Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26-12-2024 07:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5N.exe
-
Size
456KB
-
MD5
6a9e548c3217770b05f5f9c5103ec070
-
SHA1
39951175ae2b79e108fd1195baa71faf0dca385a
-
SHA256
9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5
-
SHA512
da050184b29667dbaf43fd23cb13ac1fac7e3456f26b0b8867ef6a1dc42eff6aee4043894539a4cc5a8bd9254700f8e1e20994ef965ec5344e6e530f54418ed5
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRT:q7Tc2NYHUrAwfMp3CDRT
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3852-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4256-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3664-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2744-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1616-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2176-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/812-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2704-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-114-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3400-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3432-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2192-146-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1204-143-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2120-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3968-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5056-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3180-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2180-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-267-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3188-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-291-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3692-298-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1348-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2276-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-372-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4336-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2720-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4004-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-442-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2444-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-515-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-542-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-654-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-685-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-689-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5084-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-850-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4352-1109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4256 flfxffl.exe 2268 nttnhh.exe 3664 dddvv.exe 1272 frfxlll.exe 4740 jvdvv.exe 4028 tttttt.exe 2744 xflffff.exe 1616 vvddd.exe 2176 1rrrflr.exe 3692 jjppp.exe 812 ffrllll.exe 3996 tbhhbh.exe 2704 jdjdv.exe 4220 1hbbnn.exe 3772 xlrxlxl.exe 4764 ttnbth.exe 5088 3ttnhh.exe 4512 ddppd.exe 3432 xxffxxf.exe 3400 bbbttt.exe 2516 bthbtt.exe 1324 jjpjd.exe 1204 vpddj.exe 2192 lllffxx.exe 2120 hbbtnn.exe 3968 5vvvp.exe 3536 9thbtt.exe 456 xfxrrrr.exe 1656 dppjj.exe 2604 hhtnhb.exe 1392 pvdvp.exe 5056 rlxllll.exe 4572 jdpjd.exe 3308 9rrlllr.exe 2956 xrfxrfx.exe 3740 htnhtn.exe 528 vvpjd.exe 3032 xxlfffr.exe 3180 hbhbbb.exe 4852 dvvjd.exe 2916 rlfflrr.exe 4988 tbtnhb.exe 2180 pdvpd.exe 4488 rxxrlxr.exe 3788 7nhbbt.exe 3472 dvjdv.exe 1336 5lrfffl.exe 2092 5nnhhh.exe 2312 djpjv.exe 3964 pppjd.exe 1744 lxrrfxl.exe 4868 nntnbt.exe 3216 jjpdv.exe 1272 fffxxrl.exe 3712 7hhtnh.exe 4948 ppvvj.exe 3188 5xxxlll.exe 3036 3hnhhh.exe 4864 bntntt.exe 2112 9jvpj.exe 2388 lfrxfff.exe 1600 hbnhnn.exe 3692 jdjdv.exe 812 pppjd.exe -
resource yara_rule behavioral2/memory/3852-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4256-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3664-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2744-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1616-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/812-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2704-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3400-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3432-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-146-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1204-143-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2120-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3968-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5056-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3180-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2180-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2312-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3188-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-291-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1348-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2276-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4492-368-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-372-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4336-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2720-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4004-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-442-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-471-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2444-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-515-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-542-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-654-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4944-685-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-689-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2176-712-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3232-773-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbthb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnbnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
lxfxxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9tthtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9bhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htnbnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5dvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flffflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5tnhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hntnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ddpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdpvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3852 wrote to memory of 4256 3852 9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5N.exe 82 PID 3852 wrote to memory of 4256 3852 9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5N.exe 82 PID 3852 wrote to memory of 4256 3852 9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5N.exe 82 PID 4256 wrote to memory of 2268 4256 flfxffl.exe 83 PID 4256 wrote to memory of 2268 4256 flfxffl.exe 83 PID 4256 wrote to memory of 2268 4256 flfxffl.exe 83 PID 2268 wrote to memory of 3664 2268 nttnhh.exe 84 PID 2268 wrote to memory of 3664 2268 nttnhh.exe 84 PID 2268 wrote to memory of 3664 2268 nttnhh.exe 84 PID 3664 wrote to memory of 1272 3664 dddvv.exe 85 PID 3664 wrote to memory of 1272 3664 dddvv.exe 85 PID 3664 wrote to memory of 1272 3664 dddvv.exe 85 PID 1272 wrote to memory of 4740 1272 frfxlll.exe 86 PID 1272 wrote to memory of 4740 1272 frfxlll.exe 86 PID 1272 wrote to memory of 4740 1272 frfxlll.exe 86 PID 4740 wrote to memory of 4028 4740 jvdvv.exe 87 PID 4740 wrote to memory of 4028 4740 jvdvv.exe 87 PID 4740 wrote to memory of 4028 4740 jvdvv.exe 87 PID 4028 wrote to memory of 2744 4028 tttttt.exe 88 PID 4028 wrote to memory of 2744 4028 tttttt.exe 88 PID 4028 wrote to memory of 2744 4028 tttttt.exe 88 PID 2744 wrote to memory of 1616 2744 xflffff.exe 89 PID 2744 wrote to memory of 1616 2744 xflffff.exe 89 PID 2744 wrote to memory of 1616 2744 xflffff.exe 89 PID 1616 wrote to memory of 2176 1616 vvddd.exe 90 PID 1616 wrote to memory of 2176 1616 vvddd.exe 90 PID 1616 wrote to memory of 2176 1616 vvddd.exe 90 PID 2176 wrote to memory of 3692 2176 1rrrflr.exe 91 PID 2176 wrote to memory of 3692 2176 1rrrflr.exe 91 PID 2176 wrote to memory of 3692 2176 1rrrflr.exe 91 PID 3692 wrote to memory of 812 3692 jjppp.exe 92 PID 3692 wrote to memory of 812 3692 jjppp.exe 92 PID 3692 wrote to memory of 812 3692 jjppp.exe 92 PID 812 wrote to memory of 3996 812 ffrllll.exe 93 PID 812 wrote to 
memory of 3996 812 ffrllll.exe 93 PID 812 wrote to memory of 3996 812 ffrllll.exe 93 PID 3996 wrote to memory of 2704 3996 tbhhbh.exe 94 PID 3996 wrote to memory of 2704 3996 tbhhbh.exe 94 PID 3996 wrote to memory of 2704 3996 tbhhbh.exe 94 PID 2704 wrote to memory of 4220 2704 jdjdv.exe 95 PID 2704 wrote to memory of 4220 2704 jdjdv.exe 95 PID 2704 wrote to memory of 4220 2704 jdjdv.exe 95 PID 4220 wrote to memory of 3772 4220 1hbbnn.exe 96 PID 4220 wrote to memory of 3772 4220 1hbbnn.exe 96 PID 4220 wrote to memory of 3772 4220 1hbbnn.exe 96 PID 3772 wrote to memory of 4764 3772 xlrxlxl.exe 97 PID 3772 wrote to memory of 4764 3772 xlrxlxl.exe 97 PID 3772 wrote to memory of 4764 3772 xlrxlxl.exe 97 PID 4764 wrote to memory of 5088 4764 ttnbth.exe 98 PID 4764 wrote to memory of 5088 4764 ttnbth.exe 98 PID 4764 wrote to memory of 5088 4764 ttnbth.exe 98 PID 5088 wrote to memory of 4512 5088 3ttnhh.exe 99 PID 5088 wrote to memory of 4512 5088 3ttnhh.exe 99 PID 5088 wrote to memory of 4512 5088 3ttnhh.exe 99 PID 4512 wrote to memory of 3432 4512 ddppd.exe 100 PID 4512 wrote to memory of 3432 4512 ddppd.exe 100 PID 4512 wrote to memory of 3432 4512 ddppd.exe 100 PID 3432 wrote to memory of 3400 3432 xxffxxf.exe 101 PID 3432 wrote to memory of 3400 3432 xxffxxf.exe 101 PID 3432 wrote to memory of 3400 3432 xxffxxf.exe 101 PID 3400 wrote to memory of 2516 3400 bbbttt.exe 102 PID 3400 wrote to memory of 2516 3400 bbbttt.exe 102 PID 3400 wrote to memory of 2516 3400 bbbttt.exe 102 PID 2516 wrote to memory of 1324 2516 bthbtt.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5N.exe"C:\Users\Admin\AppData\Local\Temp\9794268a109c37dc44b5603470b0cc03d539c62a49b0a25497382ec972231ca5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3852 -
\??\c:\flfxffl.exec:\flfxffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
\??\c:\nttnhh.exec:\nttnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\dddvv.exec:\dddvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3664 -
\??\c:\frfxlll.exec:\frfxlll.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272 -
\??\c:\jvdvv.exec:\jvdvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
\??\c:\tttttt.exec:\tttttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\xflffff.exec:\xflffff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\vvddd.exec:\vvddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\1rrrflr.exec:\1rrrflr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176 -
\??\c:\jjppp.exec:\jjppp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
\??\c:\ffrllll.exec:\ffrllll.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
\??\c:\tbhhbh.exec:\tbhhbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
\??\c:\jdjdv.exec:\jdjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\1hbbnn.exec:\1hbbnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\xlrxlxl.exec:\xlrxlxl.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\ttnbth.exec:\ttnbth.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\3ttnhh.exec:\3ttnhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
\??\c:\ddppd.exec:\ddppd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\xxffxxf.exec:\xxffxxf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432 -
\??\c:\bbbttt.exec:\bbbttt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\bthbtt.exec:\bthbtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516 -
\??\c:\jjpjd.exec:\jjpjd.exe23⤵
- Executes dropped EXE
PID:1324 -
\??\c:\vpddj.exec:\vpddj.exe24⤵
- Executes dropped EXE
PID:1204 -
\??\c:\lllffxx.exec:\lllffxx.exe25⤵
- Executes dropped EXE
PID:2192 -
\??\c:\hbbtnn.exec:\hbbtnn.exe26⤵
- Executes dropped EXE
PID:2120 -
\??\c:\5vvvp.exec:\5vvvp.exe27⤵
- Executes dropped EXE
PID:3968 -
\??\c:\9thbtt.exec:\9thbtt.exe28⤵
- Executes dropped EXE
PID:3536 -
\??\c:\xfxrrrr.exec:\xfxrrrr.exe29⤵
- Executes dropped EXE
PID:456 -
\??\c:\dppjj.exec:\dppjj.exe30⤵
- Executes dropped EXE
PID:1656 -
\??\c:\hhtnhb.exec:\hhtnhb.exe31⤵
- Executes dropped EXE
PID:2604 -
\??\c:\pvdvp.exec:\pvdvp.exe32⤵
- Executes dropped EXE
PID:1392 -
\??\c:\rlxllll.exec:\rlxllll.exe33⤵
- Executes dropped EXE
PID:5056 -
\??\c:\jdpjd.exec:\jdpjd.exe34⤵
- Executes dropped EXE
PID:4572 -
\??\c:\9rrlllr.exec:\9rrlllr.exe35⤵
- Executes dropped EXE
PID:3308 -
\??\c:\xrfxrfx.exec:\xrfxrfx.exe36⤵
- Executes dropped EXE
PID:2956 -
\??\c:\htnhtn.exec:\htnhtn.exe37⤵
- Executes dropped EXE
PID:3740 -
\??\c:\vvpjd.exec:\vvpjd.exe38⤵
- Executes dropped EXE
PID:528 -
\??\c:\xxlfffr.exec:\xxlfffr.exe39⤵
- Executes dropped EXE
PID:3032 -
\??\c:\hbhbbb.exec:\hbhbbb.exe40⤵
- Executes dropped EXE
PID:3180 -
\??\c:\dvvjd.exec:\dvvjd.exe41⤵
- Executes dropped EXE
PID:4852 -
\??\c:\rlfflrr.exec:\rlfflrr.exe42⤵
- Executes dropped EXE
PID:2916 -
\??\c:\tbtnhb.exec:\tbtnhb.exe43⤵
- Executes dropped EXE
PID:4988 -
\??\c:\pdvpd.exec:\pdvpd.exe44⤵
- Executes dropped EXE
PID:2180 -
\??\c:\rxxrlxr.exec:\rxxrlxr.exe45⤵
- Executes dropped EXE
PID:4488 -
\??\c:\7nhbbt.exec:\7nhbbt.exe46⤵
- Executes dropped EXE
PID:3788 -
\??\c:\dvjdv.exec:\dvjdv.exe47⤵
- Executes dropped EXE
PID:3472 -
\??\c:\5lrfffl.exec:\5lrfffl.exe48⤵
- Executes dropped EXE
PID:1336 -
\??\c:\5nnhhh.exec:\5nnhhh.exe49⤵
- Executes dropped EXE
PID:2092 -
\??\c:\djpjv.exec:\djpjv.exe50⤵
- Executes dropped EXE
PID:2312 -
\??\c:\pppjd.exec:\pppjd.exe51⤵
- Executes dropped EXE
PID:3964 -
\??\c:\lxrrfxl.exec:\lxrrfxl.exe52⤵
- Executes dropped EXE
PID:1744 -
\??\c:\nntnbt.exec:\nntnbt.exe53⤵
- Executes dropped EXE
PID:4868 -
\??\c:\jjpdv.exec:\jjpdv.exe54⤵
- Executes dropped EXE
PID:3216 -
\??\c:\fffxxrl.exec:\fffxxrl.exe55⤵
- Executes dropped EXE
PID:1272 -
\??\c:\7hhtnh.exec:\7hhtnh.exe56⤵
- Executes dropped EXE
PID:3712 -
\??\c:\ppvvj.exec:\ppvvj.exe57⤵
- Executes dropped EXE
PID:4948 -
\??\c:\5xxxlll.exec:\5xxxlll.exe58⤵
- Executes dropped EXE
PID:3188 -
\??\c:\3hnhhh.exec:\3hnhhh.exe59⤵
- Executes dropped EXE
PID:3036 -
\??\c:\bntntt.exec:\bntntt.exe60⤵
- Executes dropped EXE
PID:4864 -
\??\c:\9jvpj.exec:\9jvpj.exe61⤵
- Executes dropped EXE
PID:2112 -
\??\c:\lfrxfff.exec:\lfrxfff.exe62⤵
- Executes dropped EXE
PID:2388 -
\??\c:\hbnhnn.exec:\hbnhnn.exe63⤵
- Executes dropped EXE
PID:1600 -
\??\c:\jdjdv.exec:\jdjdv.exe64⤵
- Executes dropped EXE
PID:3692 -
\??\c:\pppjd.exec:\pppjd.exe65⤵
- Executes dropped EXE
PID:812 -
\??\c:\9rfxlll.exec:\9rfxlll.exe66⤵PID:3344
-
\??\c:\bbhnhh.exec:\bbhnhh.exe67⤵PID:3068
-
\??\c:\dpvjv.exec:\dpvjv.exe68⤵PID:2248
-
\??\c:\xxfxxrl.exec:\xxfxxrl.exe69⤵PID:3600
-
\??\c:\thtnnn.exec:\thtnnn.exe70⤵PID:2136
-
\??\c:\thbtnn.exec:\thbtnn.exe71⤵PID:3496
-
\??\c:\pjjjj.exec:\pjjjj.exe72⤵PID:632
-
\??\c:\fflllll.exec:\fflllll.exe73⤵PID:2468
-
\??\c:\thbnhb.exec:\thbnhb.exe74⤵PID:4204
-
\??\c:\bhnbnh.exec:\bhnbnh.exe75⤵PID:1348
-
\??\c:\jdppj.exec:\jdppj.exe76⤵
- System Location Discovery: System Language Discovery
PID:3432 -
\??\c:\xrxrfff.exec:\xrxrfff.exe77⤵PID:2124
-
\??\c:\7hhbtn.exec:\7hhbtn.exe78⤵PID:2276
-
\??\c:\pddpd.exec:\pddpd.exe79⤵PID:1860
-
\??\c:\pdpjp.exec:\pdpjp.exe80⤵PID:1416
-
\??\c:\lllllrx.exec:\lllllrx.exe81⤵PID:2108
-
\??\c:\bhttbh.exec:\bhttbh.exe82⤵PID:1204
-
\??\c:\jjjdv.exec:\jjjdv.exe83⤵PID:4076
-
\??\c:\pjppj.exec:\pjppj.exe84⤵PID:1692
-
\??\c:\xrfxxxr.exec:\xrfxxxr.exe85⤵PID:4584
-
\??\c:\bnttnn.exec:\bnttnn.exe86⤵PID:4492
-
\??\c:\7jjdj.exec:\7jjdj.exe87⤵PID:4496
-
\??\c:\xrrrffx.exec:\xrrrffx.exe88⤵PID:1268
-
\??\c:\xxfxrxf.exec:\xxfxrxf.exe89⤵PID:4336
-
\??\c:\hhhbbt.exec:\hhhbbt.exe90⤵PID:2572
-
\??\c:\vpvvj.exec:\vpvvj.exe91⤵PID:2720
-
\??\c:\flrlfff.exec:\flrlfff.exe92⤵PID:4932
-
\??\c:\tbbnbt.exec:\tbbnbt.exe93⤵PID:1392
-
\??\c:\bhtntt.exec:\bhtntt.exe94⤵PID:1156
-
\??\c:\ddpjd.exec:\ddpjd.exe95⤵PID:3756
-
\??\c:\xxrlxrl.exec:\xxrlxrl.exe96⤵PID:3084
-
\??\c:\1hnnhh.exec:\1hnnhh.exe97⤵PID:1520
-
\??\c:\nhnnhn.exec:\nhnnhn.exe98⤵PID:2956
-
\??\c:\jpdvp.exec:\jpdvp.exe99⤵PID:440
-
\??\c:\xxxrxxf.exec:\xxxrxxf.exe100⤵PID:1168
-
\??\c:\btnhtn.exec:\btnhtn.exe101⤵PID:3252
-
\??\c:\1vjdp.exec:\1vjdp.exe102⤵PID:4140
-
\??\c:\jpdvd.exec:\jpdvd.exe103⤵PID:4004
-
\??\c:\xxxlfrl.exec:\xxxlfrl.exe104⤵PID:2916
-
\??\c:\9thtbb.exec:\9thtbb.exe105⤵PID:2980
-
\??\c:\9vvpp.exec:\9vvpp.exe106⤵PID:3924
-
\??\c:\fffrrxx.exec:\fffrrxx.exe107⤵PID:2244
-
\??\c:\bhbnht.exec:\bhbnht.exe108⤵PID:2272
-
\??\c:\3vvpd.exec:\3vvpd.exe109⤵PID:4300
-
\??\c:\ddpjd.exec:\ddpjd.exe110⤵PID:368
-
\??\c:\frxrfxr.exec:\frxrfxr.exe111⤵PID:1548
-
\??\c:\7bhbbb.exec:\7bhbbb.exe112⤵PID:2436
-
\??\c:\vpddv.exec:\vpddv.exe113⤵PID:3980
-
\??\c:\1lfxrxl.exec:\1lfxrxl.exe114⤵PID:3648
-
\??\c:\hnnnnh.exec:\hnnnnh.exe115⤵PID:436
-
\??\c:\ntttnt.exec:\ntttnt.exe116⤵PID:4580
-
\??\c:\dvdpj.exec:\dvdpj.exe117⤵PID:4612
-
\??\c:\xllxrrl.exec:\xllxrrl.exe118⤵PID:4724
-
\??\c:\flrlfxl.exec:\flrlfxl.exe119⤵PID:3848
-
\??\c:\7hnnhh.exec:\7hnnhh.exe120⤵PID:1716
-
\??\c:\vpdpj.exec:\vpdpj.exe121⤵PID:2744
-
\??\c:\lfflxrl.exec:\lfflxrl.exe122⤵PID:3260