Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 02:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30cN.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30cN.exe
-
Size
456KB
-
MD5
cda80708b9e86fc9463d251970cc4640
-
SHA1
1017bf88044459a00eaa827bac148b1b8958972c
-
SHA256
991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30c
-
SHA512
64735fcb47d704ed080746883ba0012fa5eef889c219bef60f70a08479fa972acfe7c4caca23d9797dd847c3e334c2ff560b9222da12f91ddfc2f1d86ef6662a
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeY:q7Tc2NYHUrAwfMp3CDY
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 62 IoCs
resource yara_rule behavioral2/memory/2708-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2960-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/428-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/820-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4456-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4544-86-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3288-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/536-111-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-124-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3492-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1420-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1256-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1884-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3280-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4716-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2460-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2840-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5076-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1756-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/776-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2208-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3712-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3648-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2408-399-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-434-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-441-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/616-491-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-510-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1488-521-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3324-525-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-634-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3000-686-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1244-741-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-1032-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3456-1054-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 428 1jpdj.exe 2840 9lrlllx.exe 2432 3bbbhh.exe 2960 5jvvp.exe 4828 ppvpj.exe 2308 rlxlflx.exe 3888 hhttbb.exe 820 bhhbhb.exe 4976 3ppjj.exe 4456 vjpjd.exe 2096 ntbtnh.exe 1760 rxfxxxr.exe 4544 tbbnbt.exe 632 bttnnh.exe 5088 vjpjj.exe 1952 vvdjp.exe 3288 lrrfrlx.exe 4020 dvvjv.exe 536 thntth.exe 3324 7bbnbt.exe 3492 dppdp.exe 628 lxrlfxx.exe 4916 jpvpp.exe 2640 rxrrfxl.exe 1420 dvdpd.exe 2508 fxrfrlx.exe 1256 jvpdp.exe 2376 djjdv.exe 1884 lrfrlfr.exe 3280 htbbtb.exe 1436 flrfrll.exe 8 ttthth.exe 4172 bnhthb.exe 4716 lxrfrfx.exe 4832 rflfffr.exe 2304 tbbnnb.exe 3604 jppjj.exe 2460 fxxlxxl.exe 5092 htnhtn.exe 1660 7vjdp.exe 4348 frllxlx.exe 3972 thhbtt.exe 4604 hbtnbh.exe 4408 vdddj.exe 3588 xxxlfrl.exe 2456 nttbnb.exe 884 ddpvj.exe 2840 xxxfxfx.exe 5076 fxfxfxl.exe 4288 ttbtnn.exe 748 pppdp.exe 3652 rrfrlfx.exe 1612 3tnnnn.exe 760 djpdj.exe 2732 xxxlxrf.exe 5008 7ttnbt.exe 3672 nbttnb.exe 4556 vvvjv.exe 3456 fxrfrlx.exe 2468 3btnnh.exe 2096 3hhthb.exe 1756 lrfxllf.exe 776 tbbnbt.exe 2208 tnnhbt.exe -
resource yara_rule behavioral2/memory/2708-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2960-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/428-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/820-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4456-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4544-86-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3288-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/536-111-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3492-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1256-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1884-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3280-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4716-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2460-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2840-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5076-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3456-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1756-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/776-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2208-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3648-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-364-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2408-399-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1720-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-434-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-441-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/616-491-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-510-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1488-521-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3324-525-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3452-593-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-634-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3000-686-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1244-741-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-1032-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xfxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9vvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvd.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffllffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrrflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtntt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2708 wrote to memory of 428 2708 991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30cN.exe 82 PID 2708 wrote to memory of 428 2708 991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30cN.exe 82 PID 2708 wrote to memory of 428 2708 991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30cN.exe 82 PID 428 wrote to memory of 2840 428 1jpdj.exe 83 PID 428 wrote to memory of 2840 428 1jpdj.exe 83 PID 428 wrote to memory of 2840 428 1jpdj.exe 83 PID 2840 wrote to memory of 2432 2840 9lrlllx.exe 84 PID 2840 wrote to memory of 2432 2840 9lrlllx.exe 84 PID 2840 wrote to memory of 2432 2840 9lrlllx.exe 84 PID 2432 wrote to memory of 2960 2432 3bbbhh.exe 85 PID 2432 wrote to memory of 2960 2432 3bbbhh.exe 85 PID 2432 wrote to memory of 2960 2432 3bbbhh.exe 85 PID 2960 wrote to memory of 4828 2960 5jvvp.exe 86 PID 2960 wrote to memory of 4828 2960 5jvvp.exe 86 PID 2960 wrote to memory of 4828 2960 5jvvp.exe 86 PID 4828 wrote to memory of 2308 4828 ppvpj.exe 87 PID 4828 wrote to memory of 2308 4828 ppvpj.exe 87 PID 4828 wrote to memory of 2308 4828 ppvpj.exe 87 PID 2308 wrote to memory of 3888 2308 rlxlflx.exe 88 PID 2308 wrote to memory of 3888 2308 rlxlflx.exe 88 PID 2308 wrote to memory of 3888 2308 rlxlflx.exe 88 PID 3888 wrote to memory of 820 3888 hhttbb.exe 89 PID 3888 wrote to memory of 820 3888 hhttbb.exe 89 PID 3888 wrote to memory of 820 3888 hhttbb.exe 89 PID 820 wrote to memory of 4976 820 bhhbhb.exe 90 PID 820 wrote to memory of 4976 820 bhhbhb.exe 90 PID 820 wrote to memory of 4976 820 bhhbhb.exe 90 PID 4976 wrote to memory of 4456 4976 3ppjj.exe 91 PID 4976 wrote to memory of 4456 4976 3ppjj.exe 91 PID 4976 wrote to memory of 4456 4976 3ppjj.exe 91 PID 4456 wrote to memory of 2096 4456 vjpjd.exe 92 PID 4456 wrote to memory of 2096 4456 vjpjd.exe 92 PID 4456 wrote to memory of 2096 4456 vjpjd.exe 92 PID 2096 wrote to memory of 1760 2096 ntbtnh.exe 93 PID 2096 wrote to memory of 1760 2096 
ntbtnh.exe 93 PID 2096 wrote to memory of 1760 2096 ntbtnh.exe 93 PID 1760 wrote to memory of 4544 1760 rxfxxxr.exe 94 PID 1760 wrote to memory of 4544 1760 rxfxxxr.exe 94 PID 1760 wrote to memory of 4544 1760 rxfxxxr.exe 94 PID 4544 wrote to memory of 632 4544 tbbnbt.exe 95 PID 4544 wrote to memory of 632 4544 tbbnbt.exe 95 PID 4544 wrote to memory of 632 4544 tbbnbt.exe 95 PID 632 wrote to memory of 5088 632 bttnnh.exe 96 PID 632 wrote to memory of 5088 632 bttnnh.exe 96 PID 632 wrote to memory of 5088 632 bttnnh.exe 96 PID 5088 wrote to memory of 1952 5088 vjpjj.exe 97 PID 5088 wrote to memory of 1952 5088 vjpjj.exe 97 PID 5088 wrote to memory of 1952 5088 vjpjj.exe 97 PID 1952 wrote to memory of 3288 1952 vvdjp.exe 98 PID 1952 wrote to memory of 3288 1952 vvdjp.exe 98 PID 1952 wrote to memory of 3288 1952 vvdjp.exe 98 PID 3288 wrote to memory of 4020 3288 lrrfrlx.exe 99 PID 3288 wrote to memory of 4020 3288 lrrfrlx.exe 99 PID 3288 wrote to memory of 4020 3288 lrrfrlx.exe 99 PID 4020 wrote to memory of 536 4020 dvvjv.exe 100 PID 4020 wrote to memory of 536 4020 dvvjv.exe 100 PID 4020 wrote to memory of 536 4020 dvvjv.exe 100 PID 536 wrote to memory of 3324 536 thntth.exe 101 PID 536 wrote to memory of 3324 536 thntth.exe 101 PID 536 wrote to memory of 3324 536 thntth.exe 101 PID 3324 wrote to memory of 3492 3324 7bbnbt.exe 102 PID 3324 wrote to memory of 3492 3324 7bbnbt.exe 102 PID 3324 wrote to memory of 3492 3324 7bbnbt.exe 102 PID 3492 wrote to memory of 628 3492 dppdp.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30cN.exe"C:\Users\Admin\AppData\Local\Temp\991b9595b3b73c344647c3ad30389bb49b5573ba8edd8a9c5297bda44e63d30cN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\1jpdj.exec:\1jpdj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428 -
\??\c:\9lrlllx.exec:\9lrlllx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
\??\c:\3bbbhh.exec:\3bbbhh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2432 -
\??\c:\5jvvp.exec:\5jvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\ppvpj.exec:\ppvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
\??\c:\rlxlflx.exec:\rlxlflx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\hhttbb.exec:\hhttbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\bhhbhb.exec:\bhhbhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820 -
\??\c:\3ppjj.exec:\3ppjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\vjpjd.exec:\vjpjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\ntbtnh.exec:\ntbtnh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096 -
\??\c:\rxfxxxr.exec:\rxfxxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1760 -
\??\c:\tbbnbt.exec:\tbbnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
\??\c:\bttnnh.exec:\bttnnh.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\vjpjj.exec:\vjpjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\vvdjp.exec:\vvdjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\lrrfrlx.exec:\lrrfrlx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\dvvjv.exec:\dvvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
\??\c:\thntth.exec:\thntth.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\7bbnbt.exec:\7bbnbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
\??\c:\dppdp.exec:\dppdp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3492 -
\??\c:\lxrlfxx.exec:\lxrlfxx.exe23⤵
- Executes dropped EXE
PID:628 -
\??\c:\jpvpp.exec:\jpvpp.exe24⤵
- Executes dropped EXE
PID:4916 -
\??\c:\rxrrfxl.exec:\rxrrfxl.exe25⤵
- Executes dropped EXE
PID:2640 -
\??\c:\dvdpd.exec:\dvdpd.exe26⤵
- Executes dropped EXE
PID:1420 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe27⤵
- Executes dropped EXE
PID:2508 -
\??\c:\jvpdp.exec:\jvpdp.exe28⤵
- Executes dropped EXE
PID:1256 -
\??\c:\djjdv.exec:\djjdv.exe29⤵
- Executes dropped EXE
PID:2376 -
\??\c:\lrfrlfr.exec:\lrfrlfr.exe30⤵
- Executes dropped EXE
PID:1884 -
\??\c:\htbbtb.exec:\htbbtb.exe31⤵
- Executes dropped EXE
PID:3280 -
\??\c:\flrfrll.exec:\flrfrll.exe32⤵
- Executes dropped EXE
PID:1436 -
\??\c:\ttthth.exec:\ttthth.exe33⤵
- Executes dropped EXE
PID:8 -
\??\c:\bnhthb.exec:\bnhthb.exe34⤵
- Executes dropped EXE
PID:4172 -
\??\c:\lxrfrfx.exec:\lxrfrfx.exe35⤵
- Executes dropped EXE
PID:4716 -
\??\c:\rflfffr.exec:\rflfffr.exe36⤵
- Executes dropped EXE
PID:4832 -
\??\c:\tbbnnb.exec:\tbbnnb.exe37⤵
- Executes dropped EXE
PID:2304 -
\??\c:\jppjj.exec:\jppjj.exe38⤵
- Executes dropped EXE
PID:3604 -
\??\c:\fxxlxxl.exec:\fxxlxxl.exe39⤵
- Executes dropped EXE
PID:2460 -
\??\c:\htnhtn.exec:\htnhtn.exe40⤵
- Executes dropped EXE
PID:5092 -
\??\c:\7vjdp.exec:\7vjdp.exe41⤵
- Executes dropped EXE
PID:1660 -
\??\c:\frllxlx.exec:\frllxlx.exe42⤵
- Executes dropped EXE
PID:4348 -
\??\c:\thhbtt.exec:\thhbtt.exe43⤵
- Executes dropped EXE
PID:3972 -
\??\c:\hbtnbh.exec:\hbtnbh.exe44⤵
- Executes dropped EXE
PID:4604 -
\??\c:\vdddj.exec:\vdddj.exe45⤵
- Executes dropped EXE
PID:4408 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe46⤵
- Executes dropped EXE
PID:3588 -
\??\c:\nttbnb.exec:\nttbnb.exe47⤵
- Executes dropped EXE
PID:2456 -
\??\c:\ddpvj.exec:\ddpvj.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:884 -
\??\c:\xxxfxfx.exec:\xxxfxfx.exe49⤵
- Executes dropped EXE
PID:2840 -
\??\c:\fxfxfxl.exec:\fxfxfxl.exe50⤵
- Executes dropped EXE
PID:5076 -
\??\c:\ttbtnn.exec:\ttbtnn.exe51⤵
- Executes dropped EXE
PID:4288 -
\??\c:\pppdp.exec:\pppdp.exe52⤵
- Executes dropped EXE
PID:748 -
\??\c:\rrfrlfx.exec:\rrfrlfx.exe53⤵
- Executes dropped EXE
PID:3652 -
\??\c:\3tnnnn.exec:\3tnnnn.exe54⤵
- Executes dropped EXE
PID:1612 -
\??\c:\djpdj.exec:\djpdj.exe55⤵
- Executes dropped EXE
PID:760 -
\??\c:\xxxlxrf.exec:\xxxlxrf.exe56⤵
- Executes dropped EXE
PID:2732 -
\??\c:\7ttnbt.exec:\7ttnbt.exe57⤵
- Executes dropped EXE
PID:5008 -
\??\c:\nbttnb.exec:\nbttnb.exe58⤵
- Executes dropped EXE
PID:3672 -
\??\c:\vvvjv.exec:\vvvjv.exe59⤵
- Executes dropped EXE
PID:4556 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe60⤵
- Executes dropped EXE
PID:3456 -
\??\c:\3btnnh.exec:\3btnnh.exe61⤵
- Executes dropped EXE
PID:2468 -
\??\c:\3hhthb.exec:\3hhthb.exe62⤵
- Executes dropped EXE
PID:2096 -
\??\c:\lrfxllf.exec:\lrfxllf.exe63⤵
- Executes dropped EXE
PID:1756 -
\??\c:\tbbnbt.exec:\tbbnbt.exe64⤵
- Executes dropped EXE
PID:776 -
\??\c:\tnnhbt.exec:\tnnhbt.exe65⤵
- Executes dropped EXE
PID:2208 -
\??\c:\xlfrrrl.exec:\xlfrrrl.exe66⤵PID:1184
-
\??\c:\rllxrlf.exec:\rllxrlf.exe67⤵PID:876
-
\??\c:\5tbnhn.exec:\5tbnhn.exe68⤵PID:3712
-
\??\c:\pdppd.exec:\pdppd.exe69⤵PID:3648
-
\??\c:\llrfrrl.exec:\llrfrrl.exe70⤵PID:1492
-
\??\c:\tnnhhb.exec:\tnnhhb.exe71⤵PID:3288
-
\??\c:\jpdvj.exec:\jpdvj.exe72⤵PID:4048
-
\??\c:\lffxlfx.exec:\lffxlfx.exe73⤵PID:1828
-
\??\c:\9hbbnn.exec:\9hbbnn.exe74⤵PID:5072
-
\??\c:\jvpdp.exec:\jvpdp.exe75⤵PID:3088
-
\??\c:\djjvd.exec:\djjvd.exe76⤵PID:3324
-
\??\c:\lrxxrll.exec:\lrxxrll.exe77⤵PID:1196
-
\??\c:\tbbnbn.exec:\tbbnbn.exe78⤵PID:1504
-
\??\c:\nbhbnn.exec:\nbhbnn.exe79⤵PID:4432
-
\??\c:\jdvjj.exec:\jdvjj.exe80⤵PID:4564
-
\??\c:\rxlxrlx.exec:\rxlxrlx.exe81⤵PID:3800
-
\??\c:\tnnbnh.exec:\tnnbnh.exe82⤵PID:4188
-
\??\c:\jvdvp.exec:\jvdvp.exe83⤵PID:3136
-
\??\c:\9pvpp.exec:\9pvpp.exe84⤵PID:4484
-
\??\c:\fxrlffx.exec:\fxrlffx.exe85⤵PID:2400
-
\??\c:\tntnnh.exec:\tntnnh.exe86⤵PID:4872
-
\??\c:\tntntt.exec:\tntntt.exe87⤵PID:1752
-
\??\c:\lffxrrf.exec:\lffxrrf.exe88⤵PID:2412
-
\??\c:\xlrrrlf.exec:\xlrrrlf.exe89⤵PID:3188
-
\??\c:\tbhtnn.exec:\tbhtnn.exe90⤵PID:1456
-
\??\c:\dvvpd.exec:\dvvpd.exe91⤵PID:792
-
\??\c:\jvvpd.exec:\jvvpd.exe92⤵PID:2124
-
\??\c:\xfxrlff.exec:\xfxrlff.exe93⤵PID:4816
-
\??\c:\bttnhh.exec:\bttnhh.exe94⤵PID:4496
-
\??\c:\7dvdv.exec:\7dvdv.exe95⤵PID:1788
-
\??\c:\vdpjd.exec:\vdpjd.exe96⤵PID:2796
-
\??\c:\xlrlxxr.exec:\xlrlxxr.exe97⤵PID:2408
-
\??\c:\hhtnhb.exec:\hhtnhb.exe98⤵PID:1208
-
\??\c:\thnhtt.exec:\thnhtt.exe99⤵PID:2020
-
\??\c:\jdjjp.exec:\jdjjp.exe100⤵PID:2988
-
\??\c:\rflffxx.exec:\rflffxx.exe101⤵PID:4212
-
\??\c:\9hhbtt.exec:\9hhbtt.exe102⤵PID:1720
-
\??\c:\hhhbtt.exec:\hhhbtt.exe103⤵PID:3696
-
\??\c:\dpvvp.exec:\dpvvp.exe104⤵PID:4540
-
\??\c:\fxlxrlf.exec:\fxlxrlf.exe105⤵PID:2444
-
\??\c:\9nnhtt.exec:\9nnhtt.exe106⤵PID:4572
-
\??\c:\dvpjd.exec:\dvpjd.exe107⤵PID:1248
-
\??\c:\jvdvp.exec:\jvdvp.exe108⤵PID:2588
-
\??\c:\xfxflll.exec:\xfxflll.exe109⤵PID:2960
-
\??\c:\bntnnn.exec:\bntnnn.exe110⤵PID:4828
-
\??\c:\vvjdd.exec:\vvjdd.exe111⤵PID:220
-
\??\c:\3fxrlll.exec:\3fxrlll.exe112⤵PID:1540
-
\??\c:\lrxrllx.exec:\lrxrllx.exe113⤵PID:2360
-
\??\c:\hhbtth.exec:\hhbtth.exe114⤵PID:2624
-
\??\c:\vdjdv.exec:\vdjdv.exe115⤵PID:1320
-
\??\c:\rllfrrl.exec:\rllfrrl.exe116⤵PID:3216
-
\??\c:\xrxrlfl.exec:\xrxrlfl.exe117⤵PID:3496
-
\??\c:\bttnbn.exec:\bttnbn.exe118⤵PID:3204
-
\??\c:\jjpjp.exec:\jjpjp.exe119⤵PID:1924
-
\??\c:\5xxrxfx.exec:\5xxrxfx.exe120⤵PID:1148
-
\??\c:\rfffxxr.exec:\rfffxxr.exe121⤵PID:4464
-
\??\c:\hntnht.exec:\hntnht.exe122⤵PID:1920