Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 03:38
Behavioral task
behavioral1
Sample
c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161.exe
-
Size
335KB
-
MD5
92268ac5d4ad9953d3ad64c6fec54977
-
SHA1
3baffdf8d0f134a049b0ef1ceaf58a411dd38d9f
-
SHA256
c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161
-
SHA512
9f49c9245046eb0e446b92fbb3b664a21747d5f5df68bc53ab3c994c09fc4b9ce4f87e5e7a28f6973b055205aef06ded86178ba6f3bb18276a1a0c44b9673be6
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRt:R4wFHoSHYHUrAwfMp3CDRt
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1044-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3956-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1488-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3552-35-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1924-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1168-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3092-48-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3812-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-64-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2608-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-88-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2796-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3392-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3060-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4568-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1588-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3532-159-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2104-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1152-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1796-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1880-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2696-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/8-199-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/320-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4920-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1504-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4652-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4360-220-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2864-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4620-238-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3592-251-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4512-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1136-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3068-276-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3004-281-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4852-288-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-306-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-311-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4244-318-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4060-335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-342-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1608-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-372-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-381-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4748-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2372-405-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3540-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1856-441-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2172-472-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4128-517-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5004-552-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-745-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/808-970-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4604 llxxrxf.exe 1688 7hnbtt.exe 4620 lxxrlrl.exe 3956 vdpjd.exe 1488 1xfxxff.exe 3552 nhhhht.exe 1168 rxxrrrr.exe 1924 3tbtbb.exe 3092 nhbtbn.exe 3812 vjpvv.exe 3212 nhttbn.exe 5056 tnnhhb.exe 4956 pjjdv.exe 2608 lllfffx.exe 2416 thnbth.exe 1548 dpdvp.exe 4852 fllfrrl.exe 2796 bhnhbb.exe 3392 9bnhnn.exe 796 xxrrrxr.exe 3972 tbbtnh.exe 2172 vjjpp.exe 3060 xrrxrfx.exe 4416 rxffffx.exe 2736 dvpdd.exe 1360 jjvpd.exe 1852 xxlfffx.exe 2340 bttttb.exe 3896 7rxlffr.exe 2440 xxrxlfx.exe 2312 1tthbb.exe 1588 ddvvp.exe 4568 bbhnnh.exe 3532 9btnnn.exe 2104 7djpj.exe 4660 pjpdv.exe 1152 5flxrlf.exe 4128 1xxrrlf.exe 1596 3bttbh.exe 3756 jjpjj.exe 1796 9pdvd.exe 1860 fxfllff.exe 1880 tttnnn.exe 2856 7dvdv.exe 3716 xlffxrl.exe 3676 9xfffff.exe 2696 htttnb.exe 4980 ntbtnh.exe 3560 jdjdv.exe 8 5fffxlr.exe 320 httthb.exe 4920 nhnhnn.exe 1644 3dvjd.exe 3892 hbnhhn.exe 4628 djjdd.exe 1504 jdjvj.exe 4652 rllfxxr.exe 4360 nbbhbt.exe 1660 bbbbtt.exe 4472 dvjjj.exe 2864 5rflrff.exe 2372 9fxrlfx.exe 3928 hbbthn.exe 2640 hbhbbb.exe -
resource yara_rule behavioral2/memory/1044-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b21-3.dat upx behavioral2/memory/1044-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4604-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0033000000023b73-8.dat upx behavioral2/files/0x000a000000023b7e-11.dat upx behavioral2/memory/1688-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4620-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-19.dat upx behavioral2/memory/4620-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-24.dat upx behavioral2/memory/3956-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-29.dat upx behavioral2/memory/1488-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-34.dat upx behavioral2/memory/3552-35-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-39.dat upx behavioral2/memory/1924-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1168-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-46.dat upx behavioral2/memory/3092-48-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-50.dat upx behavioral2/files/0x000a000000023b87-54.dat upx behavioral2/memory/3812-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-59.dat upx behavioral2/files/0x000a000000023b89-63.dat upx behavioral2/memory/5056-64-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-68.dat upx behavioral2/memory/2608-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-72.dat upx behavioral2/files/0x000a000000023b8c-77.dat upx 
behavioral2/files/0x000a000000023b8d-81.dat upx behavioral2/memory/1548-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b78-86.dat upx behavioral2/memory/4852-88-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-92.dat upx behavioral2/memory/2796-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-96.dat upx behavioral2/memory/3392-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-102.dat upx behavioral2/files/0x000a000000023b91-105.dat upx behavioral2/memory/2172-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-111.dat upx behavioral2/files/0x000a000000023b93-114.dat upx behavioral2/memory/3060-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-119.dat upx behavioral2/files/0x000a000000023b96-123.dat upx behavioral2/files/0x000a000000023b97-127.dat upx behavioral2/memory/1852-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-133.dat upx behavioral2/files/0x000a000000023b99-136.dat upx behavioral2/files/0x000a000000023b9a-140.dat upx behavioral2/memory/2440-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-145.dat upx behavioral2/files/0x000a000000023b9c-149.dat upx behavioral2/memory/4568-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1588-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3532-159-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2104-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4660-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1152-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4128-171-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1796-178-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1880-183-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xlflfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7djpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxxrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hnthb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1044 wrote to memory of 4604 1044 c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161.exe 81 PID 1044 wrote to memory of 4604 1044 c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161.exe 81 PID 1044 wrote to memory of 4604 1044 c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161.exe 81 PID 4604 wrote to memory of 1688 4604 llxxrxf.exe 82 PID 4604 wrote to memory of 1688 4604 llxxrxf.exe 82 PID 4604 wrote to memory of 1688 4604 llxxrxf.exe 82 PID 1688 wrote to memory of 4620 1688 7hnbtt.exe 83 PID 1688 wrote to memory of 4620 1688 7hnbtt.exe 83 PID 1688 wrote to memory of 4620 1688 7hnbtt.exe 83 PID 4620 wrote to memory of 3956 4620 lxxrlrl.exe 84 PID 4620 wrote to memory of 3956 4620 lxxrlrl.exe 84 PID 4620 wrote to memory of 3956 4620 lxxrlrl.exe 84 PID 3956 wrote to memory of 1488 3956 vdpjd.exe 85 PID 3956 wrote to memory of 1488 3956 vdpjd.exe 85 PID 3956 wrote to memory of 1488 3956 vdpjd.exe 85 PID 1488 wrote to memory of 3552 1488 1xfxxff.exe 86 PID 1488 wrote to memory of 3552 1488 1xfxxff.exe 86 PID 1488 wrote to memory of 3552 1488 1xfxxff.exe 86 PID 3552 wrote to memory of 1168 3552 nhhhht.exe 87 PID 3552 wrote to memory of 1168 3552 nhhhht.exe 87 PID 3552 wrote to memory of 1168 3552 nhhhht.exe 87 PID 1168 wrote to memory of 1924 1168 rxxrrrr.exe 88 PID 1168 wrote to memory of 1924 1168 rxxrrrr.exe 88 PID 1168 wrote to memory of 1924 1168 rxxrrrr.exe 88 PID 1924 wrote to memory of 3092 1924 3tbtbb.exe 89 PID 1924 wrote to memory of 3092 1924 3tbtbb.exe 89 PID 1924 wrote to memory of 3092 1924 3tbtbb.exe 89 PID 3092 wrote to memory of 3812 3092 nhbtbn.exe 90 PID 3092 wrote to memory of 3812 3092 nhbtbn.exe 90 PID 3092 wrote to memory of 3812 3092 nhbtbn.exe 90 PID 3812 wrote to memory of 3212 3812 vjpvv.exe 91 PID 3812 wrote to memory of 3212 3812 vjpvv.exe 91 PID 3812 wrote to memory of 3212 3812 vjpvv.exe 91 PID 3212 wrote to memory of 5056 3212 nhttbn.exe 92 PID 3212 
wrote to memory of 5056 3212 nhttbn.exe 92 PID 3212 wrote to memory of 5056 3212 nhttbn.exe 92 PID 5056 wrote to memory of 4956 5056 tnnhhb.exe 93 PID 5056 wrote to memory of 4956 5056 tnnhhb.exe 93 PID 5056 wrote to memory of 4956 5056 tnnhhb.exe 93 PID 4956 wrote to memory of 2608 4956 pjjdv.exe 94 PID 4956 wrote to memory of 2608 4956 pjjdv.exe 94 PID 4956 wrote to memory of 2608 4956 pjjdv.exe 94 PID 2608 wrote to memory of 2416 2608 lllfffx.exe 95 PID 2608 wrote to memory of 2416 2608 lllfffx.exe 95 PID 2608 wrote to memory of 2416 2608 lllfffx.exe 95 PID 2416 wrote to memory of 1548 2416 thnbth.exe 96 PID 2416 wrote to memory of 1548 2416 thnbth.exe 96 PID 2416 wrote to memory of 1548 2416 thnbth.exe 96 PID 1548 wrote to memory of 4852 1548 dpdvp.exe 97 PID 1548 wrote to memory of 4852 1548 dpdvp.exe 97 PID 1548 wrote to memory of 4852 1548 dpdvp.exe 97 PID 4852 wrote to memory of 2796 4852 fllfrrl.exe 98 PID 4852 wrote to memory of 2796 4852 fllfrrl.exe 98 PID 4852 wrote to memory of 2796 4852 fllfrrl.exe 98 PID 2796 wrote to memory of 3392 2796 bhnhbb.exe 99 PID 2796 wrote to memory of 3392 2796 bhnhbb.exe 99 PID 2796 wrote to memory of 3392 2796 bhnhbb.exe 99 PID 3392 wrote to memory of 796 3392 9bnhnn.exe 100 PID 3392 wrote to memory of 796 3392 9bnhnn.exe 100 PID 3392 wrote to memory of 796 3392 9bnhnn.exe 100 PID 796 wrote to memory of 3972 796 xxrrrxr.exe 101 PID 796 wrote to memory of 3972 796 xxrrrxr.exe 101 PID 796 wrote to memory of 3972 796 xxrrrxr.exe 101 PID 3972 wrote to memory of 2172 3972 tbbtnh.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161.exe"C:\Users\Admin\AppData\Local\Temp\c6ac3075a86ba33ca902eebdd98cdd910c26f62354e00b3376f8d5daa9758161.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\llxxrxf.exec:\llxxrxf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\7hnbtt.exec:\7hnbtt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
\??\c:\lxxrlrl.exec:\lxxrlrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\vdpjd.exec:\vdpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\1xfxxff.exec:\1xfxxff.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
\??\c:\nhhhht.exec:\nhhhht.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\rxxrrrr.exec:\rxxrrrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\3tbtbb.exec:\3tbtbb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
\??\c:\nhbtbn.exec:\nhbtbn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3092 -
\??\c:\vjpvv.exec:\vjpvv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3812 -
\??\c:\nhttbn.exec:\nhttbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
\??\c:\tnnhhb.exec:\tnnhhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\pjjdv.exec:\pjjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
\??\c:\lllfffx.exec:\lllfffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\thnbth.exec:\thnbth.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2416 -
\??\c:\dpdvp.exec:\dpdvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1548 -
\??\c:\fllfrrl.exec:\fllfrrl.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
\??\c:\bhnhbb.exec:\bhnhbb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796 -
\??\c:\9bnhnn.exec:\9bnhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392 -
\??\c:\xxrrrxr.exec:\xxrrrxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:796 -
\??\c:\tbbtnh.exec:\tbbtnh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\vjjpp.exec:\vjjpp.exe23⤵
- Executes dropped EXE
PID:2172 -
\??\c:\xrrxrfx.exec:\xrrxrfx.exe24⤵
- Executes dropped EXE
PID:3060 -
\??\c:\rxffffx.exec:\rxffffx.exe25⤵
- Executes dropped EXE
PID:4416 -
\??\c:\dvpdd.exec:\dvpdd.exe26⤵
- Executes dropped EXE
PID:2736 -
\??\c:\jjvpd.exec:\jjvpd.exe27⤵
- Executes dropped EXE
PID:1360 -
\??\c:\xxlfffx.exec:\xxlfffx.exe28⤵
- Executes dropped EXE
PID:1852 -
\??\c:\bttttb.exec:\bttttb.exe29⤵
- Executes dropped EXE
PID:2340 -
\??\c:\7rxlffr.exec:\7rxlffr.exe30⤵
- Executes dropped EXE
PID:3896 -
\??\c:\xxrxlfx.exec:\xxrxlfx.exe31⤵
- Executes dropped EXE
PID:2440 -
\??\c:\1tthbb.exec:\1tthbb.exe32⤵
- Executes dropped EXE
PID:2312 -
\??\c:\ddvvp.exec:\ddvvp.exe33⤵
- Executes dropped EXE
PID:1588 -
\??\c:\bbhnnh.exec:\bbhnnh.exe34⤵
- Executes dropped EXE
PID:4568 -
\??\c:\9btnnn.exec:\9btnnn.exe35⤵
- Executes dropped EXE
PID:3532 -
\??\c:\7djpj.exec:\7djpj.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104 -
\??\c:\pjpdv.exec:\pjpdv.exe37⤵
- Executes dropped EXE
PID:4660 -
\??\c:\5flxrlf.exec:\5flxrlf.exe38⤵
- Executes dropped EXE
PID:1152 -
\??\c:\1xxrrlf.exec:\1xxrrlf.exe39⤵
- Executes dropped EXE
PID:4128 -
\??\c:\3bttbh.exec:\3bttbh.exe40⤵
- Executes dropped EXE
PID:1596 -
\??\c:\jjpjj.exec:\jjpjj.exe41⤵
- Executes dropped EXE
PID:3756 -
\??\c:\9pdvd.exec:\9pdvd.exe42⤵
- Executes dropped EXE
PID:1796 -
\??\c:\fxfllff.exec:\fxfllff.exe43⤵
- Executes dropped EXE
PID:1860 -
\??\c:\tttnnn.exec:\tttnnn.exe44⤵
- Executes dropped EXE
PID:1880 -
\??\c:\7dvdv.exec:\7dvdv.exe45⤵
- Executes dropped EXE
PID:2856 -
\??\c:\xlffxrl.exec:\xlffxrl.exe46⤵
- Executes dropped EXE
PID:3716 -
\??\c:\9xfffff.exec:\9xfffff.exe47⤵
- Executes dropped EXE
PID:3676 -
\??\c:\htttnb.exec:\htttnb.exe48⤵
- Executes dropped EXE
PID:2696 -
\??\c:\ntbtnh.exec:\ntbtnh.exe49⤵
- Executes dropped EXE
PID:4980 -
\??\c:\jdjdv.exec:\jdjdv.exe50⤵
- Executes dropped EXE
PID:3560 -
\??\c:\5fffxlr.exec:\5fffxlr.exe51⤵
- Executes dropped EXE
PID:8 -
\??\c:\httthb.exec:\httthb.exe52⤵
- Executes dropped EXE
PID:320 -
\??\c:\nhnhnn.exec:\nhnhnn.exe53⤵
- Executes dropped EXE
PID:4920 -
\??\c:\3dvjd.exec:\3dvjd.exe54⤵
- Executes dropped EXE
PID:1644 -
\??\c:\hbnhhn.exec:\hbnhhn.exe55⤵
- Executes dropped EXE
PID:3892 -
\??\c:\djjdd.exec:\djjdd.exe56⤵
- Executes dropped EXE
PID:4628 -
\??\c:\jdjvj.exec:\jdjvj.exe57⤵
- Executes dropped EXE
PID:1504 -
\??\c:\rllfxxr.exec:\rllfxxr.exe58⤵
- Executes dropped EXE
PID:4652 -
\??\c:\nbbhbt.exec:\nbbhbt.exe59⤵
- Executes dropped EXE
PID:4360 -
\??\c:\bbbbtt.exec:\bbbbtt.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660 -
\??\c:\dvjjj.exec:\dvjjj.exe61⤵
- Executes dropped EXE
PID:4472 -
\??\c:\5rflrff.exec:\5rflrff.exe62⤵
- Executes dropped EXE
PID:2864 -
\??\c:\9fxrlfx.exec:\9fxrlfx.exe63⤵
- Executes dropped EXE
PID:2372 -
\??\c:\hbbthn.exec:\hbbthn.exe64⤵
- Executes dropped EXE
PID:3928 -
\??\c:\hbhbbb.exec:\hbhbbb.exe65⤵
- Executes dropped EXE
PID:2640 -
\??\c:\vvdpp.exec:\vvdpp.exe66⤵PID:2996
-
\??\c:\lrrlllf.exec:\lrrlllf.exe67⤵PID:4620
-
\??\c:\nhthtb.exec:\nhthtb.exe68⤵PID:2136
-
\??\c:\tntnnn.exec:\tntnnn.exe69⤵PID:2328
-
\??\c:\pjjdv.exec:\pjjdv.exe70⤵PID:1488
-
\??\c:\1xfxrrl.exec:\1xfxrrl.exe71⤵PID:3612
-
\??\c:\hnbtnt.exec:\hnbtnt.exe72⤵PID:5072
-
\??\c:\bttnbb.exec:\bttnbb.exe73⤵PID:3592
-
\??\c:\jvdpj.exec:\jvdpj.exe74⤵PID:1064
-
\??\c:\3rxxrxr.exec:\3rxxrxr.exe75⤵PID:4500
-
\??\c:\frlfxxx.exec:\frlfxxx.exe76⤵PID:1920
-
\??\c:\5bttbb.exec:\5bttbb.exe77⤵PID:3120
-
\??\c:\dvjdj.exec:\dvjdj.exe78⤵PID:3356
-
\??\c:\rxxlxrx.exec:\rxxlxrx.exe79⤵PID:4512
-
\??\c:\lxrlffx.exec:\lxrlffx.exe80⤵PID:2844
-
\??\c:\5ttnnt.exec:\5ttnnt.exe81⤵PID:1136
-
\??\c:\jjpjv.exec:\jjpjv.exe82⤵PID:2676
-
\??\c:\vpvvj.exec:\vpvvj.exe83⤵PID:2596
-
\??\c:\3fxlxxl.exec:\3fxlxxl.exe84⤵PID:3068
-
\??\c:\5bhbhh.exec:\5bhbhh.exe85⤵PID:2564
-
\??\c:\htbttt.exec:\htbttt.exe86⤵PID:3004
-
\??\c:\1pvjd.exec:\1pvjd.exe87⤵PID:432
-
\??\c:\lrrlfll.exec:\lrrlfll.exe88⤵PID:1904
-
\??\c:\fxffxfr.exec:\fxffxfr.exe89⤵PID:4852
-
\??\c:\hnbbhh.exec:\hnbbhh.exe90⤵PID:2728
-
\??\c:\dpvpj.exec:\dpvpj.exe91⤵PID:2796
-
\??\c:\rlflrfl.exec:\rlflrfl.exe92⤵PID:3392
-
\??\c:\rrrxrrl.exec:\rrrxrrl.exe93⤵PID:4300
-
\??\c:\hhhhbb.exec:\hhhhbb.exe94⤵PID:3692
-
\??\c:\5ddjv.exec:\5ddjv.exe95⤵PID:3972
-
\??\c:\rfxlxrl.exec:\rfxlxrl.exe96⤵PID:4000
-
\??\c:\lxfxlfr.exec:\lxfxlfr.exe97⤵PID:2816
-
\??\c:\bnnhbh.exec:\bnnhbh.exe98⤵PID:1444
-
\??\c:\pvdvp.exec:\pvdvp.exe99⤵PID:1592
-
\??\c:\7djdv.exec:\7djdv.exe100⤵PID:2736
-
\??\c:\lfrfllr.exec:\lfrfllr.exe101⤵PID:4060
-
\??\c:\btnnhh.exec:\btnnhh.exe102⤵PID:4244
-
\??\c:\bbbtnh.exec:\bbbtnh.exe103⤵PID:1852
-
\??\c:\vpjdp.exec:\vpjdp.exe104⤵PID:5096
-
\??\c:\3rxlllf.exec:\3rxlllf.exe105⤵PID:3896
-
\??\c:\hhtnhh.exec:\hhtnhh.exe106⤵PID:4088
-
\??\c:\btttnt.exec:\btttnt.exe107⤵PID:4720
-
\??\c:\pjvpd.exec:\pjvpd.exe108⤵PID:4156
-
\??\c:\rrxfxlx.exec:\rrxfxlx.exe109⤵PID:2648
-
\??\c:\1tthtn.exec:\1tthtn.exe110⤵PID:4764
-
\??\c:\1nthbt.exec:\1nthbt.exe111⤵PID:1516
-
\??\c:\vjjdp.exec:\vjjdp.exe112⤵PID:3904
-
\??\c:\xrlrlxr.exec:\xrlrlxr.exe113⤵PID:532
-
\??\c:\lxxfrlx.exec:\lxxfrlx.exe114⤵PID:4648
-
\??\c:\htbtnn.exec:\htbtnn.exe115⤵PID:1456
-
\??\c:\jvjdp.exec:\jvjdp.exe116⤵PID:3660
-
\??\c:\vjjvj.exec:\vjjvj.exe117⤵PID:624
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe118⤵PID:1608
-
\??\c:\tbbthb.exec:\tbbthb.exe119⤵
- System Location Discovery: System Language Discovery
PID:2496 -
\??\c:\1hnbhb.exec:\1hnbhb.exe120⤵PID:1908
-
\??\c:\5vdvj.exec:\5vdvj.exe121⤵PID:1724
-
\??\c:\xlfxxxx.exec:\xlfxxxx.exe122⤵PID:3828