Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
Resource
win7-20240729-en
windows7-x64
7 signatures
120 seconds
General
-
Target
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe
-
Size
455KB
-
MD5
b02d0f5dbca4b4a74000cc28ff1a8c2f
-
SHA1
6febccd3d37816c5f48aab0399f2a9ea2302d2fe
-
SHA256
c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209
-
SHA512
bbf03096c35eca93a9b9a3239ee19cc8d2ca525e991158aa65b19631cd15a1988f4c1ade992eeb6c6afb4cbaa46841f936677fac57bd42ee8f87d612ada9cfb5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRV:q7Tc2NYHUrAwfMp3CDRV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4916-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2740-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1604-57-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1492-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-275-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2608-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/760-311-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2908-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2864-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4444-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4320-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4528-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3708-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5040-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/912-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4560-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3872-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3480-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4644-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2020-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1380-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2512-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-443-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/224-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1124-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3512-552-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2000-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-626-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-682-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-714-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-790-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-951-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3012-1187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3200-1209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1380 5djjd.exe 5080 ppppv.exe 4416 fxxrllf.exe 4348 1flffrr.exe 1968 nbbntt.exe 2020 1vjjv.exe 4644 lrllllf.exe 2740 7xflxff.exe 1604 5tttnt.exe 512 vpvdv.exe 184 vvppj.exe 3480 xflfllr.exe 3872 tntnbh.exe 1884 hbhhhh.exe 4360 vpvpj.exe 2296 xlxxrlf.exe 2908 rrrrlll.exe 1140 tntbbh.exe 4088 7vvpj.exe 2660 jpddp.exe 4908 5xxxrrl.exe 4560 llxrrll.exe 4476 5btnhh.exe 4896 vjddd.exe 2936 jpvpj.exe 4120 xlxlffx.exe 2792 3hbnhb.exe 1684 5bbtnt.exe 1012 jpddp.exe 912 rlfxrrl.exe 5060 rlrxrrr.exe 5040 7hhbtt.exe 3708 jvdvv.exe 3972 dvdvv.exe 2628 xfffxxr.exe 1124 nnnhbt.exe 1492 tnhbhb.exe 1476 jpvpj.exe 4528 9dvpj.exe 668 rlllfff.exe 2704 hnhbnh.exe 4756 5pjdv.exe 3216 7vdvd.exe 544 9xxlffx.exe 4132 1hhnnn.exe 208 nhhhhh.exe 4324 9vvpp.exe 2992 pppvp.exe 4884 xffxlll.exe 4320 bhhhbb.exe 3012 bbnnhn.exe 1968 pvdjp.exe 2020 xfrrrrr.exe 1504 9rllxfx.exe 4444 ttbtnn.exe 852 pdjjd.exe 4700 jddjd.exe 792 3fffxxr.exe 2864 btbttt.exe 4648 nhnbbb.exe 2804 jjvvp.exe 2144 frxrxrx.exe 1892 fllfxxr.exe 2756 bhbttt.exe -
resource yara_rule behavioral2/memory/4916-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2740-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1604-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2608-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/760-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2908-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2864-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4444-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4320-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-346-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1124-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3708-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/912-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4560-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1884-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3872-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3480-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2020-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3424-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2512-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-443-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/224-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1124-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3512-552-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2000-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-626-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-682-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-714-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-790-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2168-911-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-951-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrllfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnthbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3thhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7rlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flflllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4916 wrote to memory of 1380 4916 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 83 PID 4916 wrote to memory of 1380 4916 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 83 PID 4916 wrote to memory of 1380 4916 c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe 83 PID 1380 wrote to memory of 5080 1380 5djjd.exe 84 PID 1380 wrote to memory of 5080 1380 5djjd.exe 84 PID 1380 wrote to memory of 5080 1380 5djjd.exe 84 PID 5080 wrote to memory of 4416 5080 ppppv.exe 85 PID 5080 wrote to memory of 4416 5080 ppppv.exe 85 PID 5080 wrote to memory of 4416 5080 ppppv.exe 85 PID 4416 wrote to memory of 4348 4416 fxxrllf.exe 86 PID 4416 wrote to memory of 4348 4416 fxxrllf.exe 86 PID 4416 wrote to memory of 4348 4416 fxxrllf.exe 86 PID 4348 wrote to memory of 1968 4348 1flffrr.exe 87 PID 4348 wrote to memory of 1968 4348 1flffrr.exe 87 PID 4348 wrote to memory of 1968 4348 1flffrr.exe 87 PID 1968 wrote to memory of 2020 1968 nbbntt.exe 135 PID 1968 wrote to memory of 2020 1968 nbbntt.exe 135 PID 1968 wrote to memory of 2020 1968 nbbntt.exe 135 PID 2020 wrote to memory of 4644 2020 1vjjv.exe 89 PID 2020 wrote to memory of 4644 2020 1vjjv.exe 89 PID 2020 wrote to memory of 4644 2020 1vjjv.exe 89 PID 4644 wrote to memory of 2740 4644 lrllllf.exe 90 PID 4644 wrote to memory of 2740 4644 lrllllf.exe 90 PID 4644 wrote to memory of 2740 4644 lrllllf.exe 90 PID 2740 wrote to memory of 1604 2740 7xflxff.exe 91 PID 2740 wrote to memory of 1604 2740 7xflxff.exe 91 PID 2740 wrote to memory of 1604 2740 7xflxff.exe 91 PID 1604 wrote to memory of 512 1604 5tttnt.exe 92 PID 1604 wrote to memory of 512 1604 5tttnt.exe 92 PID 1604 wrote to memory of 512 1604 5tttnt.exe 92 PID 512 wrote to memory of 184 512 vpvdv.exe 93 PID 512 wrote to memory of 184 512 vpvdv.exe 93 PID 512 wrote to memory of 184 512 vpvdv.exe 93 PID 184 wrote to memory of 3480 184 vvppj.exe 94 PID 184 wrote to memory of 3480 
184 vvppj.exe 94 PID 184 wrote to memory of 3480 184 vvppj.exe 94 PID 3480 wrote to memory of 3872 3480 xflfllr.exe 95 PID 3480 wrote to memory of 3872 3480 xflfllr.exe 95 PID 3480 wrote to memory of 3872 3480 xflfllr.exe 95 PID 3872 wrote to memory of 1884 3872 tntnbh.exe 96 PID 3872 wrote to memory of 1884 3872 tntnbh.exe 96 PID 3872 wrote to memory of 1884 3872 tntnbh.exe 96 PID 1884 wrote to memory of 4360 1884 hbhhhh.exe 97 PID 1884 wrote to memory of 4360 1884 hbhhhh.exe 97 PID 1884 wrote to memory of 4360 1884 hbhhhh.exe 97 PID 4360 wrote to memory of 2296 4360 vpvpj.exe 98 PID 4360 wrote to memory of 2296 4360 vpvpj.exe 98 PID 4360 wrote to memory of 2296 4360 vpvpj.exe 98 PID 2296 wrote to memory of 2908 2296 xlxxrlf.exe 99 PID 2296 wrote to memory of 2908 2296 xlxxrlf.exe 99 PID 2296 wrote to memory of 2908 2296 xlxxrlf.exe 99 PID 2908 wrote to memory of 1140 2908 rrrrlll.exe 100 PID 2908 wrote to memory of 1140 2908 rrrrlll.exe 100 PID 2908 wrote to memory of 1140 2908 rrrrlll.exe 100 PID 1140 wrote to memory of 4088 1140 tntbbh.exe 101 PID 1140 wrote to memory of 4088 1140 tntbbh.exe 101 PID 1140 wrote to memory of 4088 1140 tntbbh.exe 101 PID 4088 wrote to memory of 2660 4088 7vvpj.exe 102 PID 4088 wrote to memory of 2660 4088 7vvpj.exe 102 PID 4088 wrote to memory of 2660 4088 7vvpj.exe 102 PID 2660 wrote to memory of 4908 2660 jpddp.exe 103 PID 2660 wrote to memory of 4908 2660 jpddp.exe 103 PID 2660 wrote to memory of 4908 2660 jpddp.exe 103 PID 4908 wrote to memory of 4560 4908 5xxxrrl.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"C:\Users\Admin\AppData\Local\Temp\c6e4a665068fc7c5d2d7f47f8af5644b270b6c1db69a00b77af4de8d43813209.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\5djjd.exec:\5djjd.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380 -
\??\c:\ppppv.exec:\ppppv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\fxxrllf.exec:\fxxrllf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\1flffrr.exec:\1flffrr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\nbbntt.exec:\nbbntt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\1vjjv.exec:\1vjjv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020 -
\??\c:\lrllllf.exec:\lrllllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\7xflxff.exec:\7xflxff.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\5tttnt.exec:\5tttnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\vpvdv.exec:\vpvdv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
\??\c:\vvppj.exec:\vvppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:184 -
\??\c:\xflfllr.exec:\xflfllr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\tntnbh.exec:\tntnbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\hbhhhh.exec:\hbhhhh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1884 -
\??\c:\vpvpj.exec:\vpvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\xlxxrlf.exec:\xlxxrlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\rrrrlll.exec:\rrrrlll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
\??\c:\tntbbh.exec:\tntbbh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\7vvpj.exec:\7vvpj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\jpddp.exec:\jpddp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\5xxxrrl.exec:\5xxxrrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908 -
\??\c:\llxrrll.exec:\llxrrll.exe23⤵
- Executes dropped EXE
PID:4560 -
\??\c:\5btnhh.exec:\5btnhh.exe24⤵
- Executes dropped EXE
PID:4476 -
\??\c:\vjddd.exec:\vjddd.exe25⤵
- Executes dropped EXE
PID:4896 -
\??\c:\jpvpj.exec:\jpvpj.exe26⤵
- Executes dropped EXE
PID:2936 -
\??\c:\xlxlffx.exec:\xlxlffx.exe27⤵
- Executes dropped EXE
PID:4120 -
\??\c:\3hbnhb.exec:\3hbnhb.exe28⤵
- Executes dropped EXE
PID:2792 -
\??\c:\5bbtnt.exec:\5bbtnt.exe29⤵
- Executes dropped EXE
PID:1684 -
\??\c:\jpddp.exec:\jpddp.exe30⤵
- Executes dropped EXE
PID:1012 -
\??\c:\rlfxrrl.exec:\rlfxrrl.exe31⤵
- Executes dropped EXE
PID:912 -
\??\c:\rlrxrrr.exec:\rlrxrrr.exe32⤵
- Executes dropped EXE
PID:5060 -
\??\c:\7hhbtt.exec:\7hhbtt.exe33⤵
- Executes dropped EXE
PID:5040 -
\??\c:\jvdvv.exec:\jvdvv.exe34⤵
- Executes dropped EXE
PID:3708 -
\??\c:\dvdvv.exec:\dvdvv.exe35⤵
- Executes dropped EXE
PID:3972 -
\??\c:\xfffxxr.exec:\xfffxxr.exe36⤵
- Executes dropped EXE
PID:2628 -
\??\c:\nnnhbt.exec:\nnnhbt.exe37⤵
- Executes dropped EXE
PID:1124 -
\??\c:\tnhbhb.exec:\tnhbhb.exe38⤵
- Executes dropped EXE
PID:1492 -
\??\c:\jpvpj.exec:\jpvpj.exe39⤵
- Executes dropped EXE
PID:1476 -
\??\c:\9dvpj.exec:\9dvpj.exe40⤵
- Executes dropped EXE
PID:4528 -
\??\c:\rlllfff.exec:\rlllfff.exe41⤵
- Executes dropped EXE
PID:668 -
\??\c:\hnhbnh.exec:\hnhbnh.exe42⤵
- Executes dropped EXE
PID:2704 -
\??\c:\5pjdv.exec:\5pjdv.exe43⤵
- Executes dropped EXE
PID:4756 -
\??\c:\7vdvd.exec:\7vdvd.exe44⤵
- Executes dropped EXE
PID:3216 -
\??\c:\9xxlffx.exec:\9xxlffx.exe45⤵
- Executes dropped EXE
PID:544 -
\??\c:\1hhnnn.exec:\1hhnnn.exe46⤵
- Executes dropped EXE
PID:4132 -
\??\c:\nhhhhh.exec:\nhhhhh.exe47⤵
- Executes dropped EXE
PID:208 -
\??\c:\9vvpp.exec:\9vvpp.exe48⤵
- Executes dropped EXE
PID:4324 -
\??\c:\pppvp.exec:\pppvp.exe49⤵
- Executes dropped EXE
PID:2992 -
\??\c:\xffxlll.exec:\xffxlll.exe50⤵
- Executes dropped EXE
PID:4884 -
\??\c:\bhhhbb.exec:\bhhhbb.exe51⤵
- Executes dropped EXE
PID:4320 -
\??\c:\bbnnhn.exec:\bbnnhn.exe52⤵
- Executes dropped EXE
PID:3012 -
\??\c:\pvdjp.exec:\pvdjp.exe53⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xfrrrrr.exec:\xfrrrrr.exe54⤵
- Executes dropped EXE
PID:2020 -
\??\c:\9rllxfx.exec:\9rllxfx.exe55⤵
- Executes dropped EXE
PID:1504 -
\??\c:\ttbtnn.exec:\ttbtnn.exe56⤵
- Executes dropped EXE
PID:4444 -
\??\c:\pdjjd.exec:\pdjjd.exe57⤵
- Executes dropped EXE
PID:852 -
\??\c:\jddjd.exec:\jddjd.exe58⤵
- Executes dropped EXE
PID:4700 -
\??\c:\3fffxxr.exec:\3fffxxr.exe59⤵
- Executes dropped EXE
PID:792 -
\??\c:\btbttt.exec:\btbttt.exe60⤵
- Executes dropped EXE
PID:2864 -
\??\c:\nhnbbb.exec:\nhnbbb.exe61⤵
- Executes dropped EXE
PID:4648 -
\??\c:\jjvvp.exec:\jjvvp.exe62⤵
- Executes dropped EXE
PID:2804 -
\??\c:\frxrxrx.exec:\frxrxrx.exe63⤵
- Executes dropped EXE
PID:2144 -
\??\c:\fllfxxr.exec:\fllfxxr.exe64⤵
- Executes dropped EXE
PID:1892 -
\??\c:\bhbttt.exec:\bhbttt.exe65⤵
- Executes dropped EXE
PID:2756 -
\??\c:\ddjpj.exec:\ddjpj.exe66⤵PID:2908
-
\??\c:\7djdd.exec:\7djdd.exe67⤵PID:5072
-
\??\c:\lrrfxlf.exec:\lrrfxlf.exe68⤵PID:4872
-
\??\c:\nnhhbb.exec:\nnhhbb.exe69⤵PID:760
-
\??\c:\nnthbb.exec:\nnthbb.exe70⤵
- System Location Discovery: System Language Discovery
PID:4784 -
\??\c:\ppppj.exec:\ppppj.exe71⤵PID:3232
-
\??\c:\ddpjp.exec:\ddpjp.exe72⤵PID:2608
-
\??\c:\9lxrxxx.exec:\9lxrxxx.exe73⤵PID:4160
-
\??\c:\5hnnnn.exec:\5hnnnn.exe74⤵PID:4588
-
\??\c:\9jvvp.exec:\9jvvp.exe75⤵PID:2936
-
\??\c:\pvdvp.exec:\pvdvp.exe76⤵PID:5032
-
\??\c:\lrxxffl.exec:\lrxxffl.exe77⤵PID:2180
-
\??\c:\lxfxrrl.exec:\lxfxrrl.exe78⤵PID:2244
-
\??\c:\ntnntn.exec:\ntnntn.exe79⤵PID:3052
-
\??\c:\vdddj.exec:\vdddj.exe80⤵PID:2712
-
\??\c:\xlflllf.exec:\xlflllf.exe81⤵PID:3184
-
\??\c:\tntthb.exec:\tntthb.exe82⤵PID:3196
-
\??\c:\9pvdd.exec:\9pvdd.exe83⤵PID:3500
-
\??\c:\5fxxxxx.exec:\5fxxxxx.exe84⤵PID:3424
-
\??\c:\hhhbtt.exec:\hhhbtt.exe85⤵PID:4904
-
\??\c:\pvvpj.exec:\pvvpj.exe86⤵PID:4528
-
\??\c:\5ffxfrr.exec:\5ffxfrr.exe87⤵PID:3604
-
\??\c:\5hhbbn.exec:\5hhbbn.exe88⤵PID:4860
-
\??\c:\bhnntt.exec:\bhnntt.exe89⤵PID:4548
-
\??\c:\9vvpp.exec:\9vvpp.exe90⤵PID:3020
-
\??\c:\lflrrxx.exec:\lflrrxx.exe91⤵PID:544
-
\??\c:\hnttnn.exec:\hnttnn.exe92⤵PID:208
-
\??\c:\ddpjp.exec:\ddpjp.exe93⤵PID:2512
-
\??\c:\pvdjd.exec:\pvdjd.exe94⤵PID:2420
-
\??\c:\rrxxxfx.exec:\rrxxxfx.exe95⤵PID:3264
-
\??\c:\5tbttt.exec:\5tbttt.exe96⤵PID:2504
-
\??\c:\nnttbb.exec:\nnttbb.exe97⤵PID:1968
-
\??\c:\ppppj.exec:\ppppj.exe98⤵PID:4440
-
\??\c:\rlxxxfl.exec:\rlxxxfl.exe99⤵PID:624
-
\??\c:\hnbbhh.exec:\hnbbhh.exe100⤵PID:628
-
\??\c:\nntnhh.exec:\nntnhh.exe101⤵PID:3476
-
\??\c:\jvddv.exec:\jvddv.exe102⤵PID:380
-
\??\c:\frxrrrl.exec:\frxrrrl.exe103⤵PID:4332
-
\??\c:\lrllfff.exec:\lrllfff.exe104⤵PID:3376
-
\??\c:\hnnnhn.exec:\hnnnhn.exe105⤵PID:4964
-
\??\c:\pvjdv.exec:\pvjdv.exe106⤵PID:3752
-
\??\c:\rfffflf.exec:\rfffflf.exe107⤵PID:2024
-
\??\c:\ddjjp.exec:\ddjjp.exe108⤵PID:3692
-
\??\c:\rfxrllf.exec:\rfxrllf.exe109⤵PID:4384
-
\??\c:\bhbthn.exec:\bhbthn.exe110⤵PID:4436
-
\??\c:\tbbtnh.exec:\tbbtnh.exe111⤵PID:4420
-
\??\c:\ddvpj.exec:\ddvpj.exe112⤵PID:4872
-
\??\c:\nnhnhh.exec:\nnhnhh.exe113⤵PID:3808
-
\??\c:\nntnnn.exec:\nntnnn.exe114⤵PID:4488
-
\??\c:\xxrrrrl.exec:\xxrrrrl.exe115⤵PID:1088
-
\??\c:\bbttnn.exec:\bbttnn.exe116⤵PID:1140
-
\??\c:\nnhtbb.exec:\nnhtbb.exe117⤵PID:5096
-
\??\c:\1dpjd.exec:\1dpjd.exe118⤵PID:4816
-
\??\c:\lxxxrff.exec:\lxxxrff.exe119⤵PID:3140
-
\??\c:\ntnhbb.exec:\ntnhbb.exe120⤵PID:2192
-
\??\c:\5jdvd.exec:\5jdvd.exe121⤵PID:1176
-
\??\c:\lfrrllx.exec:\lfrrllx.exe122⤵PID:3144