Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe
-
Size
454KB
-
MD5
d884599bc7f70d21692cdb41865021b0
-
SHA1
c08aee552c09e6d883d3897ed6c7b14325028aff
-
SHA256
f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5
-
SHA512
9a571f547beef515fc6bb068e5f23d7faab00cf8de5a34ea67943541bdb104f6df2d3b29b7912aa2953c2930b59d37ae4e732b3fd14df37aab177170813cb578
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3288-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1544-10-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4120-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4992-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4884-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4720-49-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4744-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1460-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2584-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4236-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4464-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1280-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5108-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3560-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3504-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3724-197-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1436-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4740-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2548-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2952-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1344-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/116-248-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3780-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1792-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4548-288-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-323-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3744-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-331-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-341-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1260-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-373-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1804-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3208-384-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1272-407-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2880-447-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-460-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3616-497-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-501-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2164-589-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-599-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1408-609-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4232-753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1796-784-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1856-917-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-921-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-943-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1544 rrfxxrr.exe 4992 pjdvp.exe 4120 5lflfrr.exe 4756 bnhbbt.exe 4884 nhhnnn.exe 3576 nnnhbb.exe 644 hbbtnh.exe 4720 fffxxll.exe 4744 vjddv.exe 4764 thhhbb.exe 1584 pjdpj.exe 5008 xxrlllf.exe 8 3hnbnh.exe 1460 nhtnhb.exe 4460 vdjdv.exe 3772 vjppv.exe 1908 lrxxrrr.exe 4236 lxxrllf.exe 2584 tbhhbt.exe 4748 tbhnhn.exe 4464 flrrllx.exe 456 thhbtn.exe 4080 pjvpv.exe 4412 jpvvv.exe 1028 vjpdd.exe 3068 3pjjj.exe 1280 lfrrxrx.exe 232 ffllffx.exe 4416 rlxlrrl.exe 5108 nhtntn.exe 2544 nhnhbb.exe 3560 9nhhbn.exe 3504 lfrfxrx.exe 2684 ffrrxxf.exe 3724 nhbbnt.exe 3828 pjjdj.exe 1656 fllfxxx.exe 4964 btbbtt.exe 1436 bbbbbb.exe 4740 dvdvp.exe 4500 5htthh.exe 2548 7ttttb.exe 2952 flrrllf.exe 3164 7lrrrlr.exe 1424 btbtht.exe 1948 djpjj.exe 4552 vdjvp.exe 1344 xlrlfrl.exe 116 bnnttb.exe 4340 jdpjp.exe 4576 xfxfxlf.exe 4700 ntbttt.exe 4868 5vddd.exe 4992 lfrrfff.exe 4820 tntntt.exe 3492 pjpjv.exe 4904 7vddv.exe 3780 7rxrllx.exe 1792 nhtntt.exe 3888 pjvpd.exe 4548 tnbbbb.exe 3172 5hnhbt.exe 4248 vpdvp.exe 3892 7xffxfx.exe -
resource yara_rule behavioral2/memory/3288-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1544-10-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4120-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4992-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4720-49-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-57-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4744-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1460-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2584-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4236-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4464-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1280-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/232-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5108-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3560-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3724-197-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1436-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4740-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2548-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2952-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1344-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/116-248-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3780-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1792-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4548-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-323-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-331-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-341-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1260-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4916-373-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1804-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3208-384-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1272-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2880-447-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4428-460-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3616-497-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-501-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2164-589-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-599-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1408-609-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-640-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-753-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1172-756-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1796-784-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhtnnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frllfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llffxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nthhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhtnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfxrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbtnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3rxrflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3288 wrote to memory of 1544 3288 f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe 82 PID 3288 wrote to memory of 1544 3288 f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe 82 PID 3288 wrote to memory of 1544 3288 f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe 82 PID 1544 wrote to memory of 4992 1544 rrfxxrr.exe 83 PID 1544 wrote to memory of 4992 1544 rrfxxrr.exe 83 PID 1544 wrote to memory of 4992 1544 rrfxxrr.exe 83 PID 4992 wrote to memory of 4120 4992 pjdvp.exe 84 PID 4992 wrote to memory of 4120 4992 pjdvp.exe 84 PID 4992 wrote to memory of 4120 4992 pjdvp.exe 84 PID 4120 wrote to memory of 4756 4120 5lflfrr.exe 85 PID 4120 wrote to memory of 4756 4120 5lflfrr.exe 85 PID 4120 wrote to memory of 4756 4120 5lflfrr.exe 85 PID 4756 wrote to memory of 4884 4756 bnhbbt.exe 86 PID 4756 wrote to memory of 4884 4756 bnhbbt.exe 86 PID 4756 wrote to memory of 4884 4756 bnhbbt.exe 86 PID 4884 wrote to memory of 3576 4884 nhhnnn.exe 87 PID 4884 wrote to memory of 3576 4884 nhhnnn.exe 87 PID 4884 wrote to memory of 3576 4884 nhhnnn.exe 87 PID 3576 wrote to memory of 644 3576 nnnhbb.exe 88 PID 3576 wrote to memory of 644 3576 nnnhbb.exe 88 PID 3576 wrote to memory of 644 3576 nnnhbb.exe 88 PID 644 wrote to memory of 4720 644 hbbtnh.exe 89 PID 644 wrote to memory of 4720 644 hbbtnh.exe 89 PID 644 wrote to memory of 4720 644 hbbtnh.exe 89 PID 4720 wrote to memory of 4744 4720 fffxxll.exe 90 PID 4720 wrote to memory of 4744 4720 fffxxll.exe 90 PID 4720 wrote to memory of 4744 4720 fffxxll.exe 90 PID 4744 wrote to memory of 4764 4744 vjddv.exe 91 PID 4744 wrote to memory of 4764 4744 vjddv.exe 91 PID 4744 wrote to memory of 4764 4744 vjddv.exe 91 PID 4764 wrote to memory of 1584 4764 thhhbb.exe 92 PID 4764 wrote to memory of 1584 4764 thhhbb.exe 92 PID 4764 wrote to memory of 1584 4764 thhhbb.exe 92 PID 1584 wrote to memory of 5008 1584 pjdpj.exe 93 PID 1584 wrote to 
memory of 5008 1584 pjdpj.exe 93 PID 1584 wrote to memory of 5008 1584 pjdpj.exe 93 PID 5008 wrote to memory of 8 5008 xxrlllf.exe 94 PID 5008 wrote to memory of 8 5008 xxrlllf.exe 94 PID 5008 wrote to memory of 8 5008 xxrlllf.exe 94 PID 8 wrote to memory of 1460 8 3hnbnh.exe 95 PID 8 wrote to memory of 1460 8 3hnbnh.exe 95 PID 8 wrote to memory of 1460 8 3hnbnh.exe 95 PID 1460 wrote to memory of 4460 1460 nhtnhb.exe 96 PID 1460 wrote to memory of 4460 1460 nhtnhb.exe 96 PID 1460 wrote to memory of 4460 1460 nhtnhb.exe 96 PID 4460 wrote to memory of 3772 4460 vdjdv.exe 97 PID 4460 wrote to memory of 3772 4460 vdjdv.exe 97 PID 4460 wrote to memory of 3772 4460 vdjdv.exe 97 PID 3772 wrote to memory of 1908 3772 vjppv.exe 98 PID 3772 wrote to memory of 1908 3772 vjppv.exe 98 PID 3772 wrote to memory of 1908 3772 vjppv.exe 98 PID 1908 wrote to memory of 4236 1908 lrxxrrr.exe 99 PID 1908 wrote to memory of 4236 1908 lrxxrrr.exe 99 PID 1908 wrote to memory of 4236 1908 lrxxrrr.exe 99 PID 4236 wrote to memory of 2584 4236 lxxrllf.exe 100 PID 4236 wrote to memory of 2584 4236 lxxrllf.exe 100 PID 4236 wrote to memory of 2584 4236 lxxrllf.exe 100 PID 2584 wrote to memory of 4748 2584 tbhhbt.exe 101 PID 2584 wrote to memory of 4748 2584 tbhhbt.exe 101 PID 2584 wrote to memory of 4748 2584 tbhhbt.exe 101 PID 4748 wrote to memory of 4464 4748 tbhnhn.exe 102 PID 4748 wrote to memory of 4464 4748 tbhnhn.exe 102 PID 4748 wrote to memory of 4464 4748 tbhnhn.exe 102 PID 4464 wrote to memory of 456 4464 flrrllx.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe"C:\Users\Admin\AppData\Local\Temp\f69a9900d5017ff8e095c2d5f3db44476c52ba188dfdf0e92b00dc65ab84e0a5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3288 -
\??\c:\rrfxxrr.exec:\rrfxxrr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
\??\c:\pjdvp.exec:\pjdvp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\5lflfrr.exec:\5lflfrr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4120 -
\??\c:\bnhbbt.exec:\bnhbbt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\nhhnnn.exec:\nhhnnn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
\??\c:\nnnhbb.exec:\nnnhbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
\??\c:\hbbtnh.exec:\hbbtnh.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644 -
\??\c:\fffxxll.exec:\fffxxll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720 -
\??\c:\vjddv.exec:\vjddv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744 -
\??\c:\thhhbb.exec:\thhhbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
\??\c:\pjdpj.exec:\pjdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
\??\c:\xxrlllf.exec:\xxrlllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
\??\c:\3hnbnh.exec:\3hnbnh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\nhtnhb.exec:\nhtnhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
\??\c:\vdjdv.exec:\vdjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4460 -
\??\c:\vjppv.exec:\vjppv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\lrxxrrr.exec:\lrxxrrr.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\lxxrllf.exec:\lxxrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236 -
\??\c:\tbhhbt.exec:\tbhhbt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2584 -
\??\c:\tbhnhn.exec:\tbhnhn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4748 -
\??\c:\flrrllx.exec:\flrrllx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
\??\c:\thhbtn.exec:\thhbtn.exe23⤵
- Executes dropped EXE
PID:456 -
\??\c:\pjvpv.exec:\pjvpv.exe24⤵
- Executes dropped EXE
PID:4080 -
\??\c:\jpvvv.exec:\jpvvv.exe25⤵
- Executes dropped EXE
PID:4412 -
\??\c:\vjpdd.exec:\vjpdd.exe26⤵
- Executes dropped EXE
PID:1028 -
\??\c:\3pjjj.exec:\3pjjj.exe27⤵
- Executes dropped EXE
PID:3068 -
\??\c:\lfrrxrx.exec:\lfrrxrx.exe28⤵
- Executes dropped EXE
PID:1280 -
\??\c:\ffllffx.exec:\ffllffx.exe29⤵
- Executes dropped EXE
PID:232 -
\??\c:\rlxlrrl.exec:\rlxlrrl.exe30⤵
- Executes dropped EXE
PID:4416 -
\??\c:\nhtntn.exec:\nhtntn.exe31⤵
- Executes dropped EXE
PID:5108 -
\??\c:\nhnhbb.exec:\nhnhbb.exe32⤵
- Executes dropped EXE
PID:2544 -
\??\c:\9nhhbn.exec:\9nhhbn.exe33⤵
- Executes dropped EXE
PID:3560 -
\??\c:\lfrfxrx.exec:\lfrfxrx.exe34⤵
- Executes dropped EXE
PID:3504 -
\??\c:\ffrrxxf.exec:\ffrrxxf.exe35⤵
- Executes dropped EXE
PID:2684 -
\??\c:\nhbbnt.exec:\nhbbnt.exe36⤵
- Executes dropped EXE
PID:3724 -
\??\c:\pjjdj.exec:\pjjdj.exe37⤵
- Executes dropped EXE
PID:3828 -
\??\c:\fllfxxx.exec:\fllfxxx.exe38⤵
- Executes dropped EXE
PID:1656 -
\??\c:\btbbtt.exec:\btbbtt.exe39⤵
- Executes dropped EXE
PID:4964 -
\??\c:\bbbbbb.exec:\bbbbbb.exe40⤵
- Executes dropped EXE
PID:1436 -
\??\c:\dvdvp.exec:\dvdvp.exe41⤵
- Executes dropped EXE
PID:4740 -
\??\c:\5htthh.exec:\5htthh.exe42⤵
- Executes dropped EXE
PID:4500 -
\??\c:\7ttttb.exec:\7ttttb.exe43⤵
- Executes dropped EXE
PID:2548 -
\??\c:\flrrllf.exec:\flrrllf.exe44⤵
- Executes dropped EXE
PID:2952 -
\??\c:\7lrrrlr.exec:\7lrrrlr.exe45⤵
- Executes dropped EXE
PID:3164 -
\??\c:\btbtht.exec:\btbtht.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1424 -
\??\c:\djpjj.exec:\djpjj.exe47⤵
- Executes dropped EXE
PID:1948 -
\??\c:\vdjvp.exec:\vdjvp.exe48⤵
- Executes dropped EXE
PID:4552 -
\??\c:\xlrlfrl.exec:\xlrlfrl.exe49⤵
- Executes dropped EXE
PID:1344 -
\??\c:\bnnttb.exec:\bnnttb.exe50⤵
- Executes dropped EXE
PID:116 -
\??\c:\jdpjp.exec:\jdpjp.exe51⤵
- Executes dropped EXE
PID:4340 -
\??\c:\xfxfxlf.exec:\xfxfxlf.exe52⤵
- Executes dropped EXE
PID:4576 -
\??\c:\ntbttt.exec:\ntbttt.exe53⤵
- Executes dropped EXE
PID:4700 -
\??\c:\5vddd.exec:\5vddd.exe54⤵
- Executes dropped EXE
PID:4868 -
\??\c:\lfrrfff.exec:\lfrrfff.exe55⤵
- Executes dropped EXE
PID:4992 -
\??\c:\tntntt.exec:\tntntt.exe56⤵
- Executes dropped EXE
PID:4820 -
\??\c:\pjpjv.exec:\pjpjv.exe57⤵
- Executes dropped EXE
PID:3492 -
\??\c:\7vddv.exec:\7vddv.exe58⤵
- Executes dropped EXE
PID:4904 -
\??\c:\7rxrllx.exec:\7rxrllx.exe59⤵
- Executes dropped EXE
PID:3780 -
\??\c:\nhtntt.exec:\nhtntt.exe60⤵
- Executes dropped EXE
PID:1792 -
\??\c:\pjvpd.exec:\pjvpd.exe61⤵
- Executes dropped EXE
PID:3888 -
\??\c:\tnbbbb.exec:\tnbbbb.exe62⤵
- Executes dropped EXE
PID:4548 -
\??\c:\5hnhbt.exec:\5hnhbt.exe63⤵
- Executes dropped EXE
PID:3172 -
\??\c:\vpdvp.exec:\vpdvp.exe64⤵
- Executes dropped EXE
PID:4248 -
\??\c:\7xffxfx.exec:\7xffxfx.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3892 -
\??\c:\hbbhbt.exec:\hbbhbt.exe66⤵PID:2216
-
\??\c:\pjpjj.exec:\pjpjj.exe67⤵PID:2728
-
\??\c:\flrrlff.exec:\flrrlff.exe68⤵PID:4492
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe69⤵PID:1584
-
\??\c:\nnttnt.exec:\nnttnt.exe70⤵PID:5008
-
\??\c:\vpppp.exec:\vpppp.exe71⤵PID:808
-
\??\c:\9lrrrrr.exec:\9lrrrrr.exe72⤵PID:8
-
\??\c:\nhttnn.exec:\nhttnn.exe73⤵PID:4768
-
\??\c:\ddjdd.exec:\ddjdd.exe74⤵PID:3744
-
\??\c:\xrfxllf.exec:\xrfxllf.exe75⤵PID:3772
-
\??\c:\tnnhbn.exec:\tnnhbn.exe76⤵PID:3416
-
\??\c:\ppjdj.exec:\ppjdj.exe77⤵PID:1968
-
\??\c:\ffflrrr.exec:\ffflrrr.exe78⤵PID:1940
-
\??\c:\bhbbht.exec:\bhbbht.exe79⤵PID:2392
-
\??\c:\5nhbtt.exec:\5nhbtt.exe80⤵PID:2100
-
\??\c:\9pvpj.exec:\9pvpj.exe81⤵PID:2660
-
\??\c:\fxrlrlr.exec:\fxrlrlr.exe82⤵PID:2112
-
\??\c:\xffxrrr.exec:\xffxrrr.exe83⤵PID:1260
-
\??\c:\5ttnhh.exec:\5ttnhh.exe84⤵PID:456
-
\??\c:\pjjdv.exec:\pjjdv.exe85⤵PID:4080
-
\??\c:\llffxfx.exec:\llffxfx.exe86⤵
- System Location Discovery: System Language Discovery
PID:3196 -
\??\c:\5ttbnt.exec:\5ttbnt.exe87⤵PID:1824
-
\??\c:\djpdp.exec:\djpdp.exe88⤵PID:4916
-
\??\c:\flxrlrr.exec:\flxrlrr.exe89⤵PID:4960
-
\??\c:\fxlffff.exec:\fxlffff.exe90⤵PID:1804
-
\??\c:\thhbtt.exec:\thhbtt.exe91⤵PID:3208
-
\??\c:\jvdvv.exec:\jvdvv.exe92⤵PID:3584
-
\??\c:\5lfllfx.exec:\5lfllfx.exe93⤵PID:1416
-
\??\c:\tbhnhn.exec:\tbhnhn.exe94⤵PID:3684
-
\??\c:\dpddv.exec:\dpddv.exe95⤵PID:812
-
\??\c:\xrxrlfx.exec:\xrxrlfx.exe96⤵PID:4504
-
\??\c:\tntnnh.exec:\tntnnh.exe97⤵PID:748
-
\??\c:\ddjdd.exec:\ddjdd.exe98⤵PID:1272
-
\??\c:\rrxxxxx.exec:\rrxxxxx.exe99⤵PID:1620
-
\??\c:\ttbbbh.exec:\ttbbbh.exe100⤵PID:3540
-
\??\c:\dpppj.exec:\dpppj.exe101⤵PID:3724
-
\??\c:\5flfrxf.exec:\5flfrxf.exe102⤵PID:2420
-
\??\c:\nbhhhh.exec:\nbhhhh.exe103⤵PID:2136
-
\??\c:\5vdvp.exec:\5vdvp.exe104⤵PID:4968
-
\??\c:\xllllff.exec:\xllllff.exe105⤵PID:1924
-
\??\c:\htbnhh.exec:\htbnhh.exe106⤵PID:2848
-
\??\c:\9bbtnn.exec:\9bbtnn.exe107⤵PID:4500
-
\??\c:\5jpjv.exec:\5jpjv.exe108⤵PID:708
-
\??\c:\rlxflfr.exec:\rlxflfr.exe109⤵PID:2952
-
\??\c:\9btnnt.exec:\9btnnt.exe110⤵PID:676
-
\??\c:\vvdvv.exec:\vvdvv.exe111⤵PID:2880
-
\??\c:\5flfxxr.exec:\5flfxxr.exe112⤵PID:1948
-
\??\c:\tnhhbt.exec:\tnhhbt.exe113⤵PID:4588
-
\??\c:\dvvvp.exec:\dvvvp.exe114⤵PID:2872
-
\??\c:\pdddd.exec:\pdddd.exe115⤵PID:4428
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe116⤵PID:4444
-
\??\c:\nnthbb.exec:\nnthbb.exe117⤵PID:2352
-
\??\c:\hhbtbn.exec:\hhbtbn.exe118⤵PID:4200
-
\??\c:\ppjjd.exec:\ppjjd.exe119⤵PID:3380
-
\??\c:\ffllffx.exec:\ffllffx.exe120⤵PID:1004
-
\??\c:\hbtttt.exec:\hbtttt.exe121⤵PID:4628
-
\??\c:\vpppj.exec:\vpppj.exe122⤵PID:1516