Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 12:24
Static task
static1
Behavioral task
behavioral1
Sample
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
Resource
win7-20240903-en
General
-
Target
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
-
Size
333KB
-
MD5
6f15a34ff2f291fbdbb06cda86083060
-
SHA1
1b9e7e4b967d1791dd54b7b983f9c29b1c30933b
-
SHA256
f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fc
-
SHA512
341ba223867983230a2809cbead9fe7406bd2d6e8c83d228ef565b088f0d0ef3f39adc2c797994929348162ef348f84d904af8ae0b3e0efad2e6fc1249dfed2b
-
SSDEEP
6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhq:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTa
Malware Config
Signatures (note: every memory-dump path below is prefixed behavioral2/, i.e. these IoCs come from a different run than the behavioral1 / win7-20240903-en task listed above — presumably the windows10-2004_x64 run named in the Analysis header; do not mix the two when correlating PIDs)
-
Detects Blackmoon payload — 64 IoCs. Every hit is the same 0x0000000000400000–0x000000000042A000 image range, each in a different process. PIDs are reused within the run (1376, 4712 and 5096 each appear twice in this list), so correlate IoCs by pid plus dump offset, not by pid alone.
resource yara_rule behavioral2/memory/320-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3840-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-37-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2392-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2964-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1820-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-149-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1952-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2484-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-172-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-181-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1132-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/592-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2496-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-230-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1376-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1628-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1948-302-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/388-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4952-335-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1936-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-362-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3572-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4524-392-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3008-403-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3360-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3516-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/212-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2128-493-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-543-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4172-562-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3060-756-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-808-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-1007-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1892-1152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. Each dropped file is written to the root of C:\ (see the \??\c:\<name>.exe paths in the process tree below) with a short name built from the letters b d f h j l n p r t v x and an optional leading digit, and each one spawns the next, forming a chain more than 120 processes deep. A hunt for short random-named executables created in C:\ root is a cheap way to spot this family; note that the same PID recurs at different chain depths (e.g. 1376, 3792, 4712), so earlier links have already exited by then.
pid Process 4656 nntnnh.exe 4476 5ffxrrl.exe 1376 hbnhbb.exe 3840 vvdvd.exe 1084 xrxlflr.exe 3792 pjdvp.exe 4508 bbhhhn.exe 228 jvvpj.exe 3064 7hhtnn.exe 4688 jddvp.exe 4548 7xlffff.exe 2392 hnnhhh.exe 2236 nbnhbt.exe 1860 thhbhb.exe 2964 rfxrrrf.exe 8 tthbbb.exe 3032 vpjdv.exe 4180 bhbthb.exe 4712 pjpjp.exe 4372 fxxrffr.exe 2660 btbnnn.exe 4828 xxlxrrl.exe 1820 bbtnnt.exe 5004 pppdv.exe 1300 3llffxf.exe 1952 3nnhtt.exe 2484 vpjdp.exe 740 vvdvp.exe 4928 9djvj.exe 3200 rxxrlfx.exe 1724 tntbnt.exe 5096 pdpjd.exe 1132 hhbhbb.exe 592 9jpjj.exe 2620 xflxrlf.exe 1680 lfrrrrf.exe 3724 jvjdv.exe 2496 lxfrrlx.exe 4496 3fxfxxx.exe 2736 nnbtbb.exe 456 ddjjp.exe 1932 xrxlffx.exe 2712 jddvp.exe 1376 1xfxxxf.exe 948 tbbnhh.exe 4632 dvvpj.exe 1432 fxrllff.exe 3792 lfrrllf.exe 116 bhhbnn.exe 3636 ppdvv.exe 228 dpvpj.exe 5044 lxfxrlf.exe 912 bhnntt.exe 4996 hbnhtt.exe 3740 vjjdv.exe 532 xllfxxr.exe 1344 ttnbbb.exe 2392 ddddd.exe 2224 frxrlfx.exe 4276 7llfxrl.exe 1628 3bhtnn.exe 1860 5tbttt.exe 2964 djppp.exe 1948 rfxrlfx.exe -
UPX packed file (yara rule `upx`) — 64 IoCs. These are largely the same pid/offset dumps that match the Blackmoon rule above, which suggests the Blackmoon payload runs from a UPX-packed image in each process — confirm by unpacking one of the dropped samples.
resource yara_rule behavioral2/memory/320-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3840-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-37-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3792-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2392-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2964-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-142-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5004-149-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1952-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2484-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1132-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/592-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2496-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-230-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1376-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1628-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1948-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/388-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4712-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-335-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1936-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-362-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5096-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3572-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4524-392-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3008-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3516-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/212-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2128-493-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-543-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4172-562-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3060-756-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP (MITRE ATT&CK T1614.001), 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also part of ordinary locale initialisation in many benign programs, so on its own it is a weak indicator; it carries more weight here only because the reads come from the randomly-named dropped executables. Entries shown as "Process not Found" are key opens the sandbox could not attribute to a named process — presumably short-lived links of the chain that had already exited when the event was recorded.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfflflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bnnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1thbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9hnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
lrxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5rxfxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rffxlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Every entry below is a parent writing into the child it has just spawned (the pid / procid_target pairs match the process tree), recorded three times per spawn; this is consistent with normal child-process setup by the dropper chain rather than injection into an unrelated process. Treat it as injection only if a target PID outside the chain appears.
description pid Process procid_target PID 320 wrote to memory of 4656 320 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 84 PID 320 wrote to memory of 4656 320 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 84 PID 320 wrote to memory of 4656 320 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 84 PID 4656 wrote to memory of 4476 4656 nntnnh.exe 85 PID 4656 wrote to memory of 4476 4656 nntnnh.exe 85 PID 4656 wrote to memory of 4476 4656 nntnnh.exe 85 PID 4476 wrote to memory of 1376 4476 5ffxrrl.exe 86 PID 4476 wrote to memory of 1376 4476 5ffxrrl.exe 86 PID 4476 wrote to memory of 1376 4476 5ffxrrl.exe 86 PID 1376 wrote to memory of 3840 1376 hbnhbb.exe 87 PID 1376 wrote to memory of 3840 1376 hbnhbb.exe 87 PID 1376 wrote to memory of 3840 1376 hbnhbb.exe 87 PID 3840 wrote to memory of 1084 3840 vvdvd.exe 89 PID 3840 wrote to memory of 1084 3840 vvdvd.exe 89 PID 3840 wrote to memory of 1084 3840 vvdvd.exe 89 PID 1084 wrote to memory of 3792 1084 xrxlflr.exe 90 PID 1084 wrote to memory of 3792 1084 xrxlflr.exe 90 PID 1084 wrote to memory of 3792 1084 xrxlflr.exe 90 PID 3792 wrote to memory of 4508 3792 pjdvp.exe 92 PID 3792 wrote to memory of 4508 3792 pjdvp.exe 92 PID 3792 wrote to memory of 4508 3792 pjdvp.exe 92 PID 4508 wrote to memory of 228 4508 bbhhhn.exe 93 PID 4508 wrote to memory of 228 4508 bbhhhn.exe 93 PID 4508 wrote to memory of 228 4508 bbhhhn.exe 93 PID 228 wrote to memory of 3064 228 jvvpj.exe 94 PID 228 wrote to memory of 3064 228 jvvpj.exe 94 PID 228 wrote to memory of 3064 228 jvvpj.exe 94 PID 3064 wrote to memory of 4688 3064 7hhtnn.exe 95 PID 3064 wrote to memory of 4688 3064 7hhtnn.exe 95 PID 3064 wrote to memory of 4688 3064 7hhtnn.exe 95 PID 4688 wrote to memory of 4548 4688 jddvp.exe 96 PID 4688 wrote to memory of 4548 4688 jddvp.exe 96 PID 4688 wrote to memory of 4548 4688 jddvp.exe 96 PID 4548 wrote to memory of 2392 4548 7xlffff.exe 97 PID 4548 wrote to memory of 2392 
4548 7xlffff.exe 97 PID 4548 wrote to memory of 2392 4548 7xlffff.exe 97 PID 2392 wrote to memory of 2236 2392 hnnhhh.exe 99 PID 2392 wrote to memory of 2236 2392 hnnhhh.exe 99 PID 2392 wrote to memory of 2236 2392 hnnhhh.exe 99 PID 2236 wrote to memory of 1860 2236 nbnhbt.exe 100 PID 2236 wrote to memory of 1860 2236 nbnhbt.exe 100 PID 2236 wrote to memory of 1860 2236 nbnhbt.exe 100 PID 1860 wrote to memory of 2964 1860 thhbhb.exe 101 PID 1860 wrote to memory of 2964 1860 thhbhb.exe 101 PID 1860 wrote to memory of 2964 1860 thhbhb.exe 101 PID 2964 wrote to memory of 8 2964 rfxrrrf.exe 102 PID 2964 wrote to memory of 8 2964 rfxrrrf.exe 102 PID 2964 wrote to memory of 8 2964 rfxrrrf.exe 102 PID 8 wrote to memory of 3032 8 tthbbb.exe 103 PID 8 wrote to memory of 3032 8 tthbbb.exe 103 PID 8 wrote to memory of 3032 8 tthbbb.exe 103 PID 3032 wrote to memory of 4180 3032 vpjdv.exe 104 PID 3032 wrote to memory of 4180 3032 vpjdv.exe 104 PID 3032 wrote to memory of 4180 3032 vpjdv.exe 104 PID 4180 wrote to memory of 4712 4180 bhbthb.exe 105 PID 4180 wrote to memory of 4712 4180 bhbthb.exe 105 PID 4180 wrote to memory of 4712 4180 bhbthb.exe 105 PID 4712 wrote to memory of 4372 4712 pjpjp.exe 106 PID 4712 wrote to memory of 4372 4712 pjpjp.exe 106 PID 4712 wrote to memory of 4372 4712 pjpjp.exe 106 PID 4372 wrote to memory of 2660 4372 fxxrffr.exe 107 PID 4372 wrote to memory of 2660 4372 fxxrffr.exe 107 PID 4372 wrote to memory of 2660 4372 fxxrffr.exe 107 PID 2660 wrote to memory of 4828 2660 btbnnn.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\nntnnh.exec:\nntnnh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\5ffxrrl.exec:\5ffxrrl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
\??\c:\hbnhbb.exec:\hbnhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376 -
\??\c:\vvdvd.exec:\vvdvd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3840 -
\??\c:\xrxlflr.exec:\xrxlflr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\pjdvp.exec:\pjdvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3792 -
\??\c:\bbhhhn.exec:\bbhhhn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508 -
\??\c:\jvvpj.exec:\jvvpj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\7hhtnn.exec:\7hhtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\jddvp.exec:\jddvp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4688 -
\??\c:\7xlffff.exec:\7xlffff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
\??\c:\hnnhhh.exec:\hnnhhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\nbnhbt.exec:\nbnhbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236 -
\??\c:\thhbhb.exec:\thhbhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1860 -
\??\c:\rfxrrrf.exec:\rfxrrrf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2964 -
\??\c:\tthbbb.exec:\tthbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\vpjdv.exec:\vpjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\bhbthb.exec:\bhbthb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4180 -
\??\c:\pjpjp.exec:\pjpjp.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4712 -
\??\c:\fxxrffr.exec:\fxxrffr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
\??\c:\btbnnn.exec:\btbnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\xxlxrrl.exec:\xxlxrrl.exe23⤵
- Executes dropped EXE
PID:4828 -
\??\c:\bbtnnt.exec:\bbtnnt.exe24⤵
- Executes dropped EXE
PID:1820 -
\??\c:\pppdv.exec:\pppdv.exe25⤵
- Executes dropped EXE
PID:5004 -
\??\c:\3llffxf.exec:\3llffxf.exe26⤵
- Executes dropped EXE
PID:1300 -
\??\c:\3nnhtt.exec:\3nnhtt.exe27⤵
- Executes dropped EXE
PID:1952 -
\??\c:\vpjdp.exec:\vpjdp.exe28⤵
- Executes dropped EXE
PID:2484 -
\??\c:\vvdvp.exec:\vvdvp.exe29⤵
- Executes dropped EXE
PID:740 -
\??\c:\9djvj.exec:\9djvj.exe30⤵
- Executes dropped EXE
PID:4928 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3200 -
\??\c:\tntbnt.exec:\tntbnt.exe32⤵
- Executes dropped EXE
PID:1724 -
\??\c:\pdpjd.exec:\pdpjd.exe33⤵
- Executes dropped EXE
PID:5096 -
\??\c:\hhbhbb.exec:\hhbhbb.exe34⤵
- Executes dropped EXE
PID:1132 -
\??\c:\9jpjj.exec:\9jpjj.exe35⤵
- Executes dropped EXE
PID:592 -
\??\c:\xflxrlf.exec:\xflxrlf.exe36⤵
- Executes dropped EXE
PID:2620 -
\??\c:\lfrrrrf.exec:\lfrrrrf.exe37⤵
- Executes dropped EXE
PID:1680 -
\??\c:\jvjdv.exec:\jvjdv.exe38⤵
- Executes dropped EXE
PID:3724 -
\??\c:\lxfrrlx.exec:\lxfrrlx.exe39⤵
- Executes dropped EXE
PID:2496 -
\??\c:\3fxfxxx.exec:\3fxfxxx.exe40⤵
- Executes dropped EXE
PID:4496 -
\??\c:\nnbtbb.exec:\nnbtbb.exe41⤵
- Executes dropped EXE
PID:2736 -
\??\c:\ddjjp.exec:\ddjjp.exe42⤵
- Executes dropped EXE
PID:456 -
\??\c:\xrxlffx.exec:\xrxlffx.exe43⤵
- Executes dropped EXE
PID:1932 -
\??\c:\jddvp.exec:\jddvp.exe44⤵
- Executes dropped EXE
PID:2712 -
\??\c:\1xfxxxf.exec:\1xfxxxf.exe45⤵
- Executes dropped EXE
PID:1376 -
\??\c:\tbbnhh.exec:\tbbnhh.exe46⤵
- Executes dropped EXE
PID:948 -
\??\c:\dvvpj.exec:\dvvpj.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4632 -
\??\c:\fxrllff.exec:\fxrllff.exe48⤵
- Executes dropped EXE
PID:1432 -
\??\c:\lfrrllf.exec:\lfrrllf.exe49⤵
- Executes dropped EXE
PID:3792 -
\??\c:\bhhbnn.exec:\bhhbnn.exe50⤵
- Executes dropped EXE
PID:116 -
\??\c:\ppdvv.exec:\ppdvv.exe51⤵
- Executes dropped EXE
PID:3636 -
\??\c:\dpvpj.exec:\dpvpj.exe52⤵
- Executes dropped EXE
PID:228 -
\??\c:\lxfxrlf.exec:\lxfxrlf.exe53⤵
- Executes dropped EXE
PID:5044 -
\??\c:\bhnntt.exec:\bhnntt.exe54⤵
- Executes dropped EXE
PID:912 -
\??\c:\hbnhtt.exec:\hbnhtt.exe55⤵
- Executes dropped EXE
PID:4996 -
\??\c:\vjjdv.exec:\vjjdv.exe56⤵
- Executes dropped EXE
PID:3740 -
\??\c:\xllfxxr.exec:\xllfxxr.exe57⤵
- Executes dropped EXE
PID:532 -
\??\c:\ttnbbb.exec:\ttnbbb.exe58⤵
- Executes dropped EXE
PID:1344 -
\??\c:\ddddd.exec:\ddddd.exe59⤵
- Executes dropped EXE
PID:2392 -
\??\c:\frxrlfx.exec:\frxrlfx.exe60⤵
- Executes dropped EXE
PID:2224 -
\??\c:\7llfxrl.exec:\7llfxrl.exe61⤵
- Executes dropped EXE
PID:4276 -
\??\c:\3bhtnn.exec:\3bhtnn.exe62⤵
- Executes dropped EXE
PID:1628 -
\??\c:\5tbttt.exec:\5tbttt.exe63⤵
- Executes dropped EXE
PID:1860 -
\??\c:\djppp.exec:\djppp.exe64⤵
- Executes dropped EXE
PID:2964 -
\??\c:\rfxrlfx.exec:\rfxrlfx.exe65⤵
- Executes dropped EXE
PID:1948 -
\??\c:\thhnhh.exec:\thhnhh.exe66⤵PID:388
-
\??\c:\nttnhh.exec:\nttnhh.exe67⤵PID:4060
-
\??\c:\ddvjv.exec:\ddvjv.exe68⤵PID:5092
-
\??\c:\9xrlxxr.exec:\9xrlxxr.exe69⤵PID:4712
-
\??\c:\rrfxrrr.exec:\rrfxrrr.exe70⤵PID:1640
-
\??\c:\nttnnh.exec:\nttnnh.exe71⤵PID:3284
-
\??\c:\vvvpd.exec:\vvvpd.exe72⤵PID:2692
-
\??\c:\vpvpj.exec:\vpvpj.exe73⤵PID:4052
-
\??\c:\rrfxxxr.exec:\rrfxxxr.exe74⤵PID:3168
-
\??\c:\tthbhh.exec:\tthbhh.exe75⤵PID:4952
-
\??\c:\pjjdd.exec:\pjjdd.exe76⤵PID:4612
-
\??\c:\3rllfrf.exec:\3rllfrf.exe77⤵PID:3320
-
\??\c:\btbtnn.exec:\btbtnn.exe78⤵PID:1952
-
\??\c:\jjddp.exec:\jjddp.exe79⤵PID:400
-
\??\c:\vjjdv.exec:\vjjdv.exe80⤵PID:536
-
\??\c:\5rrrllf.exec:\5rrrllf.exe81⤵PID:4964
-
\??\c:\nbhnhh.exec:\nbhnhh.exe82⤵PID:1936
-
\??\c:\7ntnhb.exec:\7ntnhb.exe83⤵PID:1408
-
\??\c:\pvdvv.exec:\pvdvv.exe84⤵PID:3404
-
\??\c:\7xrlrlf.exec:\7xrlrlf.exe85⤵PID:5068
-
\??\c:\hhhbtt.exec:\hhhbtt.exe86⤵PID:5096
-
\??\c:\vvdvj.exec:\vvdvj.exe87⤵PID:1132
-
\??\c:\jvvpj.exec:\jvvpj.exe88⤵PID:1576
-
\??\c:\lrrlrrl.exec:\lrrlrrl.exe89⤵PID:2620
-
\??\c:\fflfxxl.exec:\fflfxxl.exe90⤵PID:1680
-
\??\c:\nnnnnn.exec:\nnnnnn.exe91⤵PID:3572
-
\??\c:\9nnhnn.exec:\9nnhnn.exe92⤵PID:4524
-
\??\c:\5dpjv.exec:\5dpjv.exe93⤵PID:2776
-
\??\c:\ffxrlrr.exec:\ffxrlrr.exe94⤵PID:2724
-
\??\c:\bntnhb.exec:\bntnhb.exe95⤵PID:3008
-
\??\c:\jjvpv.exec:\jjvpv.exe96⤵PID:3176
-
\??\c:\9jvjd.exec:\9jvjd.exe97⤵PID:2712
-
\??\c:\rxxrffx.exec:\rxxrffx.exe98⤵PID:1376
-
\??\c:\hnbnhh.exec:\hnbnhh.exe99⤵PID:4572
-
\??\c:\hbtbnn.exec:\hbtbnn.exe100⤵PID:3360
-
\??\c:\vdjvp.exec:\vdjvp.exe101⤵PID:116
-
\??\c:\pjvdd.exec:\pjvdd.exe102⤵PID:3516
-
\??\c:\lxxrlfx.exec:\lxxrlfx.exe103⤵PID:3064
-
\??\c:\bhnttb.exec:\bhnttb.exe104⤵PID:3740
-
\??\c:\bbtbnb.exec:\bbtbnb.exe105⤵PID:4260
-
\??\c:\vpdvp.exec:\vpdvp.exe106⤵PID:1872
-
\??\c:\pjddv.exec:\pjddv.exe107⤵PID:2392
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe108⤵PID:1416
-
\??\c:\btnnbb.exec:\btnnbb.exe109⤵PID:2524
-
\??\c:\dvvvv.exec:\dvvvv.exe110⤵PID:3532
-
\??\c:\vvdvp.exec:\vvdvp.exe111⤵PID:2052
-
\??\c:\ttbtnh.exec:\ttbtnh.exe112⤵PID:2148
-
\??\c:\jvjdd.exec:\jvjdd.exe113⤵PID:1516
-
\??\c:\5xrllfl.exec:\5xrllfl.exe114⤵PID:4120
-
\??\c:\hhtbbh.exec:\hhtbbh.exe115⤵PID:4208
-
\??\c:\vvvjd.exec:\vvvjd.exe116⤵PID:5092
-
\??\c:\lfxfxrr.exec:\lfxfxrr.exe117⤵PID:4712
-
\??\c:\xffxxrl.exec:\xffxxrl.exe118⤵PID:1640
-
\??\c:\hthbtt.exec:\hthbtt.exe119⤵PID:1840
-
\??\c:\dddpj.exec:\dddpj.exe120⤵PID:212
-
\??\c:\djpjv.exec:\djpjv.exe121⤵PID:4576
-
\??\c:\lxxlxxr.exec:\lxxlxxr.exe122⤵PID:3168