Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:45
Behavioral task
behavioral1
Sample
7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe
-
Size
97KB
-
MD5
5edadfd1abb63bbec55a6853de1eb46d
-
SHA1
00d79841b80e66268f2638d6649708eef273e9f4
-
SHA256
7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e
-
SHA512
74fbaf462fb08cf2e1b528e2d2e6d195153a2c685d836f2582d50e9de2b6938ee4f458072283be35e2ce6967dc9196111e253d5fd189a61190d3bcf7fefcd47a
-
SSDEEP
3072:8hOmTsF93UYfwC6GIout0fmCiiiXA6mzgRy:8cm4FmowdHoSgWrXUgs
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/2972-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-8-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1204-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5100-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4552-28-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1140-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2744-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4860-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1436-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3680-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2144-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4484-72-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4064-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1420-82-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1048-95-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4536-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1224-111-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/760-118-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-124-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4420-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3284-146-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1336-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3196-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2052-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-179-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4440-182-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4248-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1872-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-203-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/632-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4560-211-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-214-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/644-227-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4132-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-241-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3312-250-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3244-272-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3200-277-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1412-285-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2212-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1688-307-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4020-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1852-317-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3584-322-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4864-357-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4024-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4464-397-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1148-408-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3300-425-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5044-444-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/812-487-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1920-490-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4412-505-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1432-654-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/764-787-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2236-849-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1616 llfffff.exe 1204 3djdv.exe 5100 vpvpv.exe 3260 lrffxrl.exe 4552 nnnbth.exe 1140 vvpdp.exe 2744 rrxxrxx.exe 4860 httttb.exe 1436 ppjdv.exe 228 xxffllr.exe 808 bbnnhn.exe 3680 5jvpd.exe 2144 xffxxxx.exe 4484 pvvpp.exe 4064 rrxllll.exe 1420 fflfxlf.exe 5044 9htttt.exe 3268 vpppv.exe 1048 fxlfffr.exe 4536 tnntnb.exe 3156 1bnhtt.exe 1224 3vddv.exe 3040 xffxrxx.exe 760 xrxlxfx.exe 2212 rxrrrrl.exe 4420 hhhbbb.exe 1688 7dppv.exe 4772 lrrrlff.exe 4572 frllffx.exe 3284 ddvvp.exe 1336 ppppj.exe 4532 nnnnhh.exe 368 bbbtth.exe 1732 rxxrllf.exe 3196 ddpvd.exe 1432 ppjjd.exe 2516 tbtnnn.exe 2052 hhbbtt.exe 3232 7rrrlll.exe 4412 hthnnn.exe 548 thttnt.exe 4440 7vjvd.exe 3612 vpdjv.exe 3840 rrlxlfr.exe 3056 tttnnh.exe 4248 hnttnb.exe 1408 vddvp.exe 2396 rrlxrlx.exe 1740 lllfxrr.exe 1872 ttnbnn.exe 4824 ppppd.exe 1876 dvjdp.exe 632 fxlxrlx.exe 4560 tttnhb.exe 5080 btbbtt.exe 5004 jdpjd.exe 3604 frlxrlx.exe 4364 hnttnt.exe 436 dvdvd.exe 3264 vpjdp.exe 644 1rxxrxx.exe 4132 tthbtn.exe 3420 tbbtnn.exe 4464 ddjjd.exe -
resource yara_rule behavioral2/memory/2972-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023bad-3.dat upx behavioral2/memory/2972-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1616-8-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023ca1-9.dat upx behavioral2/files/0x0007000000023ca2-13.dat upx behavioral2/memory/1204-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca3-18.dat upx behavioral2/memory/5100-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca4-25.dat upx behavioral2/memory/3260-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4552-28-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca5-29.dat upx behavioral2/files/0x0007000000023ca6-35.dat upx behavioral2/memory/1140-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca7-38.dat upx behavioral2/memory/2744-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca8-43.dat upx behavioral2/memory/4860-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1436-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023ca9-48.dat upx behavioral2/files/0x0007000000023caa-53.dat upx behavioral2/files/0x0007000000023cab-57.dat upx behavioral2/files/0x0007000000023cac-61.dat upx behavioral2/memory/3680-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cad-66.dat upx behavioral2/memory/2144-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cae-71.dat upx behavioral2/memory/4484-72-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4064-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023caf-77.dat upx 
behavioral2/memory/1420-82-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb0-81.dat upx behavioral2/memory/5044-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb1-86.dat upx behavioral2/files/0x0007000000023cb3-91.dat upx behavioral2/files/0x0007000000023cb4-96.dat upx behavioral2/memory/1048-95-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4536-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb5-100.dat upx behavioral2/files/0x0007000000023cb6-105.dat upx behavioral2/files/0x0007000000023cb7-109.dat upx behavioral2/memory/1224-111-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cb8-114.dat upx behavioral2/memory/760-118-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023c97-119.dat upx behavioral2/files/0x0007000000023cb9-123.dat upx behavioral2/memory/2212-124-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4420-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1688-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbb-134.dat upx behavioral2/files/0x0007000000023cba-129.dat upx behavioral2/files/0x0007000000023cbc-138.dat upx behavioral2/files/0x0007000000023cbd-142.dat upx behavioral2/files/0x0007000000023cbe-147.dat upx behavioral2/memory/3284-146-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0007000000023cbf-151.dat upx behavioral2/memory/4532-154-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1336-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4532-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3196-164-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1432-167-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2052-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/548-179-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrlrlx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrfxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrlxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7pvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1vvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2972 wrote to memory of 1616 2972 7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe 83 PID 2972 wrote to memory of 1616 2972 7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe 83 PID 2972 wrote to memory of 1616 2972 7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe 83 PID 1616 wrote to memory of 1204 1616 llfffff.exe 84 PID 1616 wrote to memory of 1204 1616 llfffff.exe 84 PID 1616 wrote to memory of 1204 1616 llfffff.exe 84 PID 1204 wrote to memory of 5100 1204 3djdv.exe 85 PID 1204 wrote to memory of 5100 1204 3djdv.exe 85 PID 1204 wrote to memory of 5100 1204 3djdv.exe 85 PID 5100 wrote to memory of 3260 5100 vpvpv.exe 86 PID 5100 wrote to memory of 3260 5100 vpvpv.exe 86 PID 5100 wrote to memory of 3260 5100 vpvpv.exe 86 PID 3260 wrote to memory of 4552 3260 lrffxrl.exe 87 PID 3260 wrote to memory of 4552 3260 lrffxrl.exe 87 PID 3260 wrote to memory of 4552 3260 lrffxrl.exe 87 PID 4552 wrote to memory of 1140 4552 nnnbth.exe 88 PID 4552 wrote to memory of 1140 4552 nnnbth.exe 88 PID 4552 wrote to memory of 1140 4552 nnnbth.exe 88 PID 1140 wrote to memory of 2744 1140 vvpdp.exe 89 PID 1140 wrote to memory of 2744 1140 vvpdp.exe 89 PID 1140 wrote to memory of 2744 1140 vvpdp.exe 89 PID 2744 wrote to memory of 4860 2744 rrxxrxx.exe 90 PID 2744 wrote to memory of 4860 2744 rrxxrxx.exe 90 PID 2744 wrote to memory of 4860 2744 rrxxrxx.exe 90 PID 4860 wrote to memory of 1436 4860 httttb.exe 91 PID 4860 wrote to memory of 1436 4860 httttb.exe 91 PID 4860 wrote to memory of 1436 4860 httttb.exe 91 PID 1436 wrote to memory of 228 1436 ppjdv.exe 92 PID 1436 wrote to memory of 228 1436 ppjdv.exe 92 PID 1436 wrote to memory of 228 1436 ppjdv.exe 92 PID 228 wrote to memory of 808 228 xxffllr.exe 93 PID 228 wrote to memory of 808 228 xxffllr.exe 93 PID 228 wrote to memory of 808 228 xxffllr.exe 93 PID 808 wrote to memory of 3680 808 bbnnhn.exe 94 PID 808 wrote to memory of 3680 
808 bbnnhn.exe 94 PID 808 wrote to memory of 3680 808 bbnnhn.exe 94 PID 3680 wrote to memory of 2144 3680 5jvpd.exe 95 PID 3680 wrote to memory of 2144 3680 5jvpd.exe 95 PID 3680 wrote to memory of 2144 3680 5jvpd.exe 95 PID 2144 wrote to memory of 4484 2144 xffxxxx.exe 96 PID 2144 wrote to memory of 4484 2144 xffxxxx.exe 96 PID 2144 wrote to memory of 4484 2144 xffxxxx.exe 96 PID 4484 wrote to memory of 4064 4484 pvvpp.exe 97 PID 4484 wrote to memory of 4064 4484 pvvpp.exe 97 PID 4484 wrote to memory of 4064 4484 pvvpp.exe 97 PID 4064 wrote to memory of 1420 4064 rrxllll.exe 98 PID 4064 wrote to memory of 1420 4064 rrxllll.exe 98 PID 4064 wrote to memory of 1420 4064 rrxllll.exe 98 PID 1420 wrote to memory of 5044 1420 fflfxlf.exe 99 PID 1420 wrote to memory of 5044 1420 fflfxlf.exe 99 PID 1420 wrote to memory of 5044 1420 fflfxlf.exe 99 PID 5044 wrote to memory of 3268 5044 9htttt.exe 100 PID 5044 wrote to memory of 3268 5044 9htttt.exe 100 PID 5044 wrote to memory of 3268 5044 9htttt.exe 100 PID 3268 wrote to memory of 1048 3268 vpppv.exe 101 PID 3268 wrote to memory of 1048 3268 vpppv.exe 101 PID 3268 wrote to memory of 1048 3268 vpppv.exe 101 PID 1048 wrote to memory of 4536 1048 fxlfffr.exe 102 PID 1048 wrote to memory of 4536 1048 fxlfffr.exe 102 PID 1048 wrote to memory of 4536 1048 fxlfffr.exe 102 PID 4536 wrote to memory of 3156 4536 tnntnb.exe 103 PID 4536 wrote to memory of 3156 4536 tnntnb.exe 103 PID 4536 wrote to memory of 3156 4536 tnntnb.exe 103 PID 3156 wrote to memory of 1224 3156 1bnhtt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe"C:\Users\Admin\AppData\Local\Temp\7ca8035f82649ace2568d72281919289e12d7f7628ee64d4fd0cc014dd3ad89e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
\??\c:\llfffff.exec:\llfffff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\3djdv.exec:\3djdv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1204 -
\??\c:\vpvpv.exec:\vpvpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
\??\c:\lrffxrl.exec:\lrffxrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\nnnbth.exec:\nnnbth.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4552 -
\??\c:\vvpdp.exec:\vvpdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1140 -
\??\c:\rrxxrxx.exec:\rrxxrxx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744 -
\??\c:\httttb.exec:\httttb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\ppjdv.exec:\ppjdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1436 -
\??\c:\xxffllr.exec:\xxffllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\bbnnhn.exec:\bbnnhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808 -
\??\c:\5jvpd.exec:\5jvpd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
\??\c:\xffxxxx.exec:\xffxxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2144 -
\??\c:\pvvpp.exec:\pvvpp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
\??\c:\rrxllll.exec:\rrxllll.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
\??\c:\fflfxlf.exec:\fflfxlf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1420 -
\??\c:\9htttt.exec:\9htttt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\vpppv.exec:\vpppv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
\??\c:\fxlfffr.exec:\fxlfffr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\tnntnb.exec:\tnntnb.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
\??\c:\1bnhtt.exec:\1bnhtt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3156 -
\??\c:\3vddv.exec:\3vddv.exe23⤵
- Executes dropped EXE
PID:1224 -
\??\c:\xffxrxx.exec:\xffxrxx.exe24⤵
- Executes dropped EXE
PID:3040 -
\??\c:\xrxlxfx.exec:\xrxlxfx.exe25⤵
- Executes dropped EXE
PID:760 -
\??\c:\rxrrrrl.exec:\rxrrrrl.exe26⤵
- Executes dropped EXE
PID:2212 -
\??\c:\hhhbbb.exec:\hhhbbb.exe27⤵
- Executes dropped EXE
PID:4420 -
\??\c:\7dppv.exec:\7dppv.exe28⤵
- Executes dropped EXE
PID:1688 -
\??\c:\lrrrlff.exec:\lrrrlff.exe29⤵
- Executes dropped EXE
PID:4772 -
\??\c:\frllffx.exec:\frllffx.exe30⤵
- Executes dropped EXE
PID:4572 -
\??\c:\ddvvp.exec:\ddvvp.exe31⤵
- Executes dropped EXE
PID:3284 -
\??\c:\ppppj.exec:\ppppj.exe32⤵
- Executes dropped EXE
PID:1336 -
\??\c:\nnnnhh.exec:\nnnnhh.exe33⤵
- Executes dropped EXE
PID:4532 -
\??\c:\bbbtth.exec:\bbbtth.exe34⤵
- Executes dropped EXE
PID:368 -
\??\c:\rxxrllf.exec:\rxxrllf.exe35⤵
- Executes dropped EXE
PID:1732 -
\??\c:\ddpvd.exec:\ddpvd.exe36⤵
- Executes dropped EXE
PID:3196 -
\??\c:\ppjjd.exec:\ppjjd.exe37⤵
- Executes dropped EXE
PID:1432 -
\??\c:\tbtnnn.exec:\tbtnnn.exe38⤵
- Executes dropped EXE
PID:2516 -
\??\c:\hhbbtt.exec:\hhbbtt.exe39⤵
- Executes dropped EXE
PID:2052 -
\??\c:\7rrrlll.exec:\7rrrlll.exe40⤵
- Executes dropped EXE
PID:3232 -
\??\c:\hthnnn.exec:\hthnnn.exe41⤵
- Executes dropped EXE
PID:4412 -
\??\c:\thttnt.exec:\thttnt.exe42⤵
- Executes dropped EXE
PID:548 -
\??\c:\7vjvd.exec:\7vjvd.exe43⤵
- Executes dropped EXE
PID:4440 -
\??\c:\vpdjv.exec:\vpdjv.exe44⤵
- Executes dropped EXE
PID:3612 -
\??\c:\rrlxlfr.exec:\rrlxlfr.exe45⤵
- Executes dropped EXE
PID:3840 -
\??\c:\tttnnh.exec:\tttnnh.exe46⤵
- Executes dropped EXE
PID:3056 -
\??\c:\hnttnb.exec:\hnttnb.exe47⤵
- Executes dropped EXE
PID:4248 -
\??\c:\vddvp.exec:\vddvp.exe48⤵
- Executes dropped EXE
PID:1408 -
\??\c:\rrlxrlx.exec:\rrlxrlx.exe49⤵
- Executes dropped EXE
PID:2396 -
\??\c:\lllfxrr.exec:\lllfxrr.exe50⤵
- Executes dropped EXE
PID:1740 -
\??\c:\ttnbnn.exec:\ttnbnn.exe51⤵
- Executes dropped EXE
PID:1872 -
\??\c:\ppppd.exec:\ppppd.exe52⤵
- Executes dropped EXE
PID:4824 -
\??\c:\dvjdp.exec:\dvjdp.exe53⤵
- Executes dropped EXE
PID:1876 -
\??\c:\fxlxrlx.exec:\fxlxrlx.exe54⤵
- Executes dropped EXE
PID:632 -
\??\c:\tttnhb.exec:\tttnhb.exe55⤵
- Executes dropped EXE
PID:4560 -
\??\c:\btbbtt.exec:\btbbtt.exe56⤵
- Executes dropped EXE
PID:5080 -
\??\c:\jdpjd.exec:\jdpjd.exe57⤵
- Executes dropped EXE
PID:5004 -
\??\c:\frlxrlx.exec:\frlxrlx.exe58⤵
- Executes dropped EXE
PID:3604 -
\??\c:\hnttnt.exec:\hnttnt.exe59⤵
- Executes dropped EXE
PID:4364 -
\??\c:\dvdvd.exec:\dvdvd.exe60⤵
- Executes dropped EXE
PID:436 -
\??\c:\vpjdp.exec:\vpjdp.exe61⤵
- Executes dropped EXE
PID:3264 -
\??\c:\1rxxrxx.exec:\1rxxrxx.exe62⤵
- Executes dropped EXE
PID:644 -
\??\c:\tthbtn.exec:\tthbtn.exe63⤵
- Executes dropped EXE
PID:4132 -
\??\c:\tbbtnn.exec:\tbbtnn.exe64⤵
- Executes dropped EXE
PID:3420 -
\??\c:\ddjjd.exec:\ddjjd.exe65⤵
- Executes dropped EXE
PID:4464 -
\??\c:\xrxfxxf.exec:\xrxfxxf.exe66⤵PID:2024
-
\??\c:\ttnnnn.exec:\ttnnnn.exe67⤵PID:2080
-
\??\c:\hhbthb.exec:\hhbthb.exe68⤵PID:4856
-
\??\c:\dvpvj.exec:\dvpvj.exe69⤵PID:1244
-
\??\c:\7pdvj.exec:\7pdvj.exe70⤵PID:1116
-
\??\c:\rxxrlfr.exec:\rxxrlfr.exe71⤵PID:4288
-
\??\c:\flfxrlf.exec:\flfxrlf.exe72⤵PID:3312
-
\??\c:\tnhtnh.exec:\tnhtnh.exe73⤵PID:5036
-
\??\c:\vddpj.exec:\vddpj.exe74⤵PID:772
-
\??\c:\pdddv.exec:\pdddv.exe75⤵PID:1656
-
\??\c:\xlrlxxl.exec:\xlrlxxl.exe76⤵PID:3836
-
\??\c:\frrlxxl.exec:\frrlxxl.exe77⤵PID:1184
-
\??\c:\thnnbb.exec:\thnnbb.exe78⤵PID:4052
-
\??\c:\dpvvp.exec:\dpvvp.exe79⤵PID:872
-
\??\c:\9lrrxxl.exec:\9lrrxxl.exe80⤵PID:2144
-
\??\c:\1nnnhb.exec:\1nnnhb.exe81⤵PID:4444
-
\??\c:\hnthbb.exec:\hnthbb.exe82⤵PID:3244
-
\??\c:\jddpd.exec:\jddpd.exe83⤵PID:3504
-
\??\c:\pjvdd.exec:\pjvdd.exe84⤵PID:3200
-
\??\c:\9xxfxxx.exec:\9xxfxxx.exe85⤵PID:5044
-
\??\c:\3bnnhb.exec:\3bnnhb.exe86⤵PID:3044
-
\??\c:\5jvpd.exec:\5jvpd.exe87⤵PID:1412
-
\??\c:\pdvjd.exec:\pdvjd.exe88⤵PID:440
-
\??\c:\xllxrlf.exec:\xllxrlf.exe89⤵PID:3548
-
\??\c:\ttbntn.exec:\ttbntn.exe90⤵PID:2012
-
\??\c:\7bbtnn.exec:\7bbtnn.exe91⤵PID:1556
-
\??\c:\1pjjd.exec:\1pjjd.exe92⤵PID:4564
-
\??\c:\vvddj.exec:\vvddj.exe93⤵PID:2928
-
\??\c:\3rllfxr.exec:\3rllfxr.exe94⤵PID:4644
-
\??\c:\7bthbb.exec:\7bthbb.exe95⤵PID:2212
-
\??\c:\thnbhb.exec:\thnbhb.exe96⤵PID:764
-
\??\c:\dvpdv.exec:\dvpdv.exe97⤵PID:1688
-
\??\c:\7xxlxrf.exec:\7xxlxrf.exe98⤵PID:4020
-
\??\c:\3rrfrrf.exec:\3rrfrrf.exe99⤵PID:4772
-
\??\c:\bntnnn.exec:\bntnnn.exe100⤵PID:4504
-
\??\c:\9hbnhh.exec:\9hbnhh.exe101⤵PID:1852
-
\??\c:\1dpjv.exec:\1dpjv.exe102⤵PID:3284
-
\??\c:\rxxxlfx.exec:\rxxxlfx.exe103⤵PID:3584
-
\??\c:\tbnhtb.exec:\tbnhtb.exe104⤵PID:812
-
\??\c:\1ttnhn.exec:\1ttnhn.exe105⤵PID:1992
-
\??\c:\jppjd.exec:\jppjd.exe106⤵PID:1528
-
\??\c:\jjjdv.exec:\jjjdv.exe107⤵PID:1064
-
\??\c:\lllxlfr.exec:\lllxlfr.exe108⤵PID:928
-
\??\c:\bttnhh.exec:\bttnhh.exe109⤵PID:1432
-
\??\c:\btbbtt.exec:\btbbtt.exe110⤵PID:2516
-
\??\c:\7dvvv.exec:\7dvvv.exe111⤵PID:412
-
\??\c:\lrxxffl.exec:\lrxxffl.exe112⤵PID:1812
-
\??\c:\bhnntt.exec:\bhnntt.exe113⤵PID:4556
-
\??\c:\hbnhbb.exec:\hbnhbb.exe114⤵PID:4160
-
\??\c:\djdvp.exec:\djdvp.exe115⤵PID:3236
-
\??\c:\5lllfff.exec:\5lllfff.exe116⤵PID:2504
-
\??\c:\rfxrlll.exec:\rfxrlll.exe117⤵PID:4176
-
\??\c:\3nhbtn.exec:\3nhbtn.exe118⤵PID:2916
-
\??\c:\vpjdp.exec:\vpjdp.exe119⤵PID:1756
-
\??\c:\jdjjj.exec:\jdjjj.exe120⤵PID:4864
-
\??\c:\llxlxrr.exec:\llxlxrr.exe121⤵PID:2740
-
\??\c:\hhbtnn.exec:\hhbtnn.exe122⤵PID:1512