Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
29/12/2024, 02:08
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2.exe
Resource
win7-20241010-en (behavioral1 is a Windows 7 run; the signature hits and process tree shown below are tagged behavioral2, presumably the Windows 10 run described under Analysis above, so the Windows 7 results are not on this page)
7 signatures
150 seconds
General
-
Target
9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2.exe
-
Size
454KB
-
MD5
7f6afa959f22a138b2b49c396a1d5c3f
-
SHA1
d0245159a4f53652b3d013104068eb359e151592
-
SHA256
9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2
-
SHA512
34931164f904c77bfdb1f48fc270562c4916adad5895fdb8b3d6598d85b67c9bd2528cfeb61ff45230fb8fac6ceb4ab6663e7169502ca277998f1ce588bf0886
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeb:q7Tc2NYHUrAwfMp3CDb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 63 IoCs (every hit is the same 0x00400000–0x0042A000 image region, first in the submitted sample's process and then in each dropped executable, so the dropped files appear to carry the same payload re-dropped under a new name rather than distinct stages)
resource yara_rule behavioral2/memory/4456-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2620-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-35-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1308-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1504-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3408-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2904-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4848-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1172-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-106-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/412-128-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1664-133-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3688-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4092-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1944-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1692-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1472-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4912-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1304-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1300-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5080-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3636-241-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-247-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5044-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/440-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2636-281-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5088-303-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1200-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3784-348-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4780-358-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/720-374-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3988-381-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3336-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2196-439-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-467-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-489-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-502-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4700-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1624-528-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-728-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/676-732-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-787-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3404-982-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4432-1031-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2192-1077-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2872-1108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3168-1130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the IoC listing appears capped at 64 entries, as are the other signatures below; the process tree continues well past the last listed file, 3jdvj.exe, so the real number of dropped executables is higher)
pid Process 4088 pjjdd.exe 2148 frrrlff.exe 2620 djpjd.exe 216 xrrlrrx.exe 4904 pdjdv.exe 1308 ntbbtn.exe 828 xffxllf.exe 1504 thhntn.exe 3408 dvdvv.exe 2904 5ffrllf.exe 4848 tbbthb.exe 2388 7bhthh.exe 4612 3lrlflf.exe 372 7tbbtt.exe 1172 pjpjp.exe 1456 lffxrrl.exe 4728 httnbb.exe 3660 ppvpj.exe 3464 dvvjp.exe 4640 rxflrfx.exe 412 bbhbhh.exe 1664 rllfxxr.exe 3688 fxxrlll.exe 4092 1ntntt.exe 404 5rxrxfx.exe 3744 9jdvd.exe 3404 1fllfff.exe 1944 9tttnn.exe 1160 1ppjd.exe 1692 7rrxrfx.exe 1472 bttnbn.exe 3532 fffxxxl.exe 1320 bnbthb.exe 4472 fxfxrlf.exe 4404 tbnhbn.exe 4912 9rfxllx.exe 1304 vdvdv.exe 2740 3fxlffx.exe 4660 lxxlrlf.exe 1300 7ntnbb.exe 2452 hthhnt.exe 1392 pjpdv.exe 2236 5frfxrf.exe 4680 hnthbt.exe 2952 9hbnbt.exe 5080 9pjdv.exe 3636 llxrllf.exe 4084 hnnhtb.exe 4916 9nhbnh.exe 5044 pddvp.exe 440 fxfxfff.exe 4860 hntnhb.exe 3796 llxrlfx.exe 2192 htbttn.exe 3496 nbbnhb.exe 2456 dvvjp.exe 1156 fflffrl.exe 3840 httbtt.exe 2636 hntnhh.exe 3888 ddjvv.exe 2532 frxrxxx.exe 2424 hbbbtt.exe 3396 dpjdj.exe 944 3jdvj.exe -
resource yara_rule behavioral2/memory/4456-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2620-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-35-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1504-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3408-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2904-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4848-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-106-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/412-128-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1664-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3688-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4092-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1944-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1692-178-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1472-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4912-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1304-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1300-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5080-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3636-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-247-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/440-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2636-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5088-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1200-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3784-348-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4780-358-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/720-374-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3988-381-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3336-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-404-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2096-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2196-439-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-467-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-489-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-502-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4700-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1624-528-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-592-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-728-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/676-732-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-787-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3404-982-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4432-1031-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2192-1077-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2872-1108-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Caveat: opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is also routine for legitimate locale-aware software, so this is a weak indicator on its own; it is notable here because the hits come from the chain of dropped executables. Most entries read "Process not Found", most likely because the short-lived dropped process had already exited before the sandbox attributed the key access (several PIDs, e.g. 412 and 4404, are visibly reused later in the process tree).
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflffff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxrlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhtntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1nhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvdp.exe -
Suspicious use of WriteProcessMemory — 64 IoCs (each parent writes only into the child it has just spawned, three times, before that child in turn spawns the next stage; this matches hand-off between stages of the drop chain rather than injection into an unrelated process, though the written content is not shown here)
description pid Process procid_target PID 4456 wrote to memory of 4088 4456 9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2.exe 84 PID 4456 wrote to memory of 4088 4456 9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2.exe 84 PID 4456 wrote to memory of 4088 4456 9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2.exe 84 PID 4088 wrote to memory of 2148 4088 pjjdd.exe 85 PID 4088 wrote to memory of 2148 4088 pjjdd.exe 85 PID 4088 wrote to memory of 2148 4088 pjjdd.exe 85 PID 2148 wrote to memory of 2620 2148 frrrlff.exe 86 PID 2148 wrote to memory of 2620 2148 frrrlff.exe 86 PID 2148 wrote to memory of 2620 2148 frrrlff.exe 86 PID 2620 wrote to memory of 216 2620 djpjd.exe 87 PID 2620 wrote to memory of 216 2620 djpjd.exe 87 PID 2620 wrote to memory of 216 2620 djpjd.exe 87 PID 216 wrote to memory of 4904 216 xrrlrrx.exe 88 PID 216 wrote to memory of 4904 216 xrrlrrx.exe 88 PID 216 wrote to memory of 4904 216 xrrlrrx.exe 88 PID 4904 wrote to memory of 1308 4904 pdjdv.exe 89 PID 4904 wrote to memory of 1308 4904 pdjdv.exe 89 PID 4904 wrote to memory of 1308 4904 pdjdv.exe 89 PID 1308 wrote to memory of 828 1308 ntbbtn.exe 90 PID 1308 wrote to memory of 828 1308 ntbbtn.exe 90 PID 1308 wrote to memory of 828 1308 ntbbtn.exe 90 PID 828 wrote to memory of 1504 828 xffxllf.exe 91 PID 828 wrote to memory of 1504 828 xffxllf.exe 91 PID 828 wrote to memory of 1504 828 xffxllf.exe 91 PID 1504 wrote to memory of 3408 1504 thhntn.exe 92 PID 1504 wrote to memory of 3408 1504 thhntn.exe 92 PID 1504 wrote to memory of 3408 1504 thhntn.exe 92 PID 3408 wrote to memory of 2904 3408 dvdvv.exe 93 PID 3408 wrote to memory of 2904 3408 dvdvv.exe 93 PID 3408 wrote to memory of 2904 3408 dvdvv.exe 93 PID 2904 wrote to memory of 4848 2904 5ffrllf.exe 94 PID 2904 wrote to memory of 4848 2904 5ffrllf.exe 94 PID 2904 wrote to memory of 4848 2904 5ffrllf.exe 94 PID 4848 wrote to memory of 2388 4848 tbbthb.exe 95 PID 4848 wrote to memory of 2388 4848 
tbbthb.exe 95 PID 4848 wrote to memory of 2388 4848 tbbthb.exe 95 PID 2388 wrote to memory of 4612 2388 7bhthh.exe 96 PID 2388 wrote to memory of 4612 2388 7bhthh.exe 96 PID 2388 wrote to memory of 4612 2388 7bhthh.exe 96 PID 4612 wrote to memory of 372 4612 3lrlflf.exe 97 PID 4612 wrote to memory of 372 4612 3lrlflf.exe 97 PID 4612 wrote to memory of 372 4612 3lrlflf.exe 97 PID 372 wrote to memory of 1172 372 7tbbtt.exe 98 PID 372 wrote to memory of 1172 372 7tbbtt.exe 98 PID 372 wrote to memory of 1172 372 7tbbtt.exe 98 PID 1172 wrote to memory of 1456 1172 pjpjp.exe 99 PID 1172 wrote to memory of 1456 1172 pjpjp.exe 99 PID 1172 wrote to memory of 1456 1172 pjpjp.exe 99 PID 1456 wrote to memory of 4728 1456 lffxrrl.exe 100 PID 1456 wrote to memory of 4728 1456 lffxrrl.exe 100 PID 1456 wrote to memory of 4728 1456 lffxrrl.exe 100 PID 4728 wrote to memory of 3660 4728 httnbb.exe 101 PID 4728 wrote to memory of 3660 4728 httnbb.exe 101 PID 4728 wrote to memory of 3660 4728 httnbb.exe 101 PID 3660 wrote to memory of 3464 3660 ppvpj.exe 102 PID 3660 wrote to memory of 3464 3660 ppvpj.exe 102 PID 3660 wrote to memory of 3464 3660 ppvpj.exe 102 PID 3464 wrote to memory of 4640 3464 dvvjp.exe 103 PID 3464 wrote to memory of 4640 3464 dvvjp.exe 103 PID 3464 wrote to memory of 4640 3464 dvvjp.exe 103 PID 4640 wrote to memory of 412 4640 rxflrfx.exe 104 PID 4640 wrote to memory of 412 4640 rxflrfx.exe 104 PID 4640 wrote to memory of 412 4640 rxflrfx.exe 104 PID 412 wrote to memory of 1664 412 bbhbhh.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2.exe — command line: "C:\Users\Admin\AppData\Local\Temp\9968f321c6feb5f5d6b6ab84cc2bc419c5a35dac14cbe2b5d3fb83010a007dc2.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:4456 -
\??\c:\pjjdd.exe — command line: c:\pjjdd.exe 2⤵ (note the drop location is the root of the system drive, which on a default-configured host normally requires elevated rights to create files in; the sandbox runs the sample as the Admin user)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088 -
\??\c:\frrrlff.exec:\frrrlff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\djpjd.exec:\djpjd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2620 -
\??\c:\xrrlrrx.exec:\xrrlrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\pdjdv.exec:\pdjdv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
\??\c:\ntbbtn.exec:\ntbbtn.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308 -
\??\c:\xffxllf.exec:\xffxllf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828 -
\??\c:\thhntn.exec:\thhntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1504 -
\??\c:\dvdvv.exec:\dvdvv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3408 -
\??\c:\5ffrllf.exec:\5ffrllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2904 -
\??\c:\tbbthb.exec:\tbbthb.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848 -
\??\c:\7bhthh.exec:\7bhthh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2388 -
\??\c:\3lrlflf.exec:\3lrlflf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\7tbbtt.exec:\7tbbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
\??\c:\pjpjp.exec:\pjpjp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
\??\c:\lffxrrl.exec:\lffxrrl.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\httnbb.exec:\httnbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4728 -
\??\c:\ppvpj.exec:\ppvpj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\dvvjp.exec:\dvvjp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3464 -
\??\c:\rxflrfx.exec:\rxflrfx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
\??\c:\bbhbhh.exec:\bbhbhh.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412 -
\??\c:\rllfxxr.exec:\rllfxxr.exe23⤵
- Executes dropped EXE
PID:1664 -
\??\c:\fxxrlll.exec:\fxxrlll.exe24⤵
- Executes dropped EXE
PID:3688 -
\??\c:\1ntntt.exec:\1ntntt.exe25⤵
- Executes dropped EXE
PID:4092 -
\??\c:\5rxrxfx.exec:\5rxrxfx.exe26⤵
- Executes dropped EXE
PID:404 -
\??\c:\9jdvd.exec:\9jdvd.exe27⤵
- Executes dropped EXE
PID:3744 -
\??\c:\1fllfff.exec:\1fllfff.exe28⤵
- Executes dropped EXE
PID:3404 -
\??\c:\9tttnn.exec:\9tttnn.exe29⤵
- Executes dropped EXE
PID:1944 -
\??\c:\1ppjd.exec:\1ppjd.exe30⤵
- Executes dropped EXE
PID:1160 -
\??\c:\7rrxrfx.exec:\7rrxrfx.exe31⤵
- Executes dropped EXE
PID:1692 -
\??\c:\bttnbn.exec:\bttnbn.exe32⤵
- Executes dropped EXE
PID:1472 -
\??\c:\fffxxxl.exec:\fffxxxl.exe33⤵
- Executes dropped EXE
PID:3532 -
\??\c:\bnbthb.exec:\bnbthb.exe34⤵
- Executes dropped EXE
PID:1320 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe35⤵
- Executes dropped EXE
PID:4472 -
\??\c:\tbnhbn.exec:\tbnhbn.exe36⤵
- Executes dropped EXE
PID:4404 -
\??\c:\9rfxllx.exec:\9rfxllx.exe37⤵
- Executes dropped EXE
PID:4912 -
\??\c:\vdvdv.exec:\vdvdv.exe38⤵
- Executes dropped EXE
PID:1304 -
\??\c:\3fxlffx.exec:\3fxlffx.exe39⤵
- Executes dropped EXE
PID:2740 -
\??\c:\lxxlrlf.exec:\lxxlrlf.exe40⤵
- Executes dropped EXE
PID:4660 -
\??\c:\7ntnbb.exec:\7ntnbb.exe41⤵
- Executes dropped EXE
PID:1300 -
\??\c:\hthhnt.exec:\hthhnt.exe42⤵
- Executes dropped EXE
PID:2452 -
\??\c:\pjpdv.exec:\pjpdv.exe43⤵
- Executes dropped EXE
PID:1392 -
\??\c:\5frfxrf.exec:\5frfxrf.exe44⤵
- Executes dropped EXE
PID:2236 -
\??\c:\hnthbt.exec:\hnthbt.exe45⤵
- Executes dropped EXE
PID:4680 -
\??\c:\9hbnbt.exec:\9hbnbt.exe46⤵
- Executes dropped EXE
PID:2952 -
\??\c:\9pjdv.exec:\9pjdv.exe47⤵
- Executes dropped EXE
PID:5080 -
\??\c:\llxrllf.exec:\llxrllf.exe48⤵
- Executes dropped EXE
PID:3636 -
\??\c:\hnnhtb.exec:\hnnhtb.exe49⤵
- Executes dropped EXE
PID:4084 -
\??\c:\9nhbnh.exec:\9nhbnh.exe50⤵
- Executes dropped EXE
PID:4916 -
\??\c:\pddvp.exec:\pddvp.exe51⤵
- Executes dropped EXE
PID:5044 -
\??\c:\fxfxfff.exec:\fxfxfff.exe52⤵
- Executes dropped EXE
PID:440 -
\??\c:\hntnhb.exec:\hntnhb.exe53⤵
- Executes dropped EXE
PID:4860 -
\??\c:\llxrlfx.exec:\llxrlfx.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3796 -
\??\c:\htbttn.exec:\htbttn.exe55⤵
- Executes dropped EXE
PID:2192 -
\??\c:\nbbnhb.exec:\nbbnhb.exe56⤵
- Executes dropped EXE
PID:3496 -
\??\c:\dvvjp.exec:\dvvjp.exe57⤵
- Executes dropped EXE
PID:2456 -
\??\c:\fflffrl.exec:\fflffrl.exe58⤵
- Executes dropped EXE
PID:1156 -
\??\c:\httbtt.exec:\httbtt.exe59⤵
- Executes dropped EXE
PID:3840 -
\??\c:\hntnhh.exec:\hntnhh.exe60⤵
- Executes dropped EXE
PID:2636 -
\??\c:\ddjvv.exec:\ddjvv.exe61⤵
- Executes dropped EXE
PID:3888 -
\??\c:\frxrxxx.exec:\frxrxxx.exe62⤵
- Executes dropped EXE
PID:2532 -
\??\c:\hbbbtt.exec:\hbbbtt.exe63⤵
- Executes dropped EXE
PID:2424 -
\??\c:\dpjdj.exec:\dpjdj.exe64⤵
- Executes dropped EXE
PID:3396 -
\??\c:\3jdvj.exec:\3jdvj.exe65⤵
- Executes dropped EXE
PID:944 -
\??\c:\xrrxrxr.exe — command line: c:\xrrxrxr.exe 66⤵ PID:3196
-
\??\c:\thbtnh.exec:\thbtnh.exe67⤵PID:5088
-
\??\c:\vjppp.exec:\vjppp.exe68⤵PID:1576
-
\??\c:\7xlfrrl.exec:\7xlfrrl.exe69⤵PID:2040
-
\??\c:\fxrfxll.exec:\fxrfxll.exe70⤵PID:4832
-
\??\c:\hbhbtt.exec:\hbhbtt.exe71⤵PID:2432
-
\??\c:\bntnhh.exec:\bntnhh.exe72⤵PID:4208
-
\??\c:\pjjvp.exec:\pjjvp.exe73⤵PID:4512
-
\??\c:\xlxxllf.exec:\xlxxllf.exe74⤵PID:4424
-
\??\c:\nhhbhb.exec:\nhhbhb.exe75⤵PID:912
-
\??\c:\nbhbtt.exec:\nbhbtt.exe76⤵PID:2604
-
\??\c:\vppdv.exec:\vppdv.exe77⤵PID:4836
-
\??\c:\lrrlrlr.exec:\lrrlrlr.exe78⤵PID:2940
-
\??\c:\1bbtnn.exec:\1bbtnn.exe79⤵PID:4948
-
\??\c:\7dvvp.exec:\7dvvp.exe80⤵PID:1200
-
\??\c:\dpvpd.exec:\dpvpd.exe81⤵PID:3784
-
\??\c:\xxxrllf.exec:\xxxrllf.exe82⤵PID:468
-
\??\c:\bbbbbb.exe — command line: c:\bbbbbb.exe 83⤵ PID:412 (PID reused: bbhbhh.exe at depth 22 ran under 412 earlier, so that stage had already exited)
-
\??\c:\ddjpv.exec:\ddjpv.exe84⤵PID:4780
-
\??\c:\fxlffxx.exec:\fxlffxx.exe85⤵PID:3592
-
\??\c:\7ttnhh.exec:\7ttnhh.exe86⤵PID:3908
-
\??\c:\3pjdp.exec:\3pjdp.exe87⤵PID:1784
-
\??\c:\ffxlxxl.exec:\ffxlxxl.exe88⤵PID:1516
-
\??\c:\3xffffx.exec:\3xffffx.exe89⤵PID:720
-
\??\c:\bnnhbb.exec:\bnnhbb.exe90⤵PID:4072
-
\??\c:\vddvj.exec:\vddvj.exe91⤵PID:3988
-
\??\c:\rxfxfxr.exec:\rxfxfxr.exe92⤵PID:3540
-
\??\c:\xlrrlll.exec:\xlrrlll.exe93⤵PID:2348
-
\??\c:\hnnhhb.exec:\hnnhhb.exe94⤵PID:1584
-
\??\c:\7jjdd.exec:\7jjdd.exe95⤵PID:4196
-
\??\c:\xflffff.exec:\xflffff.exe96⤵
- System Location Discovery: System Language Discovery
PID:3728 -
\??\c:\5lxrfxr.exec:\5lxrfxr.exe97⤵PID:3336
-
\??\c:\bhntnh.exec:\bhntnh.exe98⤵PID:3116
-
\??\c:\jdjjj.exec:\jdjjj.exe99⤵PID:3020
-
\??\c:\vvvdv.exec:\vvvdv.exe100⤵PID:628
-
\??\c:\1rlfrrl.exe — command line: c:\1rlfrrl.exe 101⤵ PID:4404 (PID reused: tbnhbn.exe at depth 36 ran under 4404 earlier, so that stage had already exited)
-
\??\c:\7hbbtt.exec:\7hbbtt.exe102⤵PID:2736
-
\??\c:\1vvvp.exec:\1vvvp.exe103⤵PID:4432
-
\??\c:\rffxllx.exec:\rffxllx.exe104⤵PID:1984
-
\??\c:\rflfrrl.exec:\rflfrrl.exe105⤵PID:5084
-
\??\c:\btnhth.exec:\btnhth.exe106⤵PID:2884
-
\??\c:\vpjjd.exec:\vpjjd.exe107⤵PID:2096
-
\??\c:\lllfxrl.exec:\lllfxrl.exe108⤵PID:552
-
\??\c:\thtntn.exec:\thtntn.exe109⤵PID:2196
-
\??\c:\1nnhbt.exec:\1nnhbt.exe110⤵PID:1124
-
\??\c:\frxlxrl.exec:\frxlxrl.exe111⤵PID:2952
-
\??\c:\flrrxrx.exec:\flrrxrx.exe112⤵PID:5080
-
\??\c:\9nhbtt.exec:\9nhbtt.exe113⤵PID:3636
-
\??\c:\dpjdd.exec:\dpjdd.exe114⤵PID:4084
-
\??\c:\pdpdv.exec:\pdpdv.exe115⤵PID:1572
-
\??\c:\xxxlxrf.exec:\xxxlxrf.exe116⤵PID:5044
-
\??\c:\nhbnbt.exec:\nhbnbt.exe117⤵PID:4740
-
\??\c:\tbbtnt.exec:\tbbtnt.exe118⤵PID:1180
-
\??\c:\vdjdd.exec:\vdjdd.exe119⤵PID:4100
-
\??\c:\lffxrrl.exec:\lffxrrl.exe120⤵PID:3944
-
\??\c:\tntnnn.exec:\tntnnn.exe121⤵PID:4280
-
\??\c:\jdvvj.exec:\jdvvj.exe122⤵PID:1836
-