Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 14:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7.exe
-
Size
454KB
-
MD5
4e08766b377bed8897d4deecfc658a8d
-
SHA1
7fce2db831fc81f669885f59d942542dca05297a
-
SHA256
d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7
-
SHA512
5fd3c2970d3f29dbc692f8d7910720a39cad52ff14eaa1b1521b1f48e9e42114704592d46bf3ecdfb89be20bc7d9f4d3ea8366ace54b94e98f67408531c737c1
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2072-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4100-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1076-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1876-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-51-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2156-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4940-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3520-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/600-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/564-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3664-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1772-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-195-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-209-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/972-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3304-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3992-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/984-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2520-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-572-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-646-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1776-665-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3380-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1728-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-734-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4908-939-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-946-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1008-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2072 dddvv.exe 1076 frxrrrr.exe 3900 xrlffff.exe 3420 btttnn.exe 4060 tnhbtt.exe 1876 3jvpj.exe 1600 djppj.exe 368 thtnbb.exe 3724 7xxxrxx.exe 2156 vpppj.exe 3204 nnntnb.exe 3520 htbtnh.exe 4940 fxxxxff.exe 4332 hntnnn.exe 232 rxlflrr.exe 5100 hbbhbb.exe 600 rxffxxx.exe 4744 jvjdv.exe 2536 jvdvv.exe 3188 5xfxxxx.exe 3600 tnhhbb.exe 1784 dpddv.exe 564 3ffflll.exe 4696 9jdjv.exe 3176 dddvj.exe 3664 xlrfxxr.exe 3952 jvdvp.exe 5036 frllxxx.exe 1772 dvppv.exe 3596 jpppj.exe 4672 fxxrllr.exe 1376 hthbbb.exe 400 5pddv.exe 2004 frxxxxx.exe 2936 5pvpp.exe 1788 xrrlffx.exe 4716 3hhbbb.exe 4292 pdpjp.exe 1164 rfrlfff.exe 2372 3hbbtt.exe 3756 vdjdd.exe 4684 lxxxrrr.exe 972 tbnhbb.exe 4228 tbnhbh.exe 412 jjpjj.exe 1712 hnnnbb.exe 2888 nhnhbb.exe 4372 jvppj.exe 1416 fxxrrrr.exe 2008 thbtnn.exe 4824 9pjjd.exe 1724 jppjd.exe 3304 xrrlrxl.exe 4752 tntnnn.exe 4040 nthbbb.exe 3044 vvdvv.exe 2420 xrfrfxr.exe 100 flrrlrl.exe 4704 hbnnhh.exe 2780 ddvjd.exe 312 lfrllll.exe 3028 tntnht.exe 4108 nhhnhn.exe 4592 fxfllff.exe -
resource yara_rule behavioral2/memory/2072-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4100-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1076-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1876-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2156-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3520-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/600-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/564-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3596-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1772-171-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4672-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-209-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3304-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4108-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3992-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/984-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-386-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2004-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2520-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3168-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-572-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-646-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1776-665-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3380-681-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1728-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-734-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-939-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrllfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllxlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5vpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxxrlxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3lrxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4100 wrote to memory of 2072 4100 d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7.exe 83 PID 4100 wrote to memory of 2072 4100 d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7.exe 83 PID 4100 wrote to memory of 2072 4100 d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7.exe 83 PID 2072 wrote to memory of 1076 2072 dddvv.exe 84 PID 2072 wrote to memory of 1076 2072 dddvv.exe 84 PID 2072 wrote to memory of 1076 2072 dddvv.exe 84 PID 1076 wrote to memory of 3900 1076 frxrrrr.exe 85 PID 1076 wrote to memory of 3900 1076 frxrrrr.exe 85 PID 1076 wrote to memory of 3900 1076 frxrrrr.exe 85 PID 3900 wrote to memory of 3420 3900 xrlffff.exe 86 PID 3900 wrote to memory of 3420 3900 xrlffff.exe 86 PID 3900 wrote to memory of 3420 3900 xrlffff.exe 86 PID 3420 wrote to memory of 4060 3420 btttnn.exe 87 PID 3420 wrote to memory of 4060 3420 btttnn.exe 87 PID 3420 wrote to memory of 4060 3420 btttnn.exe 87 PID 4060 wrote to memory of 1876 4060 tnhbtt.exe 88 PID 4060 wrote to memory of 1876 4060 tnhbtt.exe 88 PID 4060 wrote to memory of 1876 4060 tnhbtt.exe 88 PID 1876 wrote to memory of 1600 1876 3jvpj.exe 89 PID 1876 wrote to memory of 1600 1876 3jvpj.exe 89 PID 1876 wrote to memory of 1600 1876 3jvpj.exe 89 PID 1600 wrote to memory of 368 1600 djppj.exe 90 PID 1600 wrote to memory of 368 1600 djppj.exe 90 PID 1600 wrote to memory of 368 1600 djppj.exe 90 PID 368 wrote to memory of 3724 368 thtnbb.exe 91 PID 368 wrote to memory of 3724 368 thtnbb.exe 91 PID 368 wrote to memory of 3724 368 thtnbb.exe 91 PID 3724 wrote to memory of 2156 3724 7xxxrxx.exe 92 PID 3724 wrote to memory of 2156 3724 7xxxrxx.exe 92 PID 3724 wrote to memory of 2156 3724 7xxxrxx.exe 92 PID 2156 wrote to memory of 3204 2156 vpppj.exe 93 PID 2156 wrote to memory of 3204 2156 vpppj.exe 93 PID 2156 wrote to memory of 3204 2156 vpppj.exe 93 PID 3204 wrote to memory of 3520 3204 nnntnb.exe 94 PID 3204 wrote to memory of 
3520 3204 nnntnb.exe 94 PID 3204 wrote to memory of 3520 3204 nnntnb.exe 94 PID 3520 wrote to memory of 4940 3520 htbtnh.exe 95 PID 3520 wrote to memory of 4940 3520 htbtnh.exe 95 PID 3520 wrote to memory of 4940 3520 htbtnh.exe 95 PID 4940 wrote to memory of 4332 4940 fxxxxff.exe 96 PID 4940 wrote to memory of 4332 4940 fxxxxff.exe 96 PID 4940 wrote to memory of 4332 4940 fxxxxff.exe 96 PID 4332 wrote to memory of 232 4332 hntnnn.exe 97 PID 4332 wrote to memory of 232 4332 hntnnn.exe 97 PID 4332 wrote to memory of 232 4332 hntnnn.exe 97 PID 232 wrote to memory of 5100 232 rxlflrr.exe 98 PID 232 wrote to memory of 5100 232 rxlflrr.exe 98 PID 232 wrote to memory of 5100 232 rxlflrr.exe 98 PID 5100 wrote to memory of 600 5100 hbbhbb.exe 99 PID 5100 wrote to memory of 600 5100 hbbhbb.exe 99 PID 5100 wrote to memory of 600 5100 hbbhbb.exe 99 PID 600 wrote to memory of 4744 600 rxffxxx.exe 100 PID 600 wrote to memory of 4744 600 rxffxxx.exe 100 PID 600 wrote to memory of 4744 600 rxffxxx.exe 100 PID 4744 wrote to memory of 2536 4744 jvjdv.exe 101 PID 4744 wrote to memory of 2536 4744 jvjdv.exe 101 PID 4744 wrote to memory of 2536 4744 jvjdv.exe 101 PID 2536 wrote to memory of 3188 2536 jvdvv.exe 102 PID 2536 wrote to memory of 3188 2536 jvdvv.exe 102 PID 2536 wrote to memory of 3188 2536 jvdvv.exe 102 PID 3188 wrote to memory of 3600 3188 5xfxxxx.exe 103 PID 3188 wrote to memory of 3600 3188 5xfxxxx.exe 103 PID 3188 wrote to memory of 3600 3188 5xfxxxx.exe 103 PID 3600 wrote to memory of 1784 3600 tnhhbb.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7.exe"C:\Users\Admin\AppData\Local\Temp\d20cfe8954e52ffc998ed6d731615a19ef9b3d81574120096684c9bd80db5cf7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4100 -
\??\c:\dddvv.exec:\dddvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072 -
\??\c:\frxrrrr.exec:\frxrrrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1076 -
\??\c:\xrlffff.exec:\xrlffff.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\btttnn.exec:\btttnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\tnhbtt.exec:\tnhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060 -
\??\c:\3jvpj.exec:\3jvpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1876 -
\??\c:\djppj.exec:\djppj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1600 -
\??\c:\thtnbb.exec:\thtnbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
\??\c:\7xxxrxx.exec:\7xxxrxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3724 -
\??\c:\vpppj.exec:\vpppj.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
\??\c:\nnntnb.exec:\nnntnb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\htbtnh.exec:\htbtnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3520 -
\??\c:\fxxxxff.exec:\fxxxxff.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\hntnnn.exec:\hntnnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\rxlflrr.exec:\rxlflrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
\??\c:\hbbhbb.exec:\hbbhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\rxffxxx.exec:\rxffxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:600 -
\??\c:\jvjdv.exec:\jvjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\jvdvv.exec:\jvdvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
\??\c:\5xfxxxx.exec:\5xfxxxx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188 -
\??\c:\tnhhbb.exec:\tnhhbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\dpddv.exec:\dpddv.exe23⤵
- Executes dropped EXE
PID:1784 -
\??\c:\3ffflll.exec:\3ffflll.exe24⤵
- Executes dropped EXE
PID:564 -
\??\c:\9jdjv.exec:\9jdjv.exe25⤵
- Executes dropped EXE
PID:4696 -
\??\c:\dddvj.exec:\dddvj.exe26⤵
- Executes dropped EXE
PID:3176 -
\??\c:\xlrfxxr.exec:\xlrfxxr.exe27⤵
- Executes dropped EXE
PID:3664 -
\??\c:\jvdvp.exec:\jvdvp.exe28⤵
- Executes dropped EXE
PID:3952 -
\??\c:\frllxxx.exec:\frllxxx.exe29⤵
- Executes dropped EXE
PID:5036 -
\??\c:\dvppv.exec:\dvppv.exe30⤵
- Executes dropped EXE
PID:1772 -
\??\c:\jpppj.exec:\jpppj.exe31⤵
- Executes dropped EXE
PID:3596 -
\??\c:\fxxrllr.exec:\fxxrllr.exe32⤵
- Executes dropped EXE
PID:4672 -
\??\c:\hthbbb.exec:\hthbbb.exe33⤵
- Executes dropped EXE
PID:1376 -
\??\c:\5pddv.exec:\5pddv.exe34⤵
- Executes dropped EXE
PID:400 -
\??\c:\frxxxxx.exec:\frxxxxx.exe35⤵
- Executes dropped EXE
PID:2004 -
\??\c:\5pvpp.exec:\5pvpp.exe36⤵
- Executes dropped EXE
PID:2936 -
\??\c:\xrrlffx.exec:\xrrlffx.exe37⤵
- Executes dropped EXE
PID:1788 -
\??\c:\3hhbbb.exec:\3hhbbb.exe38⤵
- Executes dropped EXE
PID:4716 -
\??\c:\pdpjp.exec:\pdpjp.exe39⤵
- Executes dropped EXE
PID:4292 -
\??\c:\rfrlfff.exec:\rfrlfff.exe40⤵
- Executes dropped EXE
PID:1164 -
\??\c:\3hbbtt.exec:\3hbbtt.exe41⤵
- Executes dropped EXE
PID:2372 -
\??\c:\vdjdd.exec:\vdjdd.exe42⤵
- Executes dropped EXE
PID:3756 -
\??\c:\lxxxrrr.exec:\lxxxrrr.exe43⤵
- Executes dropped EXE
PID:4684 -
\??\c:\tbnhbb.exec:\tbnhbb.exe44⤵
- Executes dropped EXE
PID:972 -
\??\c:\tbnhbh.exec:\tbnhbh.exe45⤵
- Executes dropped EXE
PID:4228 -
\??\c:\jjpjj.exec:\jjpjj.exe46⤵
- Executes dropped EXE
PID:412 -
\??\c:\hnnnbb.exec:\hnnnbb.exe47⤵
- Executes dropped EXE
PID:1712 -
\??\c:\nhnhbb.exec:\nhnhbb.exe48⤵
- Executes dropped EXE
PID:2888 -
\??\c:\jvppj.exec:\jvppj.exe49⤵
- Executes dropped EXE
PID:4372 -
\??\c:\fxxrrrr.exec:\fxxrrrr.exe50⤵
- Executes dropped EXE
PID:1416 -
\??\c:\thbtnn.exec:\thbtnn.exe51⤵
- Executes dropped EXE
PID:2008 -
\??\c:\9pjjd.exec:\9pjjd.exe52⤵
- Executes dropped EXE
PID:4824 -
\??\c:\jppjd.exec:\jppjd.exe53⤵
- Executes dropped EXE
PID:1724 -
\??\c:\xrrlrxl.exec:\xrrlrxl.exe54⤵
- Executes dropped EXE
PID:3304 -
\??\c:\tntnnn.exec:\tntnnn.exe55⤵
- Executes dropped EXE
PID:4752 -
\??\c:\nthbbb.exec:\nthbbb.exe56⤵
- Executes dropped EXE
PID:4040 -
\??\c:\vvdvv.exec:\vvdvv.exe57⤵
- Executes dropped EXE
PID:3044 -
\??\c:\xrfrfxr.exec:\xrfrfxr.exe58⤵
- Executes dropped EXE
PID:2420 -
\??\c:\flrrlrl.exec:\flrrlrl.exe59⤵
- Executes dropped EXE
PID:100 -
\??\c:\hbnnhh.exec:\hbnnhh.exe60⤵
- Executes dropped EXE
PID:4704 -
\??\c:\ddvjd.exec:\ddvjd.exe61⤵
- Executes dropped EXE
PID:2780 -
\??\c:\lfrllll.exec:\lfrllll.exe62⤵
- Executes dropped EXE
PID:312 -
\??\c:\tntnht.exec:\tntnht.exe63⤵
- Executes dropped EXE
PID:3028 -
\??\c:\nhhnhn.exec:\nhhnhn.exe64⤵
- Executes dropped EXE
PID:4108 -
\??\c:\fxfllff.exec:\fxfllff.exe65⤵
- Executes dropped EXE
PID:4592 -
\??\c:\5nnhbh.exec:\5nnhbh.exe66⤵PID:1288
-
\??\c:\vddvv.exec:\vddvv.exe67⤵PID:3992
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe68⤵PID:4992
-
\??\c:\lrfxrrr.exec:\lrfxrrr.exe69⤵PID:228
-
\??\c:\3thnht.exec:\3thnht.exe70⤵PID:1728
-
\??\c:\dpdvv.exec:\dpdvv.exe71⤵PID:3220
-
\??\c:\ppvpv.exec:\ppvpv.exe72⤵PID:5100
-
\??\c:\xrfflll.exec:\xrfflll.exe73⤵PID:600
-
\??\c:\hbhbbb.exec:\hbhbbb.exe74⤵PID:2028
-
\??\c:\jjjjd.exec:\jjjjd.exe75⤵
- System Location Discovery: System Language Discovery
PID:4756 -
\??\c:\1dvpd.exec:\1dvpd.exe76⤵PID:1900
-
\??\c:\fflfxff.exec:\fflfxff.exe77⤵PID:3656
-
\??\c:\hthbtb.exec:\hthbtb.exe78⤵PID:4380
-
\??\c:\thtnhn.exec:\thtnhn.exe79⤵PID:1840
-
\??\c:\dvppv.exec:\dvppv.exe80⤵PID:1484
-
\??\c:\rrxxrll.exec:\rrxxrll.exe81⤵PID:564
-
\??\c:\nthbbb.exec:\nthbbb.exe82⤵PID:984
-
\??\c:\bbtttb.exec:\bbtttb.exe83⤵PID:1708
-
\??\c:\ffllxxx.exec:\ffllxxx.exe84⤵PID:2876
-
\??\c:\7rrlfff.exec:\7rrlfff.exe85⤵PID:3952
-
\??\c:\bbhnnn.exec:\bbhnnn.exe86⤵PID:1456
-
\??\c:\7vdvp.exec:\7vdvp.exe87⤵PID:2160
-
\??\c:\rrrrllf.exec:\rrrrllf.exe88⤵PID:4560
-
\??\c:\5tbbhh.exec:\5tbbhh.exe89⤵PID:2192
-
\??\c:\jddvv.exec:\jddvv.exe90⤵PID:3080
-
\??\c:\rxffxxx.exec:\rxffxxx.exe91⤵PID:4868
-
\??\c:\lfllfff.exec:\lfllfff.exe92⤵PID:4248
-
\??\c:\hhhhhh.exec:\hhhhhh.exe93⤵PID:2108
-
\??\c:\dvjdd.exec:\dvjdd.exe94⤵PID:2004
-
\??\c:\xxffrxx.exec:\xxffrxx.exe95⤵PID:264
-
\??\c:\7ntnht.exec:\7ntnht.exe96⤵PID:3144
-
\??\c:\3pjpj.exec:\3pjpj.exe97⤵PID:3532
-
\??\c:\lfllrrf.exec:\lfllrrf.exe98⤵PID:2520
-
\??\c:\tbbttt.exec:\tbbttt.exe99⤵PID:4676
-
\??\c:\5ddvp.exec:\5ddvp.exe100⤵PID:5072
-
\??\c:\vjpjd.exec:\vjpjd.exe101⤵PID:2412
-
\??\c:\hbttnt.exec:\hbttnt.exe102⤵PID:2152
-
\??\c:\vvppv.exec:\vvppv.exe103⤵PID:344
-
\??\c:\fxflffx.exec:\fxflffx.exe104⤵PID:4580
-
\??\c:\lfllflx.exec:\lfllflx.exe105⤵PID:1584
-
\??\c:\hbhbtt.exec:\hbhbtt.exe106⤵PID:412
-
\??\c:\1pdvp.exec:\1pdvp.exe107⤵PID:1544
-
\??\c:\dvjjv.exec:\dvjjv.exe108⤵PID:2888
-
\??\c:\fxxrllf.exec:\fxxrllf.exe109⤵PID:4888
-
\??\c:\5hnnhh.exec:\5hnnhh.exe110⤵PID:1460
-
\??\c:\9hbttt.exec:\9hbttt.exe111⤵PID:1996
-
\??\c:\ddvpp.exec:\ddvpp.exe112⤵PID:3168
-
\??\c:\rxffrrl.exec:\rxffrrl.exe113⤵PID:428
-
\??\c:\nhtnnn.exec:\nhtnnn.exe114⤵PID:1004
-
\??\c:\hbhbbb.exec:\hbhbbb.exe115⤵PID:3420
-
\??\c:\ddvvp.exec:\ddvvp.exe116⤵PID:4596
-
\??\c:\5rlfxrr.exec:\5rlfxrr.exe117⤵PID:3044
-
\??\c:\tnbhhb.exec:\tnbhhb.exe118⤵PID:2420
-
\??\c:\htnhbh.exec:\htnhbh.exe119⤵PID:1140
-
\??\c:\vddvv.exec:\vddvv.exe120⤵PID:4704
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe121⤵PID:4924
-
\??\c:\nhhbtt.exec:\nhhbtt.exe122⤵PID:648