Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-12-2024 15:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059N.exe
Resource
win7-20240903-en
7 signatures (note: every signature hit listed below is tagged behavioral2 and keyed to the win10v2004 image named in the header, not to this win7 resource — confirm which run the IoCs belong to before reusing them)
120 seconds
General
-
Target
9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059N.exe
-
Size
456KB
-
MD5
8fb5f6692d9909919dd6780b65403a80
-
SHA1
092d88cb7ee8861a46cace994165119633414b9d
-
SHA256
9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059
-
SHA512
4b3ea023b38f100010404b77c2518ba7a21d4f881b505fa08daf2b965adcbcfef7927b82fc641715eeefbc5f18e570ccff85711995125c630835351fd6aa5a1e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeRe:q7Tc2NYHUrAwfMp3CDRe
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs (YARA rule family_blackmoon matched on in-memory dumps; every hit is the same image range 0x0000000000400000-0x000000000042A000, consistent with a single unpacked payload being re-executed by each process in the chain. The "64" appears to be a display cap rather than the total number of hits, since the process tree below lists 122 processes.)
resource yara_rule behavioral2/memory/440-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3928-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3740-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3500-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-60-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/348-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-122-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1156-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/732-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5040-238-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3024-194-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3420-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/716-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1184-161-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-151-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1112-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4592-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1108-274-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2008-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5060-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3100-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-330-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2428-354-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-370-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3964-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-388-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2172-405-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1168-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4364-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-526-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2244-539-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/312-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2612-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4372-677-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2144-739-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2280-779-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1848-807-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2932-853-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4300-1023-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3092-1159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (display appears capped at 64; the process tree below lists 122 levels). Each dropped binary is written to the drive root (\??\c:\<name>.exe) with a short pseudo-random consonant-only name and is launched by the previously dropped binary, forming a linear spawn chain.
pid Process 3928 lflffxx.exe 3896 1pjdd.exe 4892 9rrlrrl.exe 3976 3jpjv.exe 4300 rffxrlf.exe 3740 dpvjd.exe 3500 5hhbtn.exe 3932 lllfxxr.exe 3900 tnntnh.exe 1080 xrrlfff.exe 2932 htbbtt.exe 1736 9hhbbb.exe 2968 jjpdv.exe 3720 jpvdd.exe 3080 bnnhbb.exe 348 9bnhbb.exe 3772 pvjdv.exe 4592 jjvjj.exe 4872 rflfxxr.exe 3980 ntbtnh.exe 632 nnhbtb.exe 3128 dvvpd.exe 1112 5fflffr.exe 1156 bhnhbt.exe 1580 dpvvp.exe 4428 1vvjd.exe 3668 flrlfxr.exe 1184 nthbnt.exe 716 bbbtnn.exe 4020 9vjdd.exe 3360 frxrrrr.exe 3420 lrrxllf.exe 4748 btbnhh.exe 3488 bntthn.exe 3024 vpvpj.exe 4420 lfllrlr.exe 5080 7lffxfx.exe 2376 5hhbbb.exe 4352 nbnnnn.exe 3892 pddpj.exe 2516 fxlfllr.exe 320 frlfxrx.exe 2512 3nnhbt.exe 820 7thbnn.exe 4432 djpjd.exe 4448 fxxrlfx.exe 1584 lxfxxrr.exe 5040 7nhbbb.exe 1940 pvdvv.exe 2216 vpvpp.exe 4596 fxxlfxr.exe 732 xlxfxrr.exe 3204 hntbtb.exe 2128 9ddvv.exe 4268 lxfxrrl.exe 404 tnnttt.exe 3652 djjdd.exe 1108 hhhbtn.exe 4284 pdjdv.exe 4980 nhbbtt.exe 2336 tnbtnh.exe 4460 lrxrlfl.exe 856 nhnhhb.exe 2008 bhhhhh.exe -
resource yara_rule behavioral2/memory/440-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3928-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4300-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-22-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3740-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3500-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/348-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1156-139-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/732-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5040-238-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3892-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3024-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3420-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/716-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1184-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1112-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4592-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1108-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2008-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3100-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-330-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2428-354-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-370-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3964-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-388-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-401-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2172-405-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1168-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4364-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2244-539-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/312-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2612-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4372-677-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2144-739-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2280-779-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1848-807-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2932-853-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the registry key HKLM\SYSTEM\ControlSet001\Control\NLS\Language) in order to infer its geographical location. This key is also read by many legitimate applications for locale lookup, so on its own it is a low-confidence indicator; it carries weight here only in combination with the dropper chain and the Blackmoon memory matches above.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thntnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxxxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9llxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xfflff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvpdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfflll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nntnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (every listed entry is a parent writing three times to the process it has just spawned — the next link in the chain — which is consistent with ordinary child-process creation rather than injection into an unrelated process; do not treat this signature alone as evidence of cross-process injection. Entries are keyed by PID, and several PIDs recur later in the chain, so PID alone is not a unique process identifier in this report.)
description pid Process procid_target PID 440 wrote to memory of 3928 440 9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059N.exe 82 PID 440 wrote to memory of 3928 440 9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059N.exe 82 PID 440 wrote to memory of 3928 440 9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059N.exe 82 PID 3928 wrote to memory of 3896 3928 lflffxx.exe 83 PID 3928 wrote to memory of 3896 3928 lflffxx.exe 83 PID 3928 wrote to memory of 3896 3928 lflffxx.exe 83 PID 3896 wrote to memory of 4892 3896 1pjdd.exe 84 PID 3896 wrote to memory of 4892 3896 1pjdd.exe 84 PID 3896 wrote to memory of 4892 3896 1pjdd.exe 84 PID 4892 wrote to memory of 3976 4892 9rrlrrl.exe 85 PID 4892 wrote to memory of 3976 4892 9rrlrrl.exe 85 PID 4892 wrote to memory of 3976 4892 9rrlrrl.exe 85 PID 3976 wrote to memory of 4300 3976 3jpjv.exe 86 PID 3976 wrote to memory of 4300 3976 3jpjv.exe 86 PID 3976 wrote to memory of 4300 3976 3jpjv.exe 86 PID 4300 wrote to memory of 3740 4300 rffxrlf.exe 87 PID 4300 wrote to memory of 3740 4300 rffxrlf.exe 87 PID 4300 wrote to memory of 3740 4300 rffxrlf.exe 87 PID 3740 wrote to memory of 3500 3740 dpvjd.exe 88 PID 3740 wrote to memory of 3500 3740 dpvjd.exe 88 PID 3740 wrote to memory of 3500 3740 dpvjd.exe 88 PID 3500 wrote to memory of 3932 3500 5hhbtn.exe 89 PID 3500 wrote to memory of 3932 3500 5hhbtn.exe 89 PID 3500 wrote to memory of 3932 3500 5hhbtn.exe 89 PID 3932 wrote to memory of 3900 3932 lllfxxr.exe 90 PID 3932 wrote to memory of 3900 3932 lllfxxr.exe 90 PID 3932 wrote to memory of 3900 3932 lllfxxr.exe 90 PID 3900 wrote to memory of 1080 3900 tnntnh.exe 91 PID 3900 wrote to memory of 1080 3900 tnntnh.exe 91 PID 3900 wrote to memory of 1080 3900 tnntnh.exe 91 PID 1080 wrote to memory of 2932 1080 xrrlfff.exe 92 PID 1080 wrote to memory of 2932 1080 xrrlfff.exe 92 PID 1080 wrote to memory of 2932 1080 xrrlfff.exe 92 PID 2932 wrote to memory of 1736 2932 htbbtt.exe 93 PID 2932 wrote 
to memory of 1736 2932 htbbtt.exe 93 PID 2932 wrote to memory of 1736 2932 htbbtt.exe 93 PID 1736 wrote to memory of 2968 1736 9hhbbb.exe 94 PID 1736 wrote to memory of 2968 1736 9hhbbb.exe 94 PID 1736 wrote to memory of 2968 1736 9hhbbb.exe 94 PID 2968 wrote to memory of 3720 2968 jjpdv.exe 95 PID 2968 wrote to memory of 3720 2968 jjpdv.exe 95 PID 2968 wrote to memory of 3720 2968 jjpdv.exe 95 PID 3720 wrote to memory of 3080 3720 jpvdd.exe 96 PID 3720 wrote to memory of 3080 3720 jpvdd.exe 96 PID 3720 wrote to memory of 3080 3720 jpvdd.exe 96 PID 3080 wrote to memory of 348 3080 bnnhbb.exe 97 PID 3080 wrote to memory of 348 3080 bnnhbb.exe 97 PID 3080 wrote to memory of 348 3080 bnnhbb.exe 97 PID 348 wrote to memory of 3772 348 9bnhbb.exe 98 PID 348 wrote to memory of 3772 348 9bnhbb.exe 98 PID 348 wrote to memory of 3772 348 9bnhbb.exe 98 PID 3772 wrote to memory of 4592 3772 pvjdv.exe 99 PID 3772 wrote to memory of 4592 3772 pvjdv.exe 99 PID 3772 wrote to memory of 4592 3772 pvjdv.exe 99 PID 4592 wrote to memory of 4872 4592 jjvjj.exe 100 PID 4592 wrote to memory of 4872 4592 jjvjj.exe 100 PID 4592 wrote to memory of 4872 4592 jjvjj.exe 100 PID 4872 wrote to memory of 3980 4872 rflfxxr.exe 101 PID 4872 wrote to memory of 3980 4872 rflfxxr.exe 101 PID 4872 wrote to memory of 3980 4872 rflfxxr.exe 101 PID 3980 wrote to memory of 632 3980 ntbtnh.exe 102 PID 3980 wrote to memory of 632 3980 ntbtnh.exe 102 PID 3980 wrote to memory of 632 3980 ntbtnh.exe 102 PID 632 wrote to memory of 3128 632 nnhbtb.exe 103
Processes (the nesting level N⤵ is the depth in the spawn chain: each dropped executable launches the next. Several PIDs recur later in the chain — e.g. 3128, 4428, 4420, 3932, 1736, 5040 — which indicates earlier links had exited and their PIDs were reused; the memory-dump IoCs above therefore contain distinct dumps for the same PID, such as 4420-198 and 4420-379, and should be correlated by PID plus dump offset, not PID alone.)
-
C:\Users\Admin\AppData\Local\Temp\9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059N.exe"C:\Users\Admin\AppData\Local\Temp\9219a3239c6e5b34498a33c730b0dd03e441996b5ea6a1644a786b9ddedff059N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:440 -
\??\c:\lflffxx.exec:\lflffxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
\??\c:\1pjdd.exec:\1pjdd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\9rrlrrl.exec:\9rrlrrl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
\??\c:\3jpjv.exec:\3jpjv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\rffxrlf.exec:\rffxrlf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\dpvjd.exec:\dpvjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\5hhbtn.exec:\5hhbtn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
\??\c:\lllfxxr.exec:\lllfxxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\tnntnh.exec:\tnntnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3900 -
\??\c:\xrrlfff.exec:\xrrlfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\htbbtt.exec:\htbbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
\??\c:\9hhbbb.exec:\9hhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
\??\c:\jjpdv.exec:\jjpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2968 -
\??\c:\jpvdd.exec:\jpvdd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3720 -
\??\c:\bnnhbb.exec:\bnnhbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3080 -
\??\c:\9bnhbb.exec:\9bnhbb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348 -
\??\c:\pvjdv.exec:\pvjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\jjvjj.exec:\jjvjj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
\??\c:\rflfxxr.exec:\rflfxxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\ntbtnh.exec:\ntbtnh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\nnhbtb.exec:\nnhbtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632 -
\??\c:\dvvpd.exec:\dvvpd.exe23⤵
- Executes dropped EXE
PID:3128 -
\??\c:\5fflffr.exec:\5fflffr.exe24⤵
- Executes dropped EXE
PID:1112 -
\??\c:\bhnhbt.exec:\bhnhbt.exe25⤵
- Executes dropped EXE
PID:1156 -
\??\c:\dpvvp.exec:\dpvvp.exe26⤵
- Executes dropped EXE
PID:1580 -
\??\c:\1vvjd.exec:\1vvjd.exe27⤵
- Executes dropped EXE
PID:4428 -
\??\c:\flrlfxr.exec:\flrlfxr.exe28⤵
- Executes dropped EXE
PID:3668 -
\??\c:\nthbnt.exec:\nthbnt.exe29⤵
- Executes dropped EXE
PID:1184 -
\??\c:\bbbtnn.exec:\bbbtnn.exe30⤵
- Executes dropped EXE
PID:716 -
\??\c:\9vjdd.exec:\9vjdd.exe31⤵
- Executes dropped EXE
PID:4020 -
\??\c:\frxrrrr.exec:\frxrrrr.exe32⤵
- Executes dropped EXE
PID:3360 -
\??\c:\lrrxllf.exec:\lrrxllf.exe33⤵
- Executes dropped EXE
PID:3420 -
\??\c:\btbnhh.exec:\btbnhh.exe34⤵
- Executes dropped EXE
PID:4748 -
\??\c:\bntthn.exec:\bntthn.exe35⤵
- Executes dropped EXE
PID:3488 -
\??\c:\vpvpj.exec:\vpvpj.exe36⤵
- Executes dropped EXE
PID:3024 -
\??\c:\lfllrlr.exec:\lfllrlr.exe37⤵
- Executes dropped EXE
PID:4420 -
\??\c:\7lffxfx.exec:\7lffxfx.exe38⤵
- Executes dropped EXE
PID:5080 -
\??\c:\5hhbbb.exec:\5hhbbb.exe39⤵
- Executes dropped EXE
PID:2376 -
\??\c:\nbnnnn.exec:\nbnnnn.exe40⤵
- Executes dropped EXE
PID:4352 -
\??\c:\pddpj.exec:\pddpj.exe41⤵
- Executes dropped EXE
PID:3892 -
\??\c:\fxlfllr.exec:\fxlfllr.exe42⤵
- Executes dropped EXE
PID:2516 -
\??\c:\frlfxrx.exec:\frlfxrx.exe43⤵
- Executes dropped EXE
PID:320 -
\??\c:\3nnhbt.exec:\3nnhbt.exe44⤵
- Executes dropped EXE
PID:2512 -
\??\c:\7thbnn.exec:\7thbnn.exe45⤵
- Executes dropped EXE
PID:820 -
\??\c:\djpjd.exec:\djpjd.exe46⤵
- Executes dropped EXE
PID:4432 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe47⤵
- Executes dropped EXE
PID:4448 -
\??\c:\lxfxxrr.exec:\lxfxxrr.exe48⤵
- Executes dropped EXE
PID:1584 -
\??\c:\7nhbbb.exec:\7nhbbb.exe49⤵
- Executes dropped EXE
PID:5040 -
\??\c:\pvdvv.exec:\pvdvv.exe50⤵
- Executes dropped EXE
PID:1940 -
\??\c:\vpvpp.exec:\vpvpp.exe51⤵
- Executes dropped EXE
PID:2216 -
\??\c:\fxxlfxr.exec:\fxxlfxr.exe52⤵
- Executes dropped EXE
PID:4596 -
\??\c:\xlxfxrr.exec:\xlxfxrr.exe53⤵
- Executes dropped EXE
PID:732 -
\??\c:\hntbtb.exec:\hntbtb.exe54⤵
- Executes dropped EXE
PID:3204 -
\??\c:\9ddvv.exec:\9ddvv.exe55⤵
- Executes dropped EXE
PID:2128 -
\??\c:\lxfxrrl.exec:\lxfxrrl.exe56⤵
- Executes dropped EXE
PID:4268 -
\??\c:\tnnttt.exec:\tnnttt.exe57⤵
- Executes dropped EXE
PID:404 -
\??\c:\djjdd.exec:\djjdd.exe58⤵
- Executes dropped EXE
PID:3652 -
\??\c:\hhhbtn.exec:\hhhbtn.exe59⤵
- Executes dropped EXE
PID:1108 -
\??\c:\pdjdv.exec:\pdjdv.exe60⤵
- Executes dropped EXE
PID:4284 -
\??\c:\nhbbtt.exec:\nhbbtt.exe61⤵
- Executes dropped EXE
PID:4980 -
\??\c:\tnbtnh.exec:\tnbtnh.exe62⤵
- Executes dropped EXE
PID:2336 -
\??\c:\lrxrlfl.exec:\lrxrlfl.exe63⤵
- Executes dropped EXE
PID:4460 -
\??\c:\nhnhhb.exec:\nhnhhb.exe64⤵
- Executes dropped EXE
PID:856 -
\??\c:\bhhhhh.exec:\bhhhhh.exe65⤵
- Executes dropped EXE
PID:2008 -
\??\c:\9nnbnh.exec:\9nnbnh.exe66⤵PID:3464
-
\??\c:\nbbbtt.exec:\nbbbtt.exe67⤵PID:2164
-
\??\c:\vpjdv.exec:\vpjdv.exe68⤵PID:4912
-
\??\c:\llfxlll.exec:\llfxlll.exe69⤵PID:5088
-
\??\c:\xllxrfx.exec:\xllxrfx.exe70⤵PID:3248
-
\??\c:\tntnhb.exec:\tntnhb.exe71⤵PID:4836
-
\??\c:\pppjd.exec:\pppjd.exe72⤵PID:5060
-
\??\c:\3pjdd.exec:\3pjdd.exe73⤵PID:2964
-
\??\c:\xlrfrrl.exec:\xlrfrrl.exe74⤵PID:3804
-
\??\c:\hhhthh.exec:\hhhthh.exe75⤵PID:3100
-
\??\c:\9pvjj.exec:\9pvjj.exe76⤵PID:760
-
\??\c:\fxrlfxr.exec:\fxrlfxr.exe77⤵PID:3128
-
\??\c:\lrfrlfr.exec:\lrfrlfr.exe78⤵PID:4724
-
\??\c:\1bbbtb.exec:\1bbbtb.exe79⤵PID:1364
-
\??\c:\vpvpd.exec:\vpvpd.exe80⤵PID:4620
-
\??\c:\lrrlfxr.exec:\lrrlfxr.exe81⤵PID:4428
-
\??\c:\nhtbtt.exec:\nhtbtt.exe82⤵PID:4788
-
\??\c:\btbbtt.exec:\btbbtt.exe83⤵PID:2428
-
\??\c:\pjvdv.exec:\pjvdv.exe84⤵PID:380
-
\??\c:\xllfrrl.exec:\xllfrrl.exe85⤵PID:4732
-
\??\c:\7xxrllx.exec:\7xxrllx.exe86⤵PID:4792
-
\??\c:\bbbbtt.exec:\bbbbtt.exe87⤵PID:2736
-
\??\c:\5nttnh.exec:\5nttnh.exe88⤵PID:2260
-
\??\c:\vpvpv.exec:\vpvpv.exe89⤵PID:3964
-
\??\c:\rflxrrf.exec:\rflxrrf.exe90⤵PID:4420
-
\??\c:\ntbtnn.exec:\ntbtnn.exe91⤵PID:3004
-
\??\c:\httnhn.exec:\httnhn.exe92⤵PID:3380
-
\??\c:\5vvpj.exec:\5vvpj.exe93⤵PID:4408
-
\??\c:\lffxllf.exec:\lffxllf.exe94⤵PID:644
-
\??\c:\rllfxrl.exec:\rllfxrl.exe95⤵PID:3444
-
\??\c:\3nbhnn.exec:\3nbhnn.exe96⤵PID:2020
-
\??\c:\5djdp.exec:\5djdp.exe97⤵PID:4016
-
\??\c:\fffxllf.exec:\fffxllf.exe98⤵PID:2172
-
\??\c:\bthbnh.exec:\bthbnh.exe99⤵PID:2012
-
\??\c:\ntnnhb.exec:\ntnnhb.exe100⤵PID:4220
-
\??\c:\9jvdv.exec:\9jvdv.exe101⤵PID:1036
-
\??\c:\frxrlxx.exec:\frxrlxx.exe102⤵PID:1084
-
\??\c:\xllffxx.exec:\xllffxx.exe103⤵PID:4056
-
\??\c:\tnnnhh.exec:\tnnnhh.exe104⤵PID:5040
-
\??\c:\jvdvp.exec:\jvdvp.exe105⤵PID:544
-
\??\c:\lflxrrl.exec:\lflxrrl.exe106⤵PID:4852
-
\??\c:\rlfrlxr.exec:\rlfrlxr.exe107⤵PID:4384
-
\??\c:\ttbbbt.exec:\ttbbbt.exe108⤵PID:1272
-
\??\c:\jvdvp.exec:\jvdvp.exe109⤵PID:3984
-
\??\c:\frxrflf.exec:\frxrflf.exe110⤵PID:4288
-
\??\c:\lfxrfxl.exec:\lfxrfxl.exe111⤵PID:4608
-
\??\c:\tnhtbt.exec:\tnhtbt.exe112⤵PID:1168
-
\??\c:\jvddv.exec:\jvddv.exe113⤵PID:2896
-
\??\c:\9llxlfr.exec:\9llxlfr.exe114⤵PID:4532
-
\??\c:\7ffxfxf.exec:\7ffxfxf.exe115⤵PID:3600
-
\??\c:\tnhtnn.exec:\tnhtnn.exe116⤵PID:3160
-
\??\c:\pjpdp.exec:\pjpdp.exe117⤵PID:3932
-
\??\c:\3vpjp.exec:\3vpjp.exe118⤵PID:4364
-
\??\c:\nthtnh.exec:\nthtnh.exe119⤵PID:452
-
\??\c:\nnnbnh.exec:\nnnbnh.exe120⤵PID:2744
-
\??\c:\jjdvj.exec:\jjdvj.exe121⤵PID:3032
-
\??\c:\rllxrxr.exec:\rllxrxr.exe122⤵PID:1736