Analysis
-
max time kernel
120s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-12-2024 01:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92N.exe
-
Size
456KB
-
MD5
f75791a8e8a07cf043a05ca9929e6040
-
SHA1
b55a46b4aa86c5d91f9846d19e952058b949351b
-
SHA256
172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92
-
SHA512
8f5e4815b91e97d856901bd4456124b674d107e3d9a4e355b63ad3b1e2db58276c6a2dcdce1f0e40934590f9492c2bcf178764bbe76257a5e767b357a829a1fd
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbelE:q7Tc2NYHUrAwfMp3CDK
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4640-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3704-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3096-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1640-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4080-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5048-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1192-134-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4164-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1252-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1676-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2944-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1040-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3276-295-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-299-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3152-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2060-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3464-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/844-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4260-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4784-464-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-475-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1984-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-495-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4072-580-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-593-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-657-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2224-727-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2320-895-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-1447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-1454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4652-1644-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4892-1919-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4188 9rlxrrl.exe 8 vdpdv.exe 4936 5lxxxxx.exe 3704 lrrrlxr.exe 3096 rrlfxrl.exe 1624 llrfxxr.exe 4672 tbbbtt.exe 4260 pdjvv.exe 1628 rlllllf.exe 1640 tnnhhh.exe 868 hbbbbh.exe 4080 hnnhbt.exe 2872 fflfxxr.exe 5048 xlrrlll.exe 4092 rxrfxlf.exe 4168 nhnhbt.exe 3880 dpppd.exe 4824 llxxrrl.exe 1512 bntnhn.exe 548 tbhbhh.exe 1860 ddddv.exe 1192 nnnnnn.exe 4632 vppjd.exe 4164 rllffll.exe 432 nbthtn.exe 4520 5vdvv.exe 2888 nntntn.exe 4892 xrrllll.exe 1604 hntbbb.exe 4904 fxxrrxr.exe 3492 nhnhhh.exe 5088 vvjvv.exe 2552 bhnntt.exe 404 vpvvv.exe 920 rffflll.exe 1252 5bnnhh.exe 464 xxfrlxx.exe 1020 nnnhhh.exe 2376 jjpjj.exe 1484 lffxxxx.exe 4356 7thbhh.exe 3652 3ttttt.exe 1676 xxxrlfx.exe 4188 3nhtnh.exe 2944 pjddd.exe 3280 lxxrfxr.exe 3480 tnttnn.exe 2932 jdvjv.exe 2936 pdddv.exe 2212 ffxrllf.exe 1624 httttt.exe 4296 7jjvv.exe 1040 lxfxrrl.exe 4864 1xrlxrl.exe 2284 tbbnhb.exe 3424 jjddv.exe 716 rrlrxrx.exe 4172 tnhtnn.exe 1720 vppjj.exe 1880 lfxlffx.exe 1544 tnnhhh.exe 3996 nttnnn.exe 3276 dppdv.exe 4768 frrfffl.exe -
resource yara_rule behavioral2/memory/4640-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3704-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3096-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1640-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4080-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5048-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1192-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4164-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-184-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1252-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1676-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1040-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3276-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3152-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2060-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3464-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-350-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/844-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4652-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4260-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4784-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-475-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1984-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-495-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4072-580-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-657-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-727-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-833-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2320-895-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1380-1070-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnntth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrlxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4640 wrote to memory of 4188 4640 172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92N.exe 83 PID 4640 wrote to memory of 4188 4640 172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92N.exe 83 PID 4640 wrote to memory of 4188 4640 172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92N.exe 83 PID 4188 wrote to memory of 8 4188 9rlxrrl.exe 84 PID 4188 wrote to memory of 8 4188 9rlxrrl.exe 84 PID 4188 wrote to memory of 8 4188 9rlxrrl.exe 84 PID 8 wrote to memory of 4936 8 vdpdv.exe 85 PID 8 wrote to memory of 4936 8 vdpdv.exe 85 PID 8 wrote to memory of 4936 8 vdpdv.exe 85 PID 4936 wrote to memory of 3704 4936 5lxxxxx.exe 86 PID 4936 wrote to memory of 3704 4936 5lxxxxx.exe 86 PID 4936 wrote to memory of 3704 4936 5lxxxxx.exe 86 PID 3704 wrote to memory of 3096 3704 lrrrlxr.exe 87 PID 3704 wrote to memory of 3096 3704 lrrrlxr.exe 87 PID 3704 wrote to memory of 3096 3704 lrrrlxr.exe 87 PID 3096 wrote to memory of 1624 3096 rrlfxrl.exe 88 PID 3096 wrote to memory of 1624 3096 rrlfxrl.exe 88 PID 3096 wrote to memory of 1624 3096 rrlfxrl.exe 88 PID 1624 wrote to memory of 4672 1624 llrfxxr.exe 89 PID 1624 wrote to memory of 4672 1624 llrfxxr.exe 89 PID 1624 wrote to memory of 4672 1624 llrfxxr.exe 89 PID 4672 wrote to memory of 4260 4672 tbbbtt.exe 90 PID 4672 wrote to memory of 4260 4672 tbbbtt.exe 90 PID 4672 wrote to memory of 4260 4672 tbbbtt.exe 90 PID 4260 wrote to memory of 1628 4260 pdjvv.exe 91 PID 4260 wrote to memory of 1628 4260 pdjvv.exe 91 PID 4260 wrote to memory of 1628 4260 pdjvv.exe 91 PID 1628 wrote to memory of 1640 1628 rlllllf.exe 92 PID 1628 wrote to memory of 1640 1628 rlllllf.exe 92 PID 1628 wrote to memory of 1640 1628 rlllllf.exe 92 PID 1640 wrote to memory of 868 1640 tnnhhh.exe 93 PID 1640 wrote to memory of 868 1640 tnnhhh.exe 93 PID 1640 wrote to memory of 868 1640 tnnhhh.exe 93 PID 868 wrote to memory of 4080 868 hbbbbh.exe 94 PID 868 wrote to memory of 4080 868 
hbbbbh.exe 94 PID 868 wrote to memory of 4080 868 hbbbbh.exe 94 PID 4080 wrote to memory of 2872 4080 hnnhbt.exe 95 PID 4080 wrote to memory of 2872 4080 hnnhbt.exe 95 PID 4080 wrote to memory of 2872 4080 hnnhbt.exe 95 PID 2872 wrote to memory of 5048 2872 fflfxxr.exe 96 PID 2872 wrote to memory of 5048 2872 fflfxxr.exe 96 PID 2872 wrote to memory of 5048 2872 fflfxxr.exe 96 PID 5048 wrote to memory of 4092 5048 xlrrlll.exe 97 PID 5048 wrote to memory of 4092 5048 xlrrlll.exe 97 PID 5048 wrote to memory of 4092 5048 xlrrlll.exe 97 PID 4092 wrote to memory of 4168 4092 rxrfxlf.exe 98 PID 4092 wrote to memory of 4168 4092 rxrfxlf.exe 98 PID 4092 wrote to memory of 4168 4092 rxrfxlf.exe 98 PID 4168 wrote to memory of 3880 4168 nhnhbt.exe 99 PID 4168 wrote to memory of 3880 4168 nhnhbt.exe 99 PID 4168 wrote to memory of 3880 4168 nhnhbt.exe 99 PID 3880 wrote to memory of 4824 3880 dpppd.exe 100 PID 3880 wrote to memory of 4824 3880 dpppd.exe 100 PID 3880 wrote to memory of 4824 3880 dpppd.exe 100 PID 4824 wrote to memory of 1512 4824 llxxrrl.exe 101 PID 4824 wrote to memory of 1512 4824 llxxrrl.exe 101 PID 4824 wrote to memory of 1512 4824 llxxrrl.exe 101 PID 1512 wrote to memory of 548 1512 bntnhn.exe 102 PID 1512 wrote to memory of 548 1512 bntnhn.exe 102 PID 1512 wrote to memory of 548 1512 bntnhn.exe 102 PID 548 wrote to memory of 1860 548 tbhbhh.exe 103 PID 548 wrote to memory of 1860 548 tbhbhh.exe 103 PID 548 wrote to memory of 1860 548 tbhbhh.exe 103 PID 1860 wrote to memory of 1192 1860 ddddv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92N.exe"C:\Users\Admin\AppData\Local\Temp\172334f9b71887cb1978a65a1390c1cba6dd5838d493e41fb7912ddbaba1ef92N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\9rlxrrl.exec:\9rlxrrl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\vdpdv.exec:\vdpdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\5lxxxxx.exec:\5lxxxxx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4936 -
\??\c:\lrrrlxr.exec:\lrrrlxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3704 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
\??\c:\llrfxxr.exec:\llrfxxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\tbbbtt.exec:\tbbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\pdjvv.exec:\pdjvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260 -
\??\c:\rlllllf.exec:\rlllllf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1628 -
\??\c:\tnnhhh.exec:\tnnhhh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640 -
\??\c:\hbbbbh.exec:\hbbbbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\hnnhbt.exec:\hnnhbt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\fflfxxr.exec:\fflfxxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2872 -
\??\c:\xlrrlll.exec:\xlrrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
\??\c:\rxrfxlf.exec:\rxrfxlf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092 -
\??\c:\nhnhbt.exec:\nhnhbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4168 -
\??\c:\dpppd.exec:\dpppd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3880 -
\??\c:\llxxrrl.exec:\llxxrrl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\bntnhn.exec:\bntnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512 -
\??\c:\tbhbhh.exec:\tbhbhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\ddddv.exec:\ddddv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\nnnnnn.exec:\nnnnnn.exe23⤵
- Executes dropped EXE
PID:1192 -
\??\c:\vppjd.exec:\vppjd.exe24⤵
- Executes dropped EXE
PID:4632 -
\??\c:\rllffll.exec:\rllffll.exe25⤵
- Executes dropped EXE
PID:4164 -
\??\c:\nbthtn.exec:\nbthtn.exe26⤵
- Executes dropped EXE
PID:432 -
\??\c:\5vdvv.exec:\5vdvv.exe27⤵
- Executes dropped EXE
PID:4520 -
\??\c:\nntntn.exec:\nntntn.exe28⤵
- Executes dropped EXE
PID:2888 -
\??\c:\xrrllll.exec:\xrrllll.exe29⤵
- Executes dropped EXE
PID:4892 -
\??\c:\hntbbb.exec:\hntbbb.exe30⤵
- Executes dropped EXE
PID:1604 -
\??\c:\fxxrrxr.exec:\fxxrrxr.exe31⤵
- Executes dropped EXE
PID:4904 -
\??\c:\nhnhhh.exec:\nhnhhh.exe32⤵
- Executes dropped EXE
PID:3492 -
\??\c:\vvjvv.exec:\vvjvv.exe33⤵
- Executes dropped EXE
PID:5088 -
\??\c:\bhnntt.exec:\bhnntt.exe34⤵
- Executes dropped EXE
PID:2552 -
\??\c:\vpvvv.exec:\vpvvv.exe35⤵
- Executes dropped EXE
PID:404 -
\??\c:\rffflll.exec:\rffflll.exe36⤵
- Executes dropped EXE
PID:920 -
\??\c:\5bnnhh.exec:\5bnnhh.exe37⤵
- Executes dropped EXE
PID:1252 -
\??\c:\xxfrlxx.exec:\xxfrlxx.exe38⤵
- Executes dropped EXE
PID:464 -
\??\c:\nnnhhh.exec:\nnnhhh.exe39⤵
- Executes dropped EXE
PID:1020 -
\??\c:\jjpjj.exec:\jjpjj.exe40⤵
- Executes dropped EXE
PID:2376 -
\??\c:\lffxxxx.exec:\lffxxxx.exe41⤵
- Executes dropped EXE
PID:1484 -
\??\c:\7thbhh.exec:\7thbhh.exe42⤵
- Executes dropped EXE
PID:4356 -
\??\c:\3ttttt.exec:\3ttttt.exe43⤵
- Executes dropped EXE
PID:3652 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe44⤵
- Executes dropped EXE
PID:1676 -
\??\c:\3nhtnh.exec:\3nhtnh.exe45⤵
- Executes dropped EXE
PID:4188 -
\??\c:\pjddd.exec:\pjddd.exe46⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lxxrfxr.exec:\lxxrfxr.exe47⤵
- Executes dropped EXE
PID:3280 -
\??\c:\tnttnn.exec:\tnttnn.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3480 -
\??\c:\jdvjv.exec:\jdvjv.exe49⤵
- Executes dropped EXE
PID:2932 -
\??\c:\pdddv.exec:\pdddv.exe50⤵
- Executes dropped EXE
PID:2936 -
\??\c:\ffxrllf.exec:\ffxrllf.exe51⤵
- Executes dropped EXE
PID:2212 -
\??\c:\httttt.exec:\httttt.exe52⤵
- Executes dropped EXE
PID:1624 -
\??\c:\7jjvv.exec:\7jjvv.exe53⤵
- Executes dropped EXE
PID:4296 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe54⤵
- Executes dropped EXE
PID:1040 -
\??\c:\1xrlxrl.exec:\1xrlxrl.exe55⤵
- Executes dropped EXE
PID:4864 -
\??\c:\tbbnhb.exec:\tbbnhb.exe56⤵
- Executes dropped EXE
PID:2284 -
\??\c:\jjddv.exec:\jjddv.exe57⤵
- Executes dropped EXE
PID:3424 -
\??\c:\rrlrxrx.exec:\rrlrxrx.exe58⤵
- Executes dropped EXE
PID:716 -
\??\c:\tnhtnn.exec:\tnhtnn.exe59⤵
- Executes dropped EXE
PID:4172 -
\??\c:\vppjj.exec:\vppjj.exe60⤵
- Executes dropped EXE
PID:1720 -
\??\c:\lfxlffx.exec:\lfxlffx.exe61⤵
- Executes dropped EXE
PID:1880 -
\??\c:\tnnhhh.exec:\tnnhhh.exe62⤵
- Executes dropped EXE
PID:1544 -
\??\c:\nttnnn.exec:\nttnnn.exe63⤵
- Executes dropped EXE
PID:3996 -
\??\c:\dppdv.exec:\dppdv.exe64⤵
- Executes dropped EXE
PID:3276 -
\??\c:\frrfffl.exec:\frrfffl.exe65⤵
- Executes dropped EXE
PID:4768 -
\??\c:\3bhbbb.exec:\3bhbbb.exe66⤵PID:2988
-
\??\c:\vvjjj.exec:\vvjjj.exe67⤵PID:112
-
\??\c:\lflffxx.exec:\lflffxx.exe68⤵PID:3684
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe69⤵PID:3152
-
\??\c:\jjdvj.exec:\jjdvj.exe70⤵PID:2060
-
\??\c:\pjjjv.exec:\pjjjv.exe71⤵PID:1284
-
\??\c:\rxxrlrl.exec:\rxxrlrl.exe72⤵PID:2584
-
\??\c:\bbhnnt.exec:\bbhnnt.exe73⤵PID:3008
-
\??\c:\dppdj.exec:\dppdj.exe74⤵PID:2964
-
\??\c:\flfxxlf.exec:\flfxxlf.exe75⤵PID:4720
-
\??\c:\1rrxffr.exec:\1rrxffr.exe76⤵PID:1700
-
\??\c:\1hbbtt.exec:\1hbbtt.exe77⤵PID:3464
-
\??\c:\jjjjd.exec:\jjjjd.exe78⤵PID:2888
-
\??\c:\fllxfxl.exec:\fllxfxl.exe79⤵PID:4884
-
\??\c:\bhhtnh.exec:\bhhtnh.exe80⤵PID:3204
-
\??\c:\5dvpd.exec:\5dvpd.exe81⤵PID:4996
-
\??\c:\1vvpj.exec:\1vvpj.exe82⤵PID:3640
-
\??\c:\xrxxrrr.exec:\xrxxrrr.exe83⤵PID:844
-
\??\c:\3llxxff.exec:\3llxxff.exe84⤵PID:2624
-
\??\c:\5hnnhh.exec:\5hnnhh.exe85⤵PID:4944
-
\??\c:\3pjvp.exec:\3pjvp.exe86⤵PID:2384
-
\??\c:\dddvp.exec:\dddvp.exe87⤵PID:3060
-
\??\c:\frxrrrl.exec:\frxrrrl.exe88⤵PID:4500
-
\??\c:\llfxxxx.exec:\llfxxxx.exe89⤵PID:5044
-
\??\c:\thhbtt.exec:\thhbtt.exe90⤵PID:4652
-
\??\c:\ddddd.exec:\ddddd.exe91⤵PID:1760
-
\??\c:\xrlfrrr.exec:\xrlfrrr.exe92⤵PID:4396
-
\??\c:\xlfxrrl.exec:\xlfxrrl.exe93⤵PID:4344
-
\??\c:\tnbbtt.exec:\tnbbtt.exe94⤵PID:4540
-
\??\c:\7jjjd.exec:\7jjjd.exe95⤵PID:4640
-
\??\c:\7pjjd.exec:\7pjjd.exe96⤵PID:2404
-
\??\c:\lxxlxxl.exec:\lxxlxxl.exe97⤵PID:3980
-
\??\c:\nnnnhh.exec:\nnnnhh.exe98⤵PID:3308
-
\??\c:\ntbbbt.exec:\ntbbbt.exe99⤵PID:3620
-
\??\c:\jppvp.exec:\jppvp.exe100⤵PID:3704
-
\??\c:\1xxxrrl.exec:\1xxxrrl.exe101⤵PID:116
-
\??\c:\nhbtnh.exec:\nhbtnh.exe102⤵PID:3024
-
\??\c:\btttnn.exec:\btttnn.exe103⤵PID:2984
-
\??\c:\vvddj.exec:\vvddj.exe104⤵PID:5000
-
\??\c:\fllxxxf.exec:\fllxxxf.exe105⤵PID:5084
-
\??\c:\nbbttt.exec:\nbbttt.exe106⤵PID:1196
-
\??\c:\1tthbt.exec:\1tthbt.exe107⤵PID:4260
-
\??\c:\vvppp.exec:\vvppp.exe108⤵PID:1900
-
\??\c:\llxrllr.exec:\llxrllr.exe109⤵PID:3956
-
\??\c:\hhttbh.exec:\hhttbh.exe110⤵PID:1692
-
\??\c:\vdppp.exec:\vdppp.exe111⤵PID:976
-
\??\c:\ffrlllf.exec:\ffrlllf.exe112⤵PID:5008
-
\??\c:\1hnntt.exec:\1hnntt.exe113⤵PID:868
-
\??\c:\1pdvj.exec:\1pdvj.exe114⤵PID:2012
-
\??\c:\jppjd.exec:\jppjd.exe115⤵PID:1720
-
\??\c:\1lfrlfx.exec:\1lfrlfx.exe116⤵PID:4784
-
\??\c:\nnnhhh.exec:\nnnhhh.exe117⤵PID:1416
-
\??\c:\hnhbbb.exec:\hnhbbb.exe118⤵PID:4752
-
\??\c:\dpvpp.exec:\dpvpp.exe119⤵PID:880
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe120⤵PID:392
-
\??\c:\rfrlffx.exec:\rfrlffx.exe121⤵PID:4168
-
\??\c:\7tnhhh.exec:\7tnhhh.exe122⤵PID:3680