Analysis

- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 17/10/2024, 12:34

Static task: static1
Behavioral task: behavioral1
Sample: f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
Resource: win7-20240903-en
General

- Target: f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe
- Size: 333KB
- MD5: 6f15a34ff2f291fbdbb06cda86083060
- SHA1: 1b9e7e4b967d1791dd54b7b983f9c29b1c30933b
- SHA256: f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fc
- SHA512: 341ba223867983230a2809cbead9fe7406bd2d6e8c83d228ef565b088f0d0ef3f39adc2c797994929348162ef348f84d904af8ae0b3e0efad2e6fc1249dfed2b
- SSDEEP: 6144:3cm7ImGddXsJdJIjaRleL42bL37BoTPkhu9gX5yGsTshQc8R0nxA5ij8+RC7tPhq:F7Tc8JdSjylh2b77BoTMA9gX59sTsuTa
Malware Config
Signatures
-
Detect Blackmoon payload 43 IoCs
resource yara_rule behavioral1/memory/2192-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2716-16-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2692-28-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2940-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2596-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2688-54-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2688-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2648-63-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2648-66-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/636-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2100-93-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2436-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2212-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2888-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2480-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1612-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1756-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2952-181-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2280-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral1/memory/2240-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1076-218-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1616-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2356-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2680-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/872-289-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2788-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2828-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2904-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/2916-338-0x0000000000250000-0x000000000027A000-memory.dmp family_blackmoon behavioral1/memory/2916-339-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1044-425-0x00000000002C0000-0x00000000002EA000-memory.dmp family_blackmoon behavioral1/memory/112-440-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2188-463-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/2236-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1412-495-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1120-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1920-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral1/memory/1728-560-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1624-578-0x0000000000220000-0x000000000024A000-memory.dmp family_blackmoon behavioral1/memory/1520-585-0x00000000003A0000-0x00000000003CA000-memory.dmp family_blackmoon 
behavioral1/memory/2332-592-0x0000000001B50000-0x0000000001B7A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 2716 jjjjj.exe 2940 llxfxfl.exe 2692 hbbhbb.exe 2596 9fxfllr.exe 2688 5nhbht.exe 2648 lrflxfx.exe 2068 hhbbtt.exe 636 9djvp.exe 2100 xrrfrlx.exe 2436 bbnnhb.exe 2212 7rfrflx.exe 2888 ttbtth.exe 2480 5pjpj.exe 1612 flffxrr.exe 2880 tnnbhh.exe 1756 jvjjp.exe 1964 bbthnn.exe 2952 hnnbbn.exe 2280 rlxxflx.exe 2136 5nbthh.exe 2240 vdvdp.exe 1076 tntbtb.exe 1548 ttnthn.exe 440 pvpjj.exe 1276 hhbhnb.exe 2976 hbbnnt.exe 1616 7xfrlrr.exe 2356 hhbbhn.exe 2056 xxrffrr.exe 872 nhtbnb.exe 2680 jdvvd.exe 1496 xxlxxfr.exe 2788 pjppv.exe 2828 3xfrflr.exe 2904 ththnt.exe 2916 vvpvj.exe 2640 xrrxffr.exe 2592 tthntb.exe 3008 lffrfxf.exe 1108 7bthbb.exe 264 jdjdp.exe 480 frlrfff.exe 2160 ntbttn.exe 2396 7pjjp.exe 2884 llffllx.exe 2540 fxrlrxf.exe 1768 5vvdd.exe 1980 rflxlxr.exe 1044 hhbnbb.exe 2764 tthhnt.exe 112 1pddv.exe 1572 7flfffl.exe 3068 5hbbtt.exe 2188 nhbbnn.exe 2236 ddvpd.exe 2280 xrlfllf.exe 2000 btntnn.exe 1412 vjjdj.exe 1120 jdvdp.exe 904 lllxxxl.exe 964 nnnbbn.exe 1476 jdddp.exe 372 fxrfxxf.exe 292 rrlflrx.exe -
resource yara_rule behavioral1/memory/2192-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2716-16-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2692-28-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2940-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2596-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2688-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2648-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/636-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2436-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2212-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2888-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2480-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1612-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1756-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1964-171-0x00000000002A0000-0x00000000002CA000-memory.dmp upx behavioral1/memory/2952-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2280-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2240-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1276-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1616-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2356-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2680-292-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral1/memory/872-289-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2788-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2828-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2904-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2916-339-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2160-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/112-440-0x0000000000220000-0x000000000024A000-memory.dmp upx behavioral1/memory/2236-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1120-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-537-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1920-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1728-560-0x0000000000220000-0x000000000024A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jddvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5pvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrfxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxflrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ntbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlrlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhntb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhbbh.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthtnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xllflx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjpdp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2192 wrote to memory of 2716 2192 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 2192 wrote to memory of 2716 2192 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 2192 wrote to memory of 2716 2192 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 2192 wrote to memory of 2716 2192 f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe 30 PID 2716 wrote to memory of 2940 2716 jjjjj.exe 31 PID 2716 wrote to memory of 2940 2716 jjjjj.exe 31 PID 2716 wrote to memory of 2940 2716 jjjjj.exe 31 PID 2716 wrote to memory of 2940 2716 jjjjj.exe 31 PID 2940 wrote to memory of 2692 2940 llxfxfl.exe 32 PID 2940 wrote to memory of 2692 2940 llxfxfl.exe 32 PID 2940 wrote to memory of 2692 2940 llxfxfl.exe 32 PID 2940 wrote to memory of 2692 2940 llxfxfl.exe 32 PID 2692 wrote to memory of 2596 2692 hbbhbb.exe 33 PID 2692 wrote to memory of 2596 2692 hbbhbb.exe 33 PID 2692 wrote to memory of 2596 2692 hbbhbb.exe 33 PID 2692 wrote to memory of 2596 2692 hbbhbb.exe 33 PID 2596 wrote to memory of 2688 2596 9fxfllr.exe 34 PID 2596 wrote to memory of 2688 2596 9fxfllr.exe 34 PID 2596 wrote to memory of 2688 2596 9fxfllr.exe 34 PID 2596 wrote to memory of 2688 2596 9fxfllr.exe 34 PID 2688 wrote to memory of 2648 2688 5nhbht.exe 35 PID 2688 wrote to memory of 2648 2688 5nhbht.exe 35 PID 2688 wrote to memory of 2648 2688 5nhbht.exe 35 PID 2688 wrote to memory of 2648 2688 5nhbht.exe 35 PID 2648 wrote to memory of 2068 2648 lrflxfx.exe 36 PID 2648 wrote to memory of 2068 2648 lrflxfx.exe 36 PID 2648 wrote to memory of 2068 2648 lrflxfx.exe 36 PID 2648 wrote to memory of 2068 2648 lrflxfx.exe 36 PID 2068 wrote to memory of 636 2068 hhbbtt.exe 37 PID 2068 wrote to memory of 636 2068 hhbbtt.exe 37 PID 2068 wrote to memory of 636 2068 hhbbtt.exe 37 PID 2068 wrote to memory of 636 2068 hhbbtt.exe 37 PID 636 wrote to memory of 2100 636 9djvp.exe 38 PID 636 
wrote to memory of 2100 636 9djvp.exe 38 PID 636 wrote to memory of 2100 636 9djvp.exe 38 PID 636 wrote to memory of 2100 636 9djvp.exe 38 PID 2100 wrote to memory of 2436 2100 xrrfrlx.exe 39 PID 2100 wrote to memory of 2436 2100 xrrfrlx.exe 39 PID 2100 wrote to memory of 2436 2100 xrrfrlx.exe 39 PID 2100 wrote to memory of 2436 2100 xrrfrlx.exe 39 PID 2436 wrote to memory of 2212 2436 bbnnhb.exe 40 PID 2436 wrote to memory of 2212 2436 bbnnhb.exe 40 PID 2436 wrote to memory of 2212 2436 bbnnhb.exe 40 PID 2436 wrote to memory of 2212 2436 bbnnhb.exe 40 PID 2212 wrote to memory of 2888 2212 7rfrflx.exe 41 PID 2212 wrote to memory of 2888 2212 7rfrflx.exe 41 PID 2212 wrote to memory of 2888 2212 7rfrflx.exe 41 PID 2212 wrote to memory of 2888 2212 7rfrflx.exe 41 PID 2888 wrote to memory of 2480 2888 ttbtth.exe 42 PID 2888 wrote to memory of 2480 2888 ttbtth.exe 42 PID 2888 wrote to memory of 2480 2888 ttbtth.exe 42 PID 2888 wrote to memory of 2480 2888 ttbtth.exe 42 PID 2480 wrote to memory of 1612 2480 5pjpj.exe 43 PID 2480 wrote to memory of 1612 2480 5pjpj.exe 43 PID 2480 wrote to memory of 1612 2480 5pjpj.exe 43 PID 2480 wrote to memory of 1612 2480 5pjpj.exe 43 PID 1612 wrote to memory of 2880 1612 flffxrr.exe 44 PID 1612 wrote to memory of 2880 1612 flffxrr.exe 44 PID 1612 wrote to memory of 2880 1612 flffxrr.exe 44 PID 1612 wrote to memory of 2880 1612 flffxrr.exe 44 PID 2880 wrote to memory of 1756 2880 tnnbhh.exe 45 PID 2880 wrote to memory of 1756 2880 tnnbhh.exe 45 PID 2880 wrote to memory of 1756 2880 tnnbhh.exe 45 PID 2880 wrote to memory of 1756 2880 tnnbhh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"C:\Users\Admin\AppData\Local\Temp\f9d6d75256c5c7514f8abf96b1b11af0331d06a93be70de532dbcdad4f4a04fcN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2192 -
\??\c:\jjjjj.exec:\jjjjj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\llxfxfl.exec:\llxfxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940 -
\??\c:\hbbhbb.exec:\hbbhbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2692 -
\??\c:\9fxfllr.exec:\9fxfllr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\5nhbht.exec:\5nhbht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\lrflxfx.exec:\lrflxfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2648 -
\??\c:\hhbbtt.exec:\hhbbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\9djvp.exec:\9djvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:636 -
\??\c:\xrrfrlx.exec:\xrrfrlx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\bbnnhb.exec:\bbnnhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
\??\c:\7rfrflx.exec:\7rfrflx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
\??\c:\ttbtth.exec:\ttbtth.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\5pjpj.exec:\5pjpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480 -
\??\c:\flffxrr.exec:\flffxrr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
\??\c:\tnnbhh.exec:\tnnbhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
\??\c:\jvjjp.exec:\jvjjp.exe17⤵
- Executes dropped EXE
PID:1756 -
\??\c:\bbthnn.exec:\bbthnn.exe18⤵
- Executes dropped EXE
PID:1964 -
\??\c:\hnnbbn.exec:\hnnbbn.exe19⤵
- Executes dropped EXE
PID:2952 -
\??\c:\rlxxflx.exec:\rlxxflx.exe20⤵
- Executes dropped EXE
PID:2280 -
\??\c:\5nbthh.exec:\5nbthh.exe21⤵
- Executes dropped EXE
PID:2136 -
\??\c:\vdvdp.exec:\vdvdp.exe22⤵
- Executes dropped EXE
PID:2240 -
\??\c:\tntbtb.exec:\tntbtb.exe23⤵
- Executes dropped EXE
PID:1076 -
\??\c:\ttnthn.exec:\ttnthn.exe24⤵
- Executes dropped EXE
PID:1548 -
\??\c:\pvpjj.exec:\pvpjj.exe25⤵
- Executes dropped EXE
PID:440 -
\??\c:\hhbhnb.exec:\hhbhnb.exe26⤵
- Executes dropped EXE
PID:1276 -
\??\c:\hbbnnt.exec:\hbbnnt.exe27⤵
- Executes dropped EXE
PID:2976 -
\??\c:\7xfrlrr.exec:\7xfrlrr.exe28⤵
- Executes dropped EXE
PID:1616 -
\??\c:\hhbbhn.exec:\hhbbhn.exe29⤵
- Executes dropped EXE
PID:2356 -
\??\c:\xxrffrr.exec:\xxrffrr.exe30⤵
- Executes dropped EXE
PID:2056 -
\??\c:\nhtbnb.exec:\nhtbnb.exe31⤵
- Executes dropped EXE
PID:872 -
\??\c:\jdvvd.exec:\jdvvd.exe32⤵
- Executes dropped EXE
PID:2680 -
\??\c:\xxlxxfr.exec:\xxlxxfr.exe33⤵
- Executes dropped EXE
PID:1496 -
\??\c:\pjppv.exec:\pjppv.exe34⤵
- Executes dropped EXE
PID:2788 -
\??\c:\3xfrflr.exec:\3xfrflr.exe35⤵
- Executes dropped EXE
PID:2828 -
\??\c:\ththnt.exec:\ththnt.exe36⤵
- Executes dropped EXE
PID:2904 -
\??\c:\vvpvj.exec:\vvpvj.exe37⤵
- Executes dropped EXE
PID:2916 -
\??\c:\xrrxffr.exec:\xrrxffr.exe38⤵
- Executes dropped EXE
PID:2640 -
\??\c:\tthntb.exec:\tthntb.exe39⤵
- Executes dropped EXE
PID:2592 -
\??\c:\lffrfxf.exec:\lffrfxf.exe40⤵
- Executes dropped EXE
PID:3008 -
\??\c:\7bthbb.exec:\7bthbb.exe41⤵
- Executes dropped EXE
PID:1108 -
\??\c:\jdjdp.exec:\jdjdp.exe42⤵
- Executes dropped EXE
PID:264 -
\??\c:\frlrfff.exec:\frlrfff.exe43⤵
- Executes dropped EXE
PID:480 -
\??\c:\ntbttn.exec:\ntbttn.exe44⤵
- Executes dropped EXE
PID:2160 -
\??\c:\7pjjp.exec:\7pjjp.exe45⤵
- Executes dropped EXE
PID:2396 -
\??\c:\llffllx.exec:\llffllx.exe46⤵
- Executes dropped EXE
PID:2884 -
\??\c:\fxrlrxf.exec:\fxrlrxf.exe47⤵
- Executes dropped EXE
PID:2540 -
\??\c:\5vvdd.exec:\5vvdd.exe48⤵
- Executes dropped EXE
PID:1768 -
\??\c:\rflxlxr.exec:\rflxlxr.exe49⤵
- Executes dropped EXE
PID:1980 -
\??\c:\hhbnbb.exec:\hhbnbb.exe50⤵
- Executes dropped EXE
PID:1044 -
\??\c:\tthhnt.exec:\tthhnt.exe51⤵
- Executes dropped EXE
PID:2764 -
\??\c:\1pddv.exec:\1pddv.exe52⤵
- Executes dropped EXE
PID:112 -
\??\c:\7flfffl.exec:\7flfffl.exe53⤵
- Executes dropped EXE
PID:1572 -
\??\c:\5hbbtt.exec:\5hbbtt.exe54⤵
- Executes dropped EXE
PID:3068 -
\??\c:\nhbbnn.exec:\nhbbnn.exe55⤵
- Executes dropped EXE
PID:2188 -
\??\c:\ddvpd.exec:\ddvpd.exe56⤵
- Executes dropped EXE
PID:2236 -
\??\c:\xrlfllf.exec:\xrlfllf.exe57⤵
- Executes dropped EXE
PID:2280 -
\??\c:\btntnn.exec:\btntnn.exe58⤵
- Executes dropped EXE
PID:2000 -
\??\c:\vjjdj.exec:\vjjdj.exe59⤵
- Executes dropped EXE
PID:1412 -
\??\c:\jdvdp.exec:\jdvdp.exe60⤵
- Executes dropped EXE
PID:1120 -
\??\c:\lllxxxl.exec:\lllxxxl.exe61⤵
- Executes dropped EXE
PID:904 -
\??\c:\nnnbbn.exec:\nnnbbn.exe62⤵
- Executes dropped EXE
PID:964 -
\??\c:\jdddp.exec:\jdddp.exe63⤵
- Executes dropped EXE
PID:1476 -
\??\c:\fxrfxxf.exec:\fxrfxxf.exe64⤵
- Executes dropped EXE
PID:372 -
\??\c:\rrlflrx.exec:\rrlflrx.exe65⤵
- Executes dropped EXE
PID:292 -
\??\c:\1nbhhh.exec:\1nbhhh.exe66⤵PID:1920
-
\??\c:\tbbhbb.exec:\tbbhbb.exe67⤵PID:1420
-
\??\c:\pjpvd.exec:\pjpvd.exe68⤵PID:1728
-
\??\c:\lrlrflx.exec:\lrlrflx.exe69⤵PID:1556
-
\??\c:\3tnbnt.exec:\3tnbnt.exe70⤵PID:2332
-
\??\c:\dvdjp.exec:\dvdjp.exe71⤵PID:1624
-
\??\c:\ppjpj.exec:\ppjpj.exe72⤵PID:1520
-
\??\c:\llflxxf.exec:\llflxxf.exe73⤵PID:1800
-
\??\c:\nnhtnn.exec:\nnhtnn.exe74⤵PID:2444
-
\??\c:\ttbnbn.exec:\ttbnbn.exe75⤵PID:2712
-
\??\c:\dddpd.exec:\dddpd.exe76⤵PID:2576
-
\??\c:\9ffrxrx.exec:\9ffrxrx.exe77⤵PID:2620
-
\??\c:\hthnbh.exec:\hthnbh.exe78⤵PID:2696
-
\??\c:\hhhnhh.exec:\hhhnhh.exe79⤵PID:532
-
\??\c:\ppjpj.exec:\ppjpj.exe80⤵PID:772
-
\??\c:\rllfllr.exec:\rllfllr.exe81⤵PID:696
-
\??\c:\lfxfxxl.exec:\lfxfxxl.exe82⤵PID:1716
-
\??\c:\5htbtb.exec:\5htbtb.exe83⤵PID:2468
-
\??\c:\ddvdp.exec:\ddvdp.exe84⤵PID:576
-
\??\c:\pppvj.exec:\pppvj.exe85⤵PID:336
-
\??\c:\rlrxlrf.exec:\rlrxlrf.exe86⤵PID:1232
-
\??\c:\hbtbnt.exec:\hbtbnt.exe87⤵PID:2432
-
\??\c:\5tbhnn.exec:\5tbhnn.exe88⤵PID:1768
-
\??\c:\vvppv.exec:\vvppv.exe89⤵PID:1980
-
\??\c:\xfrxrrr.exec:\xfrxrrr.exe90⤵PID:1044
-
\??\c:\1fffrxf.exec:\1fffrxf.exe91⤵PID:2340
-
\??\c:\hbthth.exec:\hbthth.exe92⤵PID:2912
-
\??\c:\nhttbb.exec:\nhttbb.exe93⤵PID:1976
-
\??\c:\jpvpp.exec:\jpvpp.exe94⤵PID:2556
-
\??\c:\xfrllfl.exec:\xfrllfl.exe95⤵PID:1940
-
\??\c:\rlxfrxf.exec:\rlxfrxf.exe96⤵PID:1696
-
\??\c:\7hbthh.exec:\7hbthh.exe97⤵PID:2448
-
\??\c:\7pppd.exec:\7pppd.exe98⤵PID:2428
-
\??\c:\pjjpd.exec:\pjjpd.exe99⤵PID:2964
-
\??\c:\xlfxlll.exec:\xlfxlll.exe100⤵PID:1076
-
\??\c:\bnbhbt.exec:\bnbhbt.exe101⤵PID:1860
-
\??\c:\bthntt.exec:\bthntt.exe102⤵PID:1796
-
\??\c:\djvjj.exec:\djvjj.exe103⤵PID:964
-
\??\c:\jjvjv.exec:\jjvjv.exe104⤵PID:1668
-
\??\c:\lfxfrrf.exec:\lfxfrrf.exe105⤵PID:372
-
\??\c:\fxrxlxf.exec:\fxrxlxf.exe106⤵PID:1928
-
\??\c:\hbnbnb.exec:\hbnbnb.exe107⤵PID:1712
-
\??\c:\pjpvd.exec:\pjpvd.exe108⤵
- System Location Discovery: System Language Discovery
PID:2292 -
\??\c:\ddvvj.exec:\ddvvj.exe109⤵PID:1676
-
\??\c:\ffrfllr.exec:\ffrfllr.exe110⤵PID:868
-
\??\c:\lrrllxx.exec:\lrrllxx.exe111⤵PID:2728
-
\??\c:\7htbhn.exec:\7htbhn.exe112⤵PID:2668
-
\??\c:\hbtnhn.exec:\hbtnhn.exe113⤵PID:2284
-
\??\c:\jdvpv.exec:\jdvpv.exe114⤵PID:2852
-
\??\c:\1pppv.exec:\1pppv.exe115⤵PID:2904
-
\??\c:\9xrxfxl.exec:\9xrxfxl.exe116⤵PID:2572
-
\??\c:\3hbhth.exec:\3hbhth.exe117⤵PID:2588
-
\??\c:\ththhh.exec:\ththhh.exe118⤵PID:3044
-
\??\c:\jdvpj.exec:\jdvpj.exe119⤵PID:2744
-
\??\c:\llffxfl.exec:\llffxfl.exe120⤵PID:772
-
\??\c:\xrffrxl.exec:\xrffrxl.exe121⤵PID:696
-
\??\c:\7ntbhn.exec:\7ntbhn.exe122⤵
- System Location Discovery: System Language Discovery
PID:2464