Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe
-
Size
456KB
-
MD5
ef605d78c631dabd16caf4ab30a2f35b
-
SHA1
70aadb02d97141f354336789fc56b0d44adcd88a
-
SHA256
06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6
-
SHA512
fe906cccfa82877760b48a394996fa5c04aaf6f6fef0336ef93d5659b545d22f829dd0d52b7c49445e1cc641324e1ed33359f147da86b9a4b514e5f88eba1a28
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRS:q7Tc2NYHUrAwfMp3CDRS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4804-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/748-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2416-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4804-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4112-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4376-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2780-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3108-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4192-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3732-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4108-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2016-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/612-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3332-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1088-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2076-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4288-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2412-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3728-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4816-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1816-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1552-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1276-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-359-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3564-367-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4368-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2028-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-409-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3804-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-573-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-604-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-638-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-847-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-938-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3780-991-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4804 vvpjj.exe 2416 xfffxxr.exe 4516 ntthbb.exe 4088 pvddv.exe 516 lxxxrrx.exe 4112 lxxxrxx.exe 4376 hthntb.exe 4816 rlxrfxr.exe 3612 1tntnb.exe 2780 ffrrrxf.exe 3108 bbhbtn.exe 2136 fxrllff.exe 1132 lllllll.exe 4192 7bhbbb.exe 2464 vvdvv.exe 2432 thhbtn.exe 3088 3bttnt.exe 4128 ffxlffx.exe 2244 xllffxr.exe 3732 bntttn.exe 2624 ffffxff.exe 2156 nthbtt.exe 4108 vjdvp.exe 1056 ffxrlxr.exe 4452 vppjj.exe 2016 rflfxrr.exe 4320 jvddv.exe 4116 1xfxllf.exe 612 pvddj.exe 3332 ppddp.exe 2372 llfxrrf.exe 3752 xxxffxf.exe 1088 7dvvp.exe 2076 xxxxlfx.exe 4828 xrxrrll.exe 5080 xrxrllf.exe 2984 thtnhh.exe 4860 jvvvv.exe 2664 1frlxfr.exe 4616 xllffrf.exe 4808 hhhhht.exe 4764 jjjdj.exe 4288 djpjd.exe 1732 xxllrrx.exe 1000 tnbthb.exe 4864 dpjjd.exe 2412 fxxrrrr.exe 1960 ttbtnt.exe 1164 bbbttt.exe 1028 dpjdv.exe 3728 3rrrlrl.exe 2420 7hnhbb.exe 536 9pvpj.exe 2724 vppjd.exe 3012 xrxllll.exe 3916 thnnhn.exe 4816 vpppd.exe 2052 vppjd.exe 2240 7rxrrrr.exe 2548 nnthnn.exe 1968 vpvpd.exe 4072 llrxflr.exe 4688 5hhhbb.exe 3668 3dvpj.exe -
resource yara_rule behavioral2/memory/4804-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/748-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2416-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4112-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4376-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2780-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3108-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4192-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3732-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-147-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2016-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/612-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3332-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1088-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2076-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2412-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3728-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4816-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1552-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1276-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2196-359-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1204-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3564-367-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4368-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2028-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3804-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-573-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-604-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-638-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-676-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-788-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7vvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 748 wrote to memory of 4804 748 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 82 PID 748 wrote to memory of 4804 748 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 82 PID 748 wrote to memory of 4804 748 06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe 82 PID 4804 wrote to memory of 2416 4804 vvpjj.exe 83 PID 4804 wrote to memory of 2416 4804 vvpjj.exe 83 PID 4804 wrote to memory of 2416 4804 vvpjj.exe 83 PID 2416 wrote to memory of 4516 2416 xfffxxr.exe 84 PID 2416 wrote to memory of 4516 2416 xfffxxr.exe 84 PID 2416 wrote to memory of 4516 2416 xfffxxr.exe 84 PID 4516 wrote to memory of 4088 4516 ntthbb.exe 85 PID 4516 wrote to memory of 4088 4516 ntthbb.exe 85 PID 4516 wrote to memory of 4088 4516 ntthbb.exe 85 PID 4088 wrote to memory of 516 4088 pvddv.exe 86 PID 4088 wrote to memory of 516 4088 pvddv.exe 86 PID 4088 wrote to memory of 516 4088 pvddv.exe 86 PID 516 wrote to memory of 4112 516 lxxxrrx.exe 87 PID 516 wrote to memory of 4112 516 lxxxrrx.exe 87 PID 516 wrote to memory of 4112 516 lxxxrrx.exe 87 PID 4112 wrote to memory of 4376 4112 lxxxrxx.exe 88 PID 4112 wrote to memory of 4376 4112 lxxxrxx.exe 88 PID 4112 wrote to memory of 4376 4112 lxxxrxx.exe 88 PID 4376 wrote to memory of 4816 4376 hthntb.exe 89 PID 4376 wrote to memory of 4816 4376 hthntb.exe 89 PID 4376 wrote to memory of 4816 4376 hthntb.exe 89 PID 4816 wrote to memory of 3612 4816 rlxrfxr.exe 90 PID 4816 wrote to memory of 3612 4816 rlxrfxr.exe 90 PID 4816 wrote to memory of 3612 4816 rlxrfxr.exe 90 PID 3612 wrote to memory of 2780 3612 1tntnb.exe 91 PID 3612 wrote to memory of 2780 3612 1tntnb.exe 91 PID 3612 wrote to memory of 2780 3612 1tntnb.exe 91 PID 2780 wrote to memory of 3108 2780 ffrrrxf.exe 92 PID 2780 wrote to memory of 3108 2780 ffrrrxf.exe 92 PID 2780 wrote to memory of 3108 2780 ffrrrxf.exe 92 PID 3108 wrote to memory of 2136 3108 bbhbtn.exe 93 PID 3108 wrote to memory 
of 2136 3108 bbhbtn.exe 93 PID 3108 wrote to memory of 2136 3108 bbhbtn.exe 93 PID 2136 wrote to memory of 1132 2136 fxrllff.exe 94 PID 2136 wrote to memory of 1132 2136 fxrllff.exe 94 PID 2136 wrote to memory of 1132 2136 fxrllff.exe 94 PID 1132 wrote to memory of 4192 1132 lllllll.exe 95 PID 1132 wrote to memory of 4192 1132 lllllll.exe 95 PID 1132 wrote to memory of 4192 1132 lllllll.exe 95 PID 4192 wrote to memory of 2464 4192 7bhbbb.exe 96 PID 4192 wrote to memory of 2464 4192 7bhbbb.exe 96 PID 4192 wrote to memory of 2464 4192 7bhbbb.exe 96 PID 2464 wrote to memory of 2432 2464 vvdvv.exe 97 PID 2464 wrote to memory of 2432 2464 vvdvv.exe 97 PID 2464 wrote to memory of 2432 2464 vvdvv.exe 97 PID 2432 wrote to memory of 3088 2432 thhbtn.exe 98 PID 2432 wrote to memory of 3088 2432 thhbtn.exe 98 PID 2432 wrote to memory of 3088 2432 thhbtn.exe 98 PID 3088 wrote to memory of 4128 3088 3bttnt.exe 99 PID 3088 wrote to memory of 4128 3088 3bttnt.exe 99 PID 3088 wrote to memory of 4128 3088 3bttnt.exe 99 PID 4128 wrote to memory of 2244 4128 ffxlffx.exe 100 PID 4128 wrote to memory of 2244 4128 ffxlffx.exe 100 PID 4128 wrote to memory of 2244 4128 ffxlffx.exe 100 PID 2244 wrote to memory of 3732 2244 xllffxr.exe 101 PID 2244 wrote to memory of 3732 2244 xllffxr.exe 101 PID 2244 wrote to memory of 3732 2244 xllffxr.exe 101 PID 3732 wrote to memory of 2624 3732 bntttn.exe 102 PID 3732 wrote to memory of 2624 3732 bntttn.exe 102 PID 3732 wrote to memory of 2624 3732 bntttn.exe 102 PID 2624 wrote to memory of 2156 2624 ffffxff.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe"C:\Users\Admin\AppData\Local\Temp\06ce0a4723aea353ca28112322d9733caaaea946b51c8683221ac636a57a83f6.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:748 -
\??\c:\vvpjj.exec:\vvpjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804 -
\??\c:\xfffxxr.exec:\xfffxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\ntthbb.exec:\ntthbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
\??\c:\pvddv.exec:\pvddv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\lxxxrrx.exec:\lxxxrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\lxxxrxx.exec:\lxxxrxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
\??\c:\hthntb.exec:\hthntb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376 -
\??\c:\rlxrfxr.exec:\rlxrfxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
\??\c:\1tntnb.exec:\1tntnb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612 -
\??\c:\ffrrrxf.exec:\ffrrrxf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
\??\c:\bbhbtn.exec:\bbhbtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\fxrllff.exec:\fxrllff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
\??\c:\lllllll.exec:\lllllll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
\??\c:\7bhbbb.exec:\7bhbbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192 -
\??\c:\vvdvv.exec:\vvdvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\thhbtn.exec:\thhbtn.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\3bttnt.exec:\3bttnt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
\??\c:\ffxlffx.exec:\ffxlffx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\xllffxr.exec:\xllffxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244 -
\??\c:\bntttn.exec:\bntttn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732 -
\??\c:\ffffxff.exec:\ffffxff.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624 -
\??\c:\nthbtt.exec:\nthbtt.exe23⤵
- Executes dropped EXE
PID:2156 -
\??\c:\vjdvp.exec:\vjdvp.exe24⤵
- Executes dropped EXE
PID:4108 -
\??\c:\ffxrlxr.exec:\ffxrlxr.exe25⤵
- Executes dropped EXE
PID:1056 -
\??\c:\vppjj.exec:\vppjj.exe26⤵
- Executes dropped EXE
PID:4452 -
\??\c:\rflfxrr.exec:\rflfxrr.exe27⤵
- Executes dropped EXE
PID:2016 -
\??\c:\jvddv.exec:\jvddv.exe28⤵
- Executes dropped EXE
PID:4320 -
\??\c:\1xfxllf.exec:\1xfxllf.exe29⤵
- Executes dropped EXE
PID:4116 -
\??\c:\pvddj.exec:\pvddj.exe30⤵
- Executes dropped EXE
PID:612 -
\??\c:\ppddp.exec:\ppddp.exe31⤵
- Executes dropped EXE
PID:3332 -
\??\c:\llfxrrf.exec:\llfxrrf.exe32⤵
- Executes dropped EXE
PID:2372 -
\??\c:\xxxffxf.exec:\xxxffxf.exe33⤵
- Executes dropped EXE
PID:3752 -
\??\c:\7dvvp.exec:\7dvvp.exe34⤵
- Executes dropped EXE
PID:1088 -
\??\c:\xxxxlfx.exec:\xxxxlfx.exe35⤵
- Executes dropped EXE
PID:2076 -
\??\c:\xrxrrll.exec:\xrxrrll.exe36⤵
- Executes dropped EXE
PID:4828 -
\??\c:\xrxrllf.exec:\xrxrllf.exe37⤵
- Executes dropped EXE
PID:5080 -
\??\c:\thtnhh.exec:\thtnhh.exe38⤵
- Executes dropped EXE
PID:2984 -
\??\c:\jvvvv.exec:\jvvvv.exe39⤵
- Executes dropped EXE
PID:4860 -
\??\c:\1frlxfr.exec:\1frlxfr.exe40⤵
- Executes dropped EXE
PID:2664 -
\??\c:\xllffrf.exec:\xllffrf.exe41⤵
- Executes dropped EXE
PID:4616 -
\??\c:\hhhhht.exec:\hhhhht.exe42⤵
- Executes dropped EXE
PID:4808 -
\??\c:\jjjdj.exec:\jjjdj.exe43⤵
- Executes dropped EXE
PID:4764 -
\??\c:\djpjd.exec:\djpjd.exe44⤵
- Executes dropped EXE
PID:4288 -
\??\c:\xxllrrx.exec:\xxllrrx.exe45⤵
- Executes dropped EXE
PID:1732 -
\??\c:\tnbthb.exec:\tnbthb.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1000 -
\??\c:\dpjjd.exec:\dpjjd.exe47⤵
- Executes dropped EXE
PID:4864 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe48⤵
- Executes dropped EXE
PID:2412 -
\??\c:\ttbtnt.exec:\ttbtnt.exe49⤵
- Executes dropped EXE
PID:1960 -
\??\c:\bbbttt.exec:\bbbttt.exe50⤵
- Executes dropped EXE
PID:1164 -
\??\c:\dpjdv.exec:\dpjdv.exe51⤵
- Executes dropped EXE
PID:1028 -
\??\c:\3rrrlrl.exec:\3rrrlrl.exe52⤵
- Executes dropped EXE
PID:3728 -
\??\c:\7hnhbb.exec:\7hnhbb.exe53⤵
- Executes dropped EXE
PID:2420 -
\??\c:\9pvpj.exec:\9pvpj.exe54⤵
- Executes dropped EXE
PID:536 -
\??\c:\vppjd.exec:\vppjd.exe55⤵
- Executes dropped EXE
PID:2724 -
\??\c:\xrxllll.exec:\xrxllll.exe56⤵
- Executes dropped EXE
PID:3012 -
\??\c:\thnnhn.exec:\thnnhn.exe57⤵
- Executes dropped EXE
PID:3916 -
\??\c:\vpppd.exec:\vpppd.exe58⤵
- Executes dropped EXE
PID:4816 -
\??\c:\vppjd.exec:\vppjd.exe59⤵
- Executes dropped EXE
PID:2052 -
\??\c:\7rxrrrr.exec:\7rxrrrr.exe60⤵
- Executes dropped EXE
PID:2240 -
\??\c:\nnthnn.exec:\nnthnn.exe61⤵
- Executes dropped EXE
PID:2548 -
\??\c:\vpvpd.exec:\vpvpd.exe62⤵
- Executes dropped EXE
PID:1968 -
\??\c:\llrxflr.exec:\llrxflr.exe63⤵
- Executes dropped EXE
PID:4072 -
\??\c:\5hhhbb.exec:\5hhhbb.exe64⤵
- Executes dropped EXE
PID:4688 -
\??\c:\3dvpj.exec:\3dvpj.exe65⤵
- Executes dropped EXE
PID:3668 -
\??\c:\llrxllr.exec:\llrxllr.exe66⤵PID:1816
-
\??\c:\lllllll.exec:\lllllll.exe67⤵PID:724
-
\??\c:\hnnnnn.exec:\hnnnnn.exe68⤵PID:2060
-
\??\c:\jvvpp.exec:\jvvpp.exe69⤵PID:1336
-
\??\c:\5frrlll.exec:\5frrlll.exe70⤵PID:784
-
\??\c:\hbhhhh.exec:\hbhhhh.exe71⤵PID:1552
-
\??\c:\jvjjd.exec:\jvjjd.exe72⤵PID:1784
-
\??\c:\rrrllll.exec:\rrrllll.exe73⤵PID:2472
-
\??\c:\xlrrlll.exec:\xlrrlll.exe74⤵PID:2756
-
\??\c:\bttnnn.exec:\bttnnn.exe75⤵PID:1076
-
\??\c:\jpvvp.exec:\jpvvp.exe76⤵PID:900
-
\??\c:\pdjvp.exec:\pdjvp.exe77⤵PID:2396
-
\??\c:\xxlfxxr.exec:\xxlfxxr.exe78⤵PID:3092
-
\??\c:\htthbb.exec:\htthbb.exe79⤵PID:1276
-
\??\c:\pjppd.exec:\pjppd.exe80⤵PID:5112
-
\??\c:\xlxxrrl.exec:\xlxxrrl.exe81⤵PID:4868
-
\??\c:\hhnhbb.exec:\hhnhbb.exe82⤵PID:2196
-
\??\c:\hhhhbb.exec:\hhhhbb.exe83⤵PID:1204
-
\??\c:\9jjdd.exec:\9jjdd.exe84⤵PID:3564
-
\??\c:\fxlffrl.exec:\fxlffrl.exe85⤵PID:1764
-
\??\c:\btbtnn.exec:\btbtnn.exe86⤵PID:3512
-
\??\c:\pppdj.exec:\pppdj.exe87⤵PID:1772
-
\??\c:\rrfflfr.exec:\rrfflfr.exe88⤵PID:2552
-
\??\c:\hnbttt.exec:\hnbttt.exe89⤵PID:3968
-
\??\c:\5bnhbt.exec:\5bnhbt.exe90⤵PID:1852
-
\??\c:\9pvvp.exec:\9pvvp.exe91⤵PID:4772
-
\??\c:\lflfxrl.exec:\lflfxrl.exe92⤵PID:4368
-
\??\c:\bbhbhb.exec:\bbhbhb.exe93⤵PID:2024
-
\??\c:\bbnnnn.exec:\bbnnnn.exe94⤵PID:2028
-
\??\c:\dvpjd.exec:\dvpjd.exe95⤵PID:1992
-
\??\c:\xrlflfl.exec:\xrlflfl.exe96⤵PID:1120
-
\??\c:\bnbttt.exec:\bnbttt.exe97⤵PID:3064
-
\??\c:\nbhnhb.exec:\nbhnhb.exe98⤵PID:3460
-
\??\c:\pjjjd.exec:\pjjjd.exe99⤵PID:4808
-
\??\c:\lfrllll.exec:\lfrllll.exe100⤵PID:4764
-
\??\c:\lllllll.exec:\lllllll.exe101⤵PID:808
-
\??\c:\ttnnnh.exec:\ttnnnh.exe102⤵PID:1732
-
\??\c:\vjppj.exec:\vjppj.exe103⤵PID:4552
-
\??\c:\flrrxxr.exec:\flrrxxr.exe104⤵PID:2400
-
\??\c:\nhnnhb.exec:\nhnnhb.exe105⤵PID:4084
-
\??\c:\btbbbb.exec:\btbbbb.exe106⤵PID:3024
-
\??\c:\djjdj.exec:\djjdj.exe107⤵PID:4416
-
\??\c:\xrllffx.exec:\xrllffx.exe108⤵PID:2968
-
\??\c:\bbhbbt.exec:\bbhbbt.exe109⤵PID:5116
-
\??\c:\vppdv.exec:\vppdv.exe110⤵PID:516
-
\??\c:\xfffxxx.exec:\xfffxxx.exe111⤵PID:1272
-
\??\c:\bntnhh.exec:\bntnhh.exe112⤵PID:4872
-
\??\c:\dpddd.exec:\dpddd.exe113⤵PID:4444
-
\??\c:\dvdvj.exec:\dvdvj.exe114⤵PID:212
-
\??\c:\fllfffx.exec:\fllfffx.exe115⤵PID:3616
-
\??\c:\5tthhn.exec:\5tthhn.exe116⤵PID:2868
-
\??\c:\pjdjp.exec:\pjdjp.exe117⤵PID:4932
-
\??\c:\dvjdp.exec:\dvjdp.exe118⤵PID:2556
-
\??\c:\rlffxxr.exec:\rlffxxr.exe119⤵PID:3108
-
\??\c:\tnbtnn.exec:\tnbtnn.exe120⤵PID:2520
-
\??\c:\3jjdd.exec:\3jjdd.exe121⤵PID:2136
-
\??\c:\3flfxxr.exec:\3flfxxr.exe122⤵PID:1568
-