Analysis
-
max time kernel
120s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
25/08/2024, 06:56
Behavioral task
behavioral1
Sample
97070f456d6acb0eca7fe28c8f39b0d0N.exe
Resource
win7-20240705-en
6 signatures
120 seconds
General
-
Target
97070f456d6acb0eca7fe28c8f39b0d0N.exe
-
Size
230KB
-
MD5
97070f456d6acb0eca7fe28c8f39b0d0
-
SHA1
43f7067ee0ccc1f6dd73d8c0995fba2154d22d2e
-
SHA256
fdc31efee5c2ae6026c7e3a35b37522de0c1ff69c1e8c164e62df92f54ee7d6d
-
SHA512
e84724c65dbc4872ab0eaba9866b7f2f85b55c68d35db6d3960e335c3944360eecd0d69d7b9de1744518b894ee1a0b280488b4c8998a9aef34b25bea2817b073
-
SSDEEP
6144:Jcm4FmowdHoS3dGmS4Z1hraHcpOaKHpaztyzl+SQ:T4wFHoS3dJS4ZzeFaKHpCcg
Malware Config
Signatures
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3652-6-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1108-8-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4876-20-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1148-13-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3252-29-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2360-37-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/532-36-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/620-44-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2140-48-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/888-59-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/712-71-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2628-76-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3420-84-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4276-90-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4276-93-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3148-99-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4560-110-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2600-115-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/5112-120-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1428-146-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3528-165-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon 
behavioral2/memory/1568-180-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2324-181-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4336-192-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4584-196-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4456-200-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4640-210-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1080-214-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2876-218-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4748-225-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2732-235-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/5016-249-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/776-253-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3540-260-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/5084-271-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4732-277-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4560-284-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4600-300-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1196-304-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4848-324-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1044-346-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1108-353-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon 
behavioral2/memory/2512-357-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2668-370-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2888-402-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2820-406-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4672-413-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1656-420-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/2612-430-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3064-434-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3672-447-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1192-481-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1936-533-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/3912-540-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1244-577-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4148-599-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1872-666-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/432-685-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4848-740-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4232-772-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4752-884-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/4588-981-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon behavioral2/memory/1912-1030-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon 
behavioral2/memory/2932-1076-0x0000000000400000-0x0000000000435000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1108 frfrrff.exe 1148 ttbbtn.exe 4876 nhbttb.exe 3252 vppjd.exe 532 ppppj.exe 2360 xxfxrxr.exe 620 hhnnhn.exe 2140 djpjj.exe 888 jjpjp.exe 2208 bnbttt.exe 712 pvjjd.exe 2628 5flxxlr.exe 3420 hthhbb.exe 3168 vjpjd.exe 4276 rfffllf.exe 3148 tnhnhh.exe 3916 pjvpp.exe 4560 lrrrxll.exe 2600 3htnhn.exe 5112 9pdvp.exe 1244 lxfxllf.exe 1196 ttnnhh.exe 4248 7vvvp.exe 1644 ddjdv.exe 1428 hbbthh.exe 2336 jvddp.exe 768 7vdvj.exe 1868 fxlfrrx.exe 3528 nbnnnn.exe 3280 9hnhtt.exe 1568 vvvvp.exe 2324 flrrfxx.exe 2280 frrrlll.exe 4336 btbbtb.exe 4584 3pdvv.exe 4456 3rxrlrl.exe 1148 ntbtnn.exe 4264 bbbhbh.exe 4640 dppjd.exe 1080 xlxfxxx.exe 2876 bnnnnn.exe 4284 ddddd.exe 4748 vdvvj.exe 1412 lrxxrrr.exe 4832 9fxxffl.exe 2732 nbnhbt.exe 3432 3ddvv.exe 1984 7jvpj.exe 948 lfllffx.exe 5016 hhnnht.exe 776 htbbbt.exe 4380 dpvpp.exe 3540 dppjv.exe 3232 lllffxr.exe 3620 rxxfxxr.exe 5084 nthbtt.exe 3492 hbtbnn.exe 4732 ppjjd.exe 2796 rlrlfff.exe 4560 frxxxxr.exe 972 nhnnht.exe 1256 nbhhbh.exe 4428 vvddp.exe 3156 xffrfrx.exe -
resource yara_rule behavioral2/memory/3652-0-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/3652-6-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/1108-8-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x0009000000023451-4.dat upx behavioral2/files/0x000a000000023494-11.dat upx behavioral2/memory/4876-20-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x000700000002349c-17.dat upx behavioral2/memory/1148-13-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x000700000002349d-22.dat upx behavioral2/files/0x000700000002349e-27.dat upx behavioral2/memory/3252-29-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x000700000002349f-33.dat upx behavioral2/memory/2360-37-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/532-36-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234a0-41.dat upx behavioral2/memory/620-44-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234a1-46.dat upx behavioral2/memory/2140-48-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234a3-52.dat upx behavioral2/files/0x00070000000234a4-57.dat upx behavioral2/memory/888-59-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234a5-63.dat upx behavioral2/files/0x00070000000234a6-70.dat upx behavioral2/memory/712-71-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234a7-74.dat upx behavioral2/memory/3420-78-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/2628-76-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234a8-81.dat upx behavioral2/memory/3420-84-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234a9-87.dat upx 
behavioral2/memory/4276-90-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234aa-94.dat upx behavioral2/memory/4276-93-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234ab-98.dat upx behavioral2/memory/3148-99-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234ac-104.dat upx behavioral2/files/0x00070000000234ad-108.dat upx behavioral2/memory/4560-110-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/2600-115-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234ae-113.dat upx behavioral2/files/0x000a000000023499-121.dat upx behavioral2/memory/5112-120-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234af-127.dat upx behavioral2/files/0x00070000000234b0-130.dat upx behavioral2/files/0x00070000000234b1-136.dat upx behavioral2/files/0x00070000000234b2-140.dat upx behavioral2/memory/1428-146-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234b3-147.dat upx behavioral2/files/0x00070000000234b4-151.dat upx behavioral2/files/0x00070000000234b6-156.dat upx behavioral2/files/0x00070000000234b7-161.dat upx behavioral2/memory/3528-165-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234b8-167.dat upx behavioral2/files/0x00070000000234b9-173.dat upx behavioral2/memory/1568-180-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/files/0x00070000000234ba-178.dat upx behavioral2/memory/2324-181-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/4336-188-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/4336-192-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/4584-196-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/4456-200-0x0000000000400000-0x0000000000435000-memory.dmp upx 
behavioral2/memory/4640-210-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/1080-214-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral2/memory/2876-218-0x0000000000400000-0x0000000000435000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbbtnt.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3652 wrote to memory of 1108 3652 97070f456d6acb0eca7fe28c8f39b0d0N.exe 84 PID 3652 wrote to memory of 1108 3652 97070f456d6acb0eca7fe28c8f39b0d0N.exe 84 PID 3652 wrote to memory of 1108 3652 97070f456d6acb0eca7fe28c8f39b0d0N.exe 84 PID 1108 wrote to memory of 1148 1108 frfrrff.exe 85 PID 1108 wrote to memory of 1148 1108 frfrrff.exe 85 PID 1108 wrote to memory of 1148 1108 frfrrff.exe 85 PID 1148 wrote to memory of 4876 1148 ttbbtn.exe 86 PID 1148 wrote to memory of 4876 1148 ttbbtn.exe 86 PID 1148 wrote to memory of 4876 1148 ttbbtn.exe 86 PID 4876 wrote to memory of 3252 4876 nhbttb.exe 87 PID 4876 wrote to memory of 3252 4876 nhbttb.exe 87 PID 4876 wrote to memory of 3252 4876 nhbttb.exe 87 PID 3252 wrote to memory of 532 3252 vppjd.exe 88 PID 3252 wrote to memory of 532 3252 vppjd.exe 88 PID 3252 wrote to memory of 532 3252 vppjd.exe 88 PID 532 wrote to memory of 2360 532 ppppj.exe 89 PID 532 wrote to memory of 2360 532 ppppj.exe 89 PID 532 wrote to memory of 2360 532 ppppj.exe 89 PID 2360 wrote to memory of 620 2360 xxfxrxr.exe 90 PID 2360 wrote to memory of 620 2360 xxfxrxr.exe 90 PID 2360 wrote to memory of 620 2360 xxfxrxr.exe 90 PID 620 wrote to memory of 2140 620 hhnnhn.exe 91 PID 620 wrote to memory of 2140 620 hhnnhn.exe 91 PID 620 wrote to memory of 2140 620 hhnnhn.exe 91 PID 2140 wrote to memory of 888 2140 djpjj.exe 92 PID 2140 wrote to memory of 888 2140 djpjj.exe 92 PID 2140 wrote to memory of 888 2140 djpjj.exe 92 PID 888 wrote to memory of 2208 888 jjpjp.exe 94 PID 888 wrote to memory of 2208 888 jjpjp.exe 94 PID 888 wrote to memory of 2208 888 jjpjp.exe 94 PID 2208 wrote to memory of 712 2208 bnbttt.exe 95 PID 2208 wrote to memory of 712 2208 bnbttt.exe 95 PID 2208 wrote to memory of 712 2208 bnbttt.exe 95 PID 712 wrote to memory of 2628 712 pvjjd.exe 96 PID 712 wrote to memory of 2628 712 pvjjd.exe 96 PID 712 wrote to memory of 2628 712 pvjjd.exe 96 PID 2628 wrote to memory of 3420 2628 5flxxlr.exe 97 
PID 2628 wrote to memory of 3420 2628 5flxxlr.exe 97 PID 2628 wrote to memory of 3420 2628 5flxxlr.exe 97 PID 3420 wrote to memory of 3168 3420 hthhbb.exe 99 PID 3420 wrote to memory of 3168 3420 hthhbb.exe 99 PID 3420 wrote to memory of 3168 3420 hthhbb.exe 99 PID 3168 wrote to memory of 4276 3168 vjpjd.exe 100 PID 3168 wrote to memory of 4276 3168 vjpjd.exe 100 PID 3168 wrote to memory of 4276 3168 vjpjd.exe 100 PID 4276 wrote to memory of 3148 4276 rfffllf.exe 101 PID 4276 wrote to memory of 3148 4276 rfffllf.exe 101 PID 4276 wrote to memory of 3148 4276 rfffllf.exe 101 PID 3148 wrote to memory of 3916 3148 tnhnhh.exe 102 PID 3148 wrote to memory of 3916 3148 tnhnhh.exe 102 PID 3148 wrote to memory of 3916 3148 tnhnhh.exe 102 PID 3916 wrote to memory of 4560 3916 pjvpp.exe 103 PID 3916 wrote to memory of 4560 3916 pjvpp.exe 103 PID 3916 wrote to memory of 4560 3916 pjvpp.exe 103 PID 4560 wrote to memory of 2600 4560 lrrrxll.exe 105 PID 4560 wrote to memory of 2600 4560 lrrrxll.exe 105 PID 4560 wrote to memory of 2600 4560 lrrrxll.exe 105 PID 2600 wrote to memory of 5112 2600 3htnhn.exe 106 PID 2600 wrote to memory of 5112 2600 3htnhn.exe 106 PID 2600 wrote to memory of 5112 2600 3htnhn.exe 106 PID 5112 wrote to memory of 1244 5112 9pdvp.exe 107 PID 5112 wrote to memory of 1244 5112 9pdvp.exe 107 PID 5112 wrote to memory of 1244 5112 9pdvp.exe 107 PID 1244 wrote to memory of 1196 1244 lxfxllf.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\97070f456d6acb0eca7fe28c8f39b0d0N.exe"C:\Users\Admin\AppData\Local\Temp\97070f456d6acb0eca7fe28c8f39b0d0N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\frfrrff.exec:\frfrrff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1108 -
\??\c:\ttbbtn.exec:\ttbbtn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
\??\c:\nhbttb.exec:\nhbttb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\vppjd.exec:\vppjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252 -
\??\c:\ppppj.exec:\ppppj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:532 -
\??\c:\xxfxrxr.exec:\xxfxrxr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360 -
\??\c:\hhnnhn.exec:\hhnnhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:620 -
\??\c:\djpjj.exec:\djpjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\jjpjp.exec:\jjpjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888 -
\??\c:\bnbttt.exec:\bnbttt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\pvjjd.exec:\pvjjd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:712 -
\??\c:\5flxxlr.exec:\5flxxlr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\hthhbb.exec:\hthhbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
\??\c:\vjpjd.exec:\vjpjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168 -
\??\c:\rfffllf.exec:\rfffllf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276 -
\??\c:\tnhnhh.exec:\tnhnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\pjvpp.exec:\pjvpp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3916 -
\??\c:\lrrrxll.exec:\lrrrxll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4560 -
\??\c:\3htnhn.exec:\3htnhn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\9pdvp.exec:\9pdvp.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112 -
\??\c:\lxfxllf.exec:\lxfxllf.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1244 -
\??\c:\ttnnhh.exec:\ttnnhh.exe23⤵
- Executes dropped EXE
PID:1196 -
\??\c:\7vvvp.exec:\7vvvp.exe24⤵
- Executes dropped EXE
PID:4248 -
\??\c:\ddjdv.exec:\ddjdv.exe25⤵
- Executes dropped EXE
PID:1644 -
\??\c:\hbbthh.exec:\hbbthh.exe26⤵
- Executes dropped EXE
PID:1428 -
\??\c:\jvddp.exec:\jvddp.exe27⤵
- Executes dropped EXE
PID:2336 -
\??\c:\7vdvj.exec:\7vdvj.exe28⤵
- Executes dropped EXE
PID:768 -
\??\c:\fxlfrrx.exec:\fxlfrrx.exe29⤵
- Executes dropped EXE
PID:1868 -
\??\c:\nbnnnn.exec:\nbnnnn.exe30⤵
- Executes dropped EXE
PID:3528 -
\??\c:\9hnhtt.exec:\9hnhtt.exe31⤵
- Executes dropped EXE
PID:3280 -
\??\c:\vvvvp.exec:\vvvvp.exe32⤵
- Executes dropped EXE
PID:1568 -
\??\c:\flrrfxx.exec:\flrrfxx.exe33⤵
- Executes dropped EXE
PID:2324 -
\??\c:\frrrlll.exec:\frrrlll.exe34⤵
- Executes dropped EXE
PID:2280 -
\??\c:\btbbtb.exec:\btbbtb.exe35⤵
- Executes dropped EXE
PID:4336 -
\??\c:\3pdvv.exec:\3pdvv.exe36⤵
- Executes dropped EXE
PID:4584 -
\??\c:\3rxrlrl.exec:\3rxrlrl.exe37⤵
- Executes dropped EXE
PID:4456 -
\??\c:\ntbtnn.exec:\ntbtnn.exe38⤵
- Executes dropped EXE
PID:1148 -
\??\c:\bbbhbh.exec:\bbbhbh.exe39⤵
- Executes dropped EXE
PID:4264 -
\??\c:\dppjd.exec:\dppjd.exe40⤵
- Executes dropped EXE
PID:4640 -
\??\c:\xlxfxxx.exec:\xlxfxxx.exe41⤵
- Executes dropped EXE
PID:1080 -
\??\c:\bnnnnn.exec:\bnnnnn.exe42⤵
- Executes dropped EXE
PID:2876 -
\??\c:\ddddd.exec:\ddddd.exe43⤵
- Executes dropped EXE
PID:4284 -
\??\c:\vdvvj.exec:\vdvvj.exe44⤵
- Executes dropped EXE
PID:4748 -
\??\c:\lrxxrrr.exec:\lrxxrrr.exe45⤵
- Executes dropped EXE
PID:1412 -
\??\c:\9fxxffl.exec:\9fxxffl.exe46⤵
- Executes dropped EXE
PID:4832 -
\??\c:\nbnhbt.exec:\nbnhbt.exe47⤵
- Executes dropped EXE
PID:2732 -
\??\c:\3ddvv.exec:\3ddvv.exe48⤵
- Executes dropped EXE
PID:3432 -
\??\c:\7jvpj.exec:\7jvpj.exe49⤵
- Executes dropped EXE
PID:1984 -
\??\c:\lfllffx.exec:\lfllffx.exe50⤵
- Executes dropped EXE
PID:948 -
\??\c:\hhnnht.exec:\hhnnht.exe51⤵
- Executes dropped EXE
PID:5016 -
\??\c:\htbbbt.exec:\htbbbt.exe52⤵
- Executes dropped EXE
PID:776 -
\??\c:\dpvpp.exec:\dpvpp.exe53⤵
- Executes dropped EXE
PID:4380 -
\??\c:\dppjv.exec:\dppjv.exe54⤵
- Executes dropped EXE
PID:3540 -
\??\c:\lllffxr.exec:\lllffxr.exe55⤵
- Executes dropped EXE
PID:3232 -
\??\c:\rxxfxxr.exec:\rxxfxxr.exe56⤵
- Executes dropped EXE
PID:3620 -
\??\c:\nthbtt.exec:\nthbtt.exe57⤵
- Executes dropped EXE
PID:5084 -
\??\c:\hbtbnn.exec:\hbtbnn.exe58⤵
- Executes dropped EXE
PID:3492 -
\??\c:\ppjjd.exec:\ppjjd.exe59⤵
- Executes dropped EXE
PID:4732 -
\??\c:\rlrlfff.exec:\rlrlfff.exe60⤵
- Executes dropped EXE
PID:2796 -
\??\c:\frxxxxr.exec:\frxxxxr.exe61⤵
- Executes dropped EXE
PID:4560 -
\??\c:\nhnnht.exec:\nhnnht.exe62⤵
- Executes dropped EXE
PID:972 -
\??\c:\nbhhbh.exec:\nbhhbh.exe63⤵
- Executes dropped EXE
PID:1256 -
\??\c:\vvddp.exec:\vvddp.exe64⤵
- Executes dropped EXE
PID:4428 -
\??\c:\xffrfrx.exec:\xffrfrx.exe65⤵
- Executes dropped EXE
PID:3156 -
\??\c:\7lrfxrx.exec:\7lrfxrx.exe66⤵PID:4600
-
\??\c:\9thhhh.exec:\9thhhh.exe67⤵PID:1196
-
\??\c:\vpvpj.exec:\vpvpj.exe68⤵PID:4248
-
\??\c:\hbhbhn.exec:\hbhbhn.exe69⤵PID:2320
-
\??\c:\bntnbb.exec:\bntnbb.exe70⤵PID:464
-
\??\c:\vpdvp.exec:\vpdvp.exe71⤵PID:1176
-
\??\c:\llxxxfr.exec:\llxxxfr.exe72⤵PID:3184
-
\??\c:\tnhhbb.exec:\tnhhbb.exe73⤵PID:4848
-
\??\c:\vppvp.exec:\vppvp.exe74⤵PID:4936
-
\??\c:\ppjjv.exec:\ppjjv.exe75⤵PID:4536
-
\??\c:\9ffxrxr.exec:\9ffxrxr.exe76⤵PID:4752
-
\??\c:\ffllrrx.exec:\ffllrrx.exe77⤵PID:3584
-
\??\c:\bttnbt.exec:\bttnbt.exe78⤵PID:1084
-
\??\c:\pvvjv.exec:\pvvjv.exe79⤵PID:2292
-
\??\c:\fxrlllr.exec:\fxrlllr.exe80⤵PID:1044
-
\??\c:\fxrxffr.exec:\fxrxffr.exe81⤵PID:916
-
\??\c:\hbbttt.exec:\hbbttt.exe82⤵PID:1108
-
\??\c:\ddvpj.exec:\ddvpj.exe83⤵PID:2512
-
\??\c:\1pjdp.exec:\1pjdp.exe84⤵PID:4872
-
\??\c:\xlrlllf.exec:\xlrlllf.exe85⤵PID:3364
-
\??\c:\bbthnb.exec:\bbthnb.exe86⤵PID:4292
-
\??\c:\9nttnn.exec:\9nttnn.exe87⤵PID:2668
-
\??\c:\pjdvv.exec:\pjdvv.exe88⤵PID:808
-
\??\c:\dvpjv.exec:\dvpjv.exe89⤵PID:1500
-
\??\c:\9lrlffx.exec:\9lrlffx.exe90⤵PID:4748
-
\??\c:\tnhhbb.exec:\tnhhbb.exe91⤵PID:1412
-
\??\c:\tnnhbh.exec:\tnnhbh.exe92⤵PID:3464
-
\??\c:\vdvpd.exec:\vdvpd.exe93⤵PID:1300
-
\??\c:\pjdvd.exec:\pjdvd.exe94⤵PID:2000
-
\??\c:\rrrxlrr.exec:\rrrxlrr.exe95⤵PID:2404
-
\??\c:\nbhhhh.exec:\nbhhhh.exe96⤵PID:3484
-
\??\c:\vvdjd.exec:\vvdjd.exe97⤵PID:2888
-
\??\c:\ffxxrrl.exec:\ffxxrrl.exe98⤵PID:2820
-
\??\c:\flrlffx.exec:\flrlffx.exe99⤵PID:3168
-
\??\c:\tthbhb.exec:\tthbhb.exe100⤵PID:4672
-
\??\c:\dddvv.exec:\dddvv.exe101⤵PID:4440
-
\??\c:\xrrlllf.exec:\xrrlllf.exe102⤵PID:1656
-
\??\c:\bnnbtt.exec:\bnnbtt.exe103⤵PID:3356
-
\??\c:\3bntnt.exec:\3bntnt.exe104⤵PID:4888
-
\??\c:\vdjdp.exec:\vdjdp.exe105⤵PID:2612
-
\??\c:\lffxllf.exec:\lffxllf.exe106⤵PID:3064
-
\??\c:\nnhbtt.exec:\nnhbtt.exe107⤵PID:1256
-
\??\c:\bntnhb.exec:\bntnhb.exe108⤵
- System Location Discovery: System Language Discovery
PID:4576 -
\??\c:\pjppj.exec:\pjppj.exe109⤵PID:1184
-
\??\c:\rrxxffr.exec:\rrxxffr.exe110⤵PID:3672
-
\??\c:\flxrrlx.exec:\flxrrlx.exe111⤵PID:1196
-
\??\c:\btthnh.exec:\btthnh.exe112⤵PID:1744
-
\??\c:\djjvj.exec:\djjvj.exe113⤵PID:392
-
\??\c:\pppjv.exec:\pppjv.exe114⤵PID:4028
-
\??\c:\5rxllll.exec:\5rxllll.exe115⤵PID:2964
-
\??\c:\fflxrlx.exec:\fflxrlx.exe116⤵PID:3600
-
\??\c:\3hhhtn.exec:\3hhhtn.exe117⤵PID:3028
-
\??\c:\tbtthh.exec:\tbtthh.exe118⤵PID:4800
-
\??\c:\jvdvd.exec:\jvdvd.exe119⤵PID:4936
-
\??\c:\vdjdp.exec:\vdjdp.exe120⤵PID:4536
-
\??\c:\9fxlfxr.exec:\9fxlfxr.exe121⤵PID:1192
-
\??\c:\xfrlxrl.exec:\xfrlxrl.exe122⤵PID:2616