Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25/12/2024, 21:34
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe
-
Size
454KB
-
MD5
9b75724fbeca4f69021aa0b85dab37c0
-
SHA1
11d83416871bcbc8633c9459a878d7018fa7e543
-
SHA256
9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e
-
SHA512
dfd37a1ad16dac7a32311183238406d0a80ff0239cac7626640812f9ff8a784825e5c3f74fb3ff951b1cb8b7064b10537b1b14adefb6d844467aeaf084748228
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT8:q7Tc2NYHUrAwfMp3CDo
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2604-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5032-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3868-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1820-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-75-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3460-142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4200-268-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4904-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2468-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-199-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1032-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-175-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-164-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2464-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3600-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/320-54-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2660-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4484-318-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3040-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4356-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-418-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5100-426-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-454-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2032-461-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/968-486-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2056-496-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-662-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1316-690-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-769-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3700-776-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-857-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1976-874-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/332-988-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-1110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-1242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-1504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3028-1803-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 840 nhtttn.exe 5032 hhhhhh.exe 3868 xfxrfxf.exe 1820 fffxffl.exe 1168 xxrrrxx.exe 4128 3vddv.exe 2008 lxxxxxx.exe 320 vpdvp.exe 2552 1bbbtt.exe 2208 ppddv.exe 2808 xrllllf.exe 1436 bthbhn.exe 4388 ddvpj.exe 1624 xlxxrrl.exe 4424 hhhhhn.exe 440 pdddp.exe 2572 5rfxrxr.exe 3772 xrfffll.exe 1844 bthhnn.exe 4188 jvddd.exe 3600 7dpjv.exe 776 flxrlfx.exe 2464 btbtnt.exe 3460 btnhhn.exe 4464 djdpv.exe 3384 rrrrlll.exe 2228 rfrllrr.exe 3144 tnhbht.exe 4924 pdddv.exe 4860 1flfrrf.exe 4472 rlrrxxf.exe 3788 bbttnb.exe 1032 pdpvp.exe 1792 fxxlffx.exe 3376 bnnnhn.exe 112 jpddv.exe 4856 7dppv.exe 2468 rlrrrrr.exe 4904 bntnnh.exe 4764 tnnhbt.exe 2024 pdppv.exe 4896 lflrlrl.exe 3724 xlxfrlr.exe 3052 tnbttt.exe 2520 pjvvd.exe 952 vvppj.exe 1536 rlxxxff.exe 1468 jjjjp.exe 1684 lxxxrrl.exe 1044 llllffx.exe 2192 9thbbh.exe 4300 1jvpv.exe 4900 1dvdv.exe 4200 hhhbth.exe 1544 djvpd.exe 1320 lxfxrrl.exe 2216 rlrllff.exe 4192 jdvvv.exe 3576 lrxrlfx.exe 4376 nnnnhh.exe 1352 vpjjp.exe 4920 rrfxffx.exe 4240 bhhbtt.exe 876 9rlllrr.exe -
resource yara_rule behavioral2/memory/2604-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5032-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3868-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1820-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-66-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2808-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3460-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4200-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-214-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2468-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-199-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1032-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2464-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3600-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/320-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2660-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4484-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3040-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4356-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-418-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2172-422-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/5100-426-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-454-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2032-461-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/968-486-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2056-496-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-662-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1316-690-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-769-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3700-776-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-795-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-857-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1976-874-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/332-988-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-1012-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location; in this run the indicator is a read of the \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language key by the dropped executables.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhnbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbhbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llflllr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
llrlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rflffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jpppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jdjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9xrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9lllflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2604 wrote to memory of 840 2604 9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe 83 PID 2604 wrote to memory of 840 2604 9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe 83 PID 2604 wrote to memory of 840 2604 9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe 83 PID 840 wrote to memory of 5032 840 nhtttn.exe 84 PID 840 wrote to memory of 5032 840 nhtttn.exe 84 PID 840 wrote to memory of 5032 840 nhtttn.exe 84 PID 5032 wrote to memory of 3868 5032 hhhhhh.exe 85 PID 5032 wrote to memory of 3868 5032 hhhhhh.exe 85 PID 5032 wrote to memory of 3868 5032 hhhhhh.exe 85 PID 3868 wrote to memory of 1820 3868 xfxrfxf.exe 86 PID 3868 wrote to memory of 1820 3868 xfxrfxf.exe 86 PID 3868 wrote to memory of 1820 3868 xfxrfxf.exe 86 PID 1820 wrote to memory of 1168 1820 fffxffl.exe 87 PID 1820 wrote to memory of 1168 1820 fffxffl.exe 87 PID 1820 wrote to memory of 1168 1820 fffxffl.exe 87 PID 1168 wrote to memory of 4128 1168 xxrrrxx.exe 88 PID 1168 wrote to memory of 4128 1168 xxrrrxx.exe 88 PID 1168 wrote to memory of 4128 1168 xxrrrxx.exe 88 PID 4128 wrote to memory of 2008 4128 3vddv.exe 89 PID 4128 wrote to memory of 2008 4128 3vddv.exe 89 PID 4128 wrote to memory of 2008 4128 3vddv.exe 89 PID 2008 wrote to memory of 320 2008 lxxxxxx.exe 90 PID 2008 wrote to memory of 320 2008 lxxxxxx.exe 90 PID 2008 wrote to memory of 320 2008 lxxxxxx.exe 90 PID 320 wrote to memory of 2552 320 vpdvp.exe 91 PID 320 wrote to memory of 2552 320 vpdvp.exe 91 PID 320 wrote to memory of 2552 320 vpdvp.exe 91 PID 2552 wrote to memory of 2208 2552 1bbbtt.exe 92 PID 2552 wrote to memory of 2208 2552 1bbbtt.exe 92 PID 2552 wrote to memory of 2208 2552 1bbbtt.exe 92 PID 2208 wrote to memory of 2808 2208 ppddv.exe 93 PID 2208 wrote to memory of 2808 2208 ppddv.exe 93 PID 2208 wrote to memory of 2808 2208 ppddv.exe 93 PID 2808 wrote to memory of 1436 2808 xrllllf.exe 94 PID 2808 wrote to memory of 1436 
2808 xrllllf.exe 94 PID 2808 wrote to memory of 1436 2808 xrllllf.exe 94 PID 1436 wrote to memory of 4388 1436 bthbhn.exe 95 PID 1436 wrote to memory of 4388 1436 bthbhn.exe 95 PID 1436 wrote to memory of 4388 1436 bthbhn.exe 95 PID 4388 wrote to memory of 1624 4388 ddvpj.exe 96 PID 4388 wrote to memory of 1624 4388 ddvpj.exe 96 PID 4388 wrote to memory of 1624 4388 ddvpj.exe 96 PID 1624 wrote to memory of 4424 1624 xlxxrrl.exe 97 PID 1624 wrote to memory of 4424 1624 xlxxrrl.exe 97 PID 1624 wrote to memory of 4424 1624 xlxxrrl.exe 97 PID 4424 wrote to memory of 440 4424 hhhhhn.exe 98 PID 4424 wrote to memory of 440 4424 hhhhhn.exe 98 PID 4424 wrote to memory of 440 4424 hhhhhn.exe 98 PID 440 wrote to memory of 2572 440 pdddp.exe 99 PID 440 wrote to memory of 2572 440 pdddp.exe 99 PID 440 wrote to memory of 2572 440 pdddp.exe 99 PID 2572 wrote to memory of 3772 2572 5rfxrxr.exe 100 PID 2572 wrote to memory of 3772 2572 5rfxrxr.exe 100 PID 2572 wrote to memory of 3772 2572 5rfxrxr.exe 100 PID 3772 wrote to memory of 1844 3772 xrfffll.exe 101 PID 3772 wrote to memory of 1844 3772 xrfffll.exe 101 PID 3772 wrote to memory of 1844 3772 xrfffll.exe 101 PID 1844 wrote to memory of 4188 1844 bthhnn.exe 102 PID 1844 wrote to memory of 4188 1844 bthhnn.exe 102 PID 1844 wrote to memory of 4188 1844 bthhnn.exe 102 PID 4188 wrote to memory of 3600 4188 jvddd.exe 103 PID 4188 wrote to memory of 3600 4188 jvddd.exe 103 PID 4188 wrote to memory of 3600 4188 jvddd.exe 103 PID 3600 wrote to memory of 776 3600 7dpjv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe"C:\Users\Admin\AppData\Local\Temp\9fc21b0e96d85ca8b4594e119613536cb44630d7a4b64a38b377f44ab4ca8d1e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
\??\c:\nhtttn.exec:\nhtttn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:840 -
\??\c:\hhhhhh.exec:\hhhhhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032 -
\??\c:\xfxrfxf.exec:\xfxrfxf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3868 -
\??\c:\fffxffl.exec:\fffxffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820 -
\??\c:\xxrrrxx.exec:\xxrrrxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
\??\c:\3vddv.exec:\3vddv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\lxxxxxx.exec:\lxxxxxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\vpdvp.exec:\vpdvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:320 -
\??\c:\1bbbtt.exec:\1bbbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\ppddv.exec:\ppddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208 -
\??\c:\xrllllf.exec:\xrllllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
\??\c:\bthbhn.exec:\bthbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\ddvpj.exec:\ddvpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\xlxxrrl.exec:\xlxxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624 -
\??\c:\hhhhhn.exec:\hhhhhn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4424 -
\??\c:\pdddp.exec:\pdddp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\5rfxrxr.exec:\5rfxrxr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\xrfffll.exec:\xrfffll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\bthhnn.exec:\bthhnn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1844 -
\??\c:\jvddd.exec:\jvddd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\7dpjv.exec:\7dpjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
\??\c:\flxrlfx.exec:\flxrlfx.exe23⤵
- Executes dropped EXE
PID:776 -
\??\c:\btbtnt.exec:\btbtnt.exe24⤵
- Executes dropped EXE
PID:2464 -
\??\c:\btnhhn.exec:\btnhhn.exe25⤵
- Executes dropped EXE
PID:3460 -
\??\c:\djdpv.exec:\djdpv.exe26⤵
- Executes dropped EXE
PID:4464 -
\??\c:\rrrrlll.exec:\rrrrlll.exe27⤵
- Executes dropped EXE
PID:3384 -
\??\c:\rfrllrr.exec:\rfrllrr.exe28⤵
- Executes dropped EXE
PID:2228 -
\??\c:\tnhbht.exec:\tnhbht.exe29⤵
- Executes dropped EXE
PID:3144 -
\??\c:\pdddv.exec:\pdddv.exe30⤵
- Executes dropped EXE
PID:4924 -
\??\c:\1flfrrf.exec:\1flfrrf.exe31⤵
- Executes dropped EXE
PID:4860 -
\??\c:\rlrrxxf.exec:\rlrrxxf.exe32⤵
- Executes dropped EXE
PID:4472 -
\??\c:\bbttnb.exec:\bbttnb.exe33⤵
- Executes dropped EXE
PID:3788 -
\??\c:\pdpvp.exec:\pdpvp.exe34⤵
- Executes dropped EXE
PID:1032 -
\??\c:\fxxlffx.exec:\fxxlffx.exe35⤵
- Executes dropped EXE
PID:1792 -
\??\c:\bnnnhn.exec:\bnnnhn.exe36⤵
- Executes dropped EXE
PID:3376 -
\??\c:\jpddv.exec:\jpddv.exe37⤵
- Executes dropped EXE
PID:112 -
\??\c:\7dppv.exec:\7dppv.exe38⤵
- Executes dropped EXE
PID:4856 -
\??\c:\rlrrrrr.exec:\rlrrrrr.exe39⤵
- Executes dropped EXE
PID:2468 -
\??\c:\bntnnh.exec:\bntnnh.exe40⤵
- Executes dropped EXE
PID:4904 -
\??\c:\tnnhbt.exec:\tnnhbt.exe41⤵
- Executes dropped EXE
PID:4764 -
\??\c:\pdppv.exec:\pdppv.exe42⤵
- Executes dropped EXE
PID:2024 -
\??\c:\lflrlrl.exec:\lflrlrl.exe43⤵
- Executes dropped EXE
PID:4896 -
\??\c:\xlxfrlr.exec:\xlxfrlr.exe44⤵
- Executes dropped EXE
PID:3724 -
\??\c:\tnbttt.exec:\tnbttt.exe45⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pjvvd.exec:\pjvvd.exe46⤵
- Executes dropped EXE
PID:2520 -
\??\c:\vvppj.exec:\vvppj.exe47⤵
- Executes dropped EXE
PID:952 -
\??\c:\rlxxxff.exec:\rlxxxff.exe48⤵
- Executes dropped EXE
PID:1536 -
\??\c:\jjjjp.exec:\jjjjp.exe49⤵
- Executes dropped EXE
PID:1468 -
\??\c:\lxxxrrl.exec:\lxxxrrl.exe50⤵
- Executes dropped EXE
PID:1684 -
\??\c:\llllffx.exec:\llllffx.exe51⤵
- Executes dropped EXE
PID:1044 -
\??\c:\9thbbh.exec:\9thbbh.exe52⤵
- Executes dropped EXE
PID:2192 -
\??\c:\1jvpv.exec:\1jvpv.exe53⤵
- Executes dropped EXE
PID:4300 -
\??\c:\1dvdv.exec:\1dvdv.exe54⤵
- Executes dropped EXE
PID:4900 -
\??\c:\rrffxxx.exec:\rrffxxx.exe55⤵PID:3104
-
\??\c:\hhhbth.exec:\hhhbth.exe56⤵
- Executes dropped EXE
PID:4200 -
\??\c:\djvpd.exec:\djvpd.exe57⤵
- Executes dropped EXE
PID:1544 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe58⤵
- Executes dropped EXE
PID:1320 -
\??\c:\rlrllff.exec:\rlrllff.exe59⤵
- Executes dropped EXE
PID:2216 -
\??\c:\jdvvv.exec:\jdvvv.exe60⤵
- Executes dropped EXE
PID:4192 -
\??\c:\lrxrlfx.exec:\lrxrlfx.exe61⤵
- Executes dropped EXE
PID:3576 -
\??\c:\nnnnhh.exec:\nnnnhh.exe62⤵
- Executes dropped EXE
PID:4376 -
\??\c:\vpjjp.exec:\vpjjp.exe63⤵
- Executes dropped EXE
PID:1352 -
\??\c:\rrfxffx.exec:\rrfxffx.exe64⤵
- Executes dropped EXE
PID:4920 -
\??\c:\bhhbtt.exec:\bhhbtt.exe65⤵
- Executes dropped EXE
PID:4240 -
\??\c:\9rlllrr.exec:\9rlllrr.exe66⤵
- Executes dropped EXE
PID:876 -
\??\c:\ntnttt.exec:\ntnttt.exe67⤵PID:116
-
\??\c:\3vvpv.exec:\3vvpv.exe68⤵PID:2660
-
\??\c:\5lrlllr.exec:\5lrlllr.exe69⤵PID:4236
-
\??\c:\dvddj.exec:\dvddj.exe70⤵PID:624
-
\??\c:\lrrllrr.exec:\lrrllrr.exe71⤵PID:4484
-
\??\c:\1nbhth.exec:\1nbhth.exe72⤵PID:1624
-
\??\c:\pvpvd.exec:\pvpvd.exe73⤵PID:4000
-
\??\c:\rllxrrl.exec:\rllxrrl.exe74⤵PID:1932
-
\??\c:\hhbtnh.exec:\hhbtnh.exe75⤵PID:384
-
\??\c:\pjvvp.exec:\pjvvp.exe76⤵PID:2572
-
\??\c:\rxllrrf.exec:\rxllrrf.exe77⤵PID:2456
-
\??\c:\hbnnhn.exec:\hbnnhn.exe78⤵PID:1844
-
\??\c:\ddppp.exec:\ddppp.exe79⤵PID:3708
-
\??\c:\rlflxfx.exec:\rlflxfx.exe80⤵PID:8
-
\??\c:\nnnhhh.exec:\nnnhhh.exe81⤵PID:3660
-
\??\c:\vvjjj.exec:\vvjjj.exe82⤵PID:3636
-
\??\c:\ffffxxx.exec:\ffffxxx.exe83⤵PID:1824
-
\??\c:\fxrlfff.exec:\fxrlfff.exe84⤵PID:1448
-
\??\c:\dpdvp.exec:\dpdvp.exe85⤵PID:1604
-
\??\c:\5rfxxxf.exec:\5rfxxxf.exe86⤵PID:3040
-
\??\c:\btttbh.exec:\btttbh.exe87⤵PID:3860
-
\??\c:\xxlfrfx.exec:\xxlfrfx.exe88⤵PID:920
-
\??\c:\nhtbth.exec:\nhtbth.exe89⤵PID:4356
-
\??\c:\lffxrlr.exec:\lffxrlr.exe90⤵PID:4824
-
\??\c:\bthhbh.exec:\bthhbh.exe91⤵PID:2576
-
\??\c:\jdppj.exec:\jdppj.exe92⤵PID:1400
-
\??\c:\xrrrflf.exec:\xrrrflf.exe93⤵PID:4056
-
\??\c:\1jdpj.exec:\1jdpj.exe94⤵PID:664
-
\??\c:\frlrllf.exec:\frlrllf.exe95⤵PID:2060
-
\??\c:\htbbtt.exec:\htbbtt.exe96⤵PID:1864
-
\??\c:\fxfffff.exec:\fxfffff.exe97⤵PID:4904
-
\??\c:\nntntt.exec:\nntntt.exe98⤵PID:4680
-
\??\c:\jjjjj.exec:\jjjjj.exe99⤵PID:3012
-
\??\c:\fffrlrr.exec:\fffrlrr.exe100⤵PID:1764
-
\??\c:\3xffflr.exec:\3xffflr.exe101⤵PID:4408
-
\??\c:\tbttnn.exec:\tbttnn.exe102⤵PID:3628
-
\??\c:\pdjdv.exec:\pdjdv.exe103⤵PID:4380
-
\??\c:\3dvvp.exec:\3dvvp.exe104⤵PID:2172
-
\??\c:\1xxllff.exec:\1xxllff.exe105⤵PID:5100
-
\??\c:\hnnnnt.exec:\hnnnnt.exe106⤵PID:1536
-
\??\c:\jjddp.exec:\jjddp.exe107⤵PID:4588
-
\??\c:\3xlfflr.exec:\3xlfflr.exe108⤵PID:4928
-
\??\c:\7tbbnn.exec:\7tbbnn.exe109⤵PID:3564
-
\??\c:\ththnh.exec:\ththnh.exe110⤵PID:4292
-
\??\c:\vvvvp.exec:\vvvvp.exe111⤵PID:2348
-
\??\c:\frfxrrr.exec:\frfxrrr.exe112⤵PID:4300
-
\??\c:\ntbbnt.exec:\ntbbnt.exe113⤵PID:812
-
\??\c:\pdpjj.exec:\pdpjj.exe114⤵PID:1456
-
\??\c:\xrlfxxr.exec:\xrlfxxr.exe115⤵PID:3508
-
\??\c:\ttbttt.exec:\ttbttt.exe116⤵
- System Location Discovery: System Language Discovery
PID:2032 -
\??\c:\bnnhhb.exec:\bnnhhb.exe117⤵PID:4772
-
\??\c:\jvppp.exec:\jvppp.exe118⤵PID:4700
-
\??\c:\1rrrlxx.exec:\1rrrlxx.exe119⤵PID:4524
-
\??\c:\nttttt.exec:\nttttt.exe120⤵PID:4256
-
\??\c:\btttnn.exec:\btttnn.exe121⤵PID:2020
-
\??\c:\dvvvv.exec:\dvvvv.exe122⤵PID:1976