Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 21:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789.exe
-
Size
453KB
-
MD5
ce417fdd5c854baf6e47a136ddee9eae
-
SHA1
545b12a384d80b59ba13dcd2a354f7045fe89b30
-
SHA256
d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789
-
SHA512
1809ae6ef8e36605f194387c2c9e3a12c1023b34f2699fc991b5af06d0a3fda399a9c0536dfbb8c4fb48274382611458bc38ee129d5353cade0591bba34bbb04
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeV:q7Tc2NYHUrAwfMp3CDV
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1756-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2252-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-20-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4416-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4188-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4904-198-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1364-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3068-249-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4404-278-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2356-245-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2400-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4124-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1720-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-216-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1020-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3328-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3140-182-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2552-176-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2224-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2760-285-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-159-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-131-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/680-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-119-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-112-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1080-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-91-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4024-74-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3144-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1932-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1480-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2628-45-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4400-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4528-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3580-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4232-329-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/368-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/100-340-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1084-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1988-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3644-410-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2004-420-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/408-424-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4180-431-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-504-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-536-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-603-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4988-616-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2216-632-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-642-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4380-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2376-722-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-792-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-936-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4520-1308-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4416 rllxxxx.exe 2252 bhtnnt.exe 3976 jvdvv.exe 216 xrfflrx.exe 4400 7bnnnt.exe 3536 3jppp.exe 2628 fffxrlx.exe 1480 nntntn.exe 1932 jppjd.exe 3144 fxlfffx.exe 2328 rfflxrx.exe 4024 hbhnht.exe 4188 vjjvj.exe 3844 xfrlffx.exe 2596 btbbtt.exe 100 jvjjd.exe 1080 lrrlffx.exe 4976 hhtttb.exe 3788 7vvvp.exe 2804 flxrxrl.exe 680 lrxrrrr.exe 1828 tttbnh.exe 3980 7pvpp.exe 3948 xfllffx.exe 3276 bnttnn.exe 3124 ddppd.exe 2940 5ppjj.exe 2224 xfllffx.exe 3968 thtttb.exe 2552 vjpdv.exe 3140 1frlfrr.exe 4532 1rrlffx.exe 3696 tnnhnn.exe 4108 pdpjj.exe 4904 rflrlfl.exe 4920 xrrlffx.exe 3328 nbhbtn.exe 2000 9jjvp.exe 1020 3xxxlll.exe 1988 xllfxxr.exe 1720 hbnhbb.exe 1364 pvpdp.exe 4124 1llxlff.exe 2400 tnhhhn.exe 5060 pvdvv.exe 4860 lfflfxr.exe 4912 fxlffff.exe 2356 nnbnnt.exe 3068 3vjjd.exe 4864 xrrrlff.exe 4044 xxlrrxx.exe 3632 nbnhhh.exe 3944 3jjjj.exe 324 rrffxff.exe 4684 9rfxxll.exe 2860 bbbhhh.exe 2516 djvdd.exe 4404 xxfffff.exe 2760 hhbtnn.exe 4664 vdvpv.exe 4016 5lxrrrr.exe 5112 tnhttb.exe 4528 ppddd.exe 1716 frlrflx.exe -
resource yara_rule behavioral2/memory/1756-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2252-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-20-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4188-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4904-198-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1364-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3068-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4404-278-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2356-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2400-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4124-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1720-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1988-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1020-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3328-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3140-182-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2552-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2224-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2760-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-159-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3124-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-131-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/680-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-112-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-91-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4024-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3144-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1932-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1480-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2628-45-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4400-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4528-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3580-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4232-329-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/368-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/100-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1084-369-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1988-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3644-410-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2004-420-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/408-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-504-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/972-526-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-536-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-603-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-616-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2216-632-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-642-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4380-679-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2376-722-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-792-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4416-883-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
fffxrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xllfxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language htbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbntbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrlfffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbttn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxfrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbtbtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrlfxfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vpvdd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1756 wrote to memory of 4416 1756 d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789.exe 82 PID 1756 wrote to memory of 4416 1756 d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789.exe 82 PID 1756 wrote to memory of 4416 1756 d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789.exe 82 PID 4416 wrote to memory of 2252 4416 rllxxxx.exe 83 PID 4416 wrote to memory of 2252 4416 rllxxxx.exe 83 PID 4416 wrote to memory of 2252 4416 rllxxxx.exe 83 PID 2252 wrote to memory of 3976 2252 bhtnnt.exe 84 PID 2252 wrote to memory of 3976 2252 bhtnnt.exe 84 PID 2252 wrote to memory of 3976 2252 bhtnnt.exe 84 PID 3976 wrote to memory of 216 3976 jvdvv.exe 85 PID 3976 wrote to memory of 216 3976 jvdvv.exe 85 PID 3976 wrote to memory of 216 3976 jvdvv.exe 85 PID 216 wrote to memory of 4400 216 xrfflrx.exe 86 PID 216 wrote to memory of 4400 216 xrfflrx.exe 86 PID 216 wrote to memory of 4400 216 xrfflrx.exe 86 PID 4400 wrote to memory of 3536 4400 7bnnnt.exe 87 PID 4400 wrote to memory of 3536 4400 7bnnnt.exe 87 PID 4400 wrote to memory of 3536 4400 7bnnnt.exe 87 PID 3536 wrote to memory of 2628 3536 3jppp.exe 88 PID 3536 wrote to memory of 2628 3536 3jppp.exe 88 PID 3536 wrote to memory of 2628 3536 3jppp.exe 88 PID 2628 wrote to memory of 1480 2628 fffxrlx.exe 89 PID 2628 wrote to memory of 1480 2628 fffxrlx.exe 89 PID 2628 wrote to memory of 1480 2628 fffxrlx.exe 89 PID 1480 wrote to memory of 1932 1480 nntntn.exe 90 PID 1480 wrote to memory of 1932 1480 nntntn.exe 90 PID 1480 wrote to memory of 1932 1480 nntntn.exe 90 PID 1932 wrote to memory of 3144 1932 jppjd.exe 91 PID 1932 wrote to memory of 3144 1932 jppjd.exe 91 PID 1932 wrote to memory of 3144 1932 jppjd.exe 91 PID 3144 wrote to memory of 2328 3144 fxlfffx.exe 92 PID 3144 wrote to memory of 2328 3144 fxlfffx.exe 92 PID 3144 wrote to memory of 2328 3144 fxlfffx.exe 92 PID 2328 wrote to memory of 4024 2328 rfflxrx.exe 93 PID 2328 wrote to memory 
of 4024 2328 rfflxrx.exe 93 PID 2328 wrote to memory of 4024 2328 rfflxrx.exe 93 PID 4024 wrote to memory of 4188 4024 hbhnht.exe 94 PID 4024 wrote to memory of 4188 4024 hbhnht.exe 94 PID 4024 wrote to memory of 4188 4024 hbhnht.exe 94 PID 4188 wrote to memory of 3844 4188 vjjvj.exe 95 PID 4188 wrote to memory of 3844 4188 vjjvj.exe 95 PID 4188 wrote to memory of 3844 4188 vjjvj.exe 95 PID 3844 wrote to memory of 2596 3844 xfrlffx.exe 96 PID 3844 wrote to memory of 2596 3844 xfrlffx.exe 96 PID 3844 wrote to memory of 2596 3844 xfrlffx.exe 96 PID 2596 wrote to memory of 100 2596 btbbtt.exe 157 PID 2596 wrote to memory of 100 2596 btbbtt.exe 157 PID 2596 wrote to memory of 100 2596 btbbtt.exe 157 PID 100 wrote to memory of 1080 100 jvjjd.exe 98 PID 100 wrote to memory of 1080 100 jvjjd.exe 98 PID 100 wrote to memory of 1080 100 jvjjd.exe 98 PID 1080 wrote to memory of 4976 1080 lrrlffx.exe 99 PID 1080 wrote to memory of 4976 1080 lrrlffx.exe 99 PID 1080 wrote to memory of 4976 1080 lrrlffx.exe 99 PID 4976 wrote to memory of 3788 4976 hhtttb.exe 100 PID 4976 wrote to memory of 3788 4976 hhtttb.exe 100 PID 4976 wrote to memory of 3788 4976 hhtttb.exe 100 PID 3788 wrote to memory of 2804 3788 7vvvp.exe 101 PID 3788 wrote to memory of 2804 3788 7vvvp.exe 101 PID 3788 wrote to memory of 2804 3788 7vvvp.exe 101 PID 2804 wrote to memory of 680 2804 flxrxrl.exe 102 PID 2804 wrote to memory of 680 2804 flxrxrl.exe 102 PID 2804 wrote to memory of 680 2804 flxrxrl.exe 102 PID 680 wrote to memory of 1828 680 lrxrrrr.exe 162
Processes
-
C:\Users\Admin\AppData\Local\Temp\d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789.exe"C:\Users\Admin\AppData\Local\Temp\d97ba7dcdb821382b953f55b6c3290c2ececc65313c7fc8281b48a23520e8789.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
\??\c:\rllxxxx.exec:\rllxxxx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416 -
\??\c:\bhtnnt.exec:\bhtnnt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2252 -
\??\c:\jvdvv.exec:\jvdvv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\xrfflrx.exec:\xrfflrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
\??\c:\7bnnnt.exec:\7bnnnt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\3jppp.exec:\3jppp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
\??\c:\fffxrlx.exec:\fffxrlx.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
\??\c:\nntntn.exec:\nntntn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480 -
\??\c:\jppjd.exec:\jppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1932 -
\??\c:\fxlfffx.exec:\fxlfffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3144 -
\??\c:\rfflxrx.exec:\rfflxrx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2328 -
\??\c:\hbhnht.exec:\hbhnht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4024 -
\??\c:\vjjvj.exec:\vjjvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4188 -
\??\c:\xfrlffx.exec:\xfrlffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844 -
\??\c:\btbbtt.exec:\btbbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2596 -
\??\c:\jvjjd.exec:\jvjjd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:100 -
\??\c:\lrrlffx.exec:\lrrlffx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
\??\c:\hhtttb.exec:\hhtttb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\7vvvp.exec:\7vvvp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788 -
\??\c:\flxrxrl.exec:\flxrxrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
\??\c:\lrxrrrr.exec:\lrxrrrr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:680 -
\??\c:\tttbnh.exec:\tttbnh.exe23⤵
- Executes dropped EXE
PID:1828 -
\??\c:\7pvpp.exec:\7pvpp.exe24⤵
- Executes dropped EXE
PID:3980 -
\??\c:\xfllffx.exec:\xfllffx.exe25⤵
- Executes dropped EXE
PID:3948 -
\??\c:\bnttnn.exec:\bnttnn.exe26⤵
- Executes dropped EXE
PID:3276 -
\??\c:\ddppd.exec:\ddppd.exe27⤵
- Executes dropped EXE
PID:3124 -
\??\c:\5ppjj.exec:\5ppjj.exe28⤵
- Executes dropped EXE
PID:2940 -
\??\c:\xfllffx.exec:\xfllffx.exe29⤵
- Executes dropped EXE
PID:2224 -
\??\c:\thtttb.exec:\thtttb.exe30⤵
- Executes dropped EXE
PID:3968 -
\??\c:\vjpdv.exec:\vjpdv.exe31⤵
- Executes dropped EXE
PID:2552 -
\??\c:\1frlfrr.exec:\1frlfrr.exe32⤵
- Executes dropped EXE
PID:3140 -
\??\c:\1rrlffx.exec:\1rrlffx.exe33⤵
- Executes dropped EXE
PID:4532 -
\??\c:\tnnhnn.exec:\tnnhnn.exe34⤵
- Executes dropped EXE
PID:3696 -
\??\c:\pdpjj.exec:\pdpjj.exe35⤵
- Executes dropped EXE
PID:4108 -
\??\c:\rflrlfl.exec:\rflrlfl.exe36⤵
- Executes dropped EXE
PID:4904 -
\??\c:\xrrlffx.exec:\xrrlffx.exe37⤵
- Executes dropped EXE
PID:4920 -
\??\c:\nbhbtn.exec:\nbhbtn.exe38⤵
- Executes dropped EXE
PID:3328 -
\??\c:\9jjvp.exec:\9jjvp.exe39⤵
- Executes dropped EXE
PID:2000 -
\??\c:\3xxxlll.exec:\3xxxlll.exe40⤵
- Executes dropped EXE
PID:1020 -
\??\c:\xllfxxr.exec:\xllfxxr.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
\??\c:\hbnhbb.exec:\hbnhbb.exe42⤵
- Executes dropped EXE
PID:1720 -
\??\c:\pvpdp.exec:\pvpdp.exe43⤵
- Executes dropped EXE
PID:1364 -
\??\c:\1llxlff.exec:\1llxlff.exe44⤵
- Executes dropped EXE
PID:4124 -
\??\c:\tnhhhn.exec:\tnhhhn.exe45⤵
- Executes dropped EXE
PID:2400 -
\??\c:\pvdvv.exec:\pvdvv.exe46⤵
- Executes dropped EXE
PID:5060 -
\??\c:\lfflfxr.exec:\lfflfxr.exe47⤵
- Executes dropped EXE
PID:4860 -
\??\c:\fxlffff.exec:\fxlffff.exe48⤵
- Executes dropped EXE
PID:4912 -
\??\c:\nnbnnt.exec:\nnbnnt.exe49⤵
- Executes dropped EXE
PID:2356 -
\??\c:\3vjjd.exec:\3vjjd.exe50⤵
- Executes dropped EXE
PID:3068 -
\??\c:\xrrrlff.exec:\xrrrlff.exe51⤵
- Executes dropped EXE
PID:4864 -
\??\c:\xxlrrxx.exec:\xxlrrxx.exe52⤵
- Executes dropped EXE
PID:4044 -
\??\c:\nbnhhh.exec:\nbnhhh.exe53⤵
- Executes dropped EXE
PID:3632 -
\??\c:\3jjjj.exec:\3jjjj.exe54⤵
- Executes dropped EXE
PID:3944 -
\??\c:\rrffxff.exec:\rrffxff.exe55⤵
- Executes dropped EXE
PID:324 -
\??\c:\9rfxxll.exec:\9rfxxll.exe56⤵
- Executes dropped EXE
PID:4684 -
\??\c:\bbbhhh.exec:\bbbhhh.exe57⤵
- Executes dropped EXE
PID:2860 -
\??\c:\djvdd.exec:\djvdd.exe58⤵
- Executes dropped EXE
PID:2516 -
\??\c:\xxfffff.exec:\xxfffff.exe59⤵
- Executes dropped EXE
PID:4404 -
\??\c:\hhbtnn.exec:\hhbtnn.exe60⤵
- Executes dropped EXE
PID:2760 -
\??\c:\vdvpv.exec:\vdvpv.exe61⤵
- Executes dropped EXE
PID:4664 -
\??\c:\5lxrrrr.exec:\5lxrrrr.exe62⤵
- Executes dropped EXE
PID:4016 -
\??\c:\tnhttb.exec:\tnhttb.exe63⤵
- Executes dropped EXE
PID:5112 -
\??\c:\ppddd.exec:\ppddd.exe64⤵
- Executes dropped EXE
PID:4528 -
\??\c:\frlrflx.exec:\frlrflx.exe65⤵
- Executes dropped EXE
PID:1716 -
\??\c:\ttnnhn.exec:\ttnnhn.exe66⤵PID:1632
-
\??\c:\jvddv.exec:\jvddv.exe67⤵PID:2192
-
\??\c:\9xlfflf.exec:\9xlfflf.exe68⤵PID:3400
-
\??\c:\tbhhnt.exec:\tbhhnt.exe69⤵PID:1936
-
\??\c:\ddjdd.exec:\ddjdd.exe70⤵PID:3580
-
\??\c:\xrfffll.exec:\xrfffll.exe71⤵PID:3712
-
\??\c:\bbhhht.exec:\bbhhht.exe72⤵PID:1776
-
\??\c:\tthhhn.exec:\tthhhn.exe73⤵PID:1184
-
\??\c:\fffflrr.exec:\fffflrr.exe74⤵PID:4232
-
\??\c:\bhttht.exec:\bhttht.exe75⤵PID:4432
-
\??\c:\vvjjp.exec:\vvjjp.exe76⤵PID:368
-
\??\c:\vddpj.exec:\vddpj.exe77⤵PID:100
-
\??\c:\xrlfxfx.exec:\xrlfxfx.exe78⤵
- System Location Discovery: System Language Discovery
PID:1892 -
\??\c:\djpjj.exec:\djpjj.exe79⤵PID:3012
-
\??\c:\ffrxfff.exec:\ffrxfff.exe80⤵PID:3856
-
\??\c:\tbntbb.exec:\tbntbb.exe81⤵PID:4828
-
\??\c:\vjppj.exec:\vjppj.exe82⤵PID:1828
-
\??\c:\jdppj.exec:\jdppj.exe83⤵PID:3368
-
\??\c:\jvvdd.exec:\jvvdd.exe84⤵PID:1092
-
\??\c:\rlrlllf.exec:\rlrlllf.exe85⤵PID:796
-
\??\c:\llllrrr.exec:\llllrrr.exe86⤵PID:1084
-
\??\c:\3tnhtb.exec:\3tnhtb.exe87⤵PID:1696
-
\??\c:\1djdd.exec:\1djdd.exe88⤵PID:3384
-
\??\c:\xxrflll.exec:\xxrflll.exe89⤵PID:3772
-
\??\c:\nbhtnn.exec:\nbhtnn.exe90⤵PID:4280
-
\??\c:\3rxffxx.exec:\3rxffxx.exe91⤵PID:2228
-
\??\c:\thtbbh.exec:\thtbbh.exe92⤵PID:4464
-
\??\c:\vpdpj.exec:\vpdpj.exe93⤵PID:4108
-
\??\c:\jpdvv.exec:\jpdvv.exe94⤵PID:5056
-
\??\c:\xxlfrfx.exec:\xxlfrfx.exe95⤵PID:2128
-
\??\c:\vvppj.exec:\vvppj.exe96⤵PID:184
-
\??\c:\hnnhhh.exec:\hnnhhh.exe97⤵PID:3288
-
\??\c:\3rffflr.exec:\3rffflr.exe98⤵PID:1988
-
\??\c:\tnnhbh.exec:\tnnhbh.exe99⤵PID:3644
-
\??\c:\pdjpd.exec:\pdjpd.exe100⤵PID:4220
-
\??\c:\jvdvv.exec:\jvdvv.exe101⤵
- System Location Discovery: System Language Discovery
PID:2316 -
\??\c:\pjjjp.exec:\pjjjp.exe102⤵PID:2004
-
\??\c:\hbnttb.exec:\hbnttb.exe103⤵PID:408
-
\??\c:\jpjjv.exec:\jpjjv.exe104⤵PID:3120
-
\??\c:\frfxxll.exec:\frfxxll.exe105⤵PID:4180
-
\??\c:\bhnhhh.exec:\bhnhhh.exe106⤵PID:3000
-
\??\c:\vdpvv.exec:\vdpvv.exe107⤵PID:3068
-
\??\c:\rxxxrxx.exec:\rxxxrxx.exe108⤵PID:3472
-
\??\c:\bnbhhn.exec:\bnbhhn.exe109⤵PID:1368
-
\??\c:\ddpvd.exec:\ddpvd.exe110⤵PID:3460
-
\??\c:\vvppd.exec:\vvppd.exe111⤵PID:4452
-
\??\c:\dvjjj.exec:\dvjjj.exe112⤵PID:4748
-
\??\c:\xxfllrx.exec:\xxfllrx.exe113⤵PID:3584
-
\??\c:\ttnthn.exec:\ttnthn.exe114⤵PID:456
-
\??\c:\vvdvj.exec:\vvdvj.exe115⤵PID:4272
-
\??\c:\vjpdd.exec:\vjpdd.exe116⤵PID:4460
-
\??\c:\fffxxfl.exec:\fffxxfl.exe117⤵PID:528
-
\??\c:\bttnbt.exec:\bttnbt.exe118⤵PID:4504
-
\??\c:\hhbhtb.exec:\hhbhtb.exe119⤵PID:4208
-
\??\c:\vvppd.exec:\vvppd.exe120⤵PID:4388
-
\??\c:\3xffxxf.exec:\3xffxxf.exe121⤵PID:3080
-
\??\c:\nnbbhn.exec:\nnbbhn.exe122⤵PID:2904