Analysis
-
max time kernel
120s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 16:48
Behavioral task
behavioral1
Sample
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
Resource
win7-20240903-en
6 signatures
120 seconds
General
-
Target
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
-
Size
445KB
-
MD5
fba138788d8671443ac9b7899da1c6d0
-
SHA1
e774d7e5364759a563b819ab7d3f4dc06f3f0451
-
SHA256
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775de
-
SHA512
f74774acfee06e09bdac9e3a13fdaf8d69c9c1df7be17743ac5447cd3e7836d0739bf9d72b8279368808df3bfd2cb31c97c1f1f76173e29d8d6f2ed7bef81bca
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH5CJ:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMi
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2044-6-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4656-11-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1508-18-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2656-17-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4856-25-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2920-35-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4628-29-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1048-47-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3948-58-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1004-65-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1572-70-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3308-77-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3004-82-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/676-88-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3312-93-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1428-112-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3512-111-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1524-122-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4968-128-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2328-133-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1168-137-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/1128-151-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3744-162-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2160-178-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2500-183-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2728-192-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1104-196-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3864-204-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4692-208-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3020-212-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2264-219-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/972-223-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1712-228-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2476-235-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2276-239-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2380-249-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2880-259-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2260-263-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2960-267-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/944-271-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3512-284-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4460-291-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/4984-295-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1780-300-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/744-308-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/836-312-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2012-337-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4916-344-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2160-351-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2792-364-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4628-383-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2036-393-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1980-409-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4672-425-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1312-429-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/844-502-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4824-527-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2932-555-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1444-626-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4728-663-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/676-712-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1612-1047-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4276-1081-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4656 vjppp.exe 2656 rlxfrxf.exe 1508 nnhbbb.exe 4856 dpdpv.exe 4628 lrxlxlr.exe 2920 7btntb.exe 1048 pdddv.exe 1852 vdpvp.exe 3948 frxrrrl.exe 1004 dpdpv.exe 1572 hnnhbb.exe 3308 jvpdp.exe 3004 tbhbtt.exe 676 fllflfx.exe 3312 hhhbht.exe 2312 xxfxfxl.exe 2588 dvpdv.exe 3512 rlfxllf.exe 1428 nhbnbt.exe 1524 vvdvd.exe 4968 fflflfx.exe 2328 vdpjd.exe 1168 lxxrllf.exe 2336 bnnhtn.exe 1128 3pjjv.exe 400 bttnbh.exe 3744 pjjdp.exe 1784 7rfxxxx.exe 1772 ntbthh.exe 2160 9pdpp.exe 2500 xrxllfx.exe 4344 bhbhnb.exe 2728 xlrxrll.exe 1104 tbtntt.exe 1848 nbnbbt.exe 3864 9jppj.exe 4692 xlrffxx.exe 3020 lxlfxrr.exe 4228 thnbnh.exe 2264 9vvdv.exe 972 rflfxxr.exe 1712 btnhbt.exe 1852 tnnhtt.exe 2476 jdddv.exe 2276 rfllfll.exe 1980 flxfxfr.exe 2744 bhttth.exe 2380 llrlfll.exe 4120 xlfrffr.exe 2648 htnbhh.exe 2880 xfffffr.exe 2260 rfxlrlr.exe 2960 tbnbtn.exe 944 dddvp.exe 840 rxxrfxr.exe 3192 hbtnht.exe 3144 7vpdp.exe 3512 hbbnbh.exe 1108 pjjpv.exe 4460 xffflxf.exe 4984 hnnhtn.exe 784 vppdp.exe 1780 xllfrlf.exe 744 lfrllff.exe -
resource yara_rule behavioral2/memory/2044-0-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000c000000023b07-3.dat upx behavioral2/memory/2044-6-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4656-11-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000b000000023b60-12.dat upx behavioral2/memory/1508-18-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2656-17-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4856-25-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b66-28.dat upx behavioral2/files/0x000a000000023b67-34.dat upx behavioral2/memory/2920-35-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4628-29-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b65-22.dat upx behavioral2/files/0x000a000000023b64-16.dat upx behavioral2/files/0x0031000000023b68-40.dat upx behavioral2/files/0x0031000000023b69-43.dat upx behavioral2/memory/1048-47-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0031000000023b6a-50.dat upx behavioral2/files/0x000a000000023b65-55.dat upx behavioral2/memory/1004-56-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3948-58-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b6b-62.dat upx behavioral2/memory/1004-65-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b6d-68.dat upx behavioral2/memory/1572-70-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b6e-74.dat upx behavioral2/memory/3308-77-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b6f-80.dat upx behavioral2/memory/3004-82-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b70-86.dat upx 
behavioral2/memory/676-88-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3312-93-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000b000000023b61-94.dat upx behavioral2/files/0x000a000000023b71-98.dat upx behavioral2/files/0x000a000000023b72-103.dat upx behavioral2/files/0x000a000000023b73-108.dat upx behavioral2/memory/1428-112-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3512-111-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b74-117.dat upx behavioral2/memory/1524-122-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b75-120.dat upx behavioral2/files/0x000a000000023b76-126.dat upx behavioral2/memory/4968-128-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b77-134.dat upx behavioral2/memory/2328-133-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1168-137-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b78-139.dat upx behavioral2/files/0x000a000000023b79-144.dat upx behavioral2/files/0x000b000000023b7a-149.dat upx behavioral2/memory/1128-151-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000b000000023b7c-155.dat upx behavioral2/memory/3744-162-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b7d-160.dat upx behavioral2/files/0x000a000000023b7e-167.dat upx behavioral2/files/0x000a000000023b7f-171.dat upx behavioral2/files/0x000a000000023b80-176.dat upx behavioral2/memory/2160-178-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b81-184.dat upx behavioral2/memory/2500-183-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2728-192-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1104-196-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral2/memory/4692-202-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3864-204-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4692-208-0x0000000000400000-0x0000000000434000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrfxffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffflffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbhnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppjpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrlffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxlfrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 4656 2044 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 84 PID 2044 wrote to memory of 4656 2044 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 84 PID 2044 wrote to memory of 4656 2044 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 84 PID 4656 wrote to memory of 2656 4656 vjppp.exe 85 PID 4656 wrote to memory of 2656 4656 vjppp.exe 85 PID 4656 wrote to memory of 2656 4656 vjppp.exe 85 PID 2656 wrote to memory of 1508 2656 rlxfrxf.exe 86 PID 2656 wrote to memory of 1508 2656 rlxfrxf.exe 86 PID 2656 wrote to memory of 1508 2656 rlxfrxf.exe 86 PID 1508 wrote to memory of 4856 1508 nnhbbb.exe 87 PID 1508 wrote to memory of 4856 1508 nnhbbb.exe 87 PID 1508 wrote to memory of 4856 1508 nnhbbb.exe 87 PID 4856 wrote to memory of 4628 4856 dpdpv.exe 88 PID 4856 wrote to memory of 4628 4856 dpdpv.exe 88 PID 4856 wrote to memory of 4628 4856 dpdpv.exe 88 PID 4628 wrote to memory of 2920 4628 lrxlxlr.exe 89 PID 4628 wrote to memory of 2920 4628 lrxlxlr.exe 89 PID 4628 wrote to memory of 2920 4628 lrxlxlr.exe 89 PID 2920 wrote to memory of 1048 2920 7btntb.exe 90 PID 2920 wrote to memory of 1048 2920 7btntb.exe 90 PID 2920 wrote to memory of 1048 2920 7btntb.exe 90 PID 1048 wrote to memory of 1852 1048 pdddv.exe 91 PID 1048 wrote to memory of 1852 1048 pdddv.exe 91 PID 1048 wrote to memory of 1852 1048 pdddv.exe 91 PID 1852 wrote to memory of 3948 1852 vdpvp.exe 92 PID 1852 wrote to memory of 3948 1852 vdpvp.exe 92 PID 1852 wrote to memory of 3948 1852 vdpvp.exe 92 PID 3948 wrote to memory of 1004 3948 frxrrrl.exe 93 PID 3948 wrote to memory of 1004 3948 frxrrrl.exe 93 PID 3948 wrote to memory of 1004 3948 frxrrrl.exe 93 PID 1004 wrote to memory of 1572 1004 dpdpv.exe 94 PID 1004 wrote to memory of 1572 1004 dpdpv.exe 94 PID 1004 wrote to memory of 1572 1004 dpdpv.exe 94 PID 1572 wrote to memory of 3308 1572 hnnhbb.exe 96 PID 1572 wrote to 
memory of 3308 1572 hnnhbb.exe 96 PID 1572 wrote to memory of 3308 1572 hnnhbb.exe 96 PID 3308 wrote to memory of 3004 3308 jvpdp.exe 97 PID 3308 wrote to memory of 3004 3308 jvpdp.exe 97 PID 3308 wrote to memory of 3004 3308 jvpdp.exe 97 PID 3004 wrote to memory of 676 3004 tbhbtt.exe 98 PID 3004 wrote to memory of 676 3004 tbhbtt.exe 98 PID 3004 wrote to memory of 676 3004 tbhbtt.exe 98 PID 676 wrote to memory of 3312 676 fllflfx.exe 99 PID 676 wrote to memory of 3312 676 fllflfx.exe 99 PID 676 wrote to memory of 3312 676 fllflfx.exe 99 PID 3312 wrote to memory of 2312 3312 hhhbht.exe 100 PID 3312 wrote to memory of 2312 3312 hhhbht.exe 100 PID 3312 wrote to memory of 2312 3312 hhhbht.exe 100 PID 2312 wrote to memory of 2588 2312 xxfxfxl.exe 102 PID 2312 wrote to memory of 2588 2312 xxfxfxl.exe 102 PID 2312 wrote to memory of 2588 2312 xxfxfxl.exe 102 PID 2588 wrote to memory of 3512 2588 dvpdv.exe 103 PID 2588 wrote to memory of 3512 2588 dvpdv.exe 103 PID 2588 wrote to memory of 3512 2588 dvpdv.exe 103 PID 3512 wrote to memory of 1428 3512 rlfxllf.exe 104 PID 3512 wrote to memory of 1428 3512 rlfxllf.exe 104 PID 3512 wrote to memory of 1428 3512 rlfxllf.exe 104 PID 1428 wrote to memory of 1524 1428 nhbnbt.exe 106 PID 1428 wrote to memory of 1524 1428 nhbnbt.exe 106 PID 1428 wrote to memory of 1524 1428 nhbnbt.exe 106 PID 1524 wrote to memory of 4968 1524 vvdvd.exe 107 PID 1524 wrote to memory of 4968 1524 vvdvd.exe 107 PID 1524 wrote to memory of 4968 1524 vvdvd.exe 107 PID 4968 wrote to memory of 2328 4968 fflflfx.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\vjppp.exec:\vjppp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656 -
\??\c:\nnhbbb.exec:\nnhbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\dpdpv.exec:\dpdpv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\lrxlxlr.exec:\lrxlxlr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\7btntb.exec:\7btntb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\pdddv.exec:\pdddv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\vdpvp.exec:\vdpvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852 -
\??\c:\frxrrrl.exec:\frxrrrl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948 -
\??\c:\dpdpv.exec:\dpdpv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
\??\c:\hnnhbb.exec:\hnnhbb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\jvpdp.exec:\jvpdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\tbhbtt.exec:\tbhbtt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3004 -
\??\c:\fllflfx.exec:\fllflfx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:676 -
\??\c:\hhhbht.exec:\hhhbht.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\xxfxfxl.exec:\xxfxfxl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
\??\c:\dvpdv.exec:\dvpdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2588 -
\??\c:\rlfxllf.exec:\rlfxllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3512 -
\??\c:\nhbnbt.exec:\nhbnbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
\??\c:\vvdvd.exec:\vvdvd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
\??\c:\fflflfx.exec:\fflflfx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\vdpjd.exec:\vdpjd.exe23⤵
- Executes dropped EXE
PID:2328 -
\??\c:\lxxrllf.exec:\lxxrllf.exe24⤵
- Executes dropped EXE
PID:1168 -
\??\c:\bnnhtn.exec:\bnnhtn.exe25⤵
- Executes dropped EXE
PID:2336 -
\??\c:\3pjjv.exec:\3pjjv.exe26⤵
- Executes dropped EXE
PID:1128 -
\??\c:\bttnbh.exec:\bttnbh.exe27⤵
- Executes dropped EXE
PID:400 -
\??\c:\pjjdp.exec:\pjjdp.exe28⤵
- Executes dropped EXE
PID:3744 -
\??\c:\7rfxxxx.exec:\7rfxxxx.exe29⤵
- Executes dropped EXE
PID:1784 -
\??\c:\ntbthh.exec:\ntbthh.exe30⤵
- Executes dropped EXE
PID:1772 -
\??\c:\9pdpp.exec:\9pdpp.exe31⤵
- Executes dropped EXE
PID:2160 -
\??\c:\xrxllfx.exec:\xrxllfx.exe32⤵
- Executes dropped EXE
PID:2500 -
\??\c:\bhbhnb.exec:\bhbhnb.exe33⤵
- Executes dropped EXE
PID:4344 -
\??\c:\xlrxrll.exec:\xlrxrll.exe34⤵
- Executes dropped EXE
PID:2728 -
\??\c:\tbtntt.exec:\tbtntt.exe35⤵
- Executes dropped EXE
PID:1104 -
\??\c:\nbnbbt.exec:\nbnbbt.exe36⤵
- Executes dropped EXE
PID:1848 -
\??\c:\9jppj.exec:\9jppj.exe37⤵
- Executes dropped EXE
PID:3864 -
\??\c:\xlrffxx.exec:\xlrffxx.exe38⤵
- Executes dropped EXE
PID:4692 -
\??\c:\lxlfxrr.exec:\lxlfxrr.exe39⤵
- Executes dropped EXE
PID:3020 -
\??\c:\thnbnh.exec:\thnbnh.exe40⤵
- Executes dropped EXE
PID:4228 -
\??\c:\9vvdv.exec:\9vvdv.exe41⤵
- Executes dropped EXE
PID:2264 -
\??\c:\rflfxxr.exec:\rflfxxr.exe42⤵
- Executes dropped EXE
PID:972 -
\??\c:\btnhbt.exec:\btnhbt.exe43⤵
- Executes dropped EXE
PID:1712 -
\??\c:\tnnhtt.exec:\tnnhtt.exe44⤵
- Executes dropped EXE
PID:1852 -
\??\c:\jdddv.exec:\jdddv.exe45⤵
- Executes dropped EXE
PID:2476 -
\??\c:\rfllfll.exec:\rfllfll.exe46⤵
- Executes dropped EXE
PID:2276 -
\??\c:\flxfxfr.exec:\flxfxfr.exe47⤵
- Executes dropped EXE
PID:1980 -
\??\c:\bhttth.exec:\bhttth.exe48⤵
- Executes dropped EXE
PID:2744 -
\??\c:\llrlfll.exec:\llrlfll.exe49⤵
- Executes dropped EXE
PID:2380 -
\??\c:\xlfrffr.exec:\xlfrffr.exe50⤵
- Executes dropped EXE
PID:4120 -
\??\c:\htnbhh.exec:\htnbhh.exe51⤵
- Executes dropped EXE
PID:2648 -
\??\c:\xfffffr.exec:\xfffffr.exe52⤵
- Executes dropped EXE
PID:2880 -
\??\c:\rfxlrlr.exec:\rfxlrlr.exe53⤵
- Executes dropped EXE
PID:2260 -
\??\c:\tbnbtn.exec:\tbnbtn.exe54⤵
- Executes dropped EXE
PID:2960 -
\??\c:\dddvp.exec:\dddvp.exe55⤵
- Executes dropped EXE
PID:944 -
\??\c:\rxxrfxr.exec:\rxxrfxr.exe56⤵
- Executes dropped EXE
PID:840 -
\??\c:\hbtnht.exec:\hbtnht.exe57⤵
- Executes dropped EXE
PID:3192 -
\??\c:\7vpdp.exec:\7vpdp.exe58⤵
- Executes dropped EXE
PID:3144 -
\??\c:\hbbnbh.exec:\hbbnbh.exe59⤵
- Executes dropped EXE
PID:3512 -
\??\c:\pjjpv.exec:\pjjpv.exe60⤵
- Executes dropped EXE
PID:1108 -
\??\c:\xffflxf.exec:\xffflxf.exe61⤵
- Executes dropped EXE
PID:4460 -
\??\c:\hnnhtn.exec:\hnnhtn.exe62⤵
- Executes dropped EXE
PID:4984 -
\??\c:\vppdp.exec:\vppdp.exe63⤵
- Executes dropped EXE
PID:784 -
\??\c:\xllfrlf.exec:\xllfrlf.exe64⤵
- Executes dropped EXE
PID:1780 -
\??\c:\lfrllff.exec:\lfrllff.exe65⤵
- Executes dropped EXE
PID:744 -
\??\c:\nhhbth.exec:\nhhbth.exe66⤵PID:4968
-
\??\c:\3djjd.exec:\3djjd.exe67⤵PID:836
-
\??\c:\9djvv.exec:\9djvv.exe68⤵PID:1600
-
\??\c:\xxfxrxr.exec:\xxfxrxr.exe69⤵PID:3272
-
\??\c:\bbbbbt.exec:\bbbbbt.exe70⤵PID:1484
-
\??\c:\5jpjd.exec:\5jpjd.exe71⤵PID:2204
-
\??\c:\llrxlfx.exec:\llrxlfx.exe72⤵PID:3460
-
\??\c:\7nhbtn.exec:\7nhbtn.exe73⤵PID:3640
-
\??\c:\3vvjp.exec:\3vvjp.exe74⤵PID:2012
-
\??\c:\hhnhbh.exec:\hhnhbh.exe75⤵PID:2196
-
\??\c:\vdjpj.exec:\vdjpj.exe76⤵PID:4916
-
\??\c:\xrxlllf.exec:\xrxlllf.exe77⤵PID:4080
-
\??\c:\jdjdv.exec:\jdjdv.exe78⤵PID:2160
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe79⤵PID:4288
-
\??\c:\thtbbb.exec:\thtbbb.exe80⤵PID:4312
-
\??\c:\ppjpp.exec:\ppjpp.exe81⤵
- System Location Discovery: System Language Discovery
PID:4728 -
\??\c:\xxxrrrl.exec:\xxxrrrl.exe82⤵PID:2792
-
\??\c:\bbhttn.exec:\bbhttn.exe83⤵PID:1104
-
\??\c:\jjvpj.exec:\jjvpj.exe84⤵PID:1848
-
\??\c:\fxllxfx.exec:\fxllxfx.exe85⤵PID:3864
-
\??\c:\lflllxx.exec:\lflllxx.exe86⤵PID:2220
-
\??\c:\nbbttt.exec:\nbbttt.exe87⤵PID:3528
-
\??\c:\jdvpj.exec:\jdvpj.exe88⤵PID:4628
-
\??\c:\lffxxxx.exec:\lffxxxx.exe89⤵PID:532
-
\??\c:\rrxffxx.exec:\rrxffxx.exe90⤵PID:3928
-
\??\c:\5hbttt.exec:\5hbttt.exe91⤵PID:2036
-
\??\c:\jdddv.exec:\jdddv.exe92⤵PID:1156
-
\??\c:\djddv.exec:\djddv.exe93⤵PID:1312
-
\??\c:\lrrrlll.exec:\lrrrlll.exe94⤵PID:5060
-
\??\c:\tbhbtb.exec:\tbhbtb.exe95⤵PID:2276
-
\??\c:\ppppj.exec:\ppppj.exe96⤵PID:1980
-
\??\c:\xxffxfr.exec:\xxffxfr.exe97⤵PID:848
-
\??\c:\xlxllfx.exec:\xlxllfx.exe98⤵PID:1296
-
\??\c:\bttnhb.exec:\bttnhb.exe99⤵PID:612
-
\??\c:\vvddv.exec:\vvddv.exe100⤵PID:2648
-
\??\c:\vjjjd.exec:\vjjjd.exe101⤵PID:4672
-
\??\c:\lxlrrrr.exec:\lxlrrrr.exe102⤵PID:3376
-
\??\c:\hhbbtt.exec:\hhbbtt.exe103⤵PID:2700
-
\??\c:\1tnnhn.exec:\1tnnhn.exe104⤵PID:3756
-
\??\c:\1jjdp.exec:\1jjdp.exe105⤵PID:4064
-
\??\c:\rlffxff.exec:\rlffxff.exe106⤵PID:4316
-
\??\c:\hnhnhh.exec:\hnhnhh.exe107⤵PID:2384
-
\??\c:\vpppj.exec:\vpppj.exe108⤵PID:4428
-
\??\c:\xlxxllf.exec:\xlxxllf.exe109⤵PID:1108
-
\??\c:\xrllllf.exec:\xrllllf.exe110⤵PID:4032
-
\??\c:\nbhbtt.exec:\nbhbtt.exe111⤵PID:2864
-
\??\c:\vvvvv.exec:\vvvvv.exe112⤵PID:2040
-
\??\c:\llxrxxx.exec:\llxrxxx.exe113⤵PID:4060
-
\??\c:\3bhbtt.exec:\3bhbtt.exe114⤵PID:1900
-
\??\c:\djvvv.exec:\djvvv.exe115⤵PID:4968
-
\??\c:\lxxlrfx.exec:\lxxlrfx.exe116⤵PID:836
-
\??\c:\xrlllll.exec:\xrlllll.exe117⤵PID:4716
-
\??\c:\nthhnh.exec:\nthhnh.exe118⤵PID:3540
-
\??\c:\ddjjj.exec:\ddjjj.exe119⤵PID:3488
-
\??\c:\rlxrxlf.exec:\rlxrxlf.exe120⤵PID:1256
-
\??\c:\lfrxrfl.exec:\lfrxrfl.exe121⤵PID:2756
-
\??\c:\ntbhhb.exec:\ntbhhb.exe122⤵PID:3640