Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
17/10/2024, 16:48
Behavioral task
behavioral1
Sample
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
-
Size
445KB
-
MD5
fba138788d8671443ac9b7899da1c6d0
-
SHA1
e774d7e5364759a563b819ab7d3f4dc06f3f0451
-
SHA256
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775de
-
SHA512
f74774acfee06e09bdac9e3a13fdaf8d69c9c1df7be17743ac5447cd3e7836d0739bf9d72b8279368808df3bfd2cb31c97c1f1f76173e29d8d6f2ed7bef81bca
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH5CJ:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMi
Malware Config
Signatures
-
Detect Blackmoon payload 53 IoCs
resource yara_rule behavioral1/memory/2900-7-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2992-17-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1784-31-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2976-28-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2824-52-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2308-49-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2308-47-0x00000000005D0000-0x0000000000604000-memory.dmp family_blackmoon behavioral1/memory/2944-69-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2944-66-0x00000000003A0000-0x00000000003D4000-memory.dmp family_blackmoon behavioral1/memory/2804-78-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2804-77-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2828-87-0x00000000001B0000-0x00000000001E4000-memory.dmp family_blackmoon behavioral1/memory/2828-89-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2284-106-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/3056-111-0x0000000000440000-0x0000000000474000-memory.dmp family_blackmoon behavioral1/memory/760-125-0x0000000000440000-0x0000000000474000-memory.dmp family_blackmoon behavioral1/memory/760-127-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1272-145-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1072-154-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2788-173-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2788-171-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon 
behavioral1/memory/2304-181-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2176-190-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2960-198-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1724-239-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/896-248-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1656-257-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2140-267-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1672-284-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2092-307-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2368-333-0x0000000000440000-0x0000000000474000-memory.dmp family_blackmoon behavioral1/memory/2368-332-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2836-352-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2752-359-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2752-378-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/1460-417-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2700-473-0x00000000003C0000-0x00000000003F4000-memory.dmp family_blackmoon behavioral1/memory/2428-578-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2216-604-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2444-611-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/3040-665-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/1892-706-0x00000000002A0000-0x00000000002D4000-memory.dmp family_blackmoon 
behavioral1/memory/1868-721-0x0000000000230000-0x0000000000264000-memory.dmp family_blackmoon behavioral1/memory/808-740-0x00000000001B0000-0x00000000001E4000-memory.dmp family_blackmoon behavioral1/memory/2952-753-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/808-761-0x00000000001B0000-0x00000000001E4000-memory.dmp family_blackmoon behavioral1/memory/1732-776-0x00000000001B0000-0x00000000001E4000-memory.dmp family_blackmoon behavioral1/memory/1188-790-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral1/memory/2284-950-0x0000000000220000-0x0000000000254000-memory.dmp family_blackmoon behavioral1/memory/2276-1001-0x00000000003A0000-0x00000000003D4000-memory.dmp family_blackmoon behavioral1/memory/1732-1051-0x0000000001C80000-0x0000000001CB4000-memory.dmp family_blackmoon behavioral1/memory/1732-1070-0x0000000001C80000-0x0000000001CB4000-memory.dmp family_blackmoon behavioral1/memory/2576-1089-0x00000000005D0000-0x0000000000604000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
Every dropped executable in this list is written directly to the root of C:\ (see the process tree below, e.g. \??\c:\pppdp.exe) with a short name built from a small set of consonants and odd digits, and each one spawns the next in a long chain. File-creation events for new .exe files directly under C:\ are a practical hunting pivot for this sample; the individual names themselves are not stable indicators.
pid Process 2992 pppdp.exe 2976 flxfrlf.exe 1784 jdjpd.exe 2308 hhbnbb.exe 2824 fxxlxlr.exe 2944 ntnhbh.exe 2804 nnthbn.exe 2828 1vpvv.exe 2608 tnhbhn.exe 2284 dvpvj.exe 3056 nnhbnt.exe 760 5jdjp.exe 1864 9hnnhb.exe 1272 llxxlrl.exe 1072 vvjvj.exe 1772 thbbnb.exe 2788 pppdp.exe 2304 ffxflrx.exe 2176 5jvvp.exe 2960 9fxfrxf.exe 2968 ddpvj.exe 1092 9xrxxxf.exe 2044 tnhnbb.exe 1076 dvjpp.exe 1724 7thntt.exe 896 dvjvv.exe 1656 nhhnnb.exe 2140 dvvjv.exe 1888 nhtbhb.exe 1672 hhnbth.exe 2684 fffxfrf.exe 2544 tnthbh.exe 2092 xxxrrxr.exe 2320 ttbnth.exe 2316 5djvv.exe 2976 rlfflrl.exe 2368 thhthn.exe 2732 hnhtnb.exe 2832 3jjjv.exe 2836 lxrfllx.exe 2752 ttbbhn.exe 2944 jvdvj.exe 2692 lrxxxlx.exe 2816 rflxrxl.exe 2668 nnnnnh.exe 2600 djjjd.exe 2404 lllxlxl.exe 3052 7nhtht.exe 3056 hhnbhb.exe 1460 vpjvp.exe 836 ffxrflf.exe 1928 xrlfrll.exe 2500 nhnhht.exe 1496 7pdjv.exe 2908 xlrfxll.exe 1772 hnhtht.exe 2460 btntbh.exe 2488 ppvpp.exe 2700 fxrxxfr.exe 756 3nnbtt.exe 3032 jdppd.exe 596 ppvpd.exe 1068 fxrxflx.exe 2504 bbbnht.exe -
resource yara_rule behavioral1/memory/2900-0-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2900-7-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0009000000012281-8.dat upx behavioral1/files/0x0008000000016d4f-18.dat upx behavioral1/memory/2992-17-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0007000000016d58-27.dat upx behavioral1/memory/1784-31-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2976-28-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0008000000016da7-38.dat upx behavioral1/files/0x0007000000016dd0-50.dat upx behavioral1/memory/2824-52-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2308-49-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2308-47-0x00000000005D0000-0x0000000000604000-memory.dmp upx behavioral1/files/0x0007000000016de4-60.dat upx behavioral1/files/0x0007000000016de8-68.dat upx behavioral1/memory/2944-69-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0008000000016eb8-79.dat upx behavioral1/memory/2804-77-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0008000000016edb-88.dat upx behavioral1/memory/2828-89-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0006000000018f65-98.dat upx behavioral1/files/0x000600000001904c-107.dat upx behavioral1/memory/2284-106-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00060000000190e1-116.dat upx behavioral1/memory/760-117-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/760-125-0x0000000000440000-0x0000000000474000-memory.dmp upx behavioral1/memory/1864-128-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/760-127-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00050000000191d2-126.dat upx behavioral1/files/0x00050000000191f6-136.dat upx 
behavioral1/memory/1272-145-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0009000000016d0d-146.dat upx behavioral1/files/0x0005000000019217-155.dat upx behavioral1/memory/1072-154-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0009000000012281-163.dat upx behavioral1/memory/2788-173-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019240-172.dat upx behavioral1/memory/2304-181-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019259-182.dat upx behavioral1/memory/2176-190-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019268-191.dat upx behavioral1/memory/2960-198-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x000500000001926c-199.dat upx behavioral1/files/0x0005000000019275-207.dat upx behavioral1/files/0x0005000000019278-215.dat upx behavioral1/files/0x000500000001929a-223.dat upx behavioral1/files/0x0005000000019319-231.dat upx behavioral1/files/0x0005000000019365-240.dat upx behavioral1/memory/1724-239-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/896-248-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019377-249.dat upx behavioral1/memory/1656-257-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019387-258.dat upx behavioral1/files/0x00050000000193a4-266.dat upx behavioral1/files/0x00050000000193b3-276.dat upx behavioral1/memory/2140-267-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x00050000000193c1-285.dat upx behavioral1/memory/1672-284-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/files/0x0005000000019433-293.dat upx behavioral1/memory/2092-307-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2368-333-0x0000000000440000-0x0000000000474000-memory.dmp upx 
behavioral1/memory/2368-332-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2836-352-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral1/memory/2752-359-0x0000000000400000-0x0000000000434000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Note that many benign programs also read the NLS\Language key, so on its own this signature is low-confidence and should be weighed together with the payload detection above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnbthn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbtbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxrfllx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlfrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lfxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
1lrfrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffrxlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7flflfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dddvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1lrxxxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3bhhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
In the events below each parent writes only to the memory of the child it has just launched (consecutive procid_target values, four writes per parent/child pair). That pattern is consistent with ordinary process start-up as well as with injection, so treat these events as supporting evidence for the spawn chain rather than as a standalone indicator of code injection.
description pid Process procid_target PID 2900 wrote to memory of 2992 2900 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2900 wrote to memory of 2992 2900 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2900 wrote to memory of 2992 2900 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2900 wrote to memory of 2992 2900 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 30 PID 2992 wrote to memory of 2976 2992 pppdp.exe 31 PID 2992 wrote to memory of 2976 2992 pppdp.exe 31 PID 2992 wrote to memory of 2976 2992 pppdp.exe 31 PID 2992 wrote to memory of 2976 2992 pppdp.exe 31 PID 2976 wrote to memory of 1784 2976 flxfrlf.exe 32 PID 2976 wrote to memory of 1784 2976 flxfrlf.exe 32 PID 2976 wrote to memory of 1784 2976 flxfrlf.exe 32 PID 2976 wrote to memory of 1784 2976 flxfrlf.exe 32 PID 1784 wrote to memory of 2308 1784 jdjpd.exe 33 PID 1784 wrote to memory of 2308 1784 jdjpd.exe 33 PID 1784 wrote to memory of 2308 1784 jdjpd.exe 33 PID 1784 wrote to memory of 2308 1784 jdjpd.exe 33 PID 2308 wrote to memory of 2824 2308 hhbnbb.exe 34 PID 2308 wrote to memory of 2824 2308 hhbnbb.exe 34 PID 2308 wrote to memory of 2824 2308 hhbnbb.exe 34 PID 2308 wrote to memory of 2824 2308 hhbnbb.exe 34 PID 2824 wrote to memory of 2944 2824 fxxlxlr.exe 35 PID 2824 wrote to memory of 2944 2824 fxxlxlr.exe 35 PID 2824 wrote to memory of 2944 2824 fxxlxlr.exe 35 PID 2824 wrote to memory of 2944 2824 fxxlxlr.exe 35 PID 2944 wrote to memory of 2804 2944 ntnhbh.exe 36 PID 2944 wrote to memory of 2804 2944 ntnhbh.exe 36 PID 2944 wrote to memory of 2804 2944 ntnhbh.exe 36 PID 2944 wrote to memory of 2804 2944 ntnhbh.exe 36 PID 2804 wrote to memory of 2828 2804 nnthbn.exe 37 PID 2804 wrote to memory of 2828 2804 nnthbn.exe 37 PID 2804 wrote to memory of 2828 2804 nnthbn.exe 37 PID 2804 wrote to memory of 2828 2804 nnthbn.exe 37 PID 2828 wrote to memory of 2608 2828 1vpvv.exe 38 PID 2828 
wrote to memory of 2608 2828 1vpvv.exe 38 PID 2828 wrote to memory of 2608 2828 1vpvv.exe 38 PID 2828 wrote to memory of 2608 2828 1vpvv.exe 38 PID 2608 wrote to memory of 2284 2608 tnhbhn.exe 39 PID 2608 wrote to memory of 2284 2608 tnhbhn.exe 39 PID 2608 wrote to memory of 2284 2608 tnhbhn.exe 39 PID 2608 wrote to memory of 2284 2608 tnhbhn.exe 39 PID 2284 wrote to memory of 3056 2284 dvpvj.exe 40 PID 2284 wrote to memory of 3056 2284 dvpvj.exe 40 PID 2284 wrote to memory of 3056 2284 dvpvj.exe 40 PID 2284 wrote to memory of 3056 2284 dvpvj.exe 40 PID 3056 wrote to memory of 760 3056 nnhbnt.exe 41 PID 3056 wrote to memory of 760 3056 nnhbnt.exe 41 PID 3056 wrote to memory of 760 3056 nnhbnt.exe 41 PID 3056 wrote to memory of 760 3056 nnhbnt.exe 41 PID 760 wrote to memory of 1864 760 5jdjp.exe 42 PID 760 wrote to memory of 1864 760 5jdjp.exe 42 PID 760 wrote to memory of 1864 760 5jdjp.exe 42 PID 760 wrote to memory of 1864 760 5jdjp.exe 42 PID 1864 wrote to memory of 1272 1864 9hnnhb.exe 43 PID 1864 wrote to memory of 1272 1864 9hnnhb.exe 43 PID 1864 wrote to memory of 1272 1864 9hnnhb.exe 43 PID 1864 wrote to memory of 1272 1864 9hnnhb.exe 43 PID 1272 wrote to memory of 1072 1272 llxxlrl.exe 44 PID 1272 wrote to memory of 1072 1272 llxxlrl.exe 44 PID 1272 wrote to memory of 1072 1272 llxxlrl.exe 44 PID 1272 wrote to memory of 1072 1272 llxxlrl.exe 44 PID 1072 wrote to memory of 1772 1072 vvjvj.exe 45 PID 1072 wrote to memory of 1772 1072 vvjvj.exe 45 PID 1072 wrote to memory of 1772 1072 vvjvj.exe 45 PID 1072 wrote to memory of 1772 1072 vvjvj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
\??\c:\pppdp.exec:\pppdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992 -
\??\c:\flxfrlf.exec:\flxfrlf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
\??\c:\jdjpd.exec:\jdjpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\hhbnbb.exec:\hhbnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\fxxlxlr.exec:\fxxlxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
\??\c:\ntnhbh.exec:\ntnhbh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
\??\c:\nnthbn.exec:\nnthbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\1vpvv.exec:\1vpvv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\tnhbhn.exec:\tnhbhn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\dvpvj.exec:\dvpvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
\??\c:\nnhbnt.exec:\nnhbnt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056 -
\??\c:\5jdjp.exec:\5jdjp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:760 -
\??\c:\9hnnhb.exec:\9hnnhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1864 -
\??\c:\llxxlrl.exec:\llxxlrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\vvjvj.exec:\vvjvj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\thbbnb.exec:\thbbnb.exe17⤵
- Executes dropped EXE
PID:1772 -
\??\c:\pppdp.exec:\pppdp.exe18⤵
- Executes dropped EXE
PID:2788 -
\??\c:\ffxflrx.exec:\ffxflrx.exe19⤵
- Executes dropped EXE
PID:2304 -
\??\c:\5jvvp.exec:\5jvvp.exe20⤵
- Executes dropped EXE
PID:2176 -
\??\c:\9fxfrxf.exec:\9fxfrxf.exe21⤵
- Executes dropped EXE
PID:2960 -
\??\c:\ddpvj.exec:\ddpvj.exe22⤵
- Executes dropped EXE
PID:2968 -
\??\c:\9xrxxxf.exec:\9xrxxxf.exe23⤵
- Executes dropped EXE
PID:1092 -
\??\c:\tnhnbb.exec:\tnhnbb.exe24⤵
- Executes dropped EXE
PID:2044 -
\??\c:\dvjpp.exec:\dvjpp.exe25⤵
- Executes dropped EXE
PID:1076 -
\??\c:\7thntt.exec:\7thntt.exe26⤵
- Executes dropped EXE
PID:1724 -
\??\c:\dvjvv.exec:\dvjvv.exe27⤵
- Executes dropped EXE
PID:896 -
\??\c:\nhhnnb.exec:\nhhnnb.exe28⤵
- Executes dropped EXE
PID:1656 -
\??\c:\dvvjv.exec:\dvvjv.exe29⤵
- Executes dropped EXE
PID:2140 -
\??\c:\nhtbhb.exec:\nhtbhb.exe30⤵
- Executes dropped EXE
PID:1888 -
\??\c:\hhnbth.exec:\hhnbth.exe31⤵
- Executes dropped EXE
PID:1672 -
\??\c:\fffxfrf.exec:\fffxfrf.exe32⤵
- Executes dropped EXE
PID:2684 -
\??\c:\tnthbh.exec:\tnthbh.exe33⤵
- Executes dropped EXE
PID:2544 -
\??\c:\xxxrrxr.exec:\xxxrrxr.exe34⤵
- Executes dropped EXE
PID:2092 -
\??\c:\ttbnth.exec:\ttbnth.exe35⤵
- Executes dropped EXE
PID:2320 -
\??\c:\5djvv.exec:\5djvv.exe36⤵
- Executes dropped EXE
PID:2316 -
\??\c:\rlfflrl.exec:\rlfflrl.exe37⤵
- Executes dropped EXE
PID:2976 -
\??\c:\thhthn.exec:\thhthn.exe38⤵
- Executes dropped EXE
PID:2368 -
\??\c:\hnhtnb.exec:\hnhtnb.exe39⤵
- Executes dropped EXE
PID:2732 -
\??\c:\3jjjv.exec:\3jjjv.exe40⤵
- Executes dropped EXE
PID:2832 -
\??\c:\lxrfllx.exec:\lxrfllx.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2836 -
\??\c:\ttbbhn.exec:\ttbbhn.exe42⤵
- Executes dropped EXE
PID:2752 -
\??\c:\jvdvj.exec:\jvdvj.exe43⤵
- Executes dropped EXE
PID:2944 -
\??\c:\lrxxxlx.exec:\lrxxxlx.exe44⤵
- Executes dropped EXE
PID:2692 -
\??\c:\rflxrxl.exec:\rflxrxl.exe45⤵
- Executes dropped EXE
PID:2816 -
\??\c:\nnnnnh.exec:\nnnnnh.exe46⤵
- Executes dropped EXE
PID:2668 -
\??\c:\djjjd.exec:\djjjd.exe47⤵
- Executes dropped EXE
PID:2600 -
\??\c:\lllxlxl.exec:\lllxlxl.exe48⤵
- Executes dropped EXE
PID:2404 -
\??\c:\7nhtht.exec:\7nhtht.exe49⤵
- Executes dropped EXE
PID:3052 -
\??\c:\hhnbhb.exec:\hhnbhb.exe50⤵
- Executes dropped EXE
PID:3056 -
\??\c:\vpjvp.exec:\vpjvp.exe51⤵
- Executes dropped EXE
PID:1460 -
\??\c:\ffxrflf.exec:\ffxrflf.exe52⤵
- Executes dropped EXE
PID:836 -
\??\c:\xrlfrll.exec:\xrlfrll.exe53⤵
- Executes dropped EXE
PID:1928 -
\??\c:\nhnhht.exec:\nhnhht.exe54⤵
- Executes dropped EXE
PID:2500 -
\??\c:\7pdjv.exec:\7pdjv.exe55⤵
- Executes dropped EXE
PID:1496 -
\??\c:\xlrfxll.exec:\xlrfxll.exe56⤵
- Executes dropped EXE
PID:2908 -
\??\c:\hnhtht.exec:\hnhtht.exe57⤵
- Executes dropped EXE
PID:1772 -
\??\c:\btntbh.exec:\btntbh.exe58⤵
- Executes dropped EXE
PID:2460 -
\??\c:\ppvpp.exec:\ppvpp.exe59⤵
- Executes dropped EXE
PID:2488 -
\??\c:\fxrxxfr.exec:\fxrxxfr.exe60⤵
- Executes dropped EXE
PID:2700 -
\??\c:\3nnbtt.exec:\3nnbtt.exe61⤵
- Executes dropped EXE
PID:756 -
\??\c:\jdppd.exec:\jdppd.exe62⤵
- Executes dropped EXE
PID:3032 -
\??\c:\ppvpd.exec:\ppvpd.exe63⤵
- Executes dropped EXE
PID:596 -
\??\c:\fxrxflx.exec:\fxrxflx.exe64⤵
- Executes dropped EXE
PID:1068 -
\??\c:\bbbnht.exec:\bbbnht.exe65⤵
- Executes dropped EXE
PID:2504 -
\??\c:\ddpvd.exec:\ddpvd.exe66⤵PID:1188
-
\??\c:\1jpdj.exec:\1jpdj.exe67⤵PID:1704
-
\??\c:\rrlrflx.exec:\rrlrflx.exe68⤵PID:688
-
\??\c:\3tthnh.exec:\3tthnh.exe69⤵PID:832
-
\??\c:\pjvvj.exec:\pjvvj.exe70⤵PID:648
-
\??\c:\vddvp.exec:\vddvp.exe71⤵PID:952
-
\??\c:\9xlrrxl.exec:\9xlrrxl.exe72⤵PID:2060
-
\??\c:\tnnbnt.exec:\tnnbnt.exe73⤵PID:2120
-
\??\c:\dddjp.exec:\dddjp.exe74⤵PID:1060
-
\??\c:\3jjjp.exec:\3jjjp.exe75⤵PID:2496
-
\??\c:\fxxxflf.exec:\fxxxflf.exe76⤵PID:884
-
\??\c:\9bntnn.exec:\9bntnn.exe77⤵PID:2428
-
\??\c:\ppvdd.exec:\ppvdd.exe78⤵PID:2396
-
\??\c:\9lfrfxf.exec:\9lfrfxf.exe79⤵PID:1576
-
\??\c:\hbnthn.exec:\hbnthn.exe80⤵PID:1788
-
\??\c:\5bhnht.exec:\5bhnht.exe81⤵PID:2216
-
\??\c:\jjpdd.exec:\jjpdd.exe82⤵PID:2444
-
\??\c:\rrlrfrl.exec:\rrlrfrl.exe83⤵PID:2808
-
\??\c:\5hbnhn.exec:\5hbnhn.exe84⤵PID:2856
-
\??\c:\tbbhbh.exec:\tbbhbh.exe85⤵PID:2832
-
\??\c:\jjjpj.exec:\jjjpj.exe86⤵PID:2612
-
\??\c:\xrlrlrf.exec:\xrlrlrf.exe87⤵PID:2628
-
\??\c:\bbbthn.exec:\bbbthn.exe88⤵PID:2768
-
\??\c:\jjdpv.exec:\jjdpv.exe89⤵PID:2616
-
\??\c:\5vvvd.exec:\5vvvd.exe90⤵PID:3040
-
\??\c:\1lxxlrf.exec:\1lxxlrf.exe91⤵PID:2284
-
\??\c:\1bthnb.exec:\1bthnb.exe92⤵PID:1484
-
\??\c:\pvvjv.exec:\pvvjv.exe93⤵PID:1892
-
\??\c:\3llrlrr.exec:\3llrlrr.exe94⤵PID:2592
-
\??\c:\fxxxxlx.exec:\fxxxxlx.exe95⤵PID:1868
-
\??\c:\1hnhhb.exec:\1hnhhb.exe96⤵PID:1200
-
\??\c:\vpvdv.exec:\vpvdv.exe97⤵
- System Location Discovery: System Language Discovery
PID:1876 -
\??\c:\lxxrlxl.exec:\lxxrlxl.exe98⤵PID:1736
-
\??\c:\nntnnh.exec:\nntnnh.exe99⤵PID:2908
-
\??\c:\nnnbtb.exec:\nnnbtb.exe100⤵PID:2244
-
\??\c:\dddpj.exec:\dddpj.exe101⤵PID:808
-
\??\c:\rrlrrrr.exec:\rrlrrrr.exe102⤵PID:2456
-
\??\c:\tnhntt.exec:\tnhntt.exe103⤵PID:2952
-
\??\c:\djdvp.exec:\djdvp.exe104⤵PID:1036
-
\??\c:\5xxrlrl.exec:\5xxrlrl.exe105⤵PID:1280
-
\??\c:\bbbnbh.exec:\bbbnbh.exe106⤵PID:1732
-
\??\c:\1pvvp.exec:\1pvvp.exe107⤵PID:1528
-
\??\c:\jjjpj.exec:\jjjpj.exe108⤵PID:1188
-
\??\c:\1lrlflf.exec:\1lrlflf.exe109⤵PID:1704
-
\??\c:\tbbbtb.exec:\tbbbtb.exe110⤵PID:2880
-
\??\c:\jjjdp.exec:\jjjdp.exe111⤵PID:1524
-
\??\c:\lfrllrx.exec:\lfrllrx.exe112⤵PID:2132
-
\??\c:\tttbnt.exec:\tttbnt.exe113⤵PID:2392
-
\??\c:\jdpdj.exec:\jdpdj.exe114⤵PID:1052
-
\??\c:\7ppvj.exec:\7ppvj.exe115⤵PID:1684
-
\??\c:\rrlrxxf.exec:\rrlrxxf.exe116⤵PID:1744
-
\??\c:\1httbb.exec:\1httbb.exe117⤵PID:3008
-
\??\c:\bttbhh.exec:\bttbhh.exe118⤵PID:884
-
\??\c:\jjdvd.exec:\jjdvd.exe119⤵PID:2164
-
\??\c:\rllllrf.exec:\rllllrf.exe120⤵PID:1580
-
\??\c:\tbhnbh.exec:\tbhnbh.exe121⤵PID:2032
-
\??\c:\bnbbnn.exec:\bnbbnn.exe122⤵PID:264
-