Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
19-12-2024 09:30
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d.exe
-
Size
453KB
-
MD5
e3bacbfd49b1ccfb9c388fbb5cdd1de4
-
SHA1
e99e7fe32b47c8c2239098a93443d4623cf743af
-
SHA256
91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d
-
SHA512
1d288512794c64798035df638f4fe411d6239a223c27ebe2fe1949814ac776dbbf9f79c2d9dff88d2b7159e7dca5b785b5b97cb93104a18486d9949d4b293ebf
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbew:q7Tc2NYHUrAwfMp3CDw
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/916-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4896-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/944-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3476-23-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2600-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1000-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4900-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1352-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3464-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1632-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/528-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-282-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2352-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4516-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-412-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-458-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3156-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-529-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/872-598-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4440-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1648-678-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-751-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4732-896-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4048-927-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-1087-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1944-1354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-1801-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4044 7ddjj.exe 916 rxrxrxl.exe 3476 tbhhhh.exe 2936 vvvvp.exe 1632 xxrrrrr.exe 1932 tnnhth.exe 4896 xxrrxxr.exe 412 hhtnnt.exe 5096 pdpjv.exe 1056 xxxrrrr.exe 4512 ppdvd.exe 5064 bttnhb.exe 4548 vdppv.exe 1996 rrrlfxr.exe 640 pvjdj.exe 944 lfrlfxx.exe 4012 bthbhb.exe 3616 fllxfrr.exe 3436 nnnnnt.exe 1544 dpjvp.exe 2296 hnhhbt.exe 4712 ppjdj.exe 4488 llrxxxr.exe 700 jpvpd.exe 1588 rxfflfl.exe 2600 bhhtnb.exe 4524 lxrlfrx.exe 1000 nhtnbh.exe 4900 lrxrfrf.exe 1352 ttbnbt.exe 3464 3fxflrf.exe 380 ppjjv.exe 3176 9nnnth.exe 912 9pjjj.exe 2540 5fllflf.exe 3968 dvjdv.exe 448 rflrrxx.exe 4832 nthnhb.exe 540 xlxrrll.exe 5076 dpdvv.exe 3480 rllllrf.exe 3796 xrfffll.exe 3528 bhbbtb.exe 4300 1jjjd.exe 3896 rxxxlll.exe 3092 tbtnhh.exe 1632 pppdd.exe 4032 rrrrrrr.exe 3832 tttttn.exe 1476 9vpvv.exe 4856 flrfxrr.exe 516 bbhnhn.exe 528 5jjjj.exe 1056 lrrlxlf.exe 4728 nttttn.exe 1676 7djdv.exe 4228 lrrrrrr.exe 5064 5ttttb.exe 3152 hbttnh.exe 3156 xflllll.exe 4464 bbtnbt.exe 2488 jjddp.exe 3028 lrrflrf.exe 3292 bbhhhn.exe -
resource yara_rule behavioral2/memory/3148-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/916-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4896-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/944-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3476-23-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-156-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4524-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1000-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4900-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1352-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1632-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/528-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2352-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4516-374-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/512-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-412-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-458-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3156-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-529-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/872-598-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4440-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1648-678-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-751-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4732-896-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4048-927-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (MITRE ATT&CK T1614.001) in order to infer that host's geographical location; here this is observed as reads of the NLS\Language registry key by the dropped executables.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bnttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrxffrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9ffllrx.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttnbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntttnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3148 wrote to memory of 4044 3148 91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d.exe 83 PID 3148 wrote to memory of 4044 3148 91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d.exe 83 PID 3148 wrote to memory of 4044 3148 91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d.exe 83 PID 4044 wrote to memory of 916 4044 7ddjj.exe 84 PID 4044 wrote to memory of 916 4044 7ddjj.exe 84 PID 4044 wrote to memory of 916 4044 7ddjj.exe 84 PID 916 wrote to memory of 3476 916 rxrxrxl.exe 85 PID 916 wrote to memory of 3476 916 rxrxrxl.exe 85 PID 916 wrote to memory of 3476 916 rxrxrxl.exe 85 PID 3476 wrote to memory of 2936 3476 tbhhhh.exe 86 PID 3476 wrote to memory of 2936 3476 tbhhhh.exe 86 PID 3476 wrote to memory of 2936 3476 tbhhhh.exe 86 PID 2936 wrote to memory of 1632 2936 vvvvp.exe 87 PID 2936 wrote to memory of 1632 2936 vvvvp.exe 87 PID 2936 wrote to memory of 1632 2936 vvvvp.exe 87 PID 1632 wrote to memory of 1932 1632 xxrrrrr.exe 88 PID 1632 wrote to memory of 1932 1632 xxrrrrr.exe 88 PID 1632 wrote to memory of 1932 1632 xxrrrrr.exe 88 PID 1932 wrote to memory of 4896 1932 tnnhth.exe 89 PID 1932 wrote to memory of 4896 1932 tnnhth.exe 89 PID 1932 wrote to memory of 4896 1932 tnnhth.exe 89 PID 4896 wrote to memory of 412 4896 xxrrxxr.exe 90 PID 4896 wrote to memory of 412 4896 xxrrxxr.exe 90 PID 4896 wrote to memory of 412 4896 xxrrxxr.exe 90 PID 412 wrote to memory of 5096 412 hhtnnt.exe 91 PID 412 wrote to memory of 5096 412 hhtnnt.exe 91 PID 412 wrote to memory of 5096 412 hhtnnt.exe 91 PID 5096 wrote to memory of 1056 5096 pdpjv.exe 92 PID 5096 wrote to memory of 1056 5096 pdpjv.exe 92 PID 5096 wrote to memory of 1056 5096 pdpjv.exe 92 PID 1056 wrote to memory of 4512 1056 xxxrrrr.exe 93 PID 1056 wrote to memory of 4512 1056 xxxrrrr.exe 93 PID 1056 wrote to memory of 4512 1056 xxxrrrr.exe 93 PID 4512 wrote to memory of 5064 4512 ppdvd.exe 94 PID 4512 wrote to memory of 5064 
4512 ppdvd.exe 94 PID 4512 wrote to memory of 5064 4512 ppdvd.exe 94 PID 5064 wrote to memory of 4548 5064 bttnhb.exe 95 PID 5064 wrote to memory of 4548 5064 bttnhb.exe 95 PID 5064 wrote to memory of 4548 5064 bttnhb.exe 95 PID 4548 wrote to memory of 1996 4548 vdppv.exe 96 PID 4548 wrote to memory of 1996 4548 vdppv.exe 96 PID 4548 wrote to memory of 1996 4548 vdppv.exe 96 PID 1996 wrote to memory of 640 1996 rrrlfxr.exe 97 PID 1996 wrote to memory of 640 1996 rrrlfxr.exe 97 PID 1996 wrote to memory of 640 1996 rrrlfxr.exe 97 PID 640 wrote to memory of 944 640 pvjdj.exe 98 PID 640 wrote to memory of 944 640 pvjdj.exe 98 PID 640 wrote to memory of 944 640 pvjdj.exe 98 PID 944 wrote to memory of 4012 944 lfrlfxx.exe 99 PID 944 wrote to memory of 4012 944 lfrlfxx.exe 99 PID 944 wrote to memory of 4012 944 lfrlfxx.exe 99 PID 4012 wrote to memory of 3616 4012 bthbhb.exe 100 PID 4012 wrote to memory of 3616 4012 bthbhb.exe 100 PID 4012 wrote to memory of 3616 4012 bthbhb.exe 100 PID 3616 wrote to memory of 3436 3616 fllxfrr.exe 101 PID 3616 wrote to memory of 3436 3616 fllxfrr.exe 101 PID 3616 wrote to memory of 3436 3616 fllxfrr.exe 101 PID 3436 wrote to memory of 1544 3436 nnnnnt.exe 102 PID 3436 wrote to memory of 1544 3436 nnnnnt.exe 102 PID 3436 wrote to memory of 1544 3436 nnnnnt.exe 102 PID 1544 wrote to memory of 2296 1544 dpjvp.exe 103 PID 1544 wrote to memory of 2296 1544 dpjvp.exe 103 PID 1544 wrote to memory of 2296 1544 dpjvp.exe 103 PID 2296 wrote to memory of 4712 2296 hnhhbt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d.exe"C:\Users\Admin\AppData\Local\Temp\91f6a9d8543e60b7631a0d5e61e69b8120a4ed754c1d10085a66eac463c5cd3d.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\7ddjj.exec:\7ddjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
\??\c:\rxrxrxl.exec:\rxrxrxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:916 -
\??\c:\tbhhhh.exec:\tbhhhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476 -
\??\c:\vvvvp.exec:\vvvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\xxrrrrr.exec:\xxrrrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1632 -
\??\c:\tnnhth.exec:\tnnhth.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\xxrrxxr.exec:\xxrrxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4896 -
\??\c:\hhtnnt.exec:\hhtnnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\pdpjv.exec:\pdpjv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5096 -
\??\c:\xxxrrrr.exec:\xxxrrrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\ppdvd.exec:\ppdvd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\bttnhb.exec:\bttnhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\vdppv.exec:\vdppv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\rrrlfxr.exec:\rrrlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
\??\c:\pvjdj.exec:\pvjdj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\lfrlfxx.exec:\lfrlfxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\bthbhb.exec:\bthbhb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
\??\c:\fllxfrr.exec:\fllxfrr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\nnnnnt.exec:\nnnnnt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\dpjvp.exec:\dpjvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\hnhhbt.exec:\hnhhbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2296 -
\??\c:\ppjdj.exec:\ppjdj.exe23⤵
- Executes dropped EXE
PID:4712 -
\??\c:\llrxxxr.exec:\llrxxxr.exe24⤵
- Executes dropped EXE
PID:4488 -
\??\c:\jpvpd.exec:\jpvpd.exe25⤵
- Executes dropped EXE
PID:700 -
\??\c:\rxfflfl.exec:\rxfflfl.exe26⤵
- Executes dropped EXE
PID:1588 -
\??\c:\bhhtnb.exec:\bhhtnb.exe27⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lxrlfrx.exec:\lxrlfrx.exe28⤵
- Executes dropped EXE
PID:4524 -
\??\c:\nhtnbh.exec:\nhtnbh.exe29⤵
- Executes dropped EXE
PID:1000 -
\??\c:\lrxrfrf.exec:\lrxrfrf.exe30⤵
- Executes dropped EXE
PID:4900 -
\??\c:\ttbnbt.exec:\ttbnbt.exe31⤵
- Executes dropped EXE
PID:1352 -
\??\c:\3fxflrf.exec:\3fxflrf.exe32⤵
- Executes dropped EXE
PID:3464 -
\??\c:\ppjjv.exec:\ppjjv.exe33⤵
- Executes dropped EXE
PID:380 -
\??\c:\9nnnth.exec:\9nnnth.exe34⤵
- Executes dropped EXE
PID:3176 -
\??\c:\9pjjj.exec:\9pjjj.exe35⤵
- Executes dropped EXE
PID:912 -
\??\c:\5fllflf.exec:\5fllflf.exe36⤵
- Executes dropped EXE
PID:2540 -
\??\c:\dvjdv.exec:\dvjdv.exe37⤵
- Executes dropped EXE
PID:3968 -
\??\c:\rflrrxx.exec:\rflrrxx.exe38⤵
- Executes dropped EXE
PID:448 -
\??\c:\nthnhb.exec:\nthnhb.exe39⤵
- Executes dropped EXE
PID:4832 -
\??\c:\xlxrrll.exec:\xlxrrll.exe40⤵
- Executes dropped EXE
PID:540 -
\??\c:\bbbhbh.exec:\bbbhbh.exe41⤵PID:4596
-
\??\c:\dpdvv.exec:\dpdvv.exe42⤵
- Executes dropped EXE
PID:5076 -
\??\c:\rllllrf.exec:\rllllrf.exe43⤵
- Executes dropped EXE
PID:3480 -
\??\c:\xrfffll.exec:\xrfffll.exe44⤵
- Executes dropped EXE
PID:3796 -
\??\c:\bhbbtb.exec:\bhbbtb.exe45⤵
- Executes dropped EXE
PID:3528 -
\??\c:\1jjjd.exec:\1jjjd.exe46⤵
- Executes dropped EXE
PID:4300 -
\??\c:\rxxxlll.exec:\rxxxlll.exe47⤵
- Executes dropped EXE
PID:3896 -
\??\c:\tbtnhh.exec:\tbtnhh.exe48⤵
- Executes dropped EXE
PID:3092 -
\??\c:\pppdd.exec:\pppdd.exe49⤵
- Executes dropped EXE
PID:1632 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe50⤵
- Executes dropped EXE
PID:4032 -
\??\c:\tttttn.exec:\tttttn.exe51⤵
- Executes dropped EXE
PID:3832 -
\??\c:\9vpvv.exec:\9vpvv.exe52⤵
- Executes dropped EXE
PID:1476 -
\??\c:\flrfxrr.exec:\flrfxrr.exe53⤵
- Executes dropped EXE
PID:4856 -
\??\c:\bbhnhn.exec:\bbhnhn.exe54⤵
- Executes dropped EXE
PID:516 -
\??\c:\5jjjj.exec:\5jjjj.exe55⤵
- Executes dropped EXE
PID:528 -
\??\c:\lrrlxlf.exec:\lrrlxlf.exe56⤵
- Executes dropped EXE
PID:1056 -
\??\c:\nttttn.exec:\nttttn.exe57⤵
- Executes dropped EXE
PID:4728 -
\??\c:\7djdv.exec:\7djdv.exe58⤵
- Executes dropped EXE
PID:1676 -
\??\c:\lrrrrrr.exec:\lrrrrrr.exe59⤵
- Executes dropped EXE
PID:4228 -
\??\c:\5ttttb.exec:\5ttttb.exe60⤵
- Executes dropped EXE
PID:5064 -
\??\c:\hbttnh.exec:\hbttnh.exe61⤵
- Executes dropped EXE
PID:3152 -
\??\c:\xflllll.exec:\xflllll.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3156 -
\??\c:\bbtnbt.exec:\bbtnbt.exe63⤵
- Executes dropped EXE
PID:4464 -
\??\c:\jjddp.exec:\jjddp.exe64⤵
- Executes dropped EXE
PID:2488 -
\??\c:\lrrflrf.exec:\lrrflrf.exe65⤵
- Executes dropped EXE
PID:3028 -
\??\c:\bbhhhn.exec:\bbhhhn.exe66⤵
- Executes dropped EXE
PID:3292 -
\??\c:\jjppv.exec:\jjppv.exe67⤵PID:4012
-
\??\c:\5flfffl.exec:\5flfffl.exe68⤵PID:5080
-
\??\c:\rffrrfx.exec:\rffrrfx.exe69⤵PID:4448
-
\??\c:\pjvpp.exec:\pjvpp.exe70⤵PID:1828
-
\??\c:\ddppv.exec:\ddppv.exe71⤵PID:2260
-
\??\c:\xllfffr.exec:\xllfffr.exe72⤵PID:3424
-
\??\c:\hhbbbb.exec:\hhbbbb.exe73⤵PID:2328
-
\??\c:\jdpjd.exec:\jdpjd.exe74⤵PID:1704
-
\??\c:\llrrllx.exec:\llrrllx.exe75⤵PID:4652
-
\??\c:\tntnnn.exec:\tntnnn.exe76⤵PID:4036
-
\??\c:\hbhhbb.exec:\hbhhbb.exe77⤵PID:2340
-
\??\c:\vdppv.exec:\vdppv.exe78⤵PID:2352
-
\??\c:\1fxrrrr.exec:\1fxrrrr.exe79⤵PID:4488
-
\??\c:\xrxlxxx.exec:\xrxlxxx.exe80⤵PID:4108
-
\??\c:\nhnhhh.exec:\nhnhhh.exe81⤵PID:700
-
\??\c:\vvdvv.exec:\vvdvv.exe82⤵PID:3396
-
\??\c:\fllfrrl.exec:\fllfrrl.exe83⤵PID:4556
-
\??\c:\9lrlflf.exec:\9lrlflf.exe84⤵PID:2176
-
\??\c:\hhbthh.exec:\hhbthh.exe85⤵PID:4780
-
\??\c:\pvjjp.exec:\pvjjp.exe86⤵PID:848
-
\??\c:\vpppj.exec:\vpppj.exe87⤵PID:3336
-
\??\c:\xlfxrlf.exec:\xlfxrlf.exe88⤵PID:5112
-
\??\c:\nthhnn.exec:\nthhnn.exe89⤵PID:3856
-
\??\c:\pjpjv.exec:\pjpjv.exe90⤵PID:4516
-
\??\c:\vvpjd.exec:\vvpjd.exe91⤵PID:1732
-
\??\c:\rlrrllf.exec:\rlrrllf.exe92⤵PID:4844
-
\??\c:\7nnnnt.exec:\7nnnnt.exe93⤵PID:512
-
\??\c:\dvpdp.exec:\dvpdp.exe94⤵PID:5068
-
\??\c:\xxxlllr.exec:\xxxlllr.exe95⤵PID:852
-
\??\c:\fxfxrrr.exec:\fxfxrrr.exe96⤵PID:1140
-
\??\c:\nbhbbh.exec:\nbhbbh.exe97⤵PID:656
-
\??\c:\vpdjj.exec:\vpdjj.exe98⤵PID:1228
-
\??\c:\xffffff.exec:\xffffff.exe99⤵PID:3460
-
\??\c:\hbbnhn.exec:\hbbnhn.exe100⤵PID:4416
-
\??\c:\5djjj.exec:\5djjj.exe101⤵PID:532
-
\??\c:\xxfxfff.exec:\xxfxfff.exe102⤵PID:4088
-
\??\c:\bnbnhn.exec:\bnbnhn.exe103⤵PID:3512
-
\??\c:\nnbbbb.exec:\nnbbbb.exe104⤵PID:644
-
\??\c:\vvdvv.exec:\vvdvv.exe105⤵PID:916
-
\??\c:\fxllfrx.exec:\fxllfrx.exe106⤵PID:2360
-
\??\c:\bnbtnn.exec:\bnbtnn.exe107⤵PID:788
-
\??\c:\nnntnb.exec:\nnntnb.exe108⤵PID:2200
-
\??\c:\ppjvj.exec:\ppjvj.exe109⤵PID:440
-
\??\c:\lllfrll.exec:\lllfrll.exe110⤵PID:3824
-
\??\c:\nnthbt.exec:\nnthbt.exe111⤵PID:4688
-
\??\c:\jjjdd.exec:\jjjdd.exe112⤵PID:2052
-
\??\c:\xrffxxx.exec:\xrffxxx.exe113⤵PID:2676
-
\??\c:\hhnbbb.exec:\hhnbbb.exe114⤵PID:3112
-
\??\c:\hnnnnb.exec:\hnnnnb.exe115⤵PID:4008
-
\??\c:\dpdjp.exec:\dpdjp.exe116⤵PID:3756
-
\??\c:\fxrffll.exec:\fxrffll.exe117⤵PID:5096
-
\??\c:\xxllrrl.exec:\xxllrrl.exe118⤵PID:112
-
\??\c:\hbnnhh.exec:\hbnnhh.exe119⤵PID:2636
-
\??\c:\pjpjj.exec:\pjpjj.exe120⤵PID:464
-
\??\c:\rxxllrx.exec:\rxxllrx.exe121⤵PID:2652
-
\??\c:\rrffrrf.exec:\rrffrrf.exe122⤵PID:3116