Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 00:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe
Resource
win7-20240708-en
7 signatures
120 seconds
General
-
Target
4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe
-
Size
453KB
-
MD5
4f357b27ab9739ac20f13a0830d31c52
-
SHA1
5f6d2b8a05f929bb2efff8b5fde77407ebc2ad95
-
SHA256
4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549
-
SHA512
4ccce45b677dd8eddaec2e6fac11b9d7bac08936d903c6cc690fd3034ce6263b75f7843e52492d0c9de98b89c7720bb2ce5554d9b36519882d904bc4c74a1dfe
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeo:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4640-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2924-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2160-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3020-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1904-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1048-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2580-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1064-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3884-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4248-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2492-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3112-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5012-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3788-338-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-396-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/784-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-417-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1432-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-488-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-498-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-505-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-512-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1508-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-663-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3628-864-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-883-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-1131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4672-1279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the listing below appears capped at 64 entries; the process tree further down shows more than 120 dropped executables, each launched from the drive root c:\, so treat this table as a sample rather than the full set)
pid Process 4188 hbbhbh.exe 2924 pvpdv.exe 4792 lfllfff.exe 4908 1thhnt.exe 3980 vdvpp.exe 116 hnhbtt.exe 2984 xxrllll.exe 5000 rlrrrrr.exe 2160 bbnhbb.exe 2284 hhbhbh.exe 2616 frrrrxr.exe 556 flllllx.exe 3312 djjjd.exe 2008 jjjjp.exe 4600 9ppvv.exe 1452 fffffff.exe 3012 9nhbtn.exe 2188 dpppp.exe 2464 lflrrrl.exe 3020 3bntnt.exe 4820 rfxxxxr.exe 4644 rxrrrrr.exe 380 dpvdd.exe 1904 ntnhhh.exe 3696 rrrrrrr.exe 4840 9nnntt.exe 1048 xxlxffl.exe 4324 5hbnnh.exe 4884 xxflxxf.exe 3204 jddpv.exe 4968 lflfffx.exe 4668 bnnhhh.exe 4472 vvdjj.exe 2580 bthhbb.exe 1064 rxxxfrl.exe 1520 thtnhh.exe 2792 djppp.exe 2508 nthhbb.exe 3884 thnbtn.exe 2180 ffxxxxf.exe 3888 hhbbtt.exe 1668 jjjjj.exe 2760 rfxfxfx.exe 2036 hhbhhh.exe 3616 vvvjj.exe 4248 lrrrlrl.exe 4860 hntnhh.exe 4336 jdvpj.exe 1624 llfxrlr.exe 3840 hnhnnn.exe 2740 jjpjj.exe 2492 jjvvp.exe 840 ffxrlfr.exe 4024 9hbbhn.exe 2184 pjvjv.exe 3424 xrrfxrf.exe 4424 xxrlrrx.exe 5004 thhnbt.exe 3112 5pjdv.exe 2288 rrrfxfx.exe 1880 ttbttb.exe 5048 jdvdv.exe 2496 fflfrrf.exe 3040 hbbbnn.exe -
resource yara_rule behavioral2/memory/4640-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2924-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2160-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4600-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3012-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1904-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1048-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2580-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1064-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3884-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4248-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2184-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3112-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5012-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1472-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-338-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-396-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/784-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-417-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1432-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-488-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-498-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-505-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-512-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1508-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-644-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-663-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that this signature fires solely on the NLS\Language registry key being opened, which legitimate software also does routinely, so on its own it is a low-confidence indicator; the "Process not Found" entries below mean the sandbox could not map the PID back to a process name at report time, presumably because that process had already exited (PIDs are visibly reused later in the process tree).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllll.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xffxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4640 wrote to memory of 4188 4640 4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe 83 PID 4640 wrote to memory of 4188 4640 4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe 83 PID 4640 wrote to memory of 4188 4640 4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe 83 PID 4188 wrote to memory of 2924 4188 hbbhbh.exe 84 PID 4188 wrote to memory of 2924 4188 hbbhbh.exe 84 PID 4188 wrote to memory of 2924 4188 hbbhbh.exe 84 PID 2924 wrote to memory of 4792 2924 pvpdv.exe 85 PID 2924 wrote to memory of 4792 2924 pvpdv.exe 85 PID 2924 wrote to memory of 4792 2924 pvpdv.exe 85 PID 4792 wrote to memory of 4908 4792 lfllfff.exe 86 PID 4792 wrote to memory of 4908 4792 lfllfff.exe 86 PID 4792 wrote to memory of 4908 4792 lfllfff.exe 86 PID 4908 wrote to memory of 3980 4908 1thhnt.exe 87 PID 4908 wrote to memory of 3980 4908 1thhnt.exe 87 PID 4908 wrote to memory of 3980 4908 1thhnt.exe 87 PID 3980 wrote to memory of 116 3980 vdvpp.exe 88 PID 3980 wrote to memory of 116 3980 vdvpp.exe 88 PID 3980 wrote to memory of 116 3980 vdvpp.exe 88 PID 116 wrote to memory of 2984 116 hnhbtt.exe 89 PID 116 wrote to memory of 2984 116 hnhbtt.exe 89 PID 116 wrote to memory of 2984 116 hnhbtt.exe 89 PID 2984 wrote to memory of 5000 2984 xxrllll.exe 90 PID 2984 wrote to memory of 5000 2984 xxrllll.exe 90 PID 2984 wrote to memory of 5000 2984 xxrllll.exe 90 PID 5000 wrote to memory of 2160 5000 rlrrrrr.exe 91 PID 5000 wrote to memory of 2160 5000 rlrrrrr.exe 91 PID 5000 wrote to memory of 2160 5000 rlrrrrr.exe 91 PID 2160 wrote to memory of 2284 2160 bbnhbb.exe 92 PID 2160 wrote to memory of 2284 2160 bbnhbb.exe 92 PID 2160 wrote to memory of 2284 2160 bbnhbb.exe 92 PID 2284 wrote to memory of 2616 2284 hhbhbh.exe 93 PID 2284 wrote to memory of 2616 2284 hhbhbh.exe 93 PID 2284 wrote to memory of 2616 2284 hhbhbh.exe 93 PID 2616 wrote to memory of 556 2616 frrrrxr.exe 94 PID 2616 wrote to memory 
of 556 2616 frrrrxr.exe 94 PID 2616 wrote to memory of 556 2616 frrrrxr.exe 94 PID 556 wrote to memory of 3312 556 flllllx.exe 95 PID 556 wrote to memory of 3312 556 flllllx.exe 95 PID 556 wrote to memory of 3312 556 flllllx.exe 95 PID 3312 wrote to memory of 2008 3312 djjjd.exe 96 PID 3312 wrote to memory of 2008 3312 djjjd.exe 96 PID 3312 wrote to memory of 2008 3312 djjjd.exe 96 PID 2008 wrote to memory of 4600 2008 jjjjp.exe 97 PID 2008 wrote to memory of 4600 2008 jjjjp.exe 97 PID 2008 wrote to memory of 4600 2008 jjjjp.exe 97 PID 4600 wrote to memory of 1452 4600 9ppvv.exe 98 PID 4600 wrote to memory of 1452 4600 9ppvv.exe 98 PID 4600 wrote to memory of 1452 4600 9ppvv.exe 98 PID 1452 wrote to memory of 3012 1452 fffffff.exe 99 PID 1452 wrote to memory of 3012 1452 fffffff.exe 99 PID 1452 wrote to memory of 3012 1452 fffffff.exe 99 PID 3012 wrote to memory of 2188 3012 9nhbtn.exe 100 PID 3012 wrote to memory of 2188 3012 9nhbtn.exe 100 PID 3012 wrote to memory of 2188 3012 9nhbtn.exe 100 PID 2188 wrote to memory of 2464 2188 dpppp.exe 101 PID 2188 wrote to memory of 2464 2188 dpppp.exe 101 PID 2188 wrote to memory of 2464 2188 dpppp.exe 101 PID 2464 wrote to memory of 3020 2464 lflrrrl.exe 102 PID 2464 wrote to memory of 3020 2464 lflrrrl.exe 102 PID 2464 wrote to memory of 3020 2464 lflrrrl.exe 102 PID 3020 wrote to memory of 4820 3020 3bntnt.exe 103 PID 3020 wrote to memory of 4820 3020 3bntnt.exe 103 PID 3020 wrote to memory of 4820 3020 3bntnt.exe 103 PID 4820 wrote to memory of 4644 4820 rfxxxxr.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe"C:\Users\Admin\AppData\Local\Temp\4b18b00528d5dcddf75e7d16106a481e5ae075ea41d7a423870df78b4ea34549.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\hbbhbh.exec:\hbbhbh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\pvpdv.exec:\pvpdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2924 -
\??\c:\lfllfff.exec:\lfllfff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\1thhnt.exec:\1thhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\vdvpp.exec:\vdvpp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\hnhbtt.exec:\hnhbtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
\??\c:\xxrllll.exec:\xxrllll.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\bbnhbb.exec:\bbnhbb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160 -
\??\c:\hhbhbh.exec:\hhbhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\frrrrxr.exec:\frrrrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\flllllx.exec:\flllllx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
\??\c:\djjjd.exec:\djjjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\jjjjp.exec:\jjjjp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\9ppvv.exec:\9ppvv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600 -
\??\c:\fffffff.exec:\fffffff.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
\??\c:\9nhbtn.exec:\9nhbtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\dpppp.exec:\dpppp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\lflrrrl.exec:\lflrrrl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
\??\c:\3bntnt.exec:\3bntnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020 -
\??\c:\rfxxxxr.exec:\rfxxxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\rxrrrrr.exec:\rxrrrrr.exe23⤵
- Executes dropped EXE
PID:4644 -
\??\c:\dpvdd.exec:\dpvdd.exe24⤵
- Executes dropped EXE
PID:380 -
\??\c:\ntnhhh.exec:\ntnhhh.exe25⤵
- Executes dropped EXE
PID:1904 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe26⤵
- Executes dropped EXE
PID:3696 -
\??\c:\9nnntt.exec:\9nnntt.exe27⤵
- Executes dropped EXE
PID:4840 -
\??\c:\xxlxffl.exec:\xxlxffl.exe28⤵
- Executes dropped EXE
PID:1048 -
\??\c:\5hbnnh.exec:\5hbnnh.exe29⤵
- Executes dropped EXE
PID:4324 -
\??\c:\xxflxxf.exec:\xxflxxf.exe30⤵
- Executes dropped EXE
PID:4884 -
\??\c:\jddpv.exec:\jddpv.exe31⤵
- Executes dropped EXE
PID:3204 -
\??\c:\lflfffx.exec:\lflfffx.exe32⤵
- Executes dropped EXE
PID:4968 -
\??\c:\bnnhhh.exec:\bnnhhh.exe33⤵
- Executes dropped EXE
PID:4668 -
\??\c:\vvdjj.exec:\vvdjj.exe34⤵
- Executes dropped EXE
PID:4472 -
\??\c:\bthhbb.exec:\bthhbb.exe35⤵
- Executes dropped EXE
PID:2580 -
\??\c:\rxxxfrl.exec:\rxxxfrl.exe36⤵
- Executes dropped EXE
PID:1064 -
\??\c:\thtnhh.exec:\thtnhh.exe37⤵
- Executes dropped EXE
PID:1520 -
\??\c:\djppp.exec:\djppp.exe38⤵
- Executes dropped EXE
PID:2792 -
\??\c:\nthhbb.exec:\nthhbb.exe39⤵
- Executes dropped EXE
PID:2508 -
\??\c:\thnbtn.exec:\thnbtn.exe40⤵
- Executes dropped EXE
PID:3884 -
\??\c:\ffxxxxf.exec:\ffxxxxf.exe41⤵
- Executes dropped EXE
PID:2180 -
\??\c:\hhbbtt.exec:\hhbbtt.exe42⤵
- Executes dropped EXE
PID:3888 -
\??\c:\jjjjj.exec:\jjjjj.exe43⤵
- Executes dropped EXE
PID:1668 -
\??\c:\rfxfxfx.exec:\rfxfxfx.exe44⤵
- Executes dropped EXE
PID:2760 -
\??\c:\hhbhhh.exec:\hhbhhh.exe45⤵
- Executes dropped EXE
PID:2036 -
\??\c:\vvvjj.exec:\vvvjj.exe46⤵
- Executes dropped EXE
PID:3616 -
\??\c:\lrrrlrl.exec:\lrrrlrl.exe47⤵
- Executes dropped EXE
PID:4248 -
\??\c:\hntnhh.exec:\hntnhh.exe48⤵
- Executes dropped EXE
PID:4860 -
\??\c:\jdvpj.exec:\jdvpj.exe49⤵
- Executes dropped EXE
PID:4336 -
\??\c:\llfxrlr.exec:\llfxrlr.exe50⤵
- Executes dropped EXE
PID:1624 -
\??\c:\hnhnnn.exec:\hnhnnn.exe51⤵
- Executes dropped EXE
PID:3840 -
\??\c:\jjpjj.exec:\jjpjj.exe52⤵
- Executes dropped EXE
PID:2740 -
\??\c:\jjvvp.exec:\jjvvp.exe53⤵
- Executes dropped EXE
PID:2492 -
\??\c:\ffxrlfr.exec:\ffxrlfr.exe54⤵
- Executes dropped EXE
PID:840 -
\??\c:\9hbbhn.exec:\9hbbhn.exe55⤵
- Executes dropped EXE
PID:4024 -
\??\c:\pjvjv.exec:\pjvjv.exe56⤵
- Executes dropped EXE
PID:2184 -
\??\c:\xrrfxrf.exec:\xrrfxrf.exe57⤵
- Executes dropped EXE
PID:3424 -
\??\c:\xxrlrrx.exec:\xxrlrrx.exe58⤵
- Executes dropped EXE
PID:4424 -
\??\c:\thhnbt.exec:\thhnbt.exe59⤵
- Executes dropped EXE
PID:5004 -
\??\c:\5pjdv.exec:\5pjdv.exe60⤵
- Executes dropped EXE
PID:3112 -
\??\c:\rrrfxfx.exec:\rrrfxfx.exe61⤵
- Executes dropped EXE
PID:2288 -
\??\c:\ttbttb.exec:\ttbttb.exe62⤵
- Executes dropped EXE
PID:1880 -
\??\c:\jdvdv.exec:\jdvdv.exe63⤵
- Executes dropped EXE
PID:5048 -
\??\c:\fflfrrf.exec:\fflfrrf.exe64⤵
- Executes dropped EXE
PID:2496 -
\??\c:\hbbbnn.exec:\hbbbnn.exe65⤵
- Executes dropped EXE
PID:3040 -
\??\c:\ttnhbt.exec:\ttnhbt.exe66⤵PID:4988
-
\??\c:\vjjdd.exec:\vjjdd.exe67⤵PID:388
-
\??\c:\lxrlffx.exec:\lxrlffx.exe68⤵PID:1200
-
\??\c:\9bnbtt.exec:\9bnbtt.exe69⤵PID:2052
-
\??\c:\jdjdd.exec:\jdjdd.exe70⤵PID:3684
-
\??\c:\pdjjd.exec:\pdjjd.exe71⤵PID:4304
-
\??\c:\lfllfxr.exec:\lfllfxr.exe72⤵PID:1980
-
\??\c:\3bthbb.exec:\3bthbb.exe73⤵PID:5012
-
\??\c:\jdvvj.exec:\jdvvj.exe74⤵PID:3008
-
\??\c:\1vdvd.exec:\1vdvd.exe75⤵PID:1472
-
\??\c:\3rxrfxf.exec:\3rxrfxf.exe76⤵PID:4720
-
\??\c:\nnhnhh.exec:\nnhnhh.exe77⤵PID:3788
-
\??\c:\djdjd.exec:\djdjd.exe78⤵PID:3896
-
\??\c:\xrxrrxx.exec:\xrxrrxx.exe79⤵PID:5020
-
\??\c:\btbbbb.exec:\btbbbb.exe80⤵PID:4040
-
\??\c:\vjjdd.exec:\vjjdd.exe81⤵PID:4956
-
\??\c:\7djdd.exec:\7djdd.exe82⤵PID:3492
-
\??\c:\nnnnnn.exec:\nnnnnn.exe83⤵PID:3856
-
\??\c:\tbbbtt.exec:\tbbbtt.exe84⤵PID:4440
-
\??\c:\vvdjd.exec:\vvdjd.exe85⤵PID:404
-
\??\c:\xrrfrlx.exec:\xrrfrlx.exe86⤵PID:3232
-
\??\c:\btbbtb.exec:\btbbtb.exe87⤵PID:4740
-
\??\c:\1jppj.exec:\1jppj.exe88⤵PID:1952
-
\??\c:\flrlfxr.exec:\flrlfxr.exe89⤵PID:1064
-
\??\c:\tbhhtt.exec:\tbhhtt.exe90⤵PID:3792
-
\??\c:\9vvpp.exec:\9vvpp.exe91⤵PID:2792
-
\??\c:\rxxrlll.exec:\rxxrlll.exe92⤵PID:2508
-
\??\c:\flrrrxl.exec:\flrrrxl.exe93⤵PID:4340
-
\??\c:\tbhhbb.exec:\tbhhbb.exe94⤵PID:2424
-
\??\c:\dvddd.exec:\dvddd.exe95⤵PID:2064
-
\??\c:\djjjd.exec:\djjjd.exe96⤵PID:1668
-
\??\c:\5flxrrx.exec:\5flxrrx.exe97⤵PID:784
-
\??\c:\tttnhh.exec:\tttnhh.exe98⤵PID:3280
-
\??\c:\7vjdd.exec:\7vjdd.exe99⤵PID:3308
-
\??\c:\fxxxxff.exec:\fxxxxff.exe100⤵PID:4908
-
\??\c:\btttnt.exec:\btttnt.exe101⤵PID:1052
-
\??\c:\pddvp.exec:\pddvp.exe102⤵PID:2204
-
\??\c:\rxlffxx.exec:\rxlffxx.exe103⤵PID:2612
-
\??\c:\ttttnn.exec:\ttttnn.exe104⤵
- System Location Discovery: System Language Discovery
PID:3268 -
\??\c:\djjdd.exec:\djjdd.exe105⤵PID:3864
-
\??\c:\5jddd.exec:\5jddd.exe106⤵PID:4276
-
\??\c:\5llrlll.exec:\5llrlll.exe107⤵PID:5044
-
\??\c:\xxfffll.exec:\xxfffll.exe108⤵PID:4180
-
\??\c:\hntttt.exec:\hntttt.exe109⤵PID:840
-
\??\c:\ppjjj.exec:\ppjjj.exe110⤵PID:4308
-
\??\c:\lfllffl.exec:\lfllffl.exe111⤵
- System Location Discovery: System Language Discovery
PID:2184 -
\??\c:\bhhbbb.exec:\bhhbbb.exe112⤵PID:2488
-
\??\c:\vpvdv.exec:\vpvdv.exe113⤵PID:4972
-
\??\c:\llxrrrf.exec:\llxrrrf.exe114⤵PID:716
-
\??\c:\rrxxxxx.exec:\rrxxxxx.exe115⤵PID:972
-
\??\c:\9tbttt.exec:\9tbttt.exe116⤵PID:1720
-
\??\c:\htnhht.exec:\htnhht.exe117⤵PID:3112
-
\??\c:\djpdp.exec:\djpdp.exe118⤵PID:3360
-
\??\c:\ffxxrxr.exec:\ffxxrxr.exe119⤵PID:3016
-
\??\c:\hhhhhh.exec:\hhhhhh.exe120⤵PID:1432
-
\??\c:\9dvvp.exec:\9dvvp.exe121⤵PID:4752
-
\??\c:\jdpjj.exec:\jdpjj.exe122⤵PID:2436