Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 11:57
Behavioral task
behavioral1 (this summary card is for the win7-20241023-en run; the signature and process details further down are tagged behavioral2 and appear to belong to the win10v2004-20241007-en run listed under Analysis — do not read the two as one execution)
Sample
755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924fN.exe
Resource
win7-20241023-en
7 signatures
120 seconds
General
-
Target
755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924fN.exe
-
Size
91KB
-
MD5
49a772277fa5346d5ad6f09a703c5610
-
SHA1
9d12f1040d9c8ed9eed1fd6e8c65208def083a65
-
SHA256
755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924f
-
SHA512
cf9ba70eca784b3306458210e5e6c25a9ae436fea30fa967c2189a13f3972b6bc00cf5924736d57513778c2564b0fd8f5eb24e041ffaceaf0879eb0b5838e876
-
SSDEEP
1536:9vQBeOGtrYS3srx93UBWfwC6Ggnouy8PbhnyLFbUZJjw51Mh2RUpt/0Ku:9hOmTsF93UYfwC6GIoutz5yLp1MhZpVE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs. Every hit is a YARA match on a memory dump of the 0x0000000000400000–0x0000000000427000 image region of a dropped process (the same region the UPX rule matches below), i.e. detection is on the in-memory image rather than only the on-disk file. PIDs are reused within the run (e.g. 4744 is both the initial sample and, later, 1httnh.exe), so correlate dump entries by process name and dump offset, not by PID alone.
resource yara_rule behavioral2/memory/4744-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1912-12-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2044-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-31-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1672-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3980-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4876-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1056-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2660-56-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3616-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3708-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1464-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3944-103-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3108-109-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4048-115-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3104-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-149-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4036-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3468-170-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-181-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4000-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/972-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1764-207-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-223-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4540-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/880-231-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4152-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-248-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/460-254-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4744-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2240-262-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-269-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-287-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1960-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-296-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2196-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3964-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-361-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-380-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4912-387-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4676-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3820-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4732-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/784-453-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-478-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2184-503-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-510-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/636-561-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2028-652-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-770-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4584-894-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4456-961-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2600-1450-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs. Each dropped executable is written to the root of c:\ with a short name drawn from a small alphabet (the letters b d f h j l n p r t v x, optionally prefixed by an odd digit) and in turn launches the next one, producing a parent→child chain more than 100 processes deep (see Processes). The root-of-drive drop location and the naming pattern are usable hunting features independent of the file hashes.
pid Process 1912 fffrfxl.exe 2260 1bhtnn.exe 2044 1hhtnh.exe 3584 djpjd.exe 1672 rllfxxl.exe 1056 htnbnh.exe 3980 jjdpp.exe 4876 3vdpv.exe 2660 rxxlxxl.exe 4428 9rfrfxl.exe 2208 9tnhhb.exe 3616 vddvv.exe 2484 rffxrlx.exe 3708 5thbtn.exe 4940 dvdpj.exe 1464 dpdjp.exe 3944 5lffxrf.exe 3108 bnntth.exe 4048 pddvp.exe 3680 xxffllx.exe 2384 bnhthb.exe 3104 dvpdp.exe 4532 rrfrfxl.exe 3312 nbnbnh.exe 1688 vvpdp.exe 4036 llfxlfx.exe 3640 hbbthh.exe 3348 pdvjv.exe 3468 5ppvj.exe 2488 7pvpj.exe 5044 bhtbtb.exe 3128 bnnbnh.exe 4000 jdjdp.exe 5052 frlfxxx.exe 972 lfxxflf.exe 4308 9bthbb.exe 4896 3jpvd.exe 1764 pjpjd.exe 2880 rflfrrl.exe 4860 nbbtnn.exe 3936 1pdvv.exe 212 jvpjv.exe 2732 lxxlxrf.exe 4540 5hhbtn.exe 880 pjdjv.exe 4152 djjdp.exe 2980 9rrlxrr.exe 1732 thbthb.exe 4312 dvdvp.exe 4148 vjdvj.exe 4392 lllrfrl.exe 460 xlllxxx.exe 4744 1httnh.exe 2240 bnbtnn.exe 4692 jjjvp.exe 3972 lxxfxxx.exe 3516 xfllrrx.exe 3584 1nnnhb.exe 544 7tnnhb.exe 4584 pvvpj.exe 1960 lffxllf.exe 4952 3xrlffx.exe 3204 ttnhbt.exe 5056 1dddv.exe -
resource yara_rule behavioral2/memory/4744-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023c1e-3.dat upx behavioral2/memory/4744-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c98-9.dat upx behavioral2/memory/1912-12-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cab-13.dat upx behavioral2/memory/2044-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2260-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3584-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cac-22.dat upx behavioral2/files/0x0007000000023cad-28.dat upx behavioral2/memory/3584-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-37.dat upx behavioral2/memory/1672-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-40.dat upx behavioral2/files/0x0007000000023cb0-46.dat upx behavioral2/memory/3980-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4876-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1056-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-54.dat upx behavioral2/memory/2660-56-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb2-60.dat upx behavioral2/memory/4428-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb3-64.dat upx behavioral2/files/0x0007000000023cb5-70.dat upx behavioral2/memory/2208-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb6-75.dat upx behavioral2/memory/3616-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb7-81.dat upx behavioral2/memory/3708-86-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/files/0x0007000000023cb8-87.dat upx behavioral2/files/0x0007000000023cb9-91.dat upx behavioral2/files/0x0007000000023cba-98.dat upx behavioral2/memory/1464-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3944-103-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-102.dat upx behavioral2/files/0x0007000000023cbc-107.dat upx behavioral2/memory/3108-109-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbd-113.dat upx behavioral2/memory/4048-115-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbe-119.dat upx behavioral2/memory/3680-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-125.dat upx behavioral2/files/0x0007000000023cc0-130.dat upx behavioral2/memory/3104-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc1-136.dat upx behavioral2/files/0x0007000000023cc2-141.dat upx behavioral2/files/0x000a000000023c9f-146.dat upx behavioral2/memory/1688-149-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4036-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc3-154.dat upx behavioral2/files/0x0007000000023cc4-159.dat upx behavioral2/files/0x0007000000023cc5-164.dat upx behavioral2/files/0x0007000000023cc6-168.dat upx behavioral2/memory/3468-170-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cc7-174.dat upx behavioral2/files/0x0007000000023cc8-179.dat upx behavioral2/memory/5044-181-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4000-189-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/972-196-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4308-200-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1764-207-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2732-223-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4540-227-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) — 1 TTP, 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host. On its own this is a low-fidelity indicator — opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also done by legitimate locale-aware code — but it is a common gate for region-targeted payloads, so it is worth re-running the sample under a different locale to see whether behaviour changes. Entries attributed to "Process not Found" are key opens the sandbox could not tie to a still-running process, most likely because the short-lived dropper had already exited by the time the event was attributed.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3jpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxllrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdjdv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1pjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthtbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9fxxxrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5thhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs. Every entry is a parent writing into the child it has just spawned (the PID pairs match the Processes tree one-to-one), which is consistent with ordinary process start-up rather than injection into an unrelated process; treat this signature as corroboration of the spawn chain, not as evidence of code injection on its own.
description pid Process procid_target PID 4744 wrote to memory of 1912 4744 755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924fN.exe 82 PID 4744 wrote to memory of 1912 4744 755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924fN.exe 82 PID 4744 wrote to memory of 1912 4744 755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924fN.exe 82 PID 1912 wrote to memory of 2260 1912 fffrfxl.exe 83 PID 1912 wrote to memory of 2260 1912 fffrfxl.exe 83 PID 1912 wrote to memory of 2260 1912 fffrfxl.exe 83 PID 2260 wrote to memory of 2044 2260 1bhtnn.exe 84 PID 2260 wrote to memory of 2044 2260 1bhtnn.exe 84 PID 2260 wrote to memory of 2044 2260 1bhtnn.exe 84 PID 2044 wrote to memory of 3584 2044 1hhtnh.exe 85 PID 2044 wrote to memory of 3584 2044 1hhtnh.exe 85 PID 2044 wrote to memory of 3584 2044 1hhtnh.exe 85 PID 3584 wrote to memory of 1672 3584 djpjd.exe 86 PID 3584 wrote to memory of 1672 3584 djpjd.exe 86 PID 3584 wrote to memory of 1672 3584 djpjd.exe 86 PID 1672 wrote to memory of 1056 1672 rllfxxl.exe 87 PID 1672 wrote to memory of 1056 1672 rllfxxl.exe 87 PID 1672 wrote to memory of 1056 1672 rllfxxl.exe 87 PID 1056 wrote to memory of 3980 1056 htnbnh.exe 88 PID 1056 wrote to memory of 3980 1056 htnbnh.exe 88 PID 1056 wrote to memory of 3980 1056 htnbnh.exe 88 PID 3980 wrote to memory of 4876 3980 jjdpp.exe 89 PID 3980 wrote to memory of 4876 3980 jjdpp.exe 89 PID 3980 wrote to memory of 4876 3980 jjdpp.exe 89 PID 4876 wrote to memory of 2660 4876 3vdpv.exe 90 PID 4876 wrote to memory of 2660 4876 3vdpv.exe 90 PID 4876 wrote to memory of 2660 4876 3vdpv.exe 90 PID 2660 wrote to memory of 4428 2660 rxxlxxl.exe 91 PID 2660 wrote to memory of 4428 2660 rxxlxxl.exe 91 PID 2660 wrote to memory of 4428 2660 rxxlxxl.exe 91 PID 4428 wrote to memory of 2208 4428 9rfrfxl.exe 92 PID 4428 wrote to memory of 2208 4428 9rfrfxl.exe 92 PID 4428 wrote to memory of 2208 4428 9rfrfxl.exe 92 PID 2208 wrote to memory of 3616 2208 9tnhhb.exe 93 PID 2208 
wrote to memory of 3616 2208 9tnhhb.exe 93 PID 2208 wrote to memory of 3616 2208 9tnhhb.exe 93 PID 3616 wrote to memory of 2484 3616 vddvv.exe 94 PID 3616 wrote to memory of 2484 3616 vddvv.exe 94 PID 3616 wrote to memory of 2484 3616 vddvv.exe 94 PID 2484 wrote to memory of 3708 2484 rffxrlx.exe 95 PID 2484 wrote to memory of 3708 2484 rffxrlx.exe 95 PID 2484 wrote to memory of 3708 2484 rffxrlx.exe 95 PID 3708 wrote to memory of 4940 3708 5thbtn.exe 96 PID 3708 wrote to memory of 4940 3708 5thbtn.exe 96 PID 3708 wrote to memory of 4940 3708 5thbtn.exe 96 PID 4940 wrote to memory of 1464 4940 dvdpj.exe 97 PID 4940 wrote to memory of 1464 4940 dvdpj.exe 97 PID 4940 wrote to memory of 1464 4940 dvdpj.exe 97 PID 1464 wrote to memory of 3944 1464 dpdjp.exe 98 PID 1464 wrote to memory of 3944 1464 dpdjp.exe 98 PID 1464 wrote to memory of 3944 1464 dpdjp.exe 98 PID 3944 wrote to memory of 3108 3944 5lffxrf.exe 99 PID 3944 wrote to memory of 3108 3944 5lffxrf.exe 99 PID 3944 wrote to memory of 3108 3944 5lffxrf.exe 99 PID 3108 wrote to memory of 4048 3108 bnntth.exe 100 PID 3108 wrote to memory of 4048 3108 bnntth.exe 100 PID 3108 wrote to memory of 4048 3108 bnntth.exe 100 PID 4048 wrote to memory of 3680 4048 pddvp.exe 101 PID 4048 wrote to memory of 3680 4048 pddvp.exe 101 PID 4048 wrote to memory of 3680 4048 pddvp.exe 101 PID 3680 wrote to memory of 2384 3680 xxffllx.exe 102 PID 3680 wrote to memory of 2384 3680 xxffllx.exe 102 PID 3680 wrote to memory of 2384 3680 xxffllx.exe 102 PID 2384 wrote to memory of 3104 2384 bnhthb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924fN.exe"C:\Users\Admin\AppData\Local\Temp\755217f96413a3de51e605bdb125b63cd8331a4b36b70db88044e3a779ab924fN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\fffrfxl.exec:\fffrfxl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912 -
\??\c:\1bhtnn.exec:\1bhtnn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\1hhtnh.exec:\1hhtnh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\djpjd.exec:\djpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584 -
\??\c:\rllfxxl.exec:\rllfxxl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672 -
\??\c:\htnbnh.exec:\htnbnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\jjdpp.exec:\jjdpp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\3vdpv.exec:\3vdpv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\rxxlxxl.exec:\rxxlxxl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2660 -
\??\c:\9rfrfxl.exec:\9rfrfxl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\9tnhhb.exec:\9tnhhb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\vddvv.exec:\vddvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3616 -
\??\c:\rffxrlx.exec:\rffxrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\5thbtn.exec:\5thbtn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708 -
\??\c:\dvdpj.exec:\dvdpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
\??\c:\dpdjp.exec:\dpdjp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1464 -
\??\c:\5lffxrf.exec:\5lffxrf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3944 -
\??\c:\bnntth.exec:\bnntth.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108 -
\??\c:\pddvp.exec:\pddvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\xxffllx.exec:\xxffllx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\bnhthb.exec:\bnhthb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384 -
\??\c:\dvpdp.exec:\dvpdp.exe23⤵
- Executes dropped EXE
PID:3104 -
\??\c:\rrfrfxl.exec:\rrfrfxl.exe24⤵
- Executes dropped EXE
PID:4532 -
\??\c:\nbnbnh.exec:\nbnbnh.exe25⤵
- Executes dropped EXE
PID:3312 -
\??\c:\vvpdp.exec:\vvpdp.exe26⤵
- Executes dropped EXE
PID:1688 -
\??\c:\llfxlfx.exec:\llfxlfx.exe27⤵
- Executes dropped EXE
PID:4036 -
\??\c:\hbbthh.exec:\hbbthh.exe28⤵
- Executes dropped EXE
PID:3640 -
\??\c:\pdvjv.exec:\pdvjv.exe29⤵
- Executes dropped EXE
PID:3348 -
\??\c:\5ppvj.exec:\5ppvj.exe30⤵
- Executes dropped EXE
PID:3468 -
\??\c:\7pvpj.exec:\7pvpj.exe31⤵
- Executes dropped EXE
PID:2488 -
\??\c:\bhtbtb.exec:\bhtbtb.exe32⤵
- Executes dropped EXE
PID:5044 -
\??\c:\bnnbnh.exec:\bnnbnh.exe33⤵
- Executes dropped EXE
PID:3128 -
\??\c:\jdjdp.exec:\jdjdp.exe34⤵
- Executes dropped EXE
PID:4000 -
\??\c:\frlfxxx.exec:\frlfxxx.exe35⤵
- Executes dropped EXE
PID:5052 -
\??\c:\lfxxflf.exec:\lfxxflf.exe36⤵
- Executes dropped EXE
PID:972 -
\??\c:\9bthbb.exec:\9bthbb.exe37⤵
- Executes dropped EXE
PID:4308 -
\??\c:\3jpvd.exec:\3jpvd.exe38⤵
- Executes dropped EXE
PID:4896 -
\??\c:\pjpjd.exec:\pjpjd.exe39⤵
- Executes dropped EXE
PID:1764 -
\??\c:\rflfrrl.exec:\rflfrrl.exe40⤵
- Executes dropped EXE
PID:2880 -
\??\c:\nbbtnn.exec:\nbbtnn.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4860 -
\??\c:\1pdvv.exec:\1pdvv.exe42⤵
- Executes dropped EXE
PID:3936 -
\??\c:\jvpjv.exec:\jvpjv.exe43⤵
- Executes dropped EXE
PID:212 -
\??\c:\lxxlxrf.exec:\lxxlxrf.exe44⤵
- Executes dropped EXE
PID:2732 -
\??\c:\5hhbtn.exec:\5hhbtn.exe45⤵
- Executes dropped EXE
PID:4540 -
\??\c:\pjdjv.exec:\pjdjv.exe46⤵
- Executes dropped EXE
PID:880 -
\??\c:\djjdp.exec:\djjdp.exe47⤵
- Executes dropped EXE
PID:4152 -
\??\c:\9rrlxrr.exec:\9rrlxrr.exe48⤵
- Executes dropped EXE
PID:2980 -
\??\c:\thbthb.exec:\thbthb.exe49⤵
- Executes dropped EXE
PID:1732 -
\??\c:\dvdvp.exec:\dvdvp.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4312 -
\??\c:\vjdvj.exec:\vjdvj.exe51⤵
- Executes dropped EXE
PID:4148 -
\??\c:\lllrfrl.exec:\lllrfrl.exe52⤵
- Executes dropped EXE
PID:4392 -
\??\c:\xlllxxx.exec:\xlllxxx.exe53⤵
- Executes dropped EXE
PID:460 -
\??\c:\1httnh.exec:\1httnh.exe54⤵
- Executes dropped EXE
PID:4744 -
\??\c:\bnbtnn.exec:\bnbtnn.exe55⤵
- Executes dropped EXE
PID:2240 -
\??\c:\jjjvp.exec:\jjjvp.exe56⤵
- Executes dropped EXE
PID:4692 -
\??\c:\lxxfxxx.exec:\lxxfxxx.exe57⤵
- Executes dropped EXE
PID:3972 -
\??\c:\xfllrrx.exec:\xfllrrx.exe58⤵
- Executes dropped EXE
PID:3516 -
\??\c:\1nnnhb.exec:\1nnnhb.exe59⤵
- Executes dropped EXE
PID:3584 -
\??\c:\7tnnhb.exec:\7tnnhb.exe60⤵
- Executes dropped EXE
PID:544 -
\??\c:\pvvpj.exec:\pvvpj.exe61⤵
- Executes dropped EXE
PID:4584 -
\??\c:\lffxllf.exec:\lffxllf.exe62⤵
- Executes dropped EXE
PID:1960 -
\??\c:\3xrlffx.exec:\3xrlffx.exe63⤵
- Executes dropped EXE
PID:4952 -
\??\c:\ttnhbt.exec:\ttnhbt.exe64⤵
- Executes dropped EXE
PID:3204 -
\??\c:\1dddv.exec:\1dddv.exe65⤵
- Executes dropped EXE
PID:5056 -
\??\c:\7rrlxxx.exec:\7rrlxxx.exe66⤵PID:5028
-
\??\c:\5tbbhh.exec:\5tbbhh.exe67⤵PID:2008
-
\??\c:\httnhh.exec:\httnhh.exe68⤵PID:4272
-
\??\c:\jdjdd.exec:\jdjdd.exe69⤵PID:4720
-
\??\c:\1pjvj.exec:\1pjvj.exe70⤵PID:2196
-
\??\c:\frxrlrl.exec:\frxrlrl.exe71⤵PID:4496
-
\??\c:\hbhbhb.exec:\hbhbhb.exe72⤵PID:3964
-
\??\c:\pjjjd.exec:\pjjjd.exe73⤵PID:1804
-
\??\c:\xrllflr.exec:\xrllflr.exe74⤵PID:2568
-
\??\c:\hbbtbb.exec:\hbbtbb.exe75⤵PID:2004
-
\??\c:\hbttnn.exec:\hbttnn.exe76⤵PID:1892
-
\??\c:\dvvjv.exec:\dvvjv.exe77⤵PID:1240
-
\??\c:\1pvpj.exec:\1pvpj.exe78⤵PID:5092
-
\??\c:\nhhbnn.exec:\nhhbnn.exe79⤵PID:4208
-
\??\c:\nnthbt.exec:\nnthbt.exe80⤵PID:1172
-
\??\c:\dvjjp.exec:\dvjjp.exe81⤵PID:4336
-
\??\c:\ffrrffx.exec:\ffrrffx.exe82⤵PID:4776
-
\??\c:\fxrlxxr.exec:\fxrlxxr.exe83⤵PID:2312
-
\??\c:\5nhhtt.exec:\5nhhtt.exe84⤵PID:2704
-
\??\c:\pdpdd.exec:\pdpdd.exe85⤵PID:4864
-
\??\c:\jjdpd.exec:\jjdpd.exe86⤵PID:3336
-
\??\c:\7lfxrll.exec:\7lfxrll.exe87⤵PID:1224
-
\??\c:\hhtntt.exec:\hhtntt.exe88⤵PID:1320
-
\??\c:\pjdvj.exec:\pjdvj.exe89⤵PID:4608
-
\??\c:\dvpjj.exec:\dvpjj.exe90⤵PID:2776
-
\??\c:\9rfxrrr.exec:\9rfxrrr.exe91⤵PID:1776
-
\??\c:\tntthb.exec:\tntthb.exe92⤵PID:2756
-
\??\c:\nbhtnn.exec:\nbhtnn.exe93⤵PID:4912
-
\??\c:\vppjv.exec:\vppjv.exe94⤵PID:3596
-
\??\c:\ddpjj.exec:\ddpjj.exe95⤵PID:4676
-
\??\c:\fflfxrx.exec:\fflfxrx.exe96⤵PID:1824
-
\??\c:\htnbtn.exec:\htnbtn.exe97⤵PID:3776
-
\??\c:\hthbnn.exec:\hthbnn.exe98⤵PID:2476
-
\??\c:\ddvpj.exec:\ddvpj.exe99⤵PID:4828
-
\??\c:\xfrlffx.exec:\xfrlffx.exe100⤵PID:3156
-
\??\c:\rxfrxrx.exec:\rxfrxrx.exe101⤵PID:4308
-
\??\c:\1hbtnh.exec:\1hbtnh.exe102⤵PID:3820
-
\??\c:\ththbb.exec:\ththbb.exe103⤵PID:4340
-
\??\c:\dvjjj.exec:\dvjjj.exe104⤵PID:2880
-
\??\c:\fxffllf.exec:\fxffllf.exe105⤵PID:4860
-
\??\c:\9fxfxxl.exec:\9fxfxxl.exe106⤵PID:3936
-
\??\c:\bhnnhh.exec:\bhnnhh.exe107⤵PID:648
-
\??\c:\hnbtnn.exec:\hnbtnn.exe108⤵PID:2732
-
\??\c:\ddvpj.exec:\ddvpj.exe109⤵PID:4732
-
\??\c:\5pdpv.exec:\5pdpv.exe110⤵PID:3884
-
\??\c:\fllxrlf.exec:\fllxrlf.exe111⤵PID:2268
-
\??\c:\tbtttt.exec:\tbtttt.exe112⤵PID:2628
-
\??\c:\hnbbbt.exec:\hnbbbt.exe113⤵PID:784
-
\??\c:\pjpjp.exec:\pjpjp.exe114⤵PID:1364
-
\??\c:\9fxxxrx.exec:\9fxxxrx.exe115⤵
- System Location Discovery: System Language Discovery
PID:4148 -
\??\c:\xxrrlfx.exec:\xxrrlfx.exe116⤵PID:1152
-
\??\c:\hnhhtn.exec:\hnhhtn.exe117⤵PID:320
-
\??\c:\jddvj.exec:\jddvj.exe118⤵PID:4724
-
\??\c:\9jjvj.exec:\9jjvj.exe119⤵PID:2240
-
\??\c:\llfxrrl.exec:\llfxrrl.exe120⤵PID:4708
-
\??\c:\5lxrfxf.exec:\5lxrfxf.exe121⤵PID:552
-
\??\c:\btnhhb.exec:\btnhhb.exe122⤵PID:3984