⤵
- Executes dropped EXE
PID:3628 -
\??\c:\3ppjv.exec:\3ppjv.exe30⤵
- Executes dropped EXE
PID:2944 -
\??\c:\1rrrfxr.exec:\1rrrfxr.exe31⤵
- Executes dropped EXE
PID:5008 -
\??\c:\bnhbtn.exec:\bnhbtn.exe32⤵
- Executes dropped EXE
PID:3040 -
\??\c:\bnbthn.exec:\bnbthn.exe33⤵
- Executes dropped EXE
PID:4340 -
\??\c:\9jpdp.exec:\9jpdp.exe34⤵
- Executes dropped EXE
PID:3824 -
\??\c:\xxrlxxl.exec:\xxrlxxl.exe35⤵
- Executes dropped EXE
PID:4648 -
\??\c:\nhhhbn.exec:\nhhhbn.exe36⤵
- Executes dropped EXE
PID:224 -
\??\c:\hthnbt.exec:\hthnbt.exe37⤵
- Executes dropped EXE
PID:948 -
\??\c:\jpvdp.exec:\jpvdp.exe38⤵
- Executes dropped EXE
PID:3216 -
\??\c:\rxxlxlf.exec:\rxxlxlf.exe39⤵
- Executes dropped EXE
PID:3588 -
\??\c:\xffrrxx.exec:\xffrrxx.exe40⤵
- Executes dropped EXE
PID:1396 -
\??\c:\9tthtt.exec:\9tthtt.exe41⤵
- Executes dropped EXE
PID:1384 -
\??\c:\3pjdp.exec:\3pjdp.exe42⤵
- Executes dropped EXE
PID:4824 -
\??\c:\rllfxxl.exec:\rllfxxl.exe43⤵
- Executes dropped EXE
PID:3052 -
\??\c:\flrlffx.exec:\flrlffx.exe44⤵
- Executes dropped EXE
PID:2624 -
\??\c:\httnhh.exec:\httnhh.exe45⤵
- Executes dropped EXE
PID:3220 -
\??\c:\dpvjv.exec:\dpvjv.exe46⤵
- Executes dropped EXE
PID:1860 -
\??\c:\xlrlfxr.exec:\xlrlfxr.exe47⤵
- Executes dropped EXE
PID:3960 -
\??\c:\rlfrfrf.exec:\rlfrfrf.exe48⤵
- Executes dropped EXE
PID:184 -
\??\c:\hhtthh.exec:\hhtthh.exe49⤵
- Executes dropped EXE
PID:3736 -
\??\c:\djjvd.exec:\djjvd.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052 -
\??\c:\5flxrlx.exec:\5flxrlx.exe51⤵
- Executes dropped EXE
PID:1004 -
\??\c:\fxfrlfl.exec:\fxfrlfl.exe52⤵
- Executes dropped EXE
PID:3996 -
\??\c:\tnhbtt.exec:\tnhbtt.exe53⤵
- Executes dropped EXE
PID:5044 -
\??\c:\ppvpd.exec:\ppvpd.exe54⤵
- Executes dropped EXE
PID:2704 -
\??\c:\5ddjd.exec:\5ddjd.exe55⤵
- Executes dropped EXE
PID:4860 -
\??\c:\lrrlxxr.exec:\lrrlxxr.exe56⤵
- Executes dropped EXE
PID:3608 -
\??\c:\3hnbbt.exec:\3hnbbt.exe57⤵
- Executes dropped EXE
PID:1924 -
\??\c:\htnntn.exec:\htnntn.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
\??\c:\5pvpd.exec:\5pvpd.exe59⤵
- Executes dropped EXE
PID:3840 -
\??\c:\rfrrrrx.exec:\rfrrrrx.exe60⤵
- Executes dropped EXE
PID:1796 -
\??\c:\frfxrxx.exec:\frfxrxx.exe61⤵
- Executes dropped EXE
PID:4712 -
\??\c:\bthbtn.exec:\bthbtn.exe62⤵
- Executes dropped EXE
PID:3056 -
\??\c:\jvpvp.exec:\jvpvp.exe63⤵
- Executes dropped EXE
PID:1156 -
\??\c:\jdvvj.exec:\jdvvj.exe64⤵
- Executes dropped EXE
PID:4936 -
\??\c:\fxrlflf.exec:\fxrlflf.exe65⤵
- Executes dropped EXE
PID:1648 -
\??\c:\tntnnn.exec:\tntnnn.exe66⤵PID:5028
-
\??\c:\5djdv.exec:\5djdv.exe67⤵PID:4844
-
\??\c:\5vpjd.exec:\5vpjd.exe68⤵PID:2184
-
\??\c:\fflfxxr.exec:\fflfxxr.exe69⤵PID:2396
-
\??\c:\7tbtbb.exec:\7tbtbb.exe70⤵PID:980
-
\??\c:\nnnntt.exec:\nnnntt.exe71⤵PID:808
-
\??\c:\djjdv.exec:\djjdv.exe72⤵PID:400
-
\??\c:\vvvvp.exec:\vvvvp.exe73⤵PID:1268
-
\??\c:\5rlfffx.exec:\5rlfffx.exe74⤵PID:3928
-
\??\c:\hnthbb.exec:\hnthbb.exe75⤵PID:4892
-
\??\c:\nnhtnt.exec:\nnhtnt.exe76⤵PID:4436
-
\??\c:\7dddd.exec:\7dddd.exe77⤵PID:1088
-
\??\c:\rfrlfff.exec:\rfrlfff.exe78⤵PID:4948
-
\??\c:\xxfxrrx.exec:\xxfxrrx.exe79⤵
- System Location Discovery: System Language Discovery
PID:2940 -
\??\c:\bnnhhh.exec:\bnnhhh.exe80⤵PID:4172
-
\??\c:\5nnhhh.exec:\5nnhhh.exe81⤵PID:736
-
\??\c:\pvdvd.exec:\pvdvd.exe82⤵PID:4780
-
\??\c:\xfxxllf.exec:\xfxxllf.exe83⤵PID:3720
-
\??\c:\5fxrrrr.exec:\5fxrrrr.exe84⤵PID:2552
-
\??\c:\hhhbbb.exec:\hhhbbb.exe85⤵
- System Location Discovery: System Language Discovery
PID:2936 -
\??\c:\djpjp.exec:\djpjp.exe86⤵PID:3372
-
\??\c:\vpdpd.exec:\vpdpd.exe87⤵PID:1676
-
\??\c:\frxrlff.exec:\frxrlff.exe88⤵PID:2232
-
\??\c:\7thbbb.exec:\7thbbb.exe89⤵PID:3540
-
\??\c:\5tbtbb.exec:\5tbtbb.exe90⤵PID:4652
-
\??\c:\jjdvp.exec:\jjdvp.exe91⤵PID:2364
-
\??\c:\5vvpp.exec:\5vvpp.exe92⤵PID:1472
-
\??\c:\lxfrlrl.exec:\lxfrlrl.exe93⤵PID:3532
-
\??\c:\fxxrrlf.exec:\fxxrrlf.exe94⤵PID:4340
-
\??\c:\5ntnhh.exec:\5ntnhh.exe95⤵PID:3824
-
\??\c:\7dpjd.exec:\7dpjd.exe96⤵PID:3744
-
\??\c:\jjjdd.exec:\jjjdd.exe97⤵PID:224
-
\??\c:\xrrrlll.exec:\xrrrlll.exe98⤵PID:628
-
\??\c:\1rlllff.exec:\1rlllff.exe99⤵PID:4588
-
\??\c:\hhhbnn.exec:\hhhbnn.exe100⤵PID:3216
-
\??\c:\bnhhbb.exec:\bnhhbb.exe101⤵PID:964
-
\??\c:\3vvvp.exec:\3vvvp.exe102⤵PID:3640
-
\??\c:\lfxxrll.exec:\lfxxrll.exe103⤵PID:952
-
\??\c:\frfxxxf.exec:\frfxxxf.exe104⤵PID:2112
-
\??\c:\bbhbhh.exec:\bbhbhh.exe105⤵PID:4140
-
\??\c:\pjpjj.exec:\pjpjj.exe106⤵PID:1660
-
\??\c:\ddvpp.exec:\ddvpp.exe107⤵PID:2624
-
\??\c:\rllfxxr.exec:\rllfxxr.exe108⤵PID:2236
-
\??\c:\tnnnhh.exec:\tnnnhh.exe109⤵PID:4900
-
\??\c:\hhhbtn.exec:\hhhbtn.exe110⤵PID:4644
-
\??\c:\5vjdj.exec:\5vjdj.exe111⤵PID:4968
-
\??\c:\xfrlllr.exec:\xfrlllr.exe112⤵PID:2328
-
\??\c:\htbttt.exec:\htbttt.exe113⤵PID:5016
-
\??\c:\dvdvv.exec:\dvdvv.exe114⤵PID:2052
-
\??\c:\3lrlffx.exec:\3lrlffx.exe115⤵PID:2860
-
\??\c:\7bbtnt.exec:\7bbtnt.exe116⤵PID:3996
-
\??\c:\7pjpj.exec:\7pjpj.exe117⤵PID:4476
-
\??\c:\7xxrrxr.exec:\7xxrrxr.exe118⤵PID:2704
-
\??\c:\tbnhhn.exec:\tbnhhn.exe119⤵PID:2148
-
\??\c:\tnnhnb.exec:\tnnhnb.exe120⤵PID:3608
-
\??\c:\rlrllxx.exec:\rlrllxx.exe121⤵PID:4896
-
\??\c:\jdjjd.exec:\jdjjd.exe122⤵PID:4020