Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-11-2024 02:13
Behavioral task
behavioral1 (note: every signature IoC listed below is tagged behavioral2, i.e. the Windows 10 run described in the header above; this task label and the win7 resource on the following lines do not match the data shown)
Sample
972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246.exe
-
Size
97KB
-
MD5
34c282c20fb8a8cdb562a09a80aca2ef
-
SHA1
eef7b468c3b45dfb67c6266d7c5b57bbf5df392a
-
SHA256
972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246
-
SHA512
0198119ccafcf90346e9eb54c5dc237d1190a2bd57010f1277e1b86499a69d52b4ad40f1a53928ea8310e632fe73a841e1afa6839ba04a0257331a6c9d828eb2
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgb:8cm4FmowdHoSgWrXUgb
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2668-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3652-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2392-14-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/468-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1356-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-29-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4172-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4784-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4212-44-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3424-50-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2068-54-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1752-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-80-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1580-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4660-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2960-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3412-101-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3148-105-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2808-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2092-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3644-123-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3972-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1248-138-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1604-142-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-154-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2992-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3840-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4764-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3440-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1040-176-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-188-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4028-193-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4148-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-206-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3052-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-213-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-222-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1592-225-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2752-228-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/208-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2288-247-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4252-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4416-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4312-283-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1976-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/928-289-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2060-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/228-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1804-326-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3332-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3236-422-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4936-437-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1612-528-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3176-533-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2036-540-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4088-631-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3636-672-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1548-739-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3116-1075-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-1290-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/400-1335-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs (PIDs 3652 and 3052 each appear twice in this list, so PIDs are being reused across the short-lived chain; correlate on process name and parent lineage rather than on PID alone)
pid Process 3652 xrrfxlf.exe 2392 nbbthh.exe 468 vvvpd.exe 1356 jpddp.exe 3052 llxlrrx.exe 4172 fllxlfr.exe 4784 bthbbb.exe 4212 thhtnt.exe 3424 vpdvp.exe 2068 rlllrrx.exe 5004 xxrxxxl.exe 1752 nbnhbb.exe 904 vvpjd.exe 1812 flrlfxl.exe 4252 thhbnh.exe 2732 1nnnbt.exe 1580 9pvpd.exe 4660 frrlrlr.exe 2960 xrfxfrf.exe 3412 bhhhbt.exe 3148 pjpjv.exe 4484 3lxrfxl.exe 2808 hthnhn.exe 2092 ntnthb.exe 3644 1vdpd.exe 3972 lfrrrxr.exe 3116 5nbbtn.exe 1248 ddjvp.exe 1604 xrxlffx.exe 2624 3bthtn.exe 3236 ttttbt.exe 4848 pvvvp.exe 2992 rrxxrrf.exe 3656 1rllfll.exe 3840 5tbtnh.exe 4764 httnbt.exe 3440 vppvd.exe 2212 llfxlfx.exe 2560 rrlfxrl.exe 1040 bnbnnh.exe 228 pjvjv.exe 3220 vpjdv.exe 1740 fflxllx.exe 4780 tttnhn.exe 1744 bhbtbn.exe 5072 nnhthb.exe 4028 dvpdp.exe 552 lllxlfr.exe 3652 pdvpd.exe 4148 rxxrfxl.exe 2260 xllfxrl.exe 3332 tbbtnn.exe 3484 pdpdv.exe 3052 xxflxfx.exe 2768 3fxlfxr.exe 3520 9hbhtb.exe 3940 nttntt.exe 3548 pddvd.exe 1788 rlxrxrf.exe 1592 1rxrllx.exe 2752 bnnhbt.exe 1664 7dvjv.exe 2044 rffxflx.exe 1532 rflfffl.exe -
resource yara_rule behavioral2/memory/2668-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b6d-3.dat upx behavioral2/memory/2668-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b77-9.dat upx behavioral2/memory/3652-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-11.dat upx behavioral2/memory/2392-14-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-18.dat upx behavioral2/memory/468-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-23.dat upx behavioral2/memory/1356-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-28.dat upx behavioral2/memory/3052-29-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-33.dat upx behavioral2/memory/4172-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-38.dat upx behavioral2/memory/4784-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-43.dat upx behavioral2/memory/4212-44-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3424-50-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-49.dat upx behavioral2/files/0x000a000000023b80-55.dat upx behavioral2/memory/2068-54-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b81-58.dat upx behavioral2/files/0x000a000000023b82-62.dat upx behavioral2/memory/1752-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b83-67.dat upx behavioral2/files/0x000a000000023b84-71.dat upx behavioral2/files/0x000a000000023b85-75.dat upx behavioral2/files/0x000a000000023b86-79.dat upx behavioral2/memory/2732-80-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-84.dat upx 
behavioral2/memory/1580-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4660-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-89.dat upx behavioral2/files/0x000a000000023b89-94.dat upx behavioral2/memory/2960-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-100.dat upx behavioral2/memory/3412-101-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-104.dat upx behavioral2/memory/3148-105-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-109.dat upx behavioral2/files/0x000a000000023b8d-113.dat upx behavioral2/memory/2808-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2092-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-119.dat upx behavioral2/files/0x000a000000023b8f-124.dat upx behavioral2/memory/3644-123-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-128.dat upx behavioral2/memory/3972-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-133.dat upx behavioral2/memory/1248-138-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b92-137.dat upx behavioral2/memory/1604-142-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b74-143.dat upx behavioral2/files/0x000b000000023b94-147.dat upx behavioral2/memory/3236-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9c-152.dat upx behavioral2/memory/2992-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3840-162-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4764-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3440-169-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1040-176-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/228-179-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The IoC here is a read of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; entries attributed to "Process not Found" are reads the sandbox could not map back to a tracked process (likely because the short-lived dropped executables had already exited), so those cannot be tied to a specific binary.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjvjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddppv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1bnhbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vppjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxlxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xfxxlrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9jjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlrffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfxxrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 3652 2668 972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246.exe 83 PID 2668 wrote to memory of 3652 2668 972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246.exe 83 PID 2668 wrote to memory of 3652 2668 972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246.exe 83 PID 3652 wrote to memory of 2392 3652 xrrfxlf.exe 84 PID 3652 wrote to memory of 2392 3652 xrrfxlf.exe 84 PID 3652 wrote to memory of 2392 3652 xrrfxlf.exe 84 PID 2392 wrote to memory of 468 2392 nbbthh.exe 85 PID 2392 wrote to memory of 468 2392 nbbthh.exe 85 PID 2392 wrote to memory of 468 2392 nbbthh.exe 85 PID 468 wrote to memory of 1356 468 vvvpd.exe 86 PID 468 wrote to memory of 1356 468 vvvpd.exe 86 PID 468 wrote to memory of 1356 468 vvvpd.exe 86 PID 1356 wrote to memory of 3052 1356 jpddp.exe 87 PID 1356 wrote to memory of 3052 1356 jpddp.exe 87 PID 1356 wrote to memory of 3052 1356 jpddp.exe 87 PID 3052 wrote to memory of 4172 3052 llxlrrx.exe 88 PID 3052 wrote to memory of 4172 3052 llxlrrx.exe 88 PID 3052 wrote to memory of 4172 3052 llxlrrx.exe 88 PID 4172 wrote to memory of 4784 4172 fllxlfr.exe 89 PID 4172 wrote to memory of 4784 4172 fllxlfr.exe 89 PID 4172 wrote to memory of 4784 4172 fllxlfr.exe 89 PID 4784 wrote to memory of 4212 4784 bthbbb.exe 90 PID 4784 wrote to memory of 4212 4784 bthbbb.exe 90 PID 4784 wrote to memory of 4212 4784 bthbbb.exe 90 PID 4212 wrote to memory of 3424 4212 thhtnt.exe 91 PID 4212 wrote to memory of 3424 4212 thhtnt.exe 91 PID 4212 wrote to memory of 3424 4212 thhtnt.exe 91 PID 3424 wrote to memory of 2068 3424 vpdvp.exe 92 PID 3424 wrote to memory of 2068 3424 vpdvp.exe 92 PID 3424 wrote to memory of 2068 3424 vpdvp.exe 92 PID 2068 wrote to memory of 5004 2068 rlllrrx.exe 93 PID 2068 wrote to memory of 5004 2068 rlllrrx.exe 93 PID 2068 wrote to memory of 5004 2068 rlllrrx.exe 93 PID 5004 wrote to memory of 1752 5004 xxrxxxl.exe 94 PID 5004 wrote to memory 
of 1752 5004 xxrxxxl.exe 94 PID 5004 wrote to memory of 1752 5004 xxrxxxl.exe 94 PID 1752 wrote to memory of 904 1752 nbnhbb.exe 95 PID 1752 wrote to memory of 904 1752 nbnhbb.exe 95 PID 1752 wrote to memory of 904 1752 nbnhbb.exe 95 PID 904 wrote to memory of 1812 904 vvpjd.exe 96 PID 904 wrote to memory of 1812 904 vvpjd.exe 96 PID 904 wrote to memory of 1812 904 vvpjd.exe 96 PID 1812 wrote to memory of 4252 1812 flrlfxl.exe 97 PID 1812 wrote to memory of 4252 1812 flrlfxl.exe 97 PID 1812 wrote to memory of 4252 1812 flrlfxl.exe 97 PID 4252 wrote to memory of 2732 4252 thhbnh.exe 98 PID 4252 wrote to memory of 2732 4252 thhbnh.exe 98 PID 4252 wrote to memory of 2732 4252 thhbnh.exe 98 PID 2732 wrote to memory of 1580 2732 1nnnbt.exe 99 PID 2732 wrote to memory of 1580 2732 1nnnbt.exe 99 PID 2732 wrote to memory of 1580 2732 1nnnbt.exe 99 PID 1580 wrote to memory of 4660 1580 9pvpd.exe 100 PID 1580 wrote to memory of 4660 1580 9pvpd.exe 100 PID 1580 wrote to memory of 4660 1580 9pvpd.exe 100 PID 4660 wrote to memory of 2960 4660 frrlrlr.exe 101 PID 4660 wrote to memory of 2960 4660 frrlrlr.exe 101 PID 4660 wrote to memory of 2960 4660 frrlrlr.exe 101 PID 2960 wrote to memory of 3412 2960 xrfxfrf.exe 102 PID 2960 wrote to memory of 3412 2960 xrfxfrf.exe 102 PID 2960 wrote to memory of 3412 2960 xrfxfrf.exe 102 PID 3412 wrote to memory of 3148 3412 bhhhbt.exe 103 PID 3412 wrote to memory of 3148 3412 bhhhbt.exe 103 PID 3412 wrote to memory of 3148 3412 bhhhbt.exe 103 PID 3148 wrote to memory of 4484 3148 pjpjv.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246.exe"C:\Users\Admin\AppData\Local\Temp\972dddce899d31c60f99842aa57781887cb216f0d1a126a10c14f7c915f5c246.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2668 -
\??\c:\xrrfxlf.exec:\xrrfxlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
\??\c:\nbbthh.exec:\nbbthh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\vvvpd.exec:\vvvpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
\??\c:\jpddp.exec:\jpddp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1356 -
\??\c:\llxlrrx.exec:\llxlrrx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
\??\c:\fllxlfr.exec:\fllxlfr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4172 -
\??\c:\bthbbb.exec:\bthbbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4784 -
\??\c:\thhtnt.exec:\thhtnt.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4212 -
\??\c:\vpdvp.exec:\vpdvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
\??\c:\rlllrrx.exec:\rlllrrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
\??\c:\xxrxxxl.exec:\xxrxxxl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
\??\c:\nbnhbb.exec:\nbnhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\vvpjd.exec:\vvpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\flrlfxl.exec:\flrlfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
\??\c:\thhbnh.exec:\thhbnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252 -
\??\c:\1nnnbt.exec:\1nnnbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732 -
\??\c:\9pvpd.exec:\9pvpd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
\??\c:\frrlrlr.exec:\frrlrlr.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\xrfxfrf.exec:\xrfxfrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2960 -
\??\c:\bhhhbt.exec:\bhhhbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
\??\c:\pjpjv.exec:\pjpjv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148 -
\??\c:\3lxrfxl.exec:\3lxrfxl.exe23⤵
- Executes dropped EXE
PID:4484 -
\??\c:\hthnhn.exec:\hthnhn.exe24⤵
- Executes dropped EXE
PID:2808 -
\??\c:\ntnthb.exec:\ntnthb.exe25⤵
- Executes dropped EXE
PID:2092 -
\??\c:\1vdpd.exec:\1vdpd.exe26⤵
- Executes dropped EXE
PID:3644 -
\??\c:\lfrrrxr.exec:\lfrrrxr.exe27⤵
- Executes dropped EXE
PID:3972 -
\??\c:\5nbbtn.exec:\5nbbtn.exe28⤵
- Executes dropped EXE
PID:3116 -
\??\c:\ddjvp.exec:\ddjvp.exe29⤵
- Executes dropped EXE
PID:1248 -
\??\c:\xrxlffx.exec:\xrxlffx.exe30⤵
- Executes dropped EXE
PID:1604 -
\??\c:\3bthtn.exec:\3bthtn.exe31⤵
- Executes dropped EXE
PID:2624 -
\??\c:\ttttbt.exec:\ttttbt.exe32⤵
- Executes dropped EXE
PID:3236 -
\??\c:\pvvvp.exec:\pvvvp.exe33⤵
- Executes dropped EXE
PID:4848 -
\??\c:\rrxxrrf.exec:\rrxxrrf.exe34⤵
- Executes dropped EXE
PID:2992 -
\??\c:\1rllfll.exec:\1rllfll.exe35⤵
- Executes dropped EXE
PID:3656 -
\??\c:\5tbtnh.exec:\5tbtnh.exe36⤵
- Executes dropped EXE
PID:3840 -
\??\c:\httnbt.exec:\httnbt.exe37⤵
- Executes dropped EXE
PID:4764 -
\??\c:\vppvd.exec:\vppvd.exe38⤵
- Executes dropped EXE
PID:3440 -
\??\c:\llfxlfx.exec:\llfxlfx.exe39⤵
- Executes dropped EXE
PID:2212 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
\??\c:\bnbnnh.exec:\bnbnnh.exe41⤵
- Executes dropped EXE
PID:1040 -
\??\c:\pjvjv.exec:\pjvjv.exe42⤵
- Executes dropped EXE
PID:228 -
\??\c:\vpjdv.exec:\vpjdv.exe43⤵
- Executes dropped EXE
PID:3220 -
\??\c:\fflxllx.exec:\fflxllx.exe44⤵
- Executes dropped EXE
PID:1740 -
\??\c:\tttnhn.exec:\tttnhn.exe45⤵
- Executes dropped EXE
PID:4780 -
\??\c:\bhbtbn.exec:\bhbtbn.exe46⤵
- Executes dropped EXE
PID:1744 -
\??\c:\nnhthb.exec:\nnhthb.exe47⤵
- Executes dropped EXE
PID:5072 -
\??\c:\dvpdp.exec:\dvpdp.exe48⤵
- Executes dropped EXE
PID:4028 -
\??\c:\lllxlfr.exec:\lllxlfr.exe49⤵
- Executes dropped EXE
PID:552 -
\??\c:\pdvpd.exec:\pdvpd.exe50⤵
- Executes dropped EXE
PID:3652 -
\??\c:\rxxrfxl.exec:\rxxrfxl.exe51⤵
- Executes dropped EXE
PID:4148 -
\??\c:\xllfxrl.exec:\xllfxrl.exe52⤵
- Executes dropped EXE
PID:2260 -
\??\c:\tbbtnn.exec:\tbbtnn.exe53⤵
- Executes dropped EXE
PID:3332 -
\??\c:\pdpdv.exec:\pdpdv.exe54⤵
- Executes dropped EXE
PID:3484 -
\??\c:\xxflxfx.exec:\xxflxfx.exe55⤵
- Executes dropped EXE
PID:3052 -
\??\c:\3fxlfxr.exec:\3fxlfxr.exe56⤵
- Executes dropped EXE
PID:2768 -
\??\c:\9hbhtb.exec:\9hbhtb.exe57⤵
- Executes dropped EXE
PID:3520 -
\??\c:\nttntt.exec:\nttntt.exe58⤵
- Executes dropped EXE
PID:3940 -
\??\c:\pddvd.exec:\pddvd.exe59⤵
- Executes dropped EXE
PID:3548 -
\??\c:\rlxrxrf.exec:\rlxrxrf.exe60⤵
- Executes dropped EXE
PID:1788 -
\??\c:\1rxrllx.exec:\1rxrllx.exe61⤵
- Executes dropped EXE
PID:1592 -
\??\c:\bnnhbt.exec:\bnnhbt.exe62⤵
- Executes dropped EXE
PID:2752 -
\??\c:\7dvjv.exec:\7dvjv.exe63⤵
- Executes dropped EXE
PID:1664 -
\??\c:\rffxflx.exec:\rffxflx.exe64⤵
- Executes dropped EXE
PID:2044 -
\??\c:\rflfffl.exec:\rflfffl.exe65⤵
- Executes dropped EXE
PID:1532 -
\??\c:\bbbnbb.exec:\bbbnbb.exe66⤵PID:5000
-
\??\c:\5jdpd.exec:\5jdpd.exe67⤵PID:3004
-
\??\c:\vdvpd.exec:\vdvpd.exe68⤵PID:208
-
\??\c:\9rfrxrf.exec:\9rfrxrf.exe69⤵PID:2744
-
\??\c:\tnnhbn.exec:\tnnhbn.exe70⤵PID:2288
-
\??\c:\5bhbbb.exec:\5bhbbb.exe71⤵PID:4252
-
\??\c:\djdvp.exec:\djdvp.exe72⤵PID:5112
-
\??\c:\fxxfflx.exec:\fxxfflx.exe73⤵PID:1580
-
\??\c:\pjjpj.exec:\pjjpj.exe74⤵PID:1612
-
\??\c:\5ffxrrl.exec:\5ffxrrl.exe75⤵PID:4968
-
\??\c:\xllfrfl.exec:\xllfrfl.exe76⤵PID:2960
-
\??\c:\vpvjp.exec:\vpvjp.exe77⤵PID:408
-
\??\c:\pjvdp.exec:\pjvdp.exe78⤵PID:3508
-
\??\c:\djpdv.exec:\djpdv.exe79⤵PID:3020
-
\??\c:\rlxrlrx.exec:\rlxrlrx.exe80⤵PID:4416
-
\??\c:\btnnnn.exec:\btnnnn.exe81⤵PID:2132
-
\??\c:\bnbttt.exec:\bnbttt.exe82⤵PID:4136
-
\??\c:\pvdvp.exec:\pvdvp.exe83⤵PID:2856
-
\??\c:\fflxrlx.exec:\fflxrlx.exe84⤵PID:2980
-
\??\c:\thnhhh.exec:\thnhhh.exe85⤵PID:4888
-
\??\c:\tnnhbb.exec:\tnnhbb.exe86⤵PID:4312
-
\??\c:\jpjjd.exec:\jpjjd.exe87⤵PID:1976
-
\??\c:\pvvvj.exec:\pvvvj.exe88⤵PID:928
-
\??\c:\fflrrrf.exec:\fflrrrf.exe89⤵PID:4988
-
\??\c:\hhhntn.exec:\hhhntn.exe90⤵PID:2688
-
\??\c:\jjjvp.exec:\jjjvp.exe91⤵PID:1260
-
\??\c:\7flflfx.exec:\7flflfx.exe92⤵PID:4740
-
\??\c:\pdvjv.exec:\pdvjv.exe93⤵PID:4872
-
\??\c:\rxxlxxl.exec:\rxxlxxl.exe94⤵PID:2144
-
\??\c:\lxfxfxl.exec:\lxfxfxl.exe95⤵PID:4528
-
\??\c:\tbtnhb.exec:\tbtnhb.exe96⤵PID:1004
-
\??\c:\ppvdp.exec:\ppvdp.exe97⤵PID:2060
-
\??\c:\5ddvp.exec:\5ddvp.exe98⤵PID:2284
-
\??\c:\xlllxrr.exec:\xlllxrr.exe99⤵PID:1264
-
\??\c:\xxrlffr.exec:\xxrlffr.exe100⤵PID:228
-
\??\c:\htbbbt.exec:\htbbbt.exe101⤵PID:1896
-
\??\c:\vdpjv.exec:\vdpjv.exe102⤵PID:2792
-
\??\c:\3jdvp.exec:\3jdvp.exe103⤵PID:1600
-
\??\c:\3lfxllf.exec:\3lfxllf.exe104⤵PID:4672
-
\??\c:\nthhtn.exec:\nthhtn.exe105⤵PID:684
-
\??\c:\nttbbb.exec:\nttbbb.exe106⤵PID:1804
-
\??\c:\dvvjj.exec:\dvvjj.exe107⤵PID:3868
-
\??\c:\9vvvv.exec:\9vvvv.exe108⤵PID:748
-
\??\c:\xfffxxl.exec:\xfffxxl.exe109⤵PID:4436
-
\??\c:\hbbbtb.exec:\hbbbtb.exe110⤵PID:468
-
\??\c:\pjdjv.exec:\pjdjv.exe111⤵PID:1472
-
\??\c:\rllfrrr.exec:\rllfrrr.exe112⤵PID:4488
-
\??\c:\rlxlxxl.exec:\rlxlxxl.exe113⤵PID:3332
-
\??\c:\nnbbtt.exec:\nnbbtt.exe114⤵PID:2168
-
\??\c:\vjjpj.exec:\vjjpj.exe115⤵PID:3612
-
\??\c:\pjdpv.exec:\pjdpv.exe116⤵PID:3528
-
\??\c:\frrflrx.exec:\frrflrx.exe117⤵PID:5012
-
\??\c:\1xfxrrl.exec:\1xfxrrl.exe118⤵PID:3520
-
\??\c:\ntnhhn.exec:\ntnhhn.exe119⤵PID:3280
-
\??\c:\bbhhhb.exec:\bbhhhb.exe120⤵PID:3628
-
\??\c:\7jpjd.exec:\7jpjd.exe121⤵PID:4640
-
\??\c:\xfxrflx.exec:\xfxrflx.exe122⤵PID:2264