Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
26-12-2024 02:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8.exe
-
Size
453KB
-
MD5
fd8dbb17c599827a6332649f852252ef
-
SHA1
09c8574e07688fec4792a8a4d3b0f1a267a6c555
-
SHA256
1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8
-
SHA512
a35102d5c7522f144754c15393d338839d224ed8ab5b6c30a0965251c07c2be8d28b7b132ad5f1c0f2b120bdaec5623f015a1ce9c4bd0e2d8597932a1e351a17
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe5:q7Tc2NYHUrAwfMp3CD5
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3648-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3452-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-39-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3320-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3316-62-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2676-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4000-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-148-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2992-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3532-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2380-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3196-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2008-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3676-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4596-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4276-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/380-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1656-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1600-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2996-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-296-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4984-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4316-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1060-170-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2304-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1176-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3076-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2092-364-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3972-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4052-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1360-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1512-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3716-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-477-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4588-624-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-653-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-795-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4060-1000-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3852-1173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3768-1391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1624 rrrxlfl.exe 3468 9pdpd.exe 2176 1tntbb.exe 1744 vppdj.exe 4492 vjjvd.exe 3452 djpvj.exe 1080 pjpjj.exe 3320 1hbthb.exe 3316 pdjdv.exe 3528 1xfrxlr.exe 1856 nnnbnh.exe 2676 jvdvj.exe 2588 3rrfrfx.exe 2428 rfflrlr.exe 1540 jpvjj.exe 432 lrxlxlx.exe 1176 fxfrffx.exe 4684 htbnhb.exe 4868 1ppdp.exe 3012 lllrfrf.exe 4000 1ttttn.exe 2304 3bbnnh.exe 1444 7pjvj.exe 5036 rflxrrx.exe 4060 bnhbnb.exe 4340 jddpd.exe 2992 3flfrlf.exe 1060 nhtnhb.exe 5008 dpvvv.exe 4544 ddvvj.exe 3532 lffrfxr.exe 2380 hnnnhh.exe 4648 dpdpj.exe 3196 nbthbt.exe 996 1ttnbb.exe 3660 7vpjd.exe 3756 lfllrxr.exe 4104 xfflxrf.exe 4316 tnnbbt.exe 2008 9nbhtn.exe 5012 5vpdp.exe 3676 ffxlfrl.exe 1940 bbtnbt.exe 4596 3nnbbh.exe 344 5jvjv.exe 2096 7rlxlrf.exe 1084 rlflrff.exe 4924 ththnb.exe 4976 jpjvj.exe 4360 jvpdp.exe 4784 rrxlxrl.exe 4276 bbhbbn.exe 380 9ffrfxl.exe 1656 hnhtnh.exe 1600 nntnhh.exe 4776 jvpjv.exe 1208 1flxllx.exe 4556 bhbnbt.exe 3356 5bbnhb.exe 2996 dvvvj.exe 428 rlfxlxl.exe 1096 lxxrlxr.exe 1916 9tbnbt.exe 4984 hbnbbt.exe -
resource yara_rule behavioral2/memory/3648-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-51-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3320-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3316-62-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2676-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4000-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-148-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2992-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3532-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2380-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3196-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-221-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3676-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4596-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4276-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/380-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1600-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2996-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-296-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4984-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4316-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1060-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4060-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2304-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1856-73-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1732-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3076-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2092-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3972-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4052-399-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1360-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1512-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3716-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-477-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4588-624-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-653-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ththnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3hhttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xrfrfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9rlxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1xxlfrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfrlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3648 wrote to memory of 1624 3648 1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8.exe 81 PID 3648 wrote to memory of 1624 3648 1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8.exe 81 PID 3648 wrote to memory of 1624 3648 1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8.exe 81 PID 1624 wrote to memory of 3468 1624 rrrxlfl.exe 82 PID 1624 wrote to memory of 3468 1624 rrrxlfl.exe 82 PID 1624 wrote to memory of 3468 1624 rrrxlfl.exe 82 PID 3468 wrote to memory of 2176 3468 9pdpd.exe 83 PID 3468 wrote to memory of 2176 3468 9pdpd.exe 83 PID 3468 wrote to memory of 2176 3468 9pdpd.exe 83 PID 2176 wrote to memory of 1744 2176 1tntbb.exe 84 PID 2176 wrote to memory of 1744 2176 1tntbb.exe 84 PID 2176 wrote to memory of 1744 2176 1tntbb.exe 84 PID 1744 wrote to memory of 4492 1744 vppdj.exe 85 PID 1744 wrote to memory of 4492 1744 vppdj.exe 85 PID 1744 wrote to memory of 4492 1744 vppdj.exe 85 PID 4492 wrote to memory of 3452 4492 vjjvd.exe 86 PID 4492 wrote to memory of 3452 4492 vjjvd.exe 86 PID 4492 wrote to memory of 3452 4492 vjjvd.exe 86 PID 3452 wrote to memory of 1080 3452 djpvj.exe 87 PID 3452 wrote to memory of 1080 3452 djpvj.exe 87 PID 3452 wrote to memory of 1080 3452 djpvj.exe 87 PID 1080 wrote to memory of 3320 1080 pjpjj.exe 88 PID 1080 wrote to memory of 3320 1080 pjpjj.exe 88 PID 1080 wrote to memory of 3320 1080 pjpjj.exe 88 PID 3320 wrote to memory of 3316 3320 1hbthb.exe 89 PID 3320 wrote to memory of 3316 3320 1hbthb.exe 89 PID 3320 wrote to memory of 3316 3320 1hbthb.exe 89 PID 3316 wrote to memory of 3528 3316 pdjdv.exe 90 PID 3316 wrote to memory of 3528 3316 pdjdv.exe 90 PID 3316 wrote to memory of 3528 3316 pdjdv.exe 90 PID 3528 wrote to memory of 1856 3528 1xfrxlr.exe 91 PID 3528 wrote to memory of 1856 3528 1xfrxlr.exe 91 PID 3528 wrote to memory of 1856 3528 1xfrxlr.exe 91 PID 1856 wrote to memory of 2676 1856 nnnbnh.exe 92 PID 1856 wrote to memory of 
2676 1856 nnnbnh.exe 92 PID 1856 wrote to memory of 2676 1856 nnnbnh.exe 92 PID 2676 wrote to memory of 2588 2676 jvdvj.exe 93 PID 2676 wrote to memory of 2588 2676 jvdvj.exe 93 PID 2676 wrote to memory of 2588 2676 jvdvj.exe 93 PID 2588 wrote to memory of 2428 2588 3rrfrfx.exe 94 PID 2588 wrote to memory of 2428 2588 3rrfrfx.exe 94 PID 2588 wrote to memory of 2428 2588 3rrfrfx.exe 94 PID 2428 wrote to memory of 1540 2428 rfflrlr.exe 95 PID 2428 wrote to memory of 1540 2428 rfflrlr.exe 95 PID 2428 wrote to memory of 1540 2428 rfflrlr.exe 95 PID 1540 wrote to memory of 432 1540 jpvjj.exe 96 PID 1540 wrote to memory of 432 1540 jpvjj.exe 96 PID 1540 wrote to memory of 432 1540 jpvjj.exe 96 PID 432 wrote to memory of 1176 432 lrxlxlx.exe 97 PID 432 wrote to memory of 1176 432 lrxlxlx.exe 97 PID 432 wrote to memory of 1176 432 lrxlxlx.exe 97 PID 1176 wrote to memory of 4684 1176 fxfrffx.exe 98 PID 1176 wrote to memory of 4684 1176 fxfrffx.exe 98 PID 1176 wrote to memory of 4684 1176 fxfrffx.exe 98 PID 4684 wrote to memory of 4868 4684 htbnhb.exe 99 PID 4684 wrote to memory of 4868 4684 htbnhb.exe 99 PID 4684 wrote to memory of 4868 4684 htbnhb.exe 99 PID 4868 wrote to memory of 3012 4868 1ppdp.exe 100 PID 4868 wrote to memory of 3012 4868 1ppdp.exe 100 PID 4868 wrote to memory of 3012 4868 1ppdp.exe 100 PID 3012 wrote to memory of 4000 3012 lllrfrf.exe 101 PID 3012 wrote to memory of 4000 3012 lllrfrf.exe 101 PID 3012 wrote to memory of 4000 3012 lllrfrf.exe 101 PID 4000 wrote to memory of 2304 4000 1ttttn.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8.exe"C:\Users\Admin\AppData\Local\Temp\1421136caf0ec438a81b1924e5d24fd84b268a18227ec3217859fc20071d27f8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3648 -
\??\c:\rrrxlfl.exec:\rrrxlfl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\9pdpd.exec:\9pdpd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3468 -
\??\c:\1tntbb.exec:\1tntbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\vppdj.exec:\vppdj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1744 -
\??\c:\vjjvd.exec:\vjjvd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492 -
\??\c:\djpvj.exec:\djpvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3452 -
\??\c:\pjpjj.exec:\pjpjj.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\1hbthb.exec:\1hbthb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
\??\c:\pdjdv.exec:\pdjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\1xfrxlr.exec:\1xfrxlr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528 -
\??\c:\nnnbnh.exec:\nnnbnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1856 -
\??\c:\jvdvj.exec:\jvdvj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
\??\c:\3rrfrfx.exec:\3rrfrfx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\rfflrlr.exec:\rfflrlr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2428 -
\??\c:\jpvjj.exec:\jpvjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\lrxlxlx.exec:\lrxlxlx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\fxfrffx.exec:\fxfrffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\htbnhb.exec:\htbnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
\??\c:\1ppdp.exec:\1ppdp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
\??\c:\lllrfrf.exec:\lllrfrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3012 -
\??\c:\1ttttn.exec:\1ttttn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
\??\c:\3bbnnh.exec:\3bbnnh.exe23⤵
- Executes dropped EXE
PID:2304 -
\??\c:\7pjvj.exec:\7pjvj.exe24⤵
- Executes dropped EXE
PID:1444 -
\??\c:\rflxrrx.exec:\rflxrrx.exe25⤵
- Executes dropped EXE
PID:5036 -
\??\c:\bnhbnb.exec:\bnhbnb.exe26⤵
- Executes dropped EXE
PID:4060 -
\??\c:\jddpd.exec:\jddpd.exe27⤵
- Executes dropped EXE
PID:4340 -
\??\c:\3flfrlf.exec:\3flfrlf.exe28⤵
- Executes dropped EXE
PID:2992 -
\??\c:\nhtnhb.exec:\nhtnhb.exe29⤵
- Executes dropped EXE
PID:1060 -
\??\c:\dpvvv.exec:\dpvvv.exe30⤵
- Executes dropped EXE
PID:5008 -
\??\c:\ddvvj.exec:\ddvvj.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4544 -
\??\c:\lffrfxr.exec:\lffrfxr.exe32⤵
- Executes dropped EXE
PID:3532 -
\??\c:\hnnnhh.exec:\hnnnhh.exe33⤵
- Executes dropped EXE
PID:2380 -
\??\c:\dpdpj.exec:\dpdpj.exe34⤵
- Executes dropped EXE
PID:4648 -
\??\c:\nbthbt.exec:\nbthbt.exe35⤵
- Executes dropped EXE
PID:3196 -
\??\c:\1ttnbb.exec:\1ttnbb.exe36⤵
- Executes dropped EXE
PID:996 -
\??\c:\7vpjd.exec:\7vpjd.exe37⤵
- Executes dropped EXE
PID:3660 -
\??\c:\lfllrxr.exec:\lfllrxr.exe38⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xfflxrf.exec:\xfflxrf.exe39⤵
- Executes dropped EXE
PID:4104 -
\??\c:\tnnbbt.exec:\tnnbbt.exe40⤵
- Executes dropped EXE
PID:4316 -
\??\c:\9nbhtn.exec:\9nbhtn.exe41⤵
- Executes dropped EXE
PID:2008 -
\??\c:\5vpdp.exec:\5vpdp.exe42⤵
- Executes dropped EXE
PID:5012 -
\??\c:\ffxlfrl.exec:\ffxlfrl.exe43⤵
- Executes dropped EXE
PID:3676 -
\??\c:\bbtnbt.exec:\bbtnbt.exe44⤵
- Executes dropped EXE
PID:1940 -
\??\c:\3nnbbh.exec:\3nnbbh.exe45⤵
- Executes dropped EXE
PID:4596 -
\??\c:\5jvjv.exec:\5jvjv.exe46⤵
- Executes dropped EXE
PID:344 -
\??\c:\7rlxlrf.exec:\7rlxlrf.exe47⤵
- Executes dropped EXE
PID:2096 -
\??\c:\rlflrff.exec:\rlflrff.exe48⤵
- Executes dropped EXE
PID:1084 -
\??\c:\ththnb.exec:\ththnb.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4924 -
\??\c:\jpjvj.exec:\jpjvj.exe50⤵
- Executes dropped EXE
PID:4976 -
\??\c:\jvpdp.exec:\jvpdp.exe51⤵
- Executes dropped EXE
PID:4360 -
\??\c:\rrxlxrl.exec:\rrxlxrl.exe52⤵
- Executes dropped EXE
PID:4784 -
\??\c:\bbhbbn.exec:\bbhbbn.exe53⤵
- Executes dropped EXE
PID:4276 -
\??\c:\9ffrfxl.exec:\9ffrfxl.exe54⤵
- Executes dropped EXE
PID:380 -
\??\c:\hnhtnh.exec:\hnhtnh.exe55⤵
- Executes dropped EXE
PID:1656 -
\??\c:\nntnhh.exec:\nntnhh.exe56⤵
- Executes dropped EXE
PID:1600 -
\??\c:\jvpjv.exec:\jvpjv.exe57⤵
- Executes dropped EXE
PID:4776 -
\??\c:\1flxllx.exec:\1flxllx.exe58⤵
- Executes dropped EXE
PID:1208 -
\??\c:\bhbnbt.exec:\bhbnbt.exe59⤵
- Executes dropped EXE
PID:4556 -
\??\c:\5bbnhb.exec:\5bbnhb.exe60⤵
- Executes dropped EXE
PID:3356 -
\??\c:\dvvvj.exec:\dvvvj.exe61⤵
- Executes dropped EXE
PID:2996 -
\??\c:\rlfxlxl.exec:\rlfxlxl.exe62⤵
- Executes dropped EXE
PID:428 -
\??\c:\lxxrlxr.exec:\lxxrlxr.exe63⤵
- Executes dropped EXE
PID:1096 -
\??\c:\9tbnbt.exec:\9tbnbt.exe64⤵
- Executes dropped EXE
PID:1916 -
\??\c:\hbnbbt.exec:\hbnbbt.exe65⤵
- Executes dropped EXE
PID:4984 -
\??\c:\vdjvp.exec:\vdjvp.exe66⤵PID:4780
-
\??\c:\frrfrxr.exec:\frrfrxr.exe67⤵PID:4456
-
\??\c:\nnthth.exec:\nnthth.exe68⤵PID:4536
-
\??\c:\vjdpj.exec:\vjdpj.exe69⤵PID:2612
-
\??\c:\tbhhbt.exec:\tbhhbt.exe70⤵PID:972
-
\??\c:\frrrfrl.exec:\frrrfrl.exe71⤵PID:1732
-
\??\c:\tnbnbh.exec:\tnbnbh.exe72⤵PID:3076
-
\??\c:\rfrfxlf.exec:\rfrfxlf.exe73⤵PID:2900
-
\??\c:\rffrfxl.exec:\rffrfxl.exe74⤵PID:944
-
\??\c:\hnhbhh.exec:\hnhbhh.exe75⤵PID:1540
-
\??\c:\vjjpd.exec:\vjjpd.exe76⤵PID:3760
-
\??\c:\7pddp.exec:\7pddp.exe77⤵PID:1176
-
\??\c:\1vpjv.exec:\1vpjv.exe78⤵PID:3924
-
\??\c:\jvvjp.exec:\jvvjp.exe79⤵PID:1728
-
\??\c:\tbhhhh.exec:\tbhhhh.exe80⤵PID:708
-
\??\c:\pdppd.exec:\pdppd.exe81⤵PID:3580
-
\??\c:\jdvdj.exec:\jdvdj.exe82⤵PID:2840
-
\??\c:\lxlrfxl.exec:\lxlrfxl.exe83⤵PID:2092
-
\??\c:\fxxlxrf.exec:\fxxlxrf.exe84⤵PID:3972
-
\??\c:\htbnhb.exec:\htbnhb.exe85⤵PID:744
-
\??\c:\5ppdv.exec:\5ppdv.exe86⤵PID:5036
-
\??\c:\xxxrffx.exec:\xxxrffx.exe87⤵PID:368
-
\??\c:\1bnhhb.exec:\1bnhhb.exe88⤵PID:2340
-
\??\c:\nhthbt.exec:\nhthbt.exe89⤵PID:4148
-
\??\c:\jvvjv.exec:\jvvjv.exe90⤵PID:4720
-
\??\c:\3xlrfrf.exec:\3xlrfrf.exe91⤵PID:1060
-
\??\c:\frrlfrl.exec:\frrlfrl.exe92⤵PID:4764
-
\??\c:\9btnbt.exec:\9btnbt.exe93⤵PID:4344
-
\??\c:\vdvjp.exec:\vdvjp.exe94⤵PID:4052
-
\??\c:\dddpv.exec:\dddpv.exe95⤵PID:1360
-
\??\c:\3xlxfxl.exec:\3xlxfxl.exe96⤵PID:4012
-
\??\c:\hbhtnh.exec:\hbhtnh.exe97⤵PID:5016
-
\??\c:\dvdpj.exec:\dvdpj.exe98⤵PID:4988
-
\??\c:\pvdpj.exec:\pvdpj.exe99⤵PID:3472
-
\??\c:\lrrlxrl.exec:\lrrlxrl.exe100⤵PID:3948
-
\??\c:\3bhbbt.exec:\3bhbbt.exe101⤵PID:1512
-
\??\c:\tnhbbt.exec:\tnhbbt.exe102⤵PID:1608
-
\??\c:\vjpdv.exec:\vjpdv.exe103⤵PID:1712
-
\??\c:\3xrfrfr.exec:\3xrfrfr.exe104⤵PID:3360
-
\??\c:\tnbnnh.exec:\tnbnnh.exe105⤵PID:3716
-
\??\c:\5pjvp.exec:\5pjvp.exe106⤵
- System Location Discovery: System Language Discovery
PID:2008 -
\??\c:\vpjdj.exec:\vpjdj.exe107⤵PID:1588
-
\??\c:\fxlfxxr.exec:\fxlfxxr.exe108⤵PID:3676
-
\??\c:\hbbnht.exec:\hbbnht.exe109⤵PID:4952
-
\??\c:\9hhnhh.exec:\9hhnhh.exe110⤵PID:8
-
\??\c:\fflfxrr.exec:\fflfxrr.exe111⤵PID:3028
-
\??\c:\1lrfrlx.exec:\1lrfrlx.exe112⤵PID:4900
-
\??\c:\nhttnh.exec:\nhttnh.exe113⤵PID:2468
-
\??\c:\jddvv.exec:\jddvv.exe114⤵PID:3892
-
\??\c:\djpjd.exec:\djpjd.exe115⤵PID:2648
-
\??\c:\rlrllll.exec:\rlrllll.exe116⤵PID:4976
-
\??\c:\tbhhbb.exec:\tbhhbb.exe117⤵PID:832
-
\??\c:\jdjjv.exec:\jdjjv.exe118⤵PID:3940
-
\??\c:\7lffxfx.exec:\7lffxfx.exe119⤵PID:4468
-
\??\c:\lrxrrxx.exec:\lrxrrxx.exe120⤵PID:632
-
\??\c:\bbbbtt.exec:\bbbbtt.exe121⤵PID:2788
-
\??\c:\djppj.exec:\djppj.exe122⤵PID:3064