Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
20-01-2025 09:05
Static task
static1
1 signature
Behavioral task
behavioral1 (note: the signature hits and process tree below are all tagged `behavioral2`, which appears to be the Windows 10 2004 x64 run described in the Analysis header; results from this Windows 7 task are not shown on this page)
Sample
9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434aN.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434aN.exe
-
Size
454KB
-
MD5
f702d732e9d5f4715ec37a72b0dc4610
-
SHA1
7a404fccb7006749d5ae682a8fed678568a9c2b2
-
SHA256
9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434a
-
SHA512
fefaefb6fb8a814387442663f188a7dde957b302526bad33edb3666fc787b090de78fc74ff29b0d99d085694936009ac39d79ee459c94656e9b1248c3d83c5f9
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbey:q7Tc2NYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family — every process in the chain matches `family_blackmoon` on the same in-memory image range (0x400000–0x42A000), and those same ranges also match the generic `upx` rule listed further down, so the on-disk sample should be treated as UPX-packed; derive static signatures from the memory dumps rather than from the packed file.
-
Detect Blackmoon payload 61 IoCs
resource yara_rule behavioral2/memory/3232-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4328-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/960-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4788-32-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4576-38-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3764-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3272-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4104-56-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1916-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-68-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2052-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3772-97-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-109-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2036-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2308-121-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5036-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2408-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1444-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2204-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-171-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-179-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2264-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-190-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/628-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4564-202-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/892-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/632-210-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4976-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1548-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2604-292-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-327-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4168-334-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4216-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4936-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4324-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2012-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1996-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-421-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2632-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4688-445-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-507-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4872-517-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1420-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4828-631-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-660-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-691-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-750-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-799-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2272-812-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3612-831-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1968-970-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4764-1142-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (the list is capped at 64 entries; the Processes section shows the chain is far longer). PIDs are recycled within the 120 s run — 3232 is first the original sample and later `hnhhhh.exe`, and 920 and 4788 likewise appear twice in this list — so correlate these events on PID plus image name and time, never on PID alone.
pid Process 4328 3nhtnn.exe 960 fxrfrlx.exe 920 fflfxll.exe 4788 jvvvp.exe 4576 htnbth.exe 3764 dvpjd.exe 3272 lfrrffr.exe 4104 vddpd.exe 1916 ppjdp.exe 1968 xrrlxrf.exe 3308 ttntbn.exe 4008 7ffxllf.exe 2044 ntbbtn.exe 2052 rffxrrl.exe 3772 nbbthb.exe 3684 jjjdd.exe 3312 7bhbnn.exe 2036 1jjvj.exe 2308 tttntn.exe 5036 7jjdd.exe 1676 rxfrlfr.exe 4520 nthhbt.exe 5072 vvvpp.exe 2408 flllrrx.exe 1444 lxxlxrl.exe 4448 ddvdv.exe 2204 3frlxxl.exe 1828 frxrllf.exe 8 jvdvd.exe 2264 fxxfrff.exe 4400 vdvdv.exe 3148 1xfxfll.exe 628 pjjpj.exe 4564 pvddp.exe 892 5thbnn.exe 632 7hnnnh.exe 4528 vdpjp.exe 4752 xxxrlfx.exe 4760 3htnhh.exe 4572 1nhhbb.exe 4032 jvvpj.exe 1716 ntbntn.exe 1068 1pvdp.exe 4976 rlfrllx.exe 5044 9xxrffx.exe 1708 ntbhbt.exe 1524 5pjdd.exe 4908 xflfrrl.exe 1548 9hhbtt.exe 5048 vppdv.exe 4584 9lffflf.exe 3928 7tbnhh.exe 3032 nbhttn.exe 4268 pvdvd.exe 4292 rlxlxxr.exe 3232 hnhhhh.exe 2064 tnbbtn.exe 5020 jjjdv.exe 1004 fxfrllf.exe 912 nhnhbt.exe 920 htbtnh.exe 2604 9vdvj.exe 4788 lrxrffr.exe 3680 hhhtnt.exe -
resource yara_rule behavioral2/memory/3232-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4328-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/960-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4788-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-39-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4576-38-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3764-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3272-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4104-56-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1916-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-68-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2052-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3772-97-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-109-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2036-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2308-121-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5036-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4520-138-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2408-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1444-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2204-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-190-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/628-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4564-202-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/892-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/632-210-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4976-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1548-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2604-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-327-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4168-334-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4216-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4936-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4324-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1996-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-421-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4808-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2632-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4688-445-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-507-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4872-517-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1420-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-631-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-660-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-691-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1224-750-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-799-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2272-812-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3612-831-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1968-970-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery (MITRE ATT&CK T1614.001) 1 TTP 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. In this run the behaviour is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`; many legitimate installers read the same key, so on its own this is a weak indicator and should be weighed together with the Blackmoon/UPX memory hits and the dropped-EXE chain. Entries attributed to "Process not Found" are most likely reads whose process had already exited before the sandbox could resolve it.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlrlffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bhhhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrlllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxffxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1btnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5xxxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbtttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not 
Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrlffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nttbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1rxrlrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thhnht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llrrrrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (capped at 64; the chain continues in the Processes section). Each parent writes to its direct child exactly three times right after spawning it, a pattern consistent with ordinary process-creation bookkeeping rather than remote code injection — the indicator of interest here is the strictly linear parent→child chain of dropped executables, not the writes themselves.
description pid Process procid_target PID 3232 wrote to memory of 4328 3232 9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434aN.exe 82 PID 3232 wrote to memory of 4328 3232 9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434aN.exe 82 PID 3232 wrote to memory of 4328 3232 9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434aN.exe 82 PID 4328 wrote to memory of 960 4328 3nhtnn.exe 83 PID 4328 wrote to memory of 960 4328 3nhtnn.exe 83 PID 4328 wrote to memory of 960 4328 3nhtnn.exe 83 PID 960 wrote to memory of 920 960 fxrfrlx.exe 84 PID 960 wrote to memory of 920 960 fxrfrlx.exe 84 PID 960 wrote to memory of 920 960 fxrfrlx.exe 84 PID 920 wrote to memory of 4788 920 fflfxll.exe 85 PID 920 wrote to memory of 4788 920 fflfxll.exe 85 PID 920 wrote to memory of 4788 920 fflfxll.exe 85 PID 4788 wrote to memory of 4576 4788 jvvvp.exe 86 PID 4788 wrote to memory of 4576 4788 jvvvp.exe 86 PID 4788 wrote to memory of 4576 4788 jvvvp.exe 86 PID 4576 wrote to memory of 3764 4576 htnbth.exe 87 PID 4576 wrote to memory of 3764 4576 htnbth.exe 87 PID 4576 wrote to memory of 3764 4576 htnbth.exe 87 PID 3764 wrote to memory of 3272 3764 dvpjd.exe 88 PID 3764 wrote to memory of 3272 3764 dvpjd.exe 88 PID 3764 wrote to memory of 3272 3764 dvpjd.exe 88 PID 3272 wrote to memory of 4104 3272 lfrrffr.exe 89 PID 3272 wrote to memory of 4104 3272 lfrrffr.exe 89 PID 3272 wrote to memory of 4104 3272 lfrrffr.exe 89 PID 4104 wrote to memory of 1916 4104 vddpd.exe 90 PID 4104 wrote to memory of 1916 4104 vddpd.exe 90 PID 4104 wrote to memory of 1916 4104 vddpd.exe 90 PID 1916 wrote to memory of 1968 1916 ppjdp.exe 91 PID 1916 wrote to memory of 1968 1916 ppjdp.exe 91 PID 1916 wrote to memory of 1968 1916 ppjdp.exe 91 PID 1968 wrote to memory of 3308 1968 xrrlxrf.exe 92 PID 1968 wrote to memory of 3308 1968 xrrlxrf.exe 92 PID 1968 wrote to memory of 3308 1968 xrrlxrf.exe 92 PID 3308 wrote to memory of 4008 3308 ttntbn.exe 93 PID 3308 wrote to memory of 4008 
3308 ttntbn.exe 93 PID 3308 wrote to memory of 4008 3308 ttntbn.exe 93 PID 4008 wrote to memory of 2044 4008 7ffxllf.exe 94 PID 4008 wrote to memory of 2044 4008 7ffxllf.exe 94 PID 4008 wrote to memory of 2044 4008 7ffxllf.exe 94 PID 2044 wrote to memory of 2052 2044 ntbbtn.exe 95 PID 2044 wrote to memory of 2052 2044 ntbbtn.exe 95 PID 2044 wrote to memory of 2052 2044 ntbbtn.exe 95 PID 2052 wrote to memory of 3772 2052 rffxrrl.exe 96 PID 2052 wrote to memory of 3772 2052 rffxrrl.exe 96 PID 2052 wrote to memory of 3772 2052 rffxrrl.exe 96 PID 3772 wrote to memory of 3684 3772 nbbthb.exe 97 PID 3772 wrote to memory of 3684 3772 nbbthb.exe 97 PID 3772 wrote to memory of 3684 3772 nbbthb.exe 97 PID 3684 wrote to memory of 3312 3684 jjjdd.exe 98 PID 3684 wrote to memory of 3312 3684 jjjdd.exe 98 PID 3684 wrote to memory of 3312 3684 jjjdd.exe 98 PID 3312 wrote to memory of 2036 3312 7bhbnn.exe 99 PID 3312 wrote to memory of 2036 3312 7bhbnn.exe 99 PID 3312 wrote to memory of 2036 3312 7bhbnn.exe 99 PID 2036 wrote to memory of 2308 2036 1jjvj.exe 100 PID 2036 wrote to memory of 2308 2036 1jjvj.exe 100 PID 2036 wrote to memory of 2308 2036 1jjvj.exe 100 PID 2308 wrote to memory of 5036 2308 tttntn.exe 101 PID 2308 wrote to memory of 5036 2308 tttntn.exe 101 PID 2308 wrote to memory of 5036 2308 tttntn.exe 101 PID 5036 wrote to memory of 1676 5036 7jjdd.exe 102 PID 5036 wrote to memory of 1676 5036 7jjdd.exe 102 PID 5036 wrote to memory of 1676 5036 7jjdd.exe 102 PID 1676 wrote to memory of 4520 1676 rxfrlfr.exe 103
Processes (each stage drops the next executable into the root of C:\ under a short name built from the fixed alphabet b d f h j l n p r t v x with an optional leading odd digit, then launches it; a process tree of executables running from `C:\` root whose parent also runs from `C:\` root is a practical hunting pivot for this sample)
-
C:\Users\Admin\AppData\Local\Temp\9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434aN.exe"C:\Users\Admin\AppData\Local\Temp\9e5276d89713ea695a0454b289fe730e4d12ff1a4648ed5b350edd6ad990434aN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3232 -
\??\c:\3nhtnn.exec:\3nhtnn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4328 -
\??\c:\fxrfrlx.exec:\fxrfrlx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960 -
\??\c:\fflfxll.exec:\fflfxll.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:920 -
\??\c:\jvvvp.exec:\jvvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
\??\c:\htnbth.exec:\htnbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4576 -
\??\c:\dvpjd.exec:\dvpjd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3764 -
\??\c:\lfrrffr.exec:\lfrrffr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3272 -
\??\c:\vddpd.exec:\vddpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
\??\c:\ppjdp.exec:\ppjdp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1916 -
\??\c:\xrrlxrf.exec:\xrrlxrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
\??\c:\ttntbn.exec:\ttntbn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
\??\c:\7ffxllf.exec:\7ffxllf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4008 -
\??\c:\ntbbtn.exec:\ntbbtn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044 -
\??\c:\rffxrrl.exec:\rffxrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
\??\c:\nbbthb.exec:\nbbthb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
\??\c:\jjjdd.exec:\jjjdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3684 -
\??\c:\7bhbnn.exec:\7bhbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
\??\c:\1jjvj.exec:\1jjvj.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
\??\c:\tttntn.exec:\tttntn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2308 -
\??\c:\7jjdd.exec:\7jjdd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
\??\c:\rxfrlfr.exec:\rxfrlfr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1676 -
\??\c:\nthhbt.exec:\nthhbt.exe23⤵
- Executes dropped EXE
PID:4520 -
\??\c:\vvvpp.exec:\vvvpp.exe24⤵
- Executes dropped EXE
PID:5072 -
\??\c:\flllrrx.exec:\flllrrx.exe25⤵
- Executes dropped EXE
PID:2408 -
\??\c:\lxxlxrl.exec:\lxxlxrl.exe26⤵
- Executes dropped EXE
PID:1444 -
\??\c:\ddvdv.exec:\ddvdv.exe27⤵
- Executes dropped EXE
PID:4448 -
\??\c:\3frlxxl.exec:\3frlxxl.exe28⤵
- Executes dropped EXE
PID:2204 -
\??\c:\frxrllf.exec:\frxrllf.exe29⤵
- Executes dropped EXE
PID:1828 -
\??\c:\jvdvd.exec:\jvdvd.exe30⤵
- Executes dropped EXE
PID:8 -
\??\c:\fxxfrff.exec:\fxxfrff.exe31⤵
- Executes dropped EXE
PID:2264 -
\??\c:\vdvdv.exec:\vdvdv.exe32⤵
- Executes dropped EXE
PID:4400 -
\??\c:\1xfxfll.exec:\1xfxfll.exe33⤵
- Executes dropped EXE
PID:3148 -
\??\c:\pjjpj.exec:\pjjpj.exe34⤵
- Executes dropped EXE
PID:628 -
\??\c:\pvddp.exec:\pvddp.exe35⤵
- Executes dropped EXE
PID:4564 -
\??\c:\5thbnn.exec:\5thbnn.exe36⤵
- Executes dropped EXE
PID:892 -
\??\c:\7hnnnh.exec:\7hnnnh.exe37⤵
- Executes dropped EXE
PID:632 -
\??\c:\vdpjp.exec:\vdpjp.exe38⤵
- Executes dropped EXE
PID:4528 -
\??\c:\xxxrlfx.exec:\xxxrlfx.exe39⤵
- Executes dropped EXE
PID:4752 -
\??\c:\3htnhh.exec:\3htnhh.exe40⤵
- Executes dropped EXE
PID:4760 -
\??\c:\1nhhbb.exec:\1nhhbb.exe41⤵
- Executes dropped EXE
PID:4572 -
\??\c:\jvvpj.exec:\jvvpj.exe42⤵
- Executes dropped EXE
PID:4032 -
\??\c:\ntbntn.exec:\ntbntn.exe43⤵
- Executes dropped EXE
PID:1716 -
\??\c:\1pvdp.exec:\1pvdp.exe44⤵
- Executes dropped EXE
PID:1068 -
\??\c:\rlfrllx.exec:\rlfrllx.exe45⤵
- Executes dropped EXE
PID:4976 -
\??\c:\9xxrffx.exec:\9xxrffx.exe46⤵
- Executes dropped EXE
PID:5044 -
\??\c:\ntbhbt.exec:\ntbhbt.exe47⤵
- Executes dropped EXE
PID:1708 -
\??\c:\5pjdd.exec:\5pjdd.exe48⤵
- Executes dropped EXE
PID:1524 -
\??\c:\xflfrrl.exec:\xflfrrl.exe49⤵
- Executes dropped EXE
PID:4908 -
\??\c:\9hhbtt.exec:\9hhbtt.exe50⤵
- Executes dropped EXE
PID:1548 -
\??\c:\vppdv.exec:\vppdv.exe51⤵
- Executes dropped EXE
PID:5048 -
\??\c:\9lffflf.exec:\9lffflf.exe52⤵
- Executes dropped EXE
PID:4584 -
\??\c:\7tbnhh.exec:\7tbnhh.exe53⤵
- Executes dropped EXE
PID:3928 -
\??\c:\nbhttn.exec:\nbhttn.exe54⤵
- Executes dropped EXE
PID:3032 -
\??\c:\pvdvd.exec:\pvdvd.exe55⤵
- Executes dropped EXE
PID:4268 -
\??\c:\rlxlxxr.exec:\rlxlxxr.exe56⤵
- Executes dropped EXE
PID:4292 -
\??\c:\hnhhhh.exec:\hnhhhh.exe57⤵
- Executes dropped EXE
PID:3232 -
\??\c:\tnbbtn.exec:\tnbbtn.exe58⤵
- Executes dropped EXE
PID:2064 -
\??\c:\jjjdv.exec:\jjjdv.exe59⤵
- Executes dropped EXE
PID:5020 -
\??\c:\fxfrllf.exec:\fxfrllf.exe60⤵
- Executes dropped EXE
PID:1004 -
\??\c:\nhnhbt.exec:\nhnhbt.exe61⤵
- Executes dropped EXE
PID:912 -
\??\c:\htbtnh.exec:\htbtnh.exe62⤵
- Executes dropped EXE
PID:920 -
\??\c:\9vdvj.exec:\9vdvj.exe63⤵
- Executes dropped EXE
PID:2604 -
\??\c:\lrxrffr.exec:\lrxrffr.exe64⤵
- Executes dropped EXE
PID:4788 -
\??\c:\hhhtnt.exec:\hhhtnt.exe65⤵
- Executes dropped EXE
PID:3680 -
\??\c:\jdpdp.exec:\jdpdp.exe66⤵PID:4256
-
\??\c:\vpdjd.exec:\vpdjd.exe67⤵PID:1036
-
\??\c:\5lxrlll.exec:\5lxrlll.exe68⤵PID:516
-
\??\c:\nbthbb.exec:\nbthbb.exe69⤵PID:4040
-
\??\c:\pdpjd.exec:\pdpjd.exe70⤵PID:1224
-
\??\c:\5frlxlx.exec:\5frlxlx.exe71⤵PID:1064
-
\??\c:\xxlflff.exec:\xxlflff.exe72⤵PID:2032
-
\??\c:\bnnbth.exec:\bnnbth.exe73⤵PID:1764
-
\??\c:\ddvpj.exec:\ddvpj.exe74⤵PID:4964
-
\??\c:\dvpdv.exec:\dvpdv.exe75⤵PID:2560
-
\??\c:\xllfxrr.exec:\xllfxrr.exe76⤵PID:4168
-
\??\c:\hbttnh.exec:\hbttnh.exe77⤵PID:2188
-
\??\c:\pjvpv.exec:\pjvpv.exe78⤵PID:2348
-
\??\c:\fxrlllf.exec:\fxrlllf.exe79⤵
- System Location Discovery: System Language Discovery
PID:3108 -
\??\c:\hbtnhn.exec:\hbtnhn.exe80⤵PID:3932
-
\??\c:\ppdpj.exec:\ppdpj.exe81⤵PID:4724
-
\??\c:\ffrlxxr.exec:\ffrlxxr.exe82⤵PID:936
-
\??\c:\bntttt.exec:\bntttt.exe83⤵PID:1688
-
\??\c:\bhnhbn.exec:\bhnhbn.exe84⤵PID:2788
-
\??\c:\5vvpj.exec:\5vvpj.exe85⤵PID:4316
-
\??\c:\5rxrllf.exec:\5rxrllf.exe86⤵PID:3504
-
\??\c:\thhhbb.exec:\thhhbb.exe87⤵PID:3652
-
\??\c:\dvvpd.exec:\dvvpd.exe88⤵PID:536
-
\??\c:\ppvpv.exec:\ppvpv.exe89⤵PID:644
-
\??\c:\rxxlxlf.exec:\rxxlxlf.exe90⤵PID:2192
-
\??\c:\1pddv.exec:\1pddv.exe91⤵PID:1220
-
\??\c:\fllrlxr.exec:\fllrlxr.exe92⤵PID:3436
-
\??\c:\xflrxll.exec:\xflrxll.exe93⤵PID:4216
-
\??\c:\nnnnnn.exec:\nnnnnn.exe94⤵PID:1172
-
\??\c:\vdppj.exec:\vdppj.exe95⤵PID:4936
-
\??\c:\ffxrlrl.exec:\ffxrlrl.exe96⤵PID:4324
-
\??\c:\fllxrlf.exec:\fllxrlf.exe97⤵PID:2012
-
\??\c:\3hnhbh.exec:\3hnhbh.exe98⤵PID:796
-
\??\c:\djvpv.exec:\djvpv.exe99⤵PID:1996
-
\??\c:\xrxfrrl.exec:\xrxfrrl.exe100⤵PID:4464
-
\??\c:\fxffxxr.exec:\fxffxxr.exe101⤵PID:3160
-
\??\c:\hnhttn.exec:\hnhttn.exe102⤵PID:3220
-
\??\c:\ppjpv.exec:\ppjpv.exe103⤵PID:1956
-
\??\c:\rxlfxrl.exec:\rxlfxrl.exe104⤵PID:4808
-
\??\c:\bbtnnn.exec:\bbtnnn.exe105⤵PID:2632
-
\??\c:\djvjd.exec:\djvjd.exe106⤵PID:2376
-
\??\c:\fxffffx.exec:\fxffffx.exe107⤵PID:1156
-
\??\c:\nnttbb.exec:\nnttbb.exe108⤵PID:1804
-
\??\c:\jjpjd.exec:\jjpjd.exe109⤵PID:1240
-
\??\c:\jddjj.exec:\jddjj.exe110⤵PID:4688
-
\??\c:\hbnnhn.exec:\hbnnhn.exe111⤵PID:4124
-
\??\c:\dpvpv.exec:\dpvpv.exe112⤵PID:2452
-
\??\c:\dpdvv.exec:\dpdvv.exe113⤵PID:1716
-
\??\c:\xfllfff.exec:\xfllfff.exe114⤵PID:1068
-
\??\c:\3tnhbb.exec:\3tnhbb.exe115⤵PID:4088
-
\??\c:\1djvp.exec:\1djvp.exe116⤵PID:3424
-
\??\c:\1jpdv.exec:\1jpdv.exe117⤵PID:3208
-
\??\c:\fxffxff.exec:\fxffxff.exe118⤵PID:1044
-
\??\c:\bhnbbt.exec:\bhnbbt.exe119⤵PID:2444
-
\??\c:\hththh.exec:\hththh.exe120⤵PID:3636
-
\??\c:\dddvp.exec:\dddvp.exe121⤵PID:4592
-
\??\c:\xrxrllr.exec:\xrxrllr.exe122⤵PID:2672