Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 07:16
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe
-
Size
455KB
-
MD5
dcce3c3520ec8d9d768008b7e0e8697b
-
SHA1
0e5cacaa1bd7f16ac3ff412536bbf9acd50f7863
-
SHA256
b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3
-
SHA512
09259032938bb14a24a6d2b09c37f3e6267d74818999d6c3642bfcc2490c922340bb9221b007394dc1f381a6f0666e4e2e58edb97c3d45e4c22a5645a7cabd85
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTM:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4856-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3876-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2108-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1248-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2784-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2080-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4472-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4920-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1880-154-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3436-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1748-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/544-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2188-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1176-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3916-253-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2800-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-300-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-310-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1920-314-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-324-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2664-328-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-360-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1340-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2040-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1336-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4704-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2064-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1160-832-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-893-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2420-972-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-1066-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-1319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3456 xrxxxff.exe 3076 ddjvv.exe 3876 llffrrr.exe 2108 rrfflrx.exe 2384 xrrrlxl.exe 1068 bhbnbn.exe 4932 rxxlxlx.exe 1244 lrxrlll.exe 3916 pppvv.exe 1248 ppppv.exe 4128 rrlflll.exe 948 9dddd.exe 3896 nbnnnt.exe 2264 pvjvp.exe 2660 hbbttb.exe 2784 pvdjj.exe 2080 xlfxxff.exe 3580 ppjjj.exe 2700 tnnnnn.exe 4472 rlrrrff.exe 1072 llrrrrx.exe 4920 9vjpd.exe 1324 9rxfrff.exe 2020 rfxflxf.exe 3436 bhbhtt.exe 1880 jjppv.exe 4584 rxfffll.exe 940 rrxxxxx.exe 4040 xrrlfxx.exe 1748 djppp.exe 1096 bhhhbb.exe 544 pdpjd.exe 2236 thbntt.exe 2208 lfrlrrl.exe 4676 ffrrlrr.exe 4312 ddppp.exe 1668 djddp.exe 4484 7xrlfxr.exe 1696 nnbtnn.exe 1340 jjdvd.exe 2188 fxllllf.exe 5064 bbbbtn.exe 4364 bttnnn.exe 2696 vvvpp.exe 4720 xlxrrll.exe 1268 bnnnnt.exe 4588 hnhnhh.exe 1156 vdjdd.exe 1176 xrxfxxr.exe 3612 5ntnhh.exe 4216 jjjdd.exe 3916 1flfrfx.exe 540 thttbh.exe 4804 djdvp.exe 1348 rlrlffx.exe 2800 htnbbh.exe 2452 hbtntt.exe 2448 vjvpv.exe 3868 flxrlll.exe 5000 bbhhhn.exe 4960 djdjv.exe 1856 lxlllrx.exe 2080 thnhhh.exe 220 bnttth.exe -
resource yara_rule behavioral2/memory/4856-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3876-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2108-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1248-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2784-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2080-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4472-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4920-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1880-154-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1748-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/544-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2188-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3916-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2800-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1920-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-324-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-328-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-360-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-370-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/940-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-394-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1340-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3184-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2040-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1336-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4704-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2064-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-832-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-893-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-972-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrrlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rfxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7thhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4856 wrote to memory of 3456 4856 b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe 82 PID 4856 wrote to memory of 3456 4856 b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe 82 PID 4856 wrote to memory of 3456 4856 b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe 82 PID 3456 wrote to memory of 3076 3456 xrxxxff.exe 83 PID 3456 wrote to memory of 3076 3456 xrxxxff.exe 83 PID 3456 wrote to memory of 3076 3456 xrxxxff.exe 83 PID 3076 wrote to memory of 3876 3076 ddjvv.exe 84 PID 3076 wrote to memory of 3876 3076 ddjvv.exe 84 PID 3076 wrote to memory of 3876 3076 ddjvv.exe 84 PID 3876 wrote to memory of 2108 3876 llffrrr.exe 85 PID 3876 wrote to memory of 2108 3876 llffrrr.exe 85 PID 3876 wrote to memory of 2108 3876 llffrrr.exe 85 PID 2108 wrote to memory of 2384 2108 rrfflrx.exe 86 PID 2108 wrote to memory of 2384 2108 rrfflrx.exe 86 PID 2108 wrote to memory of 2384 2108 rrfflrx.exe 86 PID 2384 wrote to memory of 1068 2384 xrrrlxl.exe 87 PID 2384 wrote to memory of 1068 2384 xrrrlxl.exe 87 PID 2384 wrote to memory of 1068 2384 xrrrlxl.exe 87 PID 1068 wrote to memory of 4932 1068 bhbnbn.exe 88 PID 1068 wrote to memory of 4932 1068 bhbnbn.exe 88 PID 1068 wrote to memory of 4932 1068 bhbnbn.exe 88 PID 4932 wrote to memory of 1244 4932 rxxlxlx.exe 89 PID 4932 wrote to memory of 1244 4932 rxxlxlx.exe 89 PID 4932 wrote to memory of 1244 4932 rxxlxlx.exe 89 PID 1244 wrote to memory of 3916 1244 lrxrlll.exe 90 PID 1244 wrote to memory of 3916 1244 lrxrlll.exe 90 PID 1244 wrote to memory of 3916 1244 lrxrlll.exe 90 PID 3916 wrote to memory of 1248 3916 pppvv.exe 91 PID 3916 wrote to memory of 1248 3916 pppvv.exe 91 PID 3916 wrote to memory of 1248 3916 pppvv.exe 91 PID 1248 wrote to memory of 4128 1248 ppppv.exe 92 PID 1248 wrote to memory of 4128 1248 ppppv.exe 92 PID 1248 wrote to memory of 4128 1248 ppppv.exe 92 PID 4128 wrote to memory of 948 4128 rrlflll.exe 93 PID 4128 
wrote to memory of 948 4128 rrlflll.exe 93 PID 4128 wrote to memory of 948 4128 rrlflll.exe 93 PID 948 wrote to memory of 3896 948 9dddd.exe 94 PID 948 wrote to memory of 3896 948 9dddd.exe 94 PID 948 wrote to memory of 3896 948 9dddd.exe 94 PID 3896 wrote to memory of 2264 3896 nbnnnt.exe 95 PID 3896 wrote to memory of 2264 3896 nbnnnt.exe 95 PID 3896 wrote to memory of 2264 3896 nbnnnt.exe 95 PID 2264 wrote to memory of 2660 2264 pvjvp.exe 96 PID 2264 wrote to memory of 2660 2264 pvjvp.exe 96 PID 2264 wrote to memory of 2660 2264 pvjvp.exe 96 PID 2660 wrote to memory of 2784 2660 hbbttb.exe 97 PID 2660 wrote to memory of 2784 2660 hbbttb.exe 97 PID 2660 wrote to memory of 2784 2660 hbbttb.exe 97 PID 2784 wrote to memory of 2080 2784 pvdjj.exe 98 PID 2784 wrote to memory of 2080 2784 pvdjj.exe 98 PID 2784 wrote to memory of 2080 2784 pvdjj.exe 98 PID 2080 wrote to memory of 3580 2080 xlfxxff.exe 99 PID 2080 wrote to memory of 3580 2080 xlfxxff.exe 99 PID 2080 wrote to memory of 3580 2080 xlfxxff.exe 99 PID 3580 wrote to memory of 2700 3580 ppjjj.exe 100 PID 3580 wrote to memory of 2700 3580 ppjjj.exe 100 PID 3580 wrote to memory of 2700 3580 ppjjj.exe 100 PID 2700 wrote to memory of 4472 2700 tnnnnn.exe 101 PID 2700 wrote to memory of 4472 2700 tnnnnn.exe 101 PID 2700 wrote to memory of 4472 2700 tnnnnn.exe 101 PID 4472 wrote to memory of 1072 4472 rlrrrff.exe 102 PID 4472 wrote to memory of 1072 4472 rlrrrff.exe 102 PID 4472 wrote to memory of 1072 4472 rlrrrff.exe 102 PID 1072 wrote to memory of 4920 1072 llrrrrx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe"C:\Users\Admin\AppData\Local\Temp\b4822a5d544cb210f0e76e01e23f70a9eb16bf5de75b7934a29d254b003e54d3.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\xrxxxff.exec:\xrxxxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\ddjvv.exec:\ddjvv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3076 -
\??\c:\llffrrr.exec:\llffrrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3876 -
\??\c:\rrfflrx.exec:\rrfflrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
\??\c:\xrrrlxl.exec:\xrrrlxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\bhbnbn.exec:\bhbnbn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\rxxlxlx.exec:\rxxlxlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\lrxrlll.exec:\lrxrlll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\pppvv.exec:\pppvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\ppppv.exec:\ppppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
\??\c:\rrlflll.exec:\rrlflll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\9dddd.exec:\9dddd.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:948 -
\??\c:\nbnnnt.exec:\nbnnnt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\pvjvp.exec:\pvjvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\hbbttb.exec:\hbbttb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\pvdjj.exec:\pvdjj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2784 -
\??\c:\xlfxxff.exec:\xlfxxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2080 -
\??\c:\ppjjj.exec:\ppjjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\tnnnnn.exec:\tnnnnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
\??\c:\rlrrrff.exec:\rlrrrff.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\llrrrrx.exec:\llrrrrx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\9vjpd.exec:\9vjpd.exe23⤵
- Executes dropped EXE
PID:4920 -
\??\c:\9rxfrff.exec:\9rxfrff.exe24⤵
- Executes dropped EXE
PID:1324 -
\??\c:\rfxflxf.exec:\rfxflxf.exe25⤵
- Executes dropped EXE
PID:2020 -
\??\c:\bhbhtt.exec:\bhbhtt.exe26⤵
- Executes dropped EXE
PID:3436 -
\??\c:\jjppv.exec:\jjppv.exe27⤵
- Executes dropped EXE
PID:1880 -
\??\c:\rxfffll.exec:\rxfffll.exe28⤵
- Executes dropped EXE
PID:4584 -
\??\c:\rrxxxxx.exec:\rrxxxxx.exe29⤵
- Executes dropped EXE
PID:940 -
\??\c:\xrrlfxx.exec:\xrrlfxx.exe30⤵
- Executes dropped EXE
PID:4040 -
\??\c:\djppp.exec:\djppp.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1748 -
\??\c:\bhhhbb.exec:\bhhhbb.exe32⤵
- Executes dropped EXE
PID:1096 -
\??\c:\pdpjd.exec:\pdpjd.exe33⤵
- Executes dropped EXE
PID:544 -
\??\c:\thbntt.exec:\thbntt.exe34⤵
- Executes dropped EXE
PID:2236 -
\??\c:\lfrlrrl.exec:\lfrlrrl.exe35⤵
- Executes dropped EXE
PID:2208 -
\??\c:\ffrrlrr.exec:\ffrrlrr.exe36⤵
- Executes dropped EXE
PID:4676 -
\??\c:\ddppp.exec:\ddppp.exe37⤵
- Executes dropped EXE
PID:4312 -
\??\c:\djddp.exec:\djddp.exe38⤵
- Executes dropped EXE
PID:1668 -
\??\c:\7xrlfxr.exec:\7xrlfxr.exe39⤵
- Executes dropped EXE
PID:4484 -
\??\c:\nnbtnn.exec:\nnbtnn.exe40⤵
- Executes dropped EXE
PID:1696 -
\??\c:\jjdvd.exec:\jjdvd.exe41⤵
- Executes dropped EXE
PID:1340 -
\??\c:\fxllllf.exec:\fxllllf.exe42⤵
- Executes dropped EXE
PID:2188 -
\??\c:\bbbbtn.exec:\bbbbtn.exe43⤵
- Executes dropped EXE
PID:5064 -
\??\c:\bttnnn.exec:\bttnnn.exe44⤵
- Executes dropped EXE
PID:4364 -
\??\c:\vvvpp.exec:\vvvpp.exe45⤵
- Executes dropped EXE
PID:2696 -
\??\c:\xlxrrll.exec:\xlxrrll.exe46⤵
- Executes dropped EXE
PID:4720 -
\??\c:\bnnnnt.exec:\bnnnnt.exe47⤵
- Executes dropped EXE
PID:1268 -
\??\c:\hnhnhh.exec:\hnhnhh.exe48⤵
- Executes dropped EXE
PID:4588 -
\??\c:\vdjdd.exec:\vdjdd.exe49⤵
- Executes dropped EXE
PID:1156 -
\??\c:\xrxfxxr.exec:\xrxfxxr.exe50⤵
- Executes dropped EXE
PID:1176 -
\??\c:\5ntnhh.exec:\5ntnhh.exe51⤵
- Executes dropped EXE
PID:3612 -
\??\c:\jjjdd.exec:\jjjdd.exe52⤵
- Executes dropped EXE
PID:4216 -
\??\c:\1flfrfx.exec:\1flfrfx.exe53⤵
- Executes dropped EXE
PID:3916 -
\??\c:\thttbh.exec:\thttbh.exe54⤵
- Executes dropped EXE
PID:540 -
\??\c:\djdvp.exec:\djdvp.exe55⤵
- Executes dropped EXE
PID:4804 -
\??\c:\rlrlffx.exec:\rlrlffx.exe56⤵
- Executes dropped EXE
PID:1348 -
\??\c:\htnbbh.exec:\htnbbh.exe57⤵
- Executes dropped EXE
PID:2800 -
\??\c:\hbtntt.exec:\hbtntt.exe58⤵
- Executes dropped EXE
PID:2452 -
\??\c:\vjvpv.exec:\vjvpv.exe59⤵
- Executes dropped EXE
PID:2448 -
\??\c:\flxrlll.exec:\flxrlll.exe60⤵
- Executes dropped EXE
PID:3868 -
\??\c:\bbhhhn.exec:\bbhhhn.exe61⤵
- Executes dropped EXE
PID:5000 -
\??\c:\djdjv.exec:\djdjv.exe62⤵
- Executes dropped EXE
PID:4960 -
\??\c:\lxlllrx.exec:\lxlllrx.exe63⤵
- Executes dropped EXE
PID:1856 -
\??\c:\thnhhh.exec:\thnhhh.exe64⤵
- Executes dropped EXE
PID:2080 -
\??\c:\bnttth.exec:\bnttth.exe65⤵
- Executes dropped EXE
PID:220 -
\??\c:\7jvpp.exec:\7jvpp.exe66⤵PID:864
-
\??\c:\lfllllr.exec:\lfllllr.exe67⤵PID:4768
-
\??\c:\3tntnt.exec:\3tntnt.exe68⤵PID:2700
-
\??\c:\1bbbhn.exec:\1bbbhn.exe69⤵PID:5108
-
\??\c:\lllffff.exec:\lllffff.exe70⤵PID:1624
-
\??\c:\lrflflx.exec:\lrflflx.exe71⤵PID:1920
-
\??\c:\nttthn.exec:\nttthn.exe72⤵PID:2372
-
\??\c:\vpddj.exec:\vpddj.exe73⤵PID:3760
-
\??\c:\vdddd.exec:\vdddd.exe74⤵PID:4688
-
\??\c:\flxxxfl.exec:\flxxxfl.exe75⤵PID:2664
-
\??\c:\hhnnhh.exec:\hhnnhh.exe76⤵PID:3964
-
\??\c:\jjvvv.exec:\jjvvv.exe77⤵PID:2060
-
\??\c:\dpdjj.exec:\dpdjj.exe78⤵PID:3000
-
\??\c:\lxrlfll.exec:\lxrlfll.exe79⤵PID:3920
-
\??\c:\3bhnnb.exec:\3bhnnb.exe80⤵PID:4172
-
\??\c:\5pvpj.exec:\5pvpj.exe81⤵PID:2212
-
\??\c:\lrfxxff.exec:\lrfxxff.exe82⤵PID:2712
-
\??\c:\bhnnhn.exec:\bhnnhn.exe83⤵PID:3608
-
\??\c:\ttbbhn.exec:\ttbbhn.exe84⤵PID:1432
-
\??\c:\jvvvp.exec:\jvvvp.exe85⤵PID:2300
-
\??\c:\xxfrrxx.exec:\xxfrrxx.exe86⤵PID:1604
-
\??\c:\tbhhnn.exec:\tbhhnn.exe87⤵PID:3380
-
\??\c:\nbnntb.exec:\nbnntb.exe88⤵PID:4896
-
\??\c:\vpddd.exec:\vpddd.exe89⤵PID:940
-
\??\c:\7frrrxf.exec:\7frrrxf.exe90⤵PID:3160
-
\??\c:\tttbbh.exec:\tttbbh.exe91⤵PID:2608
-
\??\c:\jpddj.exec:\jpddj.exe92⤵PID:2248
-
\??\c:\3xflflr.exec:\3xflflr.exe93⤵PID:1860
-
\??\c:\hbttbh.exec:\hbttbh.exe94⤵PID:2668
-
\??\c:\7pppv.exec:\7pppv.exe95⤵PID:2560
-
\??\c:\rlrxxxl.exec:\rlrxxxl.exe96⤵PID:956
-
\??\c:\tbtbnn.exec:\tbtbnn.exe97⤵PID:3208
-
\??\c:\pdpjd.exec:\pdpjd.exe98⤵
- System Location Discovery: System Language Discovery
PID:3804 -
\??\c:\jpjpv.exec:\jpjpv.exe99⤵PID:3152
-
\??\c:\9nbbbh.exec:\9nbbbh.exe100⤵PID:1384
-
\??\c:\nnttbb.exec:\nnttbb.exe101⤵PID:968
-
\??\c:\dpvpp.exec:\dpvpp.exe102⤵PID:2288
-
\??\c:\fxlllrr.exec:\fxlllrr.exe103⤵PID:2420
-
\??\c:\lrrlrxx.exec:\lrrlrxx.exe104⤵PID:4204
-
\??\c:\1hhttb.exec:\1hhttb.exe105⤵PID:1340
-
\??\c:\pvvpp.exec:\pvvpp.exe106⤵PID:3048
-
\??\c:\9rxflrr.exec:\9rxflrr.exe107⤵PID:224
-
\??\c:\nhbttt.exec:\nhbttt.exe108⤵PID:3184
-
\??\c:\dvjjd.exec:\dvjjd.exe109⤵PID:1440
-
\??\c:\frxfrrx.exec:\frxfrrx.exe110⤵PID:3212
-
\??\c:\hhnthn.exec:\hhnthn.exe111⤵PID:3932
-
\??\c:\hhhhnt.exec:\hhhhnt.exe112⤵PID:4588
-
\??\c:\vdddd.exec:\vdddd.exe113⤵PID:2040
-
\??\c:\rrllflr.exec:\rrllflr.exe114⤵PID:1400
-
\??\c:\bbbbbh.exec:\bbbbbh.exe115⤵PID:3696
-
\??\c:\5dvvj.exec:\5dvvj.exe116⤵PID:3756
-
\??\c:\fxlllrr.exec:\fxlllrr.exe117⤵PID:1248
-
\??\c:\nbhhnt.exec:\nbhhnt.exe118⤵PID:2016
-
\??\c:\jdppp.exec:\jdppp.exe119⤵PID:4372
-
\??\c:\ddjjp.exec:\ddjjp.exe120⤵PID:892
-
\??\c:\llxxxxf.exec:\llxxxxf.exe121⤵PID:3360
-
\??\c:\httnbt.exec:\httnbt.exe122⤵PID:2800