Analysis
-
max time kernel
120s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
02/11/2024, 23:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe
-
Size
346KB
-
MD5
ccabd7100dc60875227597623cdc2fa0
-
SHA1
9eb9f45714a2d36d8afe80771c7a543c9c58d54b
-
SHA256
69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066
-
SHA512
f384f24db710ae947abfd1b4f472f87049ff5a5483d6c3add1f5991217257a7231b884148edbf9c5b30a33bcf97889862d95d98a3c5eca0d439a6002c2541f2e
-
SSDEEP
6144:Xcm7ImGddXgYW5fNZWB5hFfci3Add4kGYAa:l7TcbWXZshJX2VGda
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/4728-4-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1952-13-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4940-11-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3460-19-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/696-31-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4456-36-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/964-42-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4148-48-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/220-54-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/784-70-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4916-76-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1468-91-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3836-90-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3632-82-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4420-110-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2708-122-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/756-128-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/5036-147-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4356-138-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2996-157-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3620-159-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3000-187-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3248-192-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1776-182-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3448-171-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3300-203-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3608-202-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3336-208-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4512-212-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1660-216-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4728-223-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4428-226-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4616-241-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4980-257-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3940-261-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4208-283-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2692-287-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2268-291-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1600-316-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3944-320-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2116-331-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3496-335-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/5052-355-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2564-363-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2372-373-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3116-380-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3336-390-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/2380-421-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4980-431-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3940-435-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4388-466-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1688-473-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3856-486-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3488-493-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3336-535-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1828-599-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/3216-606-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4588-634-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4580-716-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1944-817-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/4800-944-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1380-1059-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon behavioral2/memory/1308-1484-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon 
behavioral2/memory/3248-1828-0x0000000000400000-0x0000000000428000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4940 nhnhbb.exe 1952 xxlxrrf.exe 3460 nnnbbb.exe 696 jdddd.exe 4456 ppvdv.exe 964 pdjjp.exe 4148 thtnhh.exe 220 pddjj.exe 4460 thtttb.exe 2892 frflxrl.exe 784 htbhnn.exe 4916 dddjj.exe 3632 bbtnbt.exe 3836 pjdvp.exe 1468 flrrlfl.exe 4388 rlrrlll.exe 4332 rxrrrrr.exe 4420 bbtttt.exe 2928 ffrxfff.exe 2708 7ppdd.exe 756 frxrrll.exe 4588 nnbbbb.exe 4356 vjjjv.exe 4720 xlxlxff.exe 5036 nthhhn.exe 2996 vvvpp.exe 3620 hhnhnn.exe 3972 ddddd.exe 3448 rlxflfr.exe 5080 htbtnn.exe 1776 nbtbnt.exe 3000 jjvdp.exe 1380 rllxrrf.exe 3248 pvjjv.exe 3608 ppvvv.exe 3300 llrrlll.exe 3336 thnbtt.exe 4512 jpvvd.exe 1660 7rrrfll.exe 1704 thnnnn.exe 4728 jddvd.exe 4428 fxxrffx.exe 620 fflfrrx.exe 4896 9nttnt.exe 1492 ppdjd.exe 4620 rxflxff.exe 4616 thnnnb.exe 1132 ntbbhh.exe 1620 pdvvd.exe 1504 3rfxxlf.exe 4148 tnbttb.exe 4980 jppjj.exe 3940 flxrlrl.exe 1524 hhnttt.exe 4460 jvjvd.exe 2944 rxrffff.exe 1532 1llllff.exe 1552 nnttbb.exe 4916 vdjjj.exe 4208 lrlllrr.exe 2692 rfrxfrl.exe 2268 vjjjj.exe 208 pdvvd.exe 3452 rlxfrxf.exe -
resource yara_rule behavioral2/memory/4728-4-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1952-13-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4940-11-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3460-19-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4456-29-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/696-31-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/696-23-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4456-36-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/964-42-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4148-48-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/220-54-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/784-70-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4916-76-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3836-84-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1468-91-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3836-90-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3632-82-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4420-110-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2708-122-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/756-128-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5036-147-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4356-138-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2996-157-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3620-159-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/3000-187-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3248-192-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3608-197-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1776-182-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3448-171-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3300-203-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3608-202-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3336-208-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4512-212-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1660-216-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4728-223-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4428-226-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4616-241-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4980-257-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3940-261-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4208-283-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2692-287-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2268-291-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1600-316-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3944-320-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2116-327-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2116-331-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3496-335-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/5052-355-0x0000000000400000-0x0000000000428000-memory.dmp upx 
behavioral2/memory/2564-359-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2564-363-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2372-373-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3116-380-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3336-390-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2380-421-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4980-431-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3940-435-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/4388-466-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1688-473-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3856-486-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3488-493-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/2848-509-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3336-535-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/1828-599-0x0000000000400000-0x0000000000428000-memory.dmp upx behavioral2/memory/3216-606-0x0000000000400000-0x0000000000428000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfrxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnntnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ffrrxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhnnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frfflrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrxxlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfxxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4728 wrote to memory of 4940 4728 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 84 PID 4728 wrote to memory of 4940 4728 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 84 PID 4728 wrote to memory of 4940 4728 69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe 84 PID 4940 wrote to memory of 1952 4940 nhnhbb.exe 85 PID 4940 wrote to memory of 1952 4940 nhnhbb.exe 85 PID 4940 wrote to memory of 1952 4940 nhnhbb.exe 85 PID 1952 wrote to memory of 3460 1952 xxlxrrf.exe 86 PID 1952 wrote to memory of 3460 1952 xxlxrrf.exe 86 PID 1952 wrote to memory of 3460 1952 xxlxrrf.exe 86 PID 3460 wrote to memory of 696 3460 nnnbbb.exe 87 PID 3460 wrote to memory of 696 3460 nnnbbb.exe 87 PID 3460 wrote to memory of 696 3460 nnnbbb.exe 87 PID 696 wrote to memory of 4456 696 jdddd.exe 88 PID 696 wrote to memory of 4456 696 jdddd.exe 88 PID 696 wrote to memory of 4456 696 jdddd.exe 88 PID 4456 wrote to memory of 964 4456 ppvdv.exe 89 PID 4456 wrote to memory of 964 4456 ppvdv.exe 89 PID 4456 wrote to memory of 964 4456 ppvdv.exe 89 PID 964 wrote to memory of 4148 964 pdjjp.exe 90 PID 964 wrote to memory of 4148 964 pdjjp.exe 90 PID 964 wrote to memory of 4148 964 pdjjp.exe 90 PID 4148 wrote to memory of 220 4148 thtnhh.exe 91 PID 4148 wrote to memory of 220 4148 thtnhh.exe 91 PID 4148 wrote to memory of 220 4148 thtnhh.exe 91 PID 220 wrote to memory of 4460 220 pddjj.exe 93 PID 220 wrote to memory of 4460 220 pddjj.exe 93 PID 220 wrote to memory of 4460 220 pddjj.exe 93 PID 4460 wrote to memory of 2892 4460 thtttb.exe 94 PID 4460 wrote to memory of 2892 4460 thtttb.exe 94 PID 4460 wrote to memory of 2892 4460 thtttb.exe 94 PID 2892 wrote to memory of 784 2892 frflxrl.exe 95 PID 2892 wrote to memory of 784 2892 frflxrl.exe 95 PID 2892 wrote to memory of 784 2892 frflxrl.exe 95 PID 784 wrote to memory of 4916 784 htbhnn.exe 96 PID 784 wrote to memory of 4916 784 htbhnn.exe 96 PID 
784 wrote to memory of 4916 784 htbhnn.exe 96 PID 4916 wrote to memory of 3632 4916 dddjj.exe 97 PID 4916 wrote to memory of 3632 4916 dddjj.exe 97 PID 4916 wrote to memory of 3632 4916 dddjj.exe 97 PID 3632 wrote to memory of 3836 3632 bbtnbt.exe 99 PID 3632 wrote to memory of 3836 3632 bbtnbt.exe 99 PID 3632 wrote to memory of 3836 3632 bbtnbt.exe 99 PID 3836 wrote to memory of 1468 3836 pjdvp.exe 100 PID 3836 wrote to memory of 1468 3836 pjdvp.exe 100 PID 3836 wrote to memory of 1468 3836 pjdvp.exe 100 PID 1468 wrote to memory of 4388 1468 flrrlfl.exe 102 PID 1468 wrote to memory of 4388 1468 flrrlfl.exe 102 PID 1468 wrote to memory of 4388 1468 flrrlfl.exe 102 PID 4388 wrote to memory of 4332 4388 rlrrlll.exe 103 PID 4388 wrote to memory of 4332 4388 rlrrlll.exe 103 PID 4388 wrote to memory of 4332 4388 rlrrlll.exe 103 PID 4332 wrote to memory of 4420 4332 rxrrrrr.exe 104 PID 4332 wrote to memory of 4420 4332 rxrrrrr.exe 104 PID 4332 wrote to memory of 4420 4332 rxrrrrr.exe 104 PID 4420 wrote to memory of 2928 4420 bbtttt.exe 105 PID 4420 wrote to memory of 2928 4420 bbtttt.exe 105 PID 4420 wrote to memory of 2928 4420 bbtttt.exe 105 PID 2928 wrote to memory of 2708 2928 ffrxfff.exe 106 PID 2928 wrote to memory of 2708 2928 ffrxfff.exe 106 PID 2928 wrote to memory of 2708 2928 ffrxfff.exe 106 PID 2708 wrote to memory of 756 2708 7ppdd.exe 107 PID 2708 wrote to memory of 756 2708 7ppdd.exe 107 PID 2708 wrote to memory of 756 2708 7ppdd.exe 107 PID 756 wrote to memory of 4588 756 frxrrll.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"C:\Users\Admin\AppData\Local\Temp\69b924916b98d3d0655e140e85c194a27230aad33711664c214a073c3e5ce066N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\nhnhbb.exec:\nhnhbb.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\xxlxrrf.exec:\xxlxrrf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
\??\c:\nnnbbb.exec:\nnnbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3460 -
\??\c:\jdddd.exec:\jdddd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696 -
\??\c:\ppvdv.exec:\ppvdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\pdjjp.exec:\pdjjp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
\??\c:\thtnhh.exec:\thtnhh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\pddjj.exec:\pddjj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220 -
\??\c:\thtttb.exec:\thtttb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\frflxrl.exec:\frflxrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
\??\c:\htbhnn.exec:\htbhnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:784 -
\??\c:\dddjj.exec:\dddjj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\bbtnbt.exec:\bbtnbt.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\pjdvp.exec:\pjdvp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\flrrlfl.exec:\flrrlfl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\rlrrlll.exec:\rlrrlll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\rxrrrrr.exec:\rxrrrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\bbtttt.exec:\bbtttt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420 -
\??\c:\ffrxfff.exec:\ffrxfff.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\7ppdd.exec:\7ppdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
\??\c:\frxrrll.exec:\frxrrll.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:756 -
\??\c:\nnbbbb.exec:\nnbbbb.exe23⤵
- Executes dropped EXE
PID:4588 -
\??\c:\vjjjv.exec:\vjjjv.exe24⤵
- Executes dropped EXE
PID:4356 -
\??\c:\xlxlxff.exec:\xlxlxff.exe25⤵
- Executes dropped EXE
PID:4720 -
\??\c:\nthhhn.exec:\nthhhn.exe26⤵
- Executes dropped EXE
PID:5036 -
\??\c:\vvvpp.exec:\vvvpp.exe27⤵
- Executes dropped EXE
PID:2996 -
\??\c:\hhnhnn.exec:\hhnhnn.exe28⤵
- Executes dropped EXE
PID:3620 -
\??\c:\ddddd.exec:\ddddd.exe29⤵
- Executes dropped EXE
PID:3972 -
\??\c:\rlxflfr.exec:\rlxflfr.exe30⤵
- Executes dropped EXE
PID:3448 -
\??\c:\htbtnn.exec:\htbtnn.exe31⤵
- Executes dropped EXE
PID:5080 -
\??\c:\nbtbnt.exec:\nbtbnt.exe32⤵
- Executes dropped EXE
PID:1776 -
\??\c:\jjvdp.exec:\jjvdp.exe33⤵
- Executes dropped EXE
PID:3000 -
\??\c:\rllxrrf.exec:\rllxrrf.exe34⤵
- Executes dropped EXE
PID:1380 -
\??\c:\pvjjv.exec:\pvjjv.exe35⤵
- Executes dropped EXE
PID:3248 -
\??\c:\ppvvv.exec:\ppvvv.exe36⤵
- Executes dropped EXE
PID:3608 -
\??\c:\llrrlll.exec:\llrrlll.exe37⤵
- Executes dropped EXE
PID:3300 -
\??\c:\thnbtt.exec:\thnbtt.exe38⤵
- Executes dropped EXE
PID:3336 -
\??\c:\jpvvd.exec:\jpvvd.exe39⤵
- Executes dropped EXE
PID:4512 -
\??\c:\7rrrfll.exec:\7rrrfll.exe40⤵
- Executes dropped EXE
PID:1660 -
\??\c:\thnnnn.exec:\thnnnn.exe41⤵
- Executes dropped EXE
PID:1704 -
\??\c:\jddvd.exec:\jddvd.exe42⤵
- Executes dropped EXE
PID:4728 -
\??\c:\fxxrffx.exec:\fxxrffx.exe43⤵
- Executes dropped EXE
PID:4428 -
\??\c:\fflfrrx.exec:\fflfrrx.exe44⤵
- Executes dropped EXE
PID:620 -
\??\c:\9nttnt.exec:\9nttnt.exe45⤵
- Executes dropped EXE
PID:4896 -
\??\c:\ppdjd.exec:\ppdjd.exe46⤵
- Executes dropped EXE
PID:1492 -
\??\c:\rxflxff.exec:\rxflxff.exe47⤵
- Executes dropped EXE
PID:4620 -
\??\c:\thnnnb.exec:\thnnnb.exe48⤵
- Executes dropped EXE
PID:4616 -
\??\c:\ntbbhh.exec:\ntbbhh.exe49⤵
- Executes dropped EXE
PID:1132 -
\??\c:\pdvvd.exec:\pdvvd.exe50⤵
- Executes dropped EXE
PID:1620 -
\??\c:\3rfxxlf.exec:\3rfxxlf.exe51⤵
- Executes dropped EXE
PID:1504 -
\??\c:\tnbttb.exec:\tnbttb.exe52⤵
- Executes dropped EXE
PID:4148 -
\??\c:\jppjj.exec:\jppjj.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4980 -
\??\c:\flxrlrl.exec:\flxrlrl.exe54⤵
- Executes dropped EXE
PID:3940 -
\??\c:\hhnttt.exec:\hhnttt.exe55⤵
- Executes dropped EXE
PID:1524 -
\??\c:\jvjvd.exec:\jvjvd.exe56⤵
- Executes dropped EXE
PID:4460 -
\??\c:\rxrffff.exec:\rxrffff.exe57⤵
- Executes dropped EXE
PID:2944 -
\??\c:\1llllff.exec:\1llllff.exe58⤵
- Executes dropped EXE
PID:1532 -
\??\c:\nnttbb.exec:\nnttbb.exe59⤵
- Executes dropped EXE
PID:1552 -
\??\c:\vdjjj.exec:\vdjjj.exe60⤵
- Executes dropped EXE
PID:4916 -
\??\c:\lrlllrr.exec:\lrlllrr.exe61⤵
- Executes dropped EXE
PID:4208 -
\??\c:\rfrxfrl.exec:\rfrxfrl.exe62⤵
- Executes dropped EXE
PID:2692 -
\??\c:\vjjjj.exec:\vjjjj.exe63⤵
- Executes dropped EXE
PID:2268 -
\??\c:\pdvvd.exec:\pdvvd.exe64⤵
- Executes dropped EXE
PID:208 -
\??\c:\rlxfrxf.exec:\rlxfrxf.exe65⤵
- Executes dropped EXE
PID:3452 -
\??\c:\jpvdd.exec:\jpvdd.exe66⤵PID:3380
-
\??\c:\vjddd.exec:\vjddd.exe67⤵PID:4864
-
\??\c:\xxlrrrr.exec:\xxlrrrr.exe68⤵PID:4676
-
\??\c:\ttbhht.exec:\ttbhht.exe69⤵PID:2816
-
\??\c:\pjvpj.exec:\pjvpj.exe70⤵
- System Location Discovery: System Language Discovery
PID:3016 -
\??\c:\7lxxxfx.exec:\7lxxxfx.exe71⤵PID:1600
-
\??\c:\httbnt.exec:\httbnt.exe72⤵PID:3944
-
\??\c:\nhtbbh.exec:\nhtbbh.exe73⤵PID:4464
-
\??\c:\dvddv.exec:\dvddv.exe74⤵PID:5020
-
\??\c:\rxrfxlr.exec:\rxrfxlr.exe75⤵PID:2116
-
\??\c:\hhbnnb.exec:\hhbnnb.exe76⤵PID:3496
-
\??\c:\jpdvj.exec:\jpdvj.exe77⤵PID:4868
-
\??\c:\frxlxff.exec:\frxlxff.exe78⤵PID:4272
-
\??\c:\ntnnhh.exec:\ntnnhh.exe79⤵PID:2996
-
\??\c:\vdpvv.exec:\vdpvv.exe80⤵PID:368
-
\??\c:\rrxrrrr.exec:\rrxrrrr.exe81⤵PID:3192
-
\??\c:\7hbhth.exec:\7hbhth.exe82⤵PID:5052
-
\??\c:\vdjdp.exec:\vdjdp.exe83⤵PID:4440
-
\??\c:\rrlllrr.exec:\rrlllrr.exe84⤵PID:2564
-
\??\c:\ttntnt.exec:\ttntnt.exe85⤵PID:2656
-
\??\c:\lfffffl.exec:\lfffffl.exe86⤵PID:5012
-
\??\c:\3httth.exec:\3httth.exe87⤵PID:2372
-
\??\c:\hnnhnh.exec:\hnnhnh.exe88⤵PID:4800
-
\??\c:\pdddp.exec:\pdddp.exe89⤵PID:3116
-
\??\c:\llxflrf.exec:\llxflrf.exe90⤵PID:2204
-
\??\c:\7hbbtt.exec:\7hbbtt.exe91⤵PID:3068
-
\??\c:\jvdjd.exec:\jvdjd.exe92⤵PID:3336
-
\??\c:\lrlfllr.exec:\lrlfllr.exe93⤵PID:4268
-
\??\c:\bnnbtb.exec:\bnnbtb.exe94⤵PID:1660
-
\??\c:\ddddj.exec:\ddddj.exe95⤵PID:2040
-
\??\c:\xffrlrl.exec:\xffrlrl.exe96⤵PID:2288
-
\??\c:\bbbbtn.exec:\bbbbtn.exe97⤵PID:1940
-
\??\c:\5jpvv.exec:\5jpvv.exe98⤵PID:1492
-
\??\c:\5jpjj.exec:\5jpjj.exe99⤵PID:4620
-
\??\c:\xrxxrxx.exec:\xrxxrxx.exe100⤵PID:4368
-
\??\c:\nbbtnn.exec:\nbbtnn.exe101⤵PID:2128
-
\??\c:\jppvv.exec:\jppvv.exe102⤵PID:2380
-
\??\c:\jjppv.exec:\jjppv.exe103⤵PID:4280
-
\??\c:\lrfrrff.exec:\lrfrrff.exe104⤵PID:4148
-
\??\c:\tbnbnt.exec:\tbnbnt.exe105⤵PID:4980
-
\??\c:\pvpvj.exec:\pvpvj.exe106⤵PID:3940
-
\??\c:\vpddd.exec:\vpddd.exe107⤵PID:1880
-
\??\c:\lfrllrx.exec:\lfrllrx.exe108⤵PID:1984
-
\??\c:\vvppj.exec:\vvppj.exe109⤵PID:784
-
\??\c:\jdppv.exec:\jdppv.exe110⤵PID:3672
-
\??\c:\3rrxlxl.exec:\3rrxlxl.exe111⤵PID:464
-
\??\c:\nhhhtn.exec:\nhhhtn.exe112⤵PID:1828
-
\??\c:\jdjjp.exec:\jdjjp.exe113⤵PID:2028
-
\??\c:\djddj.exec:\djddj.exe114⤵PID:3216
-
\??\c:\xfrrlrf.exec:\xfrrlrf.exe115⤵PID:3656
-
\??\c:\bnhhhn.exec:\bnhhhn.exe116⤵PID:4388
-
\??\c:\thbbhh.exec:\thbbhh.exe117⤵PID:2736
-
\??\c:\dpddj.exec:\dpddj.exe118⤵PID:1688
-
\??\c:\ddpdd.exec:\ddpdd.exe119⤵PID:3536
-
\??\c:\xfxflrr.exec:\xfxflrr.exe120⤵PID:4420
-
\??\c:\hhnnbb.exec:\hhnnbb.exe121⤵PID:1748
-
\??\c:\tbbttb.exec:\tbbttb.exe122⤵PID:3856
-