Analysis
-
max time kernel
150s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17/10/2024, 16:52
Behavioral task
behavioral1
Sample
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
Resource
win7-20241010-en
6 signatures
150 seconds
General
-
Target
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe
-
Size
445KB
-
MD5
fba138788d8671443ac9b7899da1c6d0
-
SHA1
e774d7e5364759a563b819ab7d3f4dc06f3f0451
-
SHA256
f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775de
-
SHA512
f74774acfee06e09bdac9e3a13fdaf8d69c9c1df7be17743ac5447cd3e7836d0739bf9d72b8279368808df3bfd2cb31c97c1f1f76173e29d8d6f2ed7bef81bca
-
SSDEEP
12288:w4wFHoS9KxbNnidEhjEJd1kNpeUgI95yRoZHVaoJMOxFXnRV4PiGO0hUmH5CJ:kKxbNndhjEJd1kNpeUgI95yRoZHgoJMi
Malware Config
Signatures
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1516-6-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4768-14-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4620-13-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/436-19-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3128-24-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2660-35-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2456-41-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1312-53-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3296-59-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3480-65-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2572-70-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3912-77-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3956-85-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4184-84-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4368-95-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1120-104-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3204-110-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/628-102-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1604-123-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3724-137-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1176-116-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/4820-153-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4024-162-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/388-168-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3756-173-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4344-184-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2416-190-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2720-194-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3020-201-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5060-205-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5024-209-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2080-214-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/448-220-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/64-224-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4540-228-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3480-231-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3640-240-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2788-243-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1440-253-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1196-257-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/5028-267-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1408-271-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon 
behavioral2/memory/3204-275-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4160-288-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3724-295-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4156-338-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4564-342-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4384-370-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/3928-400-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1880-433-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1868-440-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/868-471-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1492-481-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4080-488-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2408-522-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2844-538-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/2728-581-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/736-606-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4364-631-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/4680-656-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/512-718-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1420-926-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon behavioral2/memory/1444-1498-0x0000000000400000-0x0000000000434000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4620 xrfflll.exe 4768 nntbbt.exe 436 pddpj.exe 3128 vvppj.exe 2660 tnhbtt.exe 2456 lrxrlll.exe 3472 pdpjd.exe 1312 lxfxrrl.exe 3296 nhnnnh.exe 3480 flxflfr.exe 2572 hbhnnn.exe 3912 jvjdd.exe 4184 bttbbh.exe 3956 rrrrxfr.exe 4368 bhnttb.exe 628 3thbbb.exe 1120 rxlfxxr.exe 3204 7hhbtt.exe 1176 ppppj.exe 1604 hbttnn.exe 1880 pjvvp.exe 3724 xrlflrl.exe 640 tnbtnn.exe 352 llxrrll.exe 4820 nnnhhh.exe 2780 dvdvj.exe 4024 htbbbb.exe 388 rxllfll.exe 3756 ntbtth.exe 2424 xlxxxff.exe 4344 pjpjj.exe 2416 rlrllll.exe 2720 ffxrffl.exe 4192 nnhbhh.exe 3020 jdjjp.exe 5060 hbbbtt.exe 5024 jdppj.exe 2324 nhbtnn.exe 2080 xrllllf.exe 448 1fxxrlf.exe 64 bnbtbn.exe 4540 jvjdd.exe 3480 1rxflll.exe 4004 lrxxrrl.exe 3704 tntttt.exe 3640 vvvpp.exe 2788 pjddv.exe 3152 rlfxxxr.exe 440 ttbnnt.exe 1440 7vvpj.exe 1196 dvddv.exe 696 rlxrxrr.exe 3200 hhbbtb.exe 5028 jdvpd.exe 1408 lxfxffx.exe 3204 tnnnnn.exe 1176 jdjdv.exe 4316 jpdvj.exe 1804 rfrrlrr.exe 4160 5ttnnn.exe 4708 dvvpp.exe 3724 rfrrxxx.exe 856 9ttbbb.exe 4188 dpvvp.exe -
resource yara_rule behavioral2/memory/1516-0-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000c000000023b33-3.dat upx behavioral2/memory/1516-6-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000b000000023b8e-9.dat upx behavioral2/memory/4768-14-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4620-13-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b92-17.dat upx behavioral2/memory/436-19-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b93-22.dat upx behavioral2/memory/3128-24-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b94-29.dat upx behavioral2/files/0x000a000000023b96-33.dat upx behavioral2/memory/2660-35-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b97-39.dat upx behavioral2/memory/2456-41-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b98-45.dat upx behavioral2/files/0x000a000000023b99-50.dat upx behavioral2/memory/1312-53-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b9a-56.dat upx behavioral2/memory/3296-59-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b9b-63.dat upx behavioral2/memory/2572-66-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3480-65-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b9c-72.dat upx behavioral2/memory/2572-70-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3912-77-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023b9d-78.dat upx behavioral2/files/0x000b000000023b8f-81.dat upx behavioral2/memory/3956-85-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/4184-84-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral2/files/0x000a000000023b9e-88.dat upx behavioral2/files/0x000a000000023b9f-93.dat upx behavioral2/memory/4368-95-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023ba1-99.dat upx behavioral2/memory/1120-104-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023ba2-107.dat upx behavioral2/memory/3204-110-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/628-102-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x0031000000023ba4-119.dat upx behavioral2/memory/1604-123-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023ba5-126.dat upx behavioral2/files/0x0058000000023ba6-129.dat upx behavioral2/files/0x000a000000023ba7-135.dat upx behavioral2/memory/3724-137-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/1176-116-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023ba3-112.dat upx behavioral2/files/0x000a000000023ba8-140.dat upx behavioral2/files/0x000a000000023ba9-146.dat upx behavioral2/files/0x000a000000023baa-150.dat upx behavioral2/memory/4820-153-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023bab-156.dat upx behavioral2/files/0x000a000000023bac-161.dat upx behavioral2/memory/4024-162-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023bad-166.dat upx behavioral2/memory/388-168-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3756-173-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023bae-174.dat upx behavioral2/files/0x000a000000023baf-179.dat upx behavioral2/memory/4344-184-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/files/0x000a000000023bb0-186.dat upx behavioral2/memory/2416-187-0x0000000000400000-0x0000000000434000-memory.dmp upx 
behavioral2/memory/2416-190-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/2720-194-0x0000000000400000-0x0000000000434000-memory.dmp upx behavioral2/memory/3020-201-0x0000000000400000-0x0000000000434000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tttbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1516 wrote to memory of 4620 1516 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 84 PID 1516 wrote to memory of 4620 1516 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 84 PID 1516 wrote to memory of 4620 1516 f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe 84 PID 4620 wrote to memory of 4768 4620 xrfflll.exe 85 PID 4620 wrote to memory of 4768 4620 xrfflll.exe 85 PID 4620 wrote to memory of 4768 4620 xrfflll.exe 85 PID 4768 wrote to memory of 436 4768 nntbbt.exe 86 PID 4768 wrote to memory of 436 4768 nntbbt.exe 86 PID 4768 wrote to memory of 436 4768 nntbbt.exe 86 PID 436 wrote to memory of 3128 436 pddpj.exe 87 PID 436 wrote to memory of 3128 436 pddpj.exe 87 PID 436 wrote to memory of 3128 436 pddpj.exe 87 PID 3128 wrote to memory of 2660 3128 vvppj.exe 88 PID 3128 wrote to memory of 2660 3128 vvppj.exe 88 PID 3128 wrote to memory of 2660 3128 vvppj.exe 88 PID 2660 wrote to memory of 2456 2660 tnhbtt.exe 89 PID 2660 wrote to memory of 2456 2660 tnhbtt.exe 89 PID 2660 wrote to memory of 2456 2660 tnhbtt.exe 89 PID 2456 wrote to memory of 3472 2456 lrxrlll.exe 90 PID 2456 wrote to memory of 3472 2456 lrxrlll.exe 90 PID 2456 wrote to memory of 3472 2456 lrxrlll.exe 90 PID 3472 wrote to memory of 1312 3472 pdpjd.exe 91 PID 3472 wrote to memory of 1312 3472 pdpjd.exe 91 PID 3472 wrote to memory of 1312 3472 pdpjd.exe 91 PID 1312 wrote to memory of 3296 1312 lxfxrrl.exe 92 PID 1312 wrote to memory of 3296 1312 lxfxrrl.exe 92 PID 1312 wrote to memory of 3296 1312 lxfxrrl.exe 92 PID 3296 wrote to memory of 3480 3296 nhnnnh.exe 93 PID 3296 wrote to memory of 3480 3296 nhnnnh.exe 93 PID 3296 wrote to memory of 3480 3296 nhnnnh.exe 93 PID 3480 wrote to memory of 2572 3480 flxflfr.exe 94 PID 3480 wrote to memory of 2572 3480 flxflfr.exe 94 PID 3480 wrote to memory of 2572 3480 flxflfr.exe 94 PID 2572 wrote to memory of 3912 2572 hbhnnn.exe 95 PID 2572 wrote to 
memory of 3912 2572 hbhnnn.exe 95 PID 2572 wrote to memory of 3912 2572 hbhnnn.exe 95 PID 3912 wrote to memory of 4184 3912 jvjdd.exe 96 PID 3912 wrote to memory of 4184 3912 jvjdd.exe 96 PID 3912 wrote to memory of 4184 3912 jvjdd.exe 96 PID 4184 wrote to memory of 3956 4184 bttbbh.exe 97 PID 4184 wrote to memory of 3956 4184 bttbbh.exe 97 PID 4184 wrote to memory of 3956 4184 bttbbh.exe 97 PID 3956 wrote to memory of 4368 3956 rrrrxfr.exe 99 PID 3956 wrote to memory of 4368 3956 rrrrxfr.exe 99 PID 3956 wrote to memory of 4368 3956 rrrrxfr.exe 99 PID 4368 wrote to memory of 628 4368 bhnttb.exe 100 PID 4368 wrote to memory of 628 4368 bhnttb.exe 100 PID 4368 wrote to memory of 628 4368 bhnttb.exe 100 PID 628 wrote to memory of 1120 628 3thbbb.exe 101 PID 628 wrote to memory of 1120 628 3thbbb.exe 101 PID 628 wrote to memory of 1120 628 3thbbb.exe 101 PID 1120 wrote to memory of 3204 1120 rxlfxxr.exe 102 PID 1120 wrote to memory of 3204 1120 rxlfxxr.exe 102 PID 1120 wrote to memory of 3204 1120 rxlfxxr.exe 102 PID 3204 wrote to memory of 1176 3204 7hhbtt.exe 103 PID 3204 wrote to memory of 1176 3204 7hhbtt.exe 103 PID 3204 wrote to memory of 1176 3204 7hhbtt.exe 103 PID 1176 wrote to memory of 1604 1176 ppppj.exe 104 PID 1176 wrote to memory of 1604 1176 ppppj.exe 104 PID 1176 wrote to memory of 1604 1176 ppppj.exe 104 PID 1604 wrote to memory of 1880 1604 hbttnn.exe 105 PID 1604 wrote to memory of 1880 1604 hbttnn.exe 105 PID 1604 wrote to memory of 1880 1604 hbttnn.exe 105 PID 1880 wrote to memory of 3724 1880 pjvvp.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"C:\Users\Admin\AppData\Local\Temp\f9df999443c64ed9d148c8f3cb21403a375373f0bbc8e9162f9213031d1775deN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
\??\c:\xrfflll.exec:\xrfflll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
\??\c:\nntbbt.exec:\nntbbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4768 -
\??\c:\pddpj.exec:\pddpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\vvppj.exec:\vvppj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
\??\c:\tnhbtt.exec:\tnhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\lrxrlll.exec:\lrxrlll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\pdpjd.exec:\pdpjd.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3472 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\nhnnnh.exec:\nhnnnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
\??\c:\flxflfr.exec:\flxflfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
\??\c:\hbhnnn.exec:\hbhnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\jvjdd.exec:\jvjdd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912 -
\??\c:\bttbbh.exec:\bttbbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4184 -
\??\c:\rrrrxfr.exec:\rrrrxfr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
\??\c:\bhnttb.exec:\bhnttb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
\??\c:\3thbbb.exec:\3thbbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
\??\c:\rxlfxxr.exec:\rxlfxxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120 -
\??\c:\7hhbtt.exec:\7hhbtt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\ppppj.exec:\ppppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
\??\c:\hbttnn.exec:\hbttnn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
\??\c:\pjvvp.exec:\pjvvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1880 -
\??\c:\xrlflrl.exec:\xrlflrl.exe23⤵
- Executes dropped EXE
PID:3724 -
\??\c:\tnbtnn.exec:\tnbtnn.exe24⤵
- Executes dropped EXE
PID:640 -
\??\c:\llxrrll.exec:\llxrrll.exe25⤵
- Executes dropped EXE
PID:352 -
\??\c:\nnnhhh.exec:\nnnhhh.exe26⤵
- Executes dropped EXE
PID:4820 -
\??\c:\dvdvj.exec:\dvdvj.exe27⤵
- Executes dropped EXE
PID:2780 -
\??\c:\htbbbb.exec:\htbbbb.exe28⤵
- Executes dropped EXE
PID:4024 -
\??\c:\rxllfll.exec:\rxllfll.exe29⤵
- Executes dropped EXE
PID:388 -
\??\c:\ntbtth.exec:\ntbtth.exe30⤵
- Executes dropped EXE
PID:3756 -
\??\c:\xlxxxff.exec:\xlxxxff.exe31⤵
- Executes dropped EXE
PID:2424 -
\??\c:\pjpjj.exec:\pjpjj.exe32⤵
- Executes dropped EXE
PID:4344 -
\??\c:\rlrllll.exec:\rlrllll.exe33⤵
- Executes dropped EXE
PID:2416 -
\??\c:\ffxrffl.exec:\ffxrffl.exe34⤵
- Executes dropped EXE
PID:2720 -
\??\c:\nnhbhh.exec:\nnhbhh.exe35⤵
- Executes dropped EXE
PID:4192 -
\??\c:\jdjjp.exec:\jdjjp.exe36⤵
- Executes dropped EXE
PID:3020 -
\??\c:\hbbbtt.exec:\hbbbtt.exe37⤵
- Executes dropped EXE
PID:5060 -
\??\c:\jdppj.exec:\jdppj.exe38⤵
- Executes dropped EXE
PID:5024 -
\??\c:\nhbtnn.exec:\nhbtnn.exe39⤵
- Executes dropped EXE
PID:2324 -
\??\c:\xrllllf.exec:\xrllllf.exe40⤵
- Executes dropped EXE
PID:2080 -
\??\c:\1fxxrlf.exec:\1fxxrlf.exe41⤵
- Executes dropped EXE
PID:448 -
\??\c:\bnbtbn.exec:\bnbtbn.exe42⤵
- Executes dropped EXE
PID:64 -
\??\c:\jvjdd.exec:\jvjdd.exe43⤵
- Executes dropped EXE
PID:4540 -
\??\c:\1rxflll.exec:\1rxflll.exe44⤵
- Executes dropped EXE
PID:3480 -
\??\c:\lrxxrrl.exec:\lrxxrrl.exe45⤵
- Executes dropped EXE
PID:4004 -
\??\c:\tntttt.exec:\tntttt.exe46⤵
- Executes dropped EXE
PID:3704 -
\??\c:\vvvpp.exec:\vvvpp.exe47⤵
- Executes dropped EXE
PID:3640 -
\??\c:\pjddv.exec:\pjddv.exe48⤵
- Executes dropped EXE
PID:2788 -
\??\c:\rlfxxxr.exec:\rlfxxxr.exe49⤵
- Executes dropped EXE
PID:3152 -
\??\c:\ttbnnt.exec:\ttbnnt.exe50⤵
- Executes dropped EXE
PID:440 -
\??\c:\7vvpj.exec:\7vvpj.exe51⤵
- Executes dropped EXE
PID:1440 -
\??\c:\dvddv.exec:\dvddv.exe52⤵
- Executes dropped EXE
PID:1196 -
\??\c:\rlxrxrr.exec:\rlxrxrr.exe53⤵
- Executes dropped EXE
PID:696 -
\??\c:\hhbbtb.exec:\hhbbtb.exe54⤵
- Executes dropped EXE
PID:3200 -
\??\c:\jdvpd.exec:\jdvpd.exe55⤵
- Executes dropped EXE
PID:5028 -
\??\c:\lxfxffx.exec:\lxfxffx.exe56⤵
- Executes dropped EXE
PID:1408 -
\??\c:\tnnnnn.exec:\tnnnnn.exe57⤵
- Executes dropped EXE
PID:3204 -
\??\c:\jdjdv.exec:\jdjdv.exe58⤵
- Executes dropped EXE
PID:1176 -
\??\c:\jpdvj.exec:\jpdvj.exe59⤵
- Executes dropped EXE
PID:4316 -
\??\c:\rfrrlrr.exec:\rfrrlrr.exe60⤵
- Executes dropped EXE
PID:1804 -
\??\c:\5ttnnn.exec:\5ttnnn.exe61⤵
- Executes dropped EXE
PID:4160 -
\??\c:\dvvpp.exec:\dvvpp.exe62⤵
- Executes dropped EXE
PID:4708 -
\??\c:\rfrrxxx.exec:\rfrrxxx.exe63⤵
- Executes dropped EXE
PID:3724 -
\??\c:\9ttbbb.exec:\9ttbbb.exe64⤵
- Executes dropped EXE
PID:856 -
\??\c:\dpvvp.exec:\dpvvp.exe65⤵
- Executes dropped EXE
PID:4188 -
\??\c:\pdvvp.exec:\pdvvp.exe66⤵PID:4860
-
\??\c:\btbbbb.exec:\btbbbb.exe67⤵PID:3220
-
\??\c:\jddvd.exec:\jddvd.exe68⤵PID:2388
-
\??\c:\frfffff.exec:\frfffff.exe69⤵PID:2316
-
\??\c:\bbhbtt.exec:\bbhbtt.exe70⤵PID:4600
-
\??\c:\7nbttb.exec:\7nbttb.exe71⤵PID:868
-
\??\c:\pdppj.exec:\pdppj.exe72⤵PID:2780
-
\??\c:\rlffllx.exec:\rlffllx.exe73⤵PID:4024
-
\??\c:\hbtntt.exec:\hbtntt.exe74⤵PID:5100
-
\??\c:\hnhhbh.exec:\hnhhbh.exe75⤵PID:2204
-
\??\c:\jdjjj.exec:\jdjjj.exe76⤵PID:1780
-
\??\c:\7llfxxf.exec:\7llfxxf.exe77⤵PID:4156
-
\??\c:\tnnnnn.exec:\tnnnnn.exe78⤵
- System Location Discovery: System Language Discovery
PID:4564 -
\??\c:\7hbtnh.exec:\7hbtnh.exe79⤵PID:1040
-
\??\c:\jvppj.exec:\jvppj.exe80⤵PID:4844
-
\??\c:\xrfxllr.exec:\xrfxllr.exe81⤵PID:2444
-
\??\c:\hbntnb.exec:\hbntnb.exe82⤵PID:3124
-
\??\c:\pjddd.exec:\pjddd.exe83⤵PID:2720
-
\??\c:\flrlfff.exec:\flrlfff.exe84⤵PID:1472
-
\??\c:\nnbbnb.exec:\nnbbnb.exe85⤵PID:3024
-
\??\c:\jvdpj.exec:\jvdpj.exe86⤵PID:4660
-
\??\c:\vpjdd.exec:\vpjdd.exe87⤵PID:4384
-
\??\c:\rrxrlfx.exec:\rrxrlfx.exe88⤵PID:4664
-
\??\c:\tnttnn.exec:\tnttnn.exe89⤵PID:2916
-
\??\c:\3bbtnn.exec:\3bbtnn.exe90⤵PID:4440
-
\??\c:\pvvpp.exec:\pvvpp.exe91⤵PID:1548
-
\??\c:\5fllfxx.exec:\5fllfxx.exe92⤵PID:1896
-
\??\c:\hbbtnn.exec:\hbbtnn.exe93⤵PID:2864
-
\??\c:\nhnnbb.exec:\nhnnbb.exe94⤵PID:2680
-
\??\c:\vvdpj.exec:\vvdpj.exe95⤵PID:2024
-
\??\c:\rrfrrll.exec:\rrfrrll.exe96⤵PID:4004
-
\??\c:\lxxrllf.exec:\lxxrllf.exe97⤵PID:3312
-
\??\c:\ttttnn.exec:\ttttnn.exe98⤵PID:3928
-
\??\c:\9djdv.exec:\9djdv.exe99⤵PID:3992
-
\??\c:\fxfxxlf.exec:\fxfxxlf.exe100⤵PID:3028
-
\??\c:\thnhbb.exec:\thnhbb.exe101⤵PID:4552
-
\??\c:\jdvjv.exec:\jdvjv.exe102⤵PID:5028
-
\??\c:\dvdvv.exec:\dvdvv.exe103⤵PID:2096
-
\??\c:\xxlxxfl.exec:\xxlxxfl.exe104⤵PID:3716
-
\??\c:\bttntn.exec:\bttntn.exe105⤵PID:3340
-
\??\c:\dpvpj.exec:\dpvpj.exe106⤵PID:2480
-
\??\c:\rxfffxx.exec:\rxfffxx.exe107⤵PID:1880
-
\??\c:\xrrrlrr.exec:\xrrrlrr.exe108⤵PID:1972
-
\??\c:\btbtnt.exec:\btbtnt.exe109⤵PID:1868
-
\??\c:\vjppv.exec:\vjppv.exe110⤵PID:3620
-
\??\c:\fxllffx.exec:\fxllffx.exe111⤵PID:1400
-
\??\c:\nnhbnn.exec:\nnhbnn.exe112⤵PID:4896
-
\??\c:\7vvjp.exec:\7vvjp.exe113⤵PID:5004
-
\??\c:\llllllf.exec:\llllllf.exe114⤵PID:4092
-
\??\c:\hthbhh.exec:\hthbhh.exe115⤵PID:4276
-
\??\c:\hnbbtb.exec:\hnbbtb.exe116⤵PID:2176
-
\??\c:\vjjjv.exec:\vjjjv.exe117⤵PID:2316
-
\??\c:\rxrrxff.exec:\rxrrxff.exe118⤵PID:4600
-
\??\c:\htbthh.exec:\htbthh.exe119⤵PID:868
-
\??\c:\djppv.exec:\djppv.exe120⤵PID:2780
-
\??\c:\rlxxffr.exec:\rlxxffr.exe121⤵PID:4200
-
\??\c:\bthbbt.exec:\bthbbt.exe122⤵PID:1492