Analysis
-
max time kernel
119s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 14:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a.exe
-
Size
454KB
-
MD5
8ef2ac3e2a8babf115fd372864b2324b
-
SHA1
bf8e7c9ba77e06070b55c32afc28fee8303ec65a
-
SHA256
441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a
-
SHA512
90b0704d32705e112f66a4cbb1a75b1442b760a72e25048b6b6d73b5a97ee7ac5798c81b32be26cd14c6216b9a54ef8fee687e79b0014a6c317709d95794ba21
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeF:q7Tc2NYHUrAwfMp3CDF
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3800-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/600-9-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3920-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4604-22-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1788-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/444-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/208-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3948-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3568-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-93-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/432-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-141-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1176-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2200-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/488-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1484-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1864-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4144-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2724-234-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1868-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-254-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1252-258-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3660-265-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2896-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-294-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2296-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1532-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4736-363-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-377-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2768-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2540-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3936-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2664-465-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2212-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2564-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-560-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-600-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1188-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4264-617-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3544-671-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-681-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-915-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-1217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4744-1284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 600 ppvpp.exe 3920 5xxrfff.exe 4604 nhtttn.exe 3544 ntbbbb.exe 1788 rflxxlr.exe 1668 bnthtn.exe 444 rrrlxrf.exe 1892 nhhbnh.exe 208 ppvpd.exe 1056 dpddv.exe 2920 3nttnt.exe 3948 rrrlfff.exe 3568 tbtttt.exe 4932 rlrlfxr.exe 4740 3xxrllr.exe 432 nnhbbt.exe 2712 ppvpp.exe 4992 dvdvv.exe 2504 rrrrllf.exe 1484 thhhbh.exe 1156 jvvvv.exe 3940 jvvpp.exe 2388 lflrrlf.exe 4736 1ntnhh.exe 1176 hhtnbb.exe 2200 pdjdd.exe 488 hbbbtn.exe 3384 jjpjp.exe 3556 fxxxrxr.exe 4912 5bnhhh.exe 4032 pdjjj.exe 1440 hhhbbb.exe 1224 rrxrxxr.exe 3476 3tnbnn.exe 4244 vppjd.exe 1864 fxrrfxr.exe 3432 flfxrll.exe 4144 pvpjv.exe 4264 dppjv.exe 3140 xxxlxxl.exe 1272 7tbtnh.exe 4064 7pvjv.exe 3856 xlfrfxl.exe 700 7btnhb.exe 1132 bnnhtn.exe 2724 xrxlrlf.exe 3648 1hnbhh.exe 4672 7hnbnh.exe 4332 vddvp.exe 1868 lrfxlfl.exe 3800 llffrlf.exe 2668 tttnbt.exe 1252 9djdv.exe 2164 lxxlffr.exe 3660 bnnhbt.exe 3544 ddjvv.exe 2976 9xxlffr.exe 4748 flrfrlx.exe 2896 bnthbt.exe 3124 dvvdv.exe 3956 1rrfrrl.exe 532 hbhtnn.exe 2784 3ttnhh.exe 2988 5vjvp.exe -
resource yara_rule behavioral2/memory/3800-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/600-9-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3920-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4604-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1788-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/444-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3948-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3568-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-141-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1176-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2200-151-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/488-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1864-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4144-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2724-234-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1868-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1252-258-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3660-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2896-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-294-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1532-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4736-363-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5084-377-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2768-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2540-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3936-440-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2664-465-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2212-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2564-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1484-538-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-560-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-600-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1188-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4264-617-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2360-618-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-637-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3544-671-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-681-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btttth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
7bbttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nhbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1hbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3800 wrote to memory of 600 3800 441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a.exe 84 PID 3800 wrote to memory of 600 3800 441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a.exe 84 PID 3800 wrote to memory of 600 3800 441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a.exe 84 PID 600 wrote to memory of 3920 600 ppvpp.exe 85 PID 600 wrote to memory of 3920 600 ppvpp.exe 85 PID 600 wrote to memory of 3920 600 ppvpp.exe 85 PID 3920 wrote to memory of 4604 3920 5xxrfff.exe 86 PID 3920 wrote to memory of 4604 3920 5xxrfff.exe 86 PID 3920 wrote to memory of 4604 3920 5xxrfff.exe 86 PID 4604 wrote to memory of 3544 4604 nhtttn.exe 87 PID 4604 wrote to memory of 3544 4604 nhtttn.exe 87 PID 4604 wrote to memory of 3544 4604 nhtttn.exe 87 PID 3544 wrote to memory of 1788 3544 ntbbbb.exe 88 PID 3544 wrote to memory of 1788 3544 ntbbbb.exe 88 PID 3544 wrote to memory of 1788 3544 ntbbbb.exe 88 PID 1788 wrote to memory of 1668 1788 rflxxlr.exe 89 PID 1788 wrote to memory of 1668 1788 rflxxlr.exe 89 PID 1788 wrote to memory of 1668 1788 rflxxlr.exe 89 PID 1668 wrote to memory of 444 1668 bnthtn.exe 90 PID 1668 wrote to memory of 444 1668 bnthtn.exe 90 PID 1668 wrote to memory of 444 1668 bnthtn.exe 90 PID 444 wrote to memory of 1892 444 rrrlxrf.exe 91 PID 444 wrote to memory of 1892 444 rrrlxrf.exe 91 PID 444 wrote to memory of 1892 444 rrrlxrf.exe 91 PID 1892 wrote to memory of 208 1892 nhhbnh.exe 92 PID 1892 wrote to memory of 208 1892 nhhbnh.exe 92 PID 1892 wrote to memory of 208 1892 nhhbnh.exe 92 PID 208 wrote to memory of 1056 208 ppvpd.exe 93 PID 208 wrote to memory of 1056 208 ppvpd.exe 93 PID 208 wrote to memory of 1056 208 ppvpd.exe 93 PID 1056 wrote to memory of 2920 1056 dpddv.exe 94 PID 1056 wrote to memory of 2920 1056 dpddv.exe 94 PID 1056 wrote to memory of 2920 1056 dpddv.exe 94 PID 2920 wrote to memory of 3948 2920 3nttnt.exe 95 PID 2920 wrote to memory of 3948 2920 
3nttnt.exe 95 PID 2920 wrote to memory of 3948 2920 3nttnt.exe 95 PID 3948 wrote to memory of 3568 3948 rrrlfff.exe 96 PID 3948 wrote to memory of 3568 3948 rrrlfff.exe 96 PID 3948 wrote to memory of 3568 3948 rrrlfff.exe 96 PID 3568 wrote to memory of 4932 3568 tbtttt.exe 97 PID 3568 wrote to memory of 4932 3568 tbtttt.exe 97 PID 3568 wrote to memory of 4932 3568 tbtttt.exe 97 PID 4932 wrote to memory of 4740 4932 rlrlfxr.exe 98 PID 4932 wrote to memory of 4740 4932 rlrlfxr.exe 98 PID 4932 wrote to memory of 4740 4932 rlrlfxr.exe 98 PID 4740 wrote to memory of 432 4740 3xxrllr.exe 99 PID 4740 wrote to memory of 432 4740 3xxrllr.exe 99 PID 4740 wrote to memory of 432 4740 3xxrllr.exe 99 PID 432 wrote to memory of 2712 432 nnhbbt.exe 100 PID 432 wrote to memory of 2712 432 nnhbbt.exe 100 PID 432 wrote to memory of 2712 432 nnhbbt.exe 100 PID 2712 wrote to memory of 4992 2712 ppvpp.exe 101 PID 2712 wrote to memory of 4992 2712 ppvpp.exe 101 PID 2712 wrote to memory of 4992 2712 ppvpp.exe 101 PID 4992 wrote to memory of 2504 4992 dvdvv.exe 102 PID 4992 wrote to memory of 2504 4992 dvdvv.exe 102 PID 4992 wrote to memory of 2504 4992 dvdvv.exe 102 PID 2504 wrote to memory of 1484 2504 rrrrllf.exe 103 PID 2504 wrote to memory of 1484 2504 rrrrllf.exe 103 PID 2504 wrote to memory of 1484 2504 rrrrllf.exe 103 PID 1484 wrote to memory of 1156 1484 thhhbh.exe 104 PID 1484 wrote to memory of 1156 1484 thhhbh.exe 104 PID 1484 wrote to memory of 1156 1484 thhhbh.exe 104 PID 1156 wrote to memory of 3940 1156 jvvvv.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a.exe"C:\Users\Admin\AppData\Local\Temp\441b63be97cc325c88cb5a47340b8c34069699bc23728b042186bb063954002a.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3800 -
\??\c:\ppvpp.exec:\ppvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:600 -
\??\c:\5xxrfff.exec:\5xxrfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3920 -
\??\c:\nhtttn.exec:\nhtttn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\ntbbbb.exec:\ntbbbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3544 -
\??\c:\rflxxlr.exec:\rflxxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788 -
\??\c:\bnthtn.exec:\bnthtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
\??\c:\rrrlxrf.exec:\rrrlxrf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:444 -
\??\c:\nhhbnh.exec:\nhhbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\ppvpd.exec:\ppvpd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208 -
\??\c:\dpddv.exec:\dpddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\3nttnt.exec:\3nttnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\rrrlfff.exec:\rrrlfff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\tbtttt.exec:\tbtttt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
\??\c:\rlrlfxr.exec:\rlrlfxr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\3xxrllr.exec:\3xxrllr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\nnhbbt.exec:\nnhbbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:432 -
\??\c:\ppvpp.exec:\ppvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
\??\c:\dvdvv.exec:\dvdvv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\rrrrllf.exec:\rrrrllf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\thhhbh.exec:\thhhbh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
\??\c:\jvvvv.exec:\jvvvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156 -
\??\c:\jvvpp.exec:\jvvpp.exe23⤵
- Executes dropped EXE
PID:3940 -
\??\c:\lflrrlf.exec:\lflrrlf.exe24⤵
- Executes dropped EXE
PID:2388 -
\??\c:\1ntnhh.exec:\1ntnhh.exe25⤵
- Executes dropped EXE
PID:4736 -
\??\c:\hhtnbb.exec:\hhtnbb.exe26⤵
- Executes dropped EXE
PID:1176 -
\??\c:\pdjdd.exec:\pdjdd.exe27⤵
- Executes dropped EXE
PID:2200 -
\??\c:\hbbbtn.exec:\hbbbtn.exe28⤵
- Executes dropped EXE
PID:488 -
\??\c:\jjpjp.exec:\jjpjp.exe29⤵
- Executes dropped EXE
PID:3384 -
\??\c:\fxxxrxr.exec:\fxxxrxr.exe30⤵
- Executes dropped EXE
PID:3556 -
\??\c:\5bnhhh.exec:\5bnhhh.exe31⤵
- Executes dropped EXE
PID:4912 -
\??\c:\pdjjj.exec:\pdjjj.exe32⤵
- Executes dropped EXE
PID:4032 -
\??\c:\hhhbbb.exec:\hhhbbb.exe33⤵
- Executes dropped EXE
PID:1440 -
\??\c:\rrxrxxr.exec:\rrxrxxr.exe34⤵
- Executes dropped EXE
PID:1224 -
\??\c:\3tnbnn.exec:\3tnbnn.exe35⤵
- Executes dropped EXE
PID:3476 -
\??\c:\vppjd.exec:\vppjd.exe36⤵
- Executes dropped EXE
PID:4244 -
\??\c:\fxrrfxr.exec:\fxrrfxr.exe37⤵
- Executes dropped EXE
PID:1864 -
\??\c:\flfxrll.exec:\flfxrll.exe38⤵
- Executes dropped EXE
PID:3432 -
\??\c:\pvpjv.exec:\pvpjv.exe39⤵
- Executes dropped EXE
PID:4144 -
\??\c:\dppjv.exec:\dppjv.exe40⤵
- Executes dropped EXE
PID:4264 -
\??\c:\xxxlxxl.exec:\xxxlxxl.exe41⤵
- Executes dropped EXE
PID:3140 -
\??\c:\7tbtnh.exec:\7tbtnh.exe42⤵
- Executes dropped EXE
PID:1272 -
\??\c:\7pvjv.exec:\7pvjv.exe43⤵
- Executes dropped EXE
PID:4064 -
\??\c:\xlfrfxl.exec:\xlfrfxl.exe44⤵
- Executes dropped EXE
PID:3856 -
\??\c:\7btnhb.exec:\7btnhb.exe45⤵
- Executes dropped EXE
PID:700 -
\??\c:\bnnhtn.exec:\bnnhtn.exe46⤵
- Executes dropped EXE
PID:1132 -
\??\c:\xrxlrlf.exec:\xrxlrlf.exe47⤵
- Executes dropped EXE
PID:2724 -
\??\c:\1hnbhh.exec:\1hnbhh.exe48⤵
- Executes dropped EXE
PID:3648 -
\??\c:\7hnbnh.exec:\7hnbnh.exe49⤵
- Executes dropped EXE
PID:4672 -
\??\c:\vddvp.exec:\vddvp.exe50⤵
- Executes dropped EXE
PID:4332 -
\??\c:\lrfxlfl.exec:\lrfxlfl.exe51⤵
- Executes dropped EXE
PID:1868 -
\??\c:\llffrlf.exec:\llffrlf.exe52⤵
- Executes dropped EXE
PID:3800 -
\??\c:\tttnbt.exec:\tttnbt.exe53⤵
- Executes dropped EXE
PID:2668 -
\??\c:\9djdv.exec:\9djdv.exe54⤵
- Executes dropped EXE
PID:1252 -
\??\c:\lxxlffr.exec:\lxxlffr.exe55⤵
- Executes dropped EXE
PID:2164 -
\??\c:\bnnhbt.exec:\bnnhbt.exe56⤵
- Executes dropped EXE
PID:3660 -
\??\c:\ddjvv.exec:\ddjvv.exe57⤵
- Executes dropped EXE
PID:3544 -
\??\c:\9xxlffr.exec:\9xxlffr.exe58⤵
- Executes dropped EXE
PID:2976 -
\??\c:\flrfrlx.exec:\flrfrlx.exe59⤵
- Executes dropped EXE
PID:4748 -
\??\c:\bnthbt.exec:\bnthbt.exe60⤵
- Executes dropped EXE
PID:2896 -
\??\c:\dvvdv.exec:\dvvdv.exe61⤵
- Executes dropped EXE
PID:3124 -
\??\c:\1rrfrrl.exec:\1rrfrrl.exe62⤵
- Executes dropped EXE
PID:3956 -
\??\c:\hbhtnn.exec:\hbhtnn.exe63⤵
- Executes dropped EXE
PID:532 -
\??\c:\3ttnhh.exec:\3ttnhh.exe64⤵
- Executes dropped EXE
PID:2784 -
\??\c:\5vjvp.exec:\5vjvp.exe65⤵
- Executes dropped EXE
PID:2988 -
\??\c:\xxrlxfx.exec:\xxrlxfx.exe66⤵PID:2296
-
\??\c:\btbttn.exec:\btbttn.exe67⤵PID:2212
-
\??\c:\htnhtt.exec:\htnhtt.exe68⤵PID:1036
-
\??\c:\vpjjj.exec:\vpjjj.exe69⤵PID:2332
-
\??\c:\9rlfrlx.exec:\9rlfrlx.exe70⤵PID:4700
-
\??\c:\lxrfxrr.exec:\lxrfxrr.exe71⤵PID:516
-
\??\c:\hbnbhb.exec:\hbnbhb.exe72⤵PID:2648
-
\??\c:\pjjjv.exec:\pjjjv.exe73⤵PID:2344
-
\??\c:\ddjvv.exec:\ddjvv.exe74⤵PID:1380
-
\??\c:\rrxxlfr.exec:\rrxxlfr.exe75⤵PID:1568
-
\??\c:\btnbtn.exec:\btnbtn.exe76⤵PID:1532
-
\??\c:\tbthbt.exec:\tbthbt.exe77⤵PID:1424
-
\??\c:\7ddvp.exec:\7ddvp.exe78⤵PID:3024
-
\??\c:\1lfrffr.exec:\1lfrffr.exe79⤵PID:1680
-
\??\c:\hnhbth.exec:\hnhbth.exe80⤵PID:5072
-
\??\c:\bnhbnn.exec:\bnhbnn.exe81⤵PID:2220
-
\??\c:\jpvpj.exec:\jpvpj.exe82⤵PID:5108
-
\??\c:\rlfrrlx.exec:\rlfrrlx.exe83⤵PID:816
-
\??\c:\tntthb.exec:\tntthb.exe84⤵PID:2172
-
\??\c:\htbnhb.exec:\htbnhb.exe85⤵PID:388
-
\??\c:\dvjdp.exec:\dvjdp.exe86⤵PID:4736
-
\??\c:\5rxrlll.exec:\5rxrlll.exe87⤵PID:3004
-
\??\c:\rfffxrl.exec:\rfffxrl.exe88⤵PID:4056
-
\??\c:\nbhttt.exec:\nbhttt.exe89⤵PID:4860
-
\??\c:\dvvpp.exec:\dvvpp.exe90⤵PID:5084
-
\??\c:\rxrrxrf.exec:\rxrrxrf.exe91⤵PID:716
-
\??\c:\hnhnnh.exec:\hnhnnh.exe92⤵PID:2064
-
\??\c:\vjvdv.exec:\vjvdv.exe93⤵PID:5116
-
\??\c:\xllfrlf.exec:\xllfrlf.exe94⤵PID:2768
-
\??\c:\hhhhbb.exec:\hhhhbb.exe95⤵PID:2752
-
\??\c:\jjpdp.exec:\jjpdp.exe96⤵PID:3584
-
\??\c:\xlfrfff.exec:\xlfrfff.exe97⤵PID:3280
-
\??\c:\nnbhht.exec:\nnbhht.exe98⤵PID:1840
-
\??\c:\hbhhbb.exec:\hbhhbb.exe99⤵PID:4784
-
\??\c:\ppvvv.exec:\ppvvv.exe100⤵
- System Location Discovery: System Language Discovery
PID:1696 -
\??\c:\1lfrffx.exec:\1lfrffx.exe101⤵PID:4488
-
\??\c:\nhnhbt.exec:\nhnhbt.exe102⤵PID:4684
-
\??\c:\7bhbbn.exec:\7bhbbn.exe103⤵PID:3412
-
\??\c:\7pdvd.exec:\7pdvd.exe104⤵PID:1316
-
\??\c:\lffrllf.exec:\lffrllf.exe105⤵PID:4880
-
\??\c:\tththt.exec:\tththt.exe106⤵PID:436
-
\??\c:\pjjvj.exec:\pjjvj.exe107⤵PID:5028
-
\??\c:\lrllfxx.exec:\lrllfxx.exe108⤵PID:2412
-
\??\c:\9bhhbb.exec:\9bhhbb.exe109⤵PID:2540
-
\??\c:\3thbtb.exec:\3thbtb.exe110⤵PID:3936
-
\??\c:\vjvpp.exec:\vjvpp.exe111⤵PID:3604
-
\??\c:\rlfxxxx.exec:\rlfxxxx.exe112⤵PID:1684
-
\??\c:\nbhbtt.exec:\nbhbtt.exe113⤵PID:4324
-
\??\c:\hhnthn.exec:\hhnthn.exe114⤵PID:1768
-
\??\c:\rlfrllx.exec:\rlfrllx.exe115⤵PID:4920
-
\??\c:\lfrlrrl.exec:\lfrlrrl.exe116⤵PID:3020
-
\??\c:\ttbbtt.exec:\ttbbtt.exe117⤵PID:2668
-
\??\c:\vvjjd.exec:\vvjjd.exe118⤵PID:2664
-
\??\c:\flrlfxr.exec:\flrlfxr.exe119⤵PID:4604
-
\??\c:\tttthb.exec:\tttthb.exe120⤵PID:3660
-
\??\c:\1pjjd.exec:\1pjjd.exe121⤵PID:1920
-
\??\c:\jdvpp.exec:\jdvpp.exe122⤵PID:3364