Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted
14/09/2024, 23:44
Behavioral task
behavioral1
Sample
91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11.exe
Resource
win7-20240903-en
11 signatures
150 seconds
Note: every IoC path in the Signatures section below is prefixed behavioral2/, so that evidence comes from the Windows 10 2004 x64 run named in the Analysis header, not from this Windows 7 task (behavioral1).
General
-
Target
91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11.exe
-
Size
126KB
-
MD5
32e21ef7ad24d5c20d6312c1c5b6d771
-
SHA1
c00a42c402dd4c29a5f1b62e85da7959810d847e
-
SHA256
91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11
-
SHA512
16ee05c1d0ace474d918e3ff3249df75ec89e821ef913153d151ddb4c720740cf6a58ec4c2f8e3683422b98abd8c96e0cb1a3dbe255a6d7b1cc8bbb428c08d04
-
SSDEEP
3072:ohOmTsF93UYfwC6GIoutX8KiUcPB77k9YFvjB:ocm4FmowdHoSHqPkYFbB
Malware Config
Signatures
-
Detect Blackmoon payload — 64 IoCs (64 appears to be the report's display cap; the Processes tree below continues to depth 122). Every hit is the same 0x00400000–0x0043B000 region in a different PID, consistent with each dropped executable being a copy of the same image.
resource yara_rule behavioral2/memory/4272-3-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/884-13-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3196-16-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1176-24-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2132-28-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3840-33-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3948-40-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1148-44-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2124-51-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3412-56-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1156-62-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4560-69-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1992-75-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2560-77-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1992-81-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3480-88-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3704-95-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2316-99-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1660-111-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4572-127-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1720-133-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon 
behavioral2/memory/936-138-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4844-148-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4480-169-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3952-168-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/824-178-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4276-185-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4772-192-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4384-196-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4304-212-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1772-222-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4960-229-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2400-233-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3840-235-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4992-241-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2124-251-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4812-255-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4796-259-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3476-271-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4820-281-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3752-285-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4380-292-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon 
behavioral2/memory/2376-306-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3940-310-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2476-345-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1188-346-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/532-371-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3872-406-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2484-410-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/5020-420-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/748-436-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3064-461-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1700-468-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4852-472-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/3312-486-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1008-504-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4756-520-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4552-560-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/2884-564-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/1888-589-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4132-602-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4800-750-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon behavioral2/memory/4992-841-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon 
behavioral2/memory/3496-1029-0x0000000000400000-0x000000000043B000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. The dropped file names are short pseudo-random strings drawn from a small letter set (b, d, f, h, j, l, n, p, r, t, v, x), sometimes with an odd-digit prefix, so detection should key on the drop location (the root of C:\, see Processes) and on the parent→child execution chain rather than on file names.
pid Process 884 fffxxxx.exe 3196 nntntt.exe 1176 1djdd.exe 2132 xrfxllr.exe 3840 lfxrxxx.exe 3948 jdvpv.exe 1148 fxfxrrl.exe 2124 rxxrllf.exe 3412 hhthnh.exe 1156 1jpjd.exe 4560 lxfxrxr.exe 2560 ntnhnb.exe 1992 7hhhbb.exe 3480 jdddv.exe 3704 btnnht.exe 2316 7djdv.exe 4716 1llrlll.exe 1660 ffxrrll.exe 2040 nbthtb.exe 2292 jpppp.exe 4572 rllfxrl.exe 1720 7fxxxfr.exe 936 ttnhbt.exe 3060 jdjjd.exe 4844 fxlfrlf.exe 5084 nbhbtn.exe 1652 7ppdv.exe 3952 pddjv.exe 4480 bnhtnh.exe 824 bnnhhb.exe 4276 9jddv.exe 4588 hbbbhb.exe 4772 7bnhhh.exe 4384 vpvpj.exe 5116 pjjdv.exe 2860 fxllrrl.exe 220 3rxrllf.exe 1132 nhbtnn.exe 4304 nttthh.exe 4676 jdvpj.exe 3608 5pvvp.exe 1772 xlfxrlr.exe 1216 xrflrlr.exe 4960 hnbnhb.exe 2400 hnbtnh.exe 3840 pdvpj.exe 4992 xffxrlf.exe 1148 9xlrlfx.exe 4256 tntbbh.exe 2124 pjjdv.exe 4812 dddvp.exe 4796 frlfxxr.exe 3972 nnbnbh.exe 456 thtnth.exe 4072 jdvpp.exe 3476 pjppv.exe 2616 lfxfxfx.exe 724 flffflx.exe 4820 ntbnnh.exe 3752 pdjvv.exe 3704 ppjpp.exe 4380 rfrrfrl.exe 3064 nhtnbt.exe 3548 nbthnh.exe -
resource yara_rule behavioral2/memory/4272-0-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/4272-3-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00080000000234b6-4.dat upx behavioral2/memory/884-6-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00080000000234b9-9.dat upx behavioral2/memory/884-13-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234bd-12.dat upx behavioral2/memory/3196-16-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234bf-21.dat upx behavioral2/memory/1176-24-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234c0-27.dat upx behavioral2/memory/2132-28-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/3840-33-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234c1-32.dat upx behavioral2/files/0x00070000000234c2-37.dat upx behavioral2/memory/3948-40-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234c3-42.dat upx behavioral2/memory/1148-44-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234c4-48.dat upx behavioral2/memory/2124-51-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234c5-54.dat upx behavioral2/memory/3412-56-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234c6-60.dat upx behavioral2/memory/1156-62-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/4560-69-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/2560-71-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234c7-67.dat upx behavioral2/files/0x00070000000234c8-73.dat upx behavioral2/memory/1992-75-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/2560-77-0x0000000000400000-0x000000000043B000-memory.dmp upx 
behavioral2/files/0x00070000000234c9-82.dat upx behavioral2/memory/1992-81-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234ca-86.dat upx behavioral2/memory/3480-88-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234cb-93.dat upx behavioral2/memory/3704-95-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/2316-99-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234cc-100.dat upx behavioral2/files/0x00070000000234cd-104.dat upx behavioral2/memory/1660-111-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234ce-112.dat upx behavioral2/files/0x00070000000234cf-115.dat upx behavioral2/files/0x00070000000234d1-121.dat upx behavioral2/files/0x00070000000234d2-125.dat upx behavioral2/memory/4572-127-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234d3-131.dat upx behavioral2/memory/1720-133-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/936-138-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234d4-140.dat upx behavioral2/files/0x00070000000234d5-145.dat upx behavioral2/memory/4844-148-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234d6-155.dat upx behavioral2/files/0x00080000000234ba-151.dat upx behavioral2/files/0x00070000000234d7-159.dat upx behavioral2/files/0x00070000000234d8-164.dat upx behavioral2/memory/4480-169-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/3952-168-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234d9-171.dat upx behavioral2/files/0x00070000000234da-176.dat upx behavioral2/memory/824-178-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/4276-185-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/files/0x00070000000234db-182.dat upx 
behavioral2/memory/4772-192-0x0000000000400000-0x000000000043B000-memory.dmp upx behavioral2/memory/4384-196-0x0000000000400000-0x000000000043B000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Each entry below is an open of HKLM\SYSTEM\ControlSet001\Control\NLS\Language; entries attributed to "Process not Found" mean the sandbox recorded the key access but could not map it to a tracked process (typically because that process had already exited), so only a handful of the opens are tied to a named dropped executable. A common use of this check is locale-based execution gating, but this report does not show what the sample does with the value.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrrflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Every entry is a parent writing to the child it has just spawned (three writes per child, e.g. PID 4272 → 884, 884 → 3196), which is also what ordinary process creation looks like from this vantage point; on its own it is weak evidence of injection into a foreign process. The notable signal is the chain itself: each dropped executable launches the next, 122 levels deep in the Processes tree.
description pid Process procid_target PID 4272 wrote to memory of 884 4272 91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11.exe 86 PID 4272 wrote to memory of 884 4272 91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11.exe 86 PID 4272 wrote to memory of 884 4272 91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11.exe 86 PID 884 wrote to memory of 3196 884 fffxxxx.exe 87 PID 884 wrote to memory of 3196 884 fffxxxx.exe 87 PID 884 wrote to memory of 3196 884 fffxxxx.exe 87 PID 3196 wrote to memory of 1176 3196 nntntt.exe 88 PID 3196 wrote to memory of 1176 3196 nntntt.exe 88 PID 3196 wrote to memory of 1176 3196 nntntt.exe 88 PID 1176 wrote to memory of 2132 1176 1djdd.exe 89 PID 1176 wrote to memory of 2132 1176 1djdd.exe 89 PID 1176 wrote to memory of 2132 1176 1djdd.exe 89 PID 2132 wrote to memory of 3840 2132 xrfxllr.exe 90 PID 2132 wrote to memory of 3840 2132 xrfxllr.exe 90 PID 2132 wrote to memory of 3840 2132 xrfxllr.exe 90 PID 3840 wrote to memory of 3948 3840 lfxrxxx.exe 91 PID 3840 wrote to memory of 3948 3840 lfxrxxx.exe 91 PID 3840 wrote to memory of 3948 3840 lfxrxxx.exe 91 PID 3948 wrote to memory of 1148 3948 jdvpv.exe 92 PID 3948 wrote to memory of 1148 3948 jdvpv.exe 92 PID 3948 wrote to memory of 1148 3948 jdvpv.exe 92 PID 1148 wrote to memory of 2124 1148 fxfxrrl.exe 93 PID 1148 wrote to memory of 2124 1148 fxfxrrl.exe 93 PID 1148 wrote to memory of 2124 1148 fxfxrrl.exe 93 PID 2124 wrote to memory of 3412 2124 rxxrllf.exe 95 PID 2124 wrote to memory of 3412 2124 rxxrllf.exe 95 PID 2124 wrote to memory of 3412 2124 rxxrllf.exe 95 PID 3412 wrote to memory of 1156 3412 hhthnh.exe 96 PID 3412 wrote to memory of 1156 3412 hhthnh.exe 96 PID 3412 wrote to memory of 1156 3412 hhthnh.exe 96 PID 1156 wrote to memory of 4560 1156 1jpjd.exe 97 PID 1156 wrote to memory of 4560 1156 1jpjd.exe 97 PID 1156 wrote to memory of 4560 1156 1jpjd.exe 97 PID 4560 wrote to memory of 2560 4560 lxfxrxr.exe 98 PID 4560 wrote to 
memory of 2560 4560 lxfxrxr.exe 98 PID 4560 wrote to memory of 2560 4560 lxfxrxr.exe 98 PID 2560 wrote to memory of 1992 2560 ntnhnb.exe 99 PID 2560 wrote to memory of 1992 2560 ntnhnb.exe 99 PID 2560 wrote to memory of 1992 2560 ntnhnb.exe 99 PID 1992 wrote to memory of 3480 1992 7hhhbb.exe 100 PID 1992 wrote to memory of 3480 1992 7hhhbb.exe 100 PID 1992 wrote to memory of 3480 1992 7hhhbb.exe 100 PID 3480 wrote to memory of 3704 3480 jdddv.exe 101 PID 3480 wrote to memory of 3704 3480 jdddv.exe 101 PID 3480 wrote to memory of 3704 3480 jdddv.exe 101 PID 3704 wrote to memory of 2316 3704 btnnht.exe 103 PID 3704 wrote to memory of 2316 3704 btnnht.exe 103 PID 3704 wrote to memory of 2316 3704 btnnht.exe 103 PID 2316 wrote to memory of 4716 2316 7djdv.exe 104 PID 2316 wrote to memory of 4716 2316 7djdv.exe 104 PID 2316 wrote to memory of 4716 2316 7djdv.exe 104 PID 4716 wrote to memory of 1660 4716 1llrlll.exe 105 PID 4716 wrote to memory of 1660 4716 1llrlll.exe 105 PID 4716 wrote to memory of 1660 4716 1llrlll.exe 105 PID 1660 wrote to memory of 2040 1660 ffxrrll.exe 106 PID 1660 wrote to memory of 2040 1660 ffxrrll.exe 106 PID 1660 wrote to memory of 2040 1660 ffxrrll.exe 106 PID 2040 wrote to memory of 2292 2040 nbthtb.exe 107 PID 2040 wrote to memory of 2292 2040 nbthtb.exe 107 PID 2040 wrote to memory of 2292 2040 nbthtb.exe 107 PID 2292 wrote to memory of 4572 2292 jpppp.exe 108 PID 2292 wrote to memory of 4572 2292 jpppp.exe 108 PID 2292 wrote to memory of 4572 2292 jpppp.exe 108 PID 4572 wrote to memory of 1720 4572 rllfxrl.exe 109
Processes (the number before ⤵ is the nesting depth). The original sample runs from C:\Users\Admin\AppData\Local\Temp and every dropped executable is written to the root of C:\; by default a standard user normally cannot create files directly in the system-drive root, so this behaviour presumably depends on the sandbox's Admin account — confirm against a non-elevated run before relying on the C:\*.exe drop path as an indicator.
-
C:\Users\Admin\AppData\Local\Temp\91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11.exe"C:\Users\Admin\AppData\Local\Temp\91dbf9e6fa04c54fb811b4980414c15fd5727b9b055a844cf8e4f3d6cd7b5e11.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\fffxxxx.exec:\fffxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\nntntt.exec:\nntntt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3196 -
\??\c:\1djdd.exec:\1djdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\xrfxllr.exec:\xrfxllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
\??\c:\lfxrxxx.exec:\lfxrxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\jdvpv.exec:\jdvpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\rxxrllf.exec:\rxxrllf.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124 -
\??\c:\hhthnh.exec:\hhthnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\1jpjd.exec:\1jpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\lxfxrxr.exec:\lxfxrxr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\ntnhnb.exec:\ntnhnb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
\??\c:\7hhhbb.exec:\7hhhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\jdddv.exec:\jdddv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\btnnht.exec:\btnnht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\7djdv.exec:\7djdv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\1llrlll.exec:\1llrlll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
\??\c:\ffxrrll.exec:\ffxrrll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1660 -
\??\c:\nbthtb.exec:\nbthtb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2040 -
\??\c:\jpppp.exec:\jpppp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2292 -
\??\c:\rllfxrl.exec:\rllfxrl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\7fxxxfr.exec:\7fxxxfr.exe23⤵
- Executes dropped EXE
PID:1720 -
\??\c:\ttnhbt.exec:\ttnhbt.exe24⤵
- Executes dropped EXE
PID:936 -
\??\c:\jdjjd.exec:\jdjjd.exe25⤵
- Executes dropped EXE
PID:3060 -
\??\c:\fxlfrlf.exec:\fxlfrlf.exe26⤵
- Executes dropped EXE
PID:4844 -
\??\c:\nbhbtn.exec:\nbhbtn.exe27⤵
- Executes dropped EXE
PID:5084 -
\??\c:\7ppdv.exec:\7ppdv.exe28⤵
- Executes dropped EXE
PID:1652 -
\??\c:\pddjv.exec:\pddjv.exe29⤵
- Executes dropped EXE
PID:3952 -
\??\c:\bnhtnh.exec:\bnhtnh.exe30⤵
- Executes dropped EXE
PID:4480 -
\??\c:\bnnhhb.exec:\bnnhhb.exe31⤵
- Executes dropped EXE
PID:824 -
\??\c:\9jddv.exec:\9jddv.exe32⤵
- Executes dropped EXE
PID:4276 -
\??\c:\hbbbhb.exec:\hbbbhb.exe33⤵
- Executes dropped EXE
PID:4588 -
\??\c:\7bnhhh.exec:\7bnhhh.exe34⤵
- Executes dropped EXE
PID:4772 -
\??\c:\vpvpj.exec:\vpvpj.exe35⤵
- Executes dropped EXE
PID:4384 -
\??\c:\pjjdv.exec:\pjjdv.exe36⤵
- Executes dropped EXE
PID:5116 -
\??\c:\fxllrrl.exec:\fxllrrl.exe37⤵
- Executes dropped EXE
PID:2860 -
\??\c:\3rxrllf.exec:\3rxrllf.exe38⤵
- Executes dropped EXE
PID:220 -
\??\c:\nhbtnn.exec:\nhbtnn.exe39⤵
- Executes dropped EXE
PID:1132 -
\??\c:\nttthh.exec:\nttthh.exe40⤵
- Executes dropped EXE
PID:4304 -
\??\c:\jdvpj.exec:\jdvpj.exe41⤵
- Executes dropped EXE
PID:4676 -
\??\c:\5pvvp.exec:\5pvvp.exe42⤵
- Executes dropped EXE
PID:3608 -
\??\c:\xlfxrlr.exec:\xlfxrlr.exe43⤵
- Executes dropped EXE
PID:1772 -
\??\c:\xrflrlr.exec:\xrflrlr.exe44⤵
- Executes dropped EXE
PID:1216 -
\??\c:\hnbnhb.exec:\hnbnhb.exe45⤵
- Executes dropped EXE
PID:4960 -
\??\c:\hnbtnh.exec:\hnbtnh.exe46⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pdvpj.exec:\pdvpj.exe47⤵
- Executes dropped EXE
PID:3840 -
\??\c:\xffxrlf.exec:\xffxrlf.exe48⤵
- Executes dropped EXE
PID:4992 -
\??\c:\9xlrlfx.exec:\9xlrlfx.exe49⤵
- Executes dropped EXE
PID:1148 -
\??\c:\tntbbh.exec:\tntbbh.exe50⤵
- Executes dropped EXE
PID:4256 -
\??\c:\pjjdv.exec:\pjjdv.exe51⤵
- Executes dropped EXE
PID:2124 -
\??\c:\dddvp.exec:\dddvp.exe52⤵
- Executes dropped EXE
PID:4812 -
\??\c:\frlfxxr.exec:\frlfxxr.exe53⤵
- Executes dropped EXE
PID:4796 -
\??\c:\nnbnbh.exec:\nnbnbh.exe54⤵
- Executes dropped EXE
PID:3972 -
\??\c:\thtnth.exec:\thtnth.exe55⤵
- Executes dropped EXE
PID:456 -
\??\c:\jdvpp.exec:\jdvpp.exe56⤵
- Executes dropped EXE
PID:4072 -
\??\c:\pjppv.exec:\pjppv.exe57⤵
- Executes dropped EXE
PID:3476 -
\??\c:\lfxfxfx.exec:\lfxfxfx.exe58⤵
- Executes dropped EXE
PID:2616 -
\??\c:\flffflx.exec:\flffflx.exe59⤵
- Executes dropped EXE
PID:724 -
\??\c:\ntbnnh.exec:\ntbnnh.exe60⤵
- Executes dropped EXE
PID:4820 -
\??\c:\pdjvv.exec:\pdjvv.exe61⤵
- Executes dropped EXE
PID:3752 -
\??\c:\ppjpp.exec:\ppjpp.exe62⤵
- Executes dropped EXE
PID:3704 -
\??\c:\rfrrfrl.exec:\rfrrfrl.exe63⤵
- Executes dropped EXE
PID:4380 -
\??\c:\nhtnbt.exec:\nhtnbt.exe64⤵
- Executes dropped EXE
PID:3064 -
\??\c:\nbthnh.exec:\nbthnh.exe65⤵
- Executes dropped EXE
PID:3548 -
\??\c:\jpjvp.exec:\jpjvp.exe66⤵PID:1700
-
\??\c:\dpjvp.exec:\dpjvp.exe67⤵PID:2376
-
\??\c:\lxrllfx.exec:\lxrllfx.exe68⤵PID:3940
-
\??\c:\nnbthb.exec:\nnbthb.exe69⤵PID:1848
-
\??\c:\jjjvj.exec:\jjjvj.exe70⤵PID:1188
-
\??\c:\3ddvj.exec:\3ddvj.exe71⤵PID:2448
-
\??\c:\ffrrxxr.exec:\ffrrxxr.exe72⤵PID:4740
-
\??\c:\tbbbnh.exec:\tbbbnh.exe73⤵PID:3980
-
\??\c:\rxlfrrr.exec:\rxlfrrr.exe74⤵PID:1304
-
\??\c:\lfrfflr.exec:\lfrfflr.exe75⤵PID:1984
-
\??\c:\nbbbtt.exec:\nbbbtt.exe76⤵PID:1540
-
\??\c:\pppjd.exec:\pppjd.exe77⤵PID:944
-
\??\c:\xflllrf.exec:\xflllrf.exe78⤵PID:5060
-
\??\c:\nhnnhn.exec:\nhnnhn.exe79⤵PID:2476
-
\??\c:\nnnhtn.exec:\nnnhtn.exe80⤵PID:2180
-
\??\c:\djpdd.exec:\djpdd.exe81⤵PID:5100
-
\??\c:\frrfxxr.exec:\frrfxxr.exe82⤵PID:3456
-
\??\c:\rrrrrrl.exec:\rrrrrrl.exe83⤵PID:4516
-
\??\c:\hhttnn.exec:\hhttnn.exe84⤵PID:3372
-
\??\c:\htbnbh.exec:\htbnbh.exe85⤵PID:3648
-
\??\c:\jvpjv.exec:\jvpjv.exe86⤵PID:2176
-
\??\c:\frrrrll.exec:\frrrrll.exe87⤵PID:532
-
\??\c:\ntnhtn.exec:\ntnhtn.exe88⤵PID:4292
-
\??\c:\bbtthh.exec:\bbtthh.exe89⤵PID:1132
-
\??\c:\7jpdp.exec:\7jpdp.exe90⤵PID:1956
-
\??\c:\xxrlfrr.exec:\xxrlfrr.exe91⤵PID:4676
-
\??\c:\btntbt.exec:\btntbt.exe92⤵PID:3608
-
\??\c:\vpddv.exec:\vpddv.exe93⤵PID:3024
-
\??\c:\vjdvv.exec:\vjdvv.exe94⤵PID:1216
-
\??\c:\xfllxlr.exec:\xfllxlr.exe95⤵PID:2456
-
\??\c:\tbbtbh.exec:\tbbtbh.exe96⤵PID:4104
-
\??\c:\nhbhhh.exec:\nhbhhh.exe97⤵PID:4488
-
\??\c:\ddvjv.exec:\ddvjv.exe98⤵PID:3872
-
\??\c:\3fxrfxx.exec:\3fxrfxx.exe99⤵PID:2484
-
\??\c:\lfffrlx.exec:\lfffrlx.exe100⤵PID:3588
-
\??\c:\hhbthh.exec:\hhbthh.exe101⤵PID:2884
-
\??\c:\jppjv.exec:\jppjv.exe102⤵PID:5020
-
\??\c:\dpjdv.exec:\dpjdv.exe103⤵PID:1432
-
\??\c:\fffxxxr.exec:\fffxxxr.exe104⤵PID:2440
-
\??\c:\rllfxxr.exec:\rllfxxr.exe105⤵PID:4020
-
\??\c:\bttntn.exec:\bttntn.exe106⤵PID:2080
-
\??\c:\dvvjd.exec:\dvvjd.exe107⤵PID:748
-
\??\c:\jddvp.exec:\jddvp.exe108⤵PID:1864
-
\??\c:\fxxxrrr.exec:\fxxxrrr.exe109⤵PID:2828
-
\??\c:\nhbtnh.exec:\nhbtnh.exe110⤵PID:728
-
\??\c:\vddvp.exec:\vddvp.exe111⤵PID:3788
-
\??\c:\jddpj.exec:\jddpj.exe112⤵PID:4332
-
\??\c:\lfrrrxf.exec:\lfrrrxf.exe113⤵PID:3496
-
\??\c:\5hhhnt.exec:\5hhhnt.exe114⤵PID:4716
-
\??\c:\3rfrfff.exec:\3rfrfff.exe115⤵PID:3064
-
\??\c:\hhhbbn.exec:\hhhbbn.exe116⤵PID:3548
-
\??\c:\nnbnbb.exec:\nnbnbb.exe117⤵PID:1700
-
\??\c:\jppvp.exec:\jppvp.exe118⤵PID:4852
-
\??\c:\dvvpp.exec:\dvvpp.exe119⤵
- System Location Discovery: System Language Discovery
PID:2640 -
\??\c:\frllfff.exec:\frllfff.exe120⤵PID:1408
-
\??\c:\xlllfxx.exec:\xlllfxx.exe121⤵PID:1196
-
\??\c:\bbhbtn.exec:\bbhbtn.exe122⤵PID:2084
-