Analysis
-
max time kernel
150s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:56
Static task
static1
1 signature
Behavioral task
behavioral1
Sample
9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991.exe
-
Size
455KB
-
MD5
d2661e33f97a97b2d62d6108d3e509d3
-
SHA1
fc4d331435f88889b3c4b3dde63b7640ab4f50dd
-
SHA256
9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991
-
SHA512
99cff4f03b19fc68ee1fca1082d3ae86b5c2ff71c54404aaf2365318ea64e1e0d750c6f8788e2e2c6c754ca8242d93f2283b9251a3928a539530e64c22be1f4c
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbe1:q7Tc2NYHUrAwfMp3CD1
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/3116-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4612-24-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/112-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2148-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1164-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-82-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4332-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1416-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4928-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3436-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3468-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3984-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4916-168-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1800-174-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/880-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4748-192-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4016-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-225-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4608-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2696-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-237-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4448-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1152-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2644-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2388-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3004-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/836-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2792-320-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4044-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-346-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4336-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3576-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-376-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3244-389-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/796-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4360-406-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-428-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3996-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1292-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2260-452-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-534-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-550-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-575-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4580-594-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2648-607-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-656-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4056-687-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/736-761-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4584-1160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4616-1227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1940 9frllll.exe 1468 7hhhbb.exe 4612 nhnhth.exe 112 dvpjd.exe 5084 3hnnbh.exe 4672 vvvvp.exe 2148 nthbtt.exe 3332 pvdpd.exe 4308 1lrfxll.exe 3172 vvdvj.exe 1164 7xfxfxf.exe 4976 vjvpv.exe 3064 rfrfxfr.exe 2828 3vvpj.exe 2632 9xlfrxf.exe 4332 thnnbb.exe 1416 vdpjd.exe 4928 9tnnnn.exe 4132 7pvdj.exe 464 fxfxlrl.exe 1616 vppjp.exe 3576 9llxrrr.exe 3436 bhttnn.exe 3468 jpvvv.exe 4076 frlfxlf.exe 3984 jppjj.exe 5100 jdpjj.exe 4916 bhtnbb.exe 1800 7rlxrrr.exe 348 xlrrllf.exe 880 dvddv.exe 4652 lfrlllf.exe 4748 7hbtnn.exe 4812 jdvpv.exe 264 xlxrlfx.exe 2416 hbbtnn.exe 3776 9pjvv.exe 1204 llfflff.exe 4016 tbhhhb.exe 3388 jpdvv.exe 3148 fxfxrrl.exe 1180 vpdvv.exe 2252 ffrrxxr.exe 4608 hthbbh.exe 2696 dvvdp.exe 2260 rxrfrlr.exe 5064 3tnhtt.exe 2772 jdpjd.exe 1480 9lxrrlf.exe 4448 rlrlllf.exe 3972 bbnhbb.exe 1312 dppjv.exe 2072 7rlfrlf.exe 5024 tbnbbh.exe 3128 jpvvp.exe 3556 rxxlfrl.exe 3416 xxxlfrl.exe 220 7jpjv.exe 4820 pjvvp.exe 1152 rffrlff.exe 1812 bbnbth.exe 2644 pvvpj.exe 3332 xfxlffr.exe 2388 tntnhb.exe -
resource yara_rule behavioral2/memory/3116-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1468-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4612-24-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/112-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2148-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1164-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-82-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4332-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1416-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4928-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-133-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3436-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3468-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3984-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5100-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4916-168-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1800-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/880-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4748-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4016-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-225-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4608-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2696-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4448-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/220-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1152-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2644-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2388-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3004-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/836-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2792-320-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4044-333-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-346-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4336-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3576-357-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2888-376-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3244-389-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/796-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4360-406-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-428-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3996-432-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1292-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2260-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-534-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-550-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-575-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4580-594-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2648-607-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-656-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4056-687-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-724-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5jdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3ppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language frxrlff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrfrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xxxlrlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5lfrfxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlxlrl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3116 wrote to memory of 1940 3116 9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991.exe 83 PID 3116 wrote to memory of 1940 3116 9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991.exe 83 PID 3116 wrote to memory of 1940 3116 9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991.exe 83 PID 1940 wrote to memory of 1468 1940 9frllll.exe 84 PID 1940 wrote to memory of 1468 1940 9frllll.exe 84 PID 1940 wrote to memory of 1468 1940 9frllll.exe 84 PID 1468 wrote to memory of 4612 1468 7hhhbb.exe 85 PID 1468 wrote to memory of 4612 1468 7hhhbb.exe 85 PID 1468 wrote to memory of 4612 1468 7hhhbb.exe 85 PID 4612 wrote to memory of 112 4612 nhnhth.exe 86 PID 4612 wrote to memory of 112 4612 nhnhth.exe 86 PID 4612 wrote to memory of 112 4612 nhnhth.exe 86 PID 112 wrote to memory of 5084 112 dvpjd.exe 87 PID 112 wrote to memory of 5084 112 dvpjd.exe 87 PID 112 wrote to memory of 5084 112 dvpjd.exe 87 PID 5084 wrote to memory of 4672 5084 3hnnbh.exe 88 PID 5084 wrote to memory of 4672 5084 3hnnbh.exe 88 PID 5084 wrote to memory of 4672 5084 3hnnbh.exe 88 PID 4672 wrote to memory of 2148 4672 vvvvp.exe 89 PID 4672 wrote to memory of 2148 4672 vvvvp.exe 89 PID 4672 wrote to memory of 2148 4672 vvvvp.exe 89 PID 2148 wrote to memory of 3332 2148 nthbtt.exe 90 PID 2148 wrote to memory of 3332 2148 nthbtt.exe 90 PID 2148 wrote to memory of 3332 2148 nthbtt.exe 90 PID 3332 wrote to memory of 4308 3332 pvdpd.exe 91 PID 3332 wrote to memory of 4308 3332 pvdpd.exe 91 PID 3332 wrote to memory of 4308 3332 pvdpd.exe 91 PID 4308 wrote to memory of 3172 4308 1lrfxll.exe 92 PID 4308 wrote to memory of 3172 4308 1lrfxll.exe 92 PID 4308 wrote to memory of 3172 4308 1lrfxll.exe 92 PID 3172 wrote to memory of 1164 3172 vvdvj.exe 93 PID 3172 wrote to memory of 1164 3172 vvdvj.exe 93 PID 3172 wrote to memory of 1164 3172 vvdvj.exe 93 PID 1164 wrote to memory of 4976 1164 7xfxfxf.exe 94 PID 1164 wrote to memory of 4976 
1164 7xfxfxf.exe 94 PID 1164 wrote to memory of 4976 1164 7xfxfxf.exe 94 PID 4976 wrote to memory of 3064 4976 vjvpv.exe 95 PID 4976 wrote to memory of 3064 4976 vjvpv.exe 95 PID 4976 wrote to memory of 3064 4976 vjvpv.exe 95 PID 3064 wrote to memory of 2828 3064 rfrfxfr.exe 96 PID 3064 wrote to memory of 2828 3064 rfrfxfr.exe 96 PID 3064 wrote to memory of 2828 3064 rfrfxfr.exe 96 PID 2828 wrote to memory of 2632 2828 3vvpj.exe 97 PID 2828 wrote to memory of 2632 2828 3vvpj.exe 97 PID 2828 wrote to memory of 2632 2828 3vvpj.exe 97 PID 2632 wrote to memory of 4332 2632 9xlfrxf.exe 98 PID 2632 wrote to memory of 4332 2632 9xlfrxf.exe 98 PID 2632 wrote to memory of 4332 2632 9xlfrxf.exe 98 PID 4332 wrote to memory of 1416 4332 thnnbb.exe 99 PID 4332 wrote to memory of 1416 4332 thnnbb.exe 99 PID 4332 wrote to memory of 1416 4332 thnnbb.exe 99 PID 1416 wrote to memory of 4928 1416 vdpjd.exe 100 PID 1416 wrote to memory of 4928 1416 vdpjd.exe 100 PID 1416 wrote to memory of 4928 1416 vdpjd.exe 100 PID 4928 wrote to memory of 4132 4928 9tnnnn.exe 101 PID 4928 wrote to memory of 4132 4928 9tnnnn.exe 101 PID 4928 wrote to memory of 4132 4928 9tnnnn.exe 101 PID 4132 wrote to memory of 464 4132 7pvdj.exe 102 PID 4132 wrote to memory of 464 4132 7pvdj.exe 102 PID 4132 wrote to memory of 464 4132 7pvdj.exe 102 PID 464 wrote to memory of 1616 464 fxfxlrl.exe 103 PID 464 wrote to memory of 1616 464 fxfxlrl.exe 103 PID 464 wrote to memory of 1616 464 fxfxlrl.exe 103 PID 1616 wrote to memory of 3576 1616 vppjp.exe 104
Processes (note: PIDs are recycled during this run — 3116, 112, 3172, 3332, 2260, 2696, 4448 and 3576 each appear twice in the tree below — so correlate events on PID together with parent process and launch order, not on PID alone)
-
C:\Users\Admin\AppData\Local\Temp\9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991.exe "C:\Users\Admin\AppData\Local\Temp\9739c3ffbd58fb5068bd639fcd6c53f6bfc89730cd559c9d304a5faabf7ee991.exe" 1⤵
- Suspicious use of WriteProcessMemory
PID:3116 -
\??\c:\9frllll.exec:\9frllll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\7hhhbb.exec:\7hhhbb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1468 -
\??\c:\nhnhth.exec:\nhnhth.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4612 -
\??\c:\dvpjd.exec:\dvpjd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\3hnnbh.exec:\3hnnbh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5084 -
\??\c:\vvvvp.exec:\vvvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4672 -
\??\c:\nthbtt.exec:\nthbtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
\??\c:\pvdpd.exec:\pvdpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3332 -
\??\c:\1lrfxll.exec:\1lrfxll.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
\??\c:\vvdvj.exec:\vvdvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3172 -
\??\c:\7xfxfxf.exec:\7xfxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164 -
\??\c:\vjvpv.exec:\vjvpv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\rfrfxfr.exec:\rfrfxfr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\3vvpj.exec:\3vvpj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
\??\c:\9xlfrxf.exec:\9xlfrxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
\??\c:\thnnbb.exec:\thnnbb.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332 -
\??\c:\vdpjd.exec:\vdpjd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\9tnnnn.exec:\9tnnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
\??\c:\7pvdj.exec:\7pvdj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4132 -
\??\c:\fxfxlrl.exec:\fxfxlrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464 -
\??\c:\vppjp.exec:\vppjp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\9llxrrr.exec:\9llxrrr.exe23⤵
- Executes dropped EXE
PID:3576 -
\??\c:\bhttnn.exec:\bhttnn.exe24⤵
- Executes dropped EXE
PID:3436 -
\??\c:\jpvvv.exec:\jpvvv.exe25⤵
- Executes dropped EXE
PID:3468 -
\??\c:\frlfxlf.exec:\frlfxlf.exe26⤵
- Executes dropped EXE
PID:4076 -
\??\c:\jppjj.exec:\jppjj.exe27⤵
- Executes dropped EXE
PID:3984 -
\??\c:\jdpjj.exec:\jdpjj.exe28⤵
- Executes dropped EXE
PID:5100 -
\??\c:\bhtnbb.exec:\bhtnbb.exe29⤵
- Executes dropped EXE
PID:4916 -
\??\c:\7rlxrrr.exec:\7rlxrrr.exe30⤵
- Executes dropped EXE
PID:1800 -
\??\c:\xlrrllf.exec:\xlrrllf.exe31⤵
- Executes dropped EXE
PID:348 -
\??\c:\dvddv.exec:\dvddv.exe32⤵
- Executes dropped EXE
PID:880 -
\??\c:\lfrlllf.exec:\lfrlllf.exe33⤵
- Executes dropped EXE
PID:4652 -
\??\c:\7hbtnn.exec:\7hbtnn.exe34⤵
- Executes dropped EXE
PID:4748 -
\??\c:\jdvpv.exec:\jdvpv.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4812 -
\??\c:\xlxrlfx.exec:\xlxrlfx.exe36⤵
- Executes dropped EXE
PID:264 -
\??\c:\hbbtnn.exec:\hbbtnn.exe37⤵
- Executes dropped EXE
PID:2416 -
\??\c:\9pjvv.exec:\9pjvv.exe38⤵
- Executes dropped EXE
PID:3776 -
\??\c:\llfflff.exec:\llfflff.exe39⤵
- Executes dropped EXE
PID:1204 -
\??\c:\tbhhhb.exec:\tbhhhb.exe40⤵
- Executes dropped EXE
PID:4016 -
\??\c:\jpdvv.exec:\jpdvv.exe41⤵
- Executes dropped EXE
PID:3388 -
\??\c:\fxfxrrl.exec:\fxfxrrl.exe42⤵
- Executes dropped EXE
PID:3148 -
\??\c:\vpdvv.exec:\vpdvv.exe43⤵
- Executes dropped EXE
PID:1180 -
\??\c:\ffrrxxr.exec:\ffrrxxr.exe44⤵
- Executes dropped EXE
PID:2252 -
\??\c:\hthbbh.exec:\hthbbh.exe45⤵
- Executes dropped EXE
PID:4608 -
\??\c:\dvvdp.exec:\dvvdp.exe46⤵
- Executes dropped EXE
PID:2696 -
\??\c:\rxrfrlr.exec:\rxrfrlr.exe47⤵
- Executes dropped EXE
PID:2260 -
\??\c:\3tnhtt.exec:\3tnhtt.exe48⤵
- Executes dropped EXE
PID:5064 -
\??\c:\jdpjd.exec:\jdpjd.exe49⤵
- Executes dropped EXE
PID:2772 -
\??\c:\9lxrrlf.exec:\9lxrrlf.exe50⤵
- Executes dropped EXE
PID:1480 -
\??\c:\rlrlllf.exec:\rlrlllf.exe51⤵
- Executes dropped EXE
PID:4448 -
\??\c:\bbnhbb.exec:\bbnhbb.exe52⤵
- Executes dropped EXE
PID:3972 -
\??\c:\dppjv.exec:\dppjv.exe53⤵
- Executes dropped EXE
PID:1312 -
\??\c:\7rlfrlf.exec:\7rlfrlf.exe54⤵
- Executes dropped EXE
PID:2072 -
\??\c:\tbnbbh.exec:\tbnbbh.exe55⤵
- Executes dropped EXE
PID:5024 -
\??\c:\jpvvp.exec:\jpvvp.exe56⤵
- Executes dropped EXE
PID:3128 -
\??\c:\rxxlfrl.exec:\rxxlfrl.exe57⤵
- Executes dropped EXE
PID:3556 -
\??\c:\xxxlfrl.exec:\xxxlfrl.exe58⤵
- Executes dropped EXE
PID:3416 -
\??\c:\7jpjv.exec:\7jpjv.exe59⤵
- Executes dropped EXE
PID:220 -
\??\c:\pjvvp.exec:\pjvvp.exe60⤵
- Executes dropped EXE
PID:4820 -
\??\c:\rffrlff.exec:\rffrlff.exe61⤵
- Executes dropped EXE
PID:1152 -
\??\c:\bbnbth.exec:\bbnbth.exe62⤵
- Executes dropped EXE
PID:1812 -
\??\c:\pvvpj.exec:\pvvpj.exe63⤵
- Executes dropped EXE
PID:2644 -
\??\c:\xfxlffr.exec:\xfxlffr.exe64⤵
- Executes dropped EXE
PID:3332 -
\??\c:\tntnhb.exec:\tntnhb.exe65⤵
- Executes dropped EXE
PID:2388 -
\??\c:\nbtnbb.exec:\nbtnbb.exe66⤵PID:3172
-
\??\c:\7vjpd.exec:\7vjpd.exe67⤵PID:912
-
\??\c:\xffrfxr.exec:\xffrfxr.exe68⤵PID:3068
-
\??\c:\tnnnnh.exec:\tnnnnh.exe69⤵PID:3004
-
\??\c:\ppvdp.exec:\ppvdp.exe70⤵PID:836
-
\??\c:\3flxllx.exec:\3flxllx.exe71⤵PID:2792
-
\??\c:\1ntnbb.exec:\1ntnbb.exe72⤵PID:1564
-
\??\c:\jdvpv.exec:\jdvpv.exe73⤵PID:936
-
\??\c:\pdjvj.exec:\pdjvj.exe74⤵PID:4600
-
\??\c:\ffxlflf.exec:\ffxlflf.exe75⤵PID:4044
-
\??\c:\thnhtt.exec:\thnhtt.exe76⤵PID:5056
-
\??\c:\vvdpj.exec:\vvdpj.exe77⤵PID:5044
-
\??\c:\lllfllf.exec:\lllfllf.exe78⤵PID:4020
-
\??\c:\btnhbb.exec:\btnhbb.exe79⤵PID:1612
-
\??\c:\1ddvp.exec:\1ddvp.exe80⤵PID:4336
-
\??\c:\vdjdv.exec:\vdjdv.exe81⤵PID:4412
-
\??\c:\1llxlfx.exec:\1llxlfx.exe82⤵PID:3576
-
\??\c:\thttnh.exec:\thttnh.exe83⤵PID:4264
-
\??\c:\vpvjv.exec:\vpvjv.exe84⤵PID:1884
-
\??\c:\3frfrlx.exec:\3frfrlx.exe85⤵PID:4900
-
\??\c:\btbthh.exec:\btbthh.exe86⤵PID:4128
-
\??\c:\jdjdj.exec:\jdjdj.exe87⤵PID:2008
-
\??\c:\3vppd.exec:\3vppd.exe88⤵PID:2888
-
\??\c:\xxfrxxl.exec:\xxfrxxl.exe89⤵PID:2584
-
\??\c:\lfxlxrl.exec:\lfxlxrl.exe90⤵PID:4304
-
\??\c:\7tttnn.exec:\7tttnn.exe91⤵PID:412
-
\??\c:\pjpdv.exec:\pjpdv.exe92⤵PID:3244
-
\??\c:\xlrlfxx.exec:\xlrlfxx.exe93⤵PID:796
-
\??\c:\7tnnbt.exec:\7tnnbt.exe94⤵PID:740
-
\??\c:\nhnbhb.exec:\nhnbhb.exe95⤵PID:3656
-
\??\c:\5jdvj.exec:\5jdvj.exe96⤵PID:1272
-
\??\c:\9rrfrrf.exec:\9rrfrrf.exe97⤵PID:4360
-
\??\c:\ttnhtt.exec:\ttnhtt.exe98⤵PID:1916
-
\??\c:\bttnhb.exec:\bttnhb.exe99⤵PID:2352
-
\??\c:\jdjjj.exec:\jdjjj.exe100⤵PID:2004
-
\??\c:\rflfrlx.exec:\rflfrlx.exe101⤵PID:1516
-
\??\c:\thnhhh.exec:\thnhhh.exe102⤵PID:4648
-
\??\c:\bnhhbb.exec:\bnhhbb.exe103⤵PID:688
-
\??\c:\jvdpd.exec:\jvdpd.exe104⤵PID:644
-
\??\c:\xxlfrrr.exec:\xxlfrrr.exe105⤵PID:3996
-
\??\c:\7tbtth.exec:\7tbtth.exe106⤵PID:2024
-
\??\c:\9ddvj.exec:\9ddvj.exe107⤵PID:1444
-
\??\c:\1pvpj.exec:\1pvpj.exe108⤵PID:4184
-
\??\c:\3rxlxxl.exec:\3rxlxxl.exe109⤵PID:1292
-
\??\c:\xrlfxxl.exec:\xrlfxxl.exe110⤵PID:2696
-
\??\c:\tnhthb.exec:\tnhthb.exe111⤵PID:2260
-
\??\c:\dvvdp.exec:\dvvdp.exe112⤵PID:3208
-
\??\c:\xlrlxxx.exec:\xlrlxxx.exe113⤵PID:4440
-
\??\c:\hthnhh.exec:\hthnhh.exe114⤵PID:5004
-
\??\c:\hbhhtt.exec:\hbhhtt.exe115⤵PID:4448
-
\??\c:\jjvjj.exec:\jjvjj.exe116⤵PID:3116
-
\??\c:\djpdv.exec:\djpdv.exe117⤵PID:2412
-
\??\c:\rfrlffx.exec:\rfrlffx.exe118⤵PID:400
-
\??\c:\3tntnb.exec:\3tntnb.exe119⤵PID:4176
-
\??\c:\jvdpj.exec:\jvdpj.exe120⤵PID:1428
-
\??\c:\ddpjv.exec:\ddpjv.exe121⤵PID:1032
-
\??\c:\rflfxrl.exec:\rflfxrl.exe122⤵PID:112