Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
26/12/2024, 00:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10N.exe
Resource
win7-20241010-en (note: the Analysis header above gives platform windows10-2004_x64 / resource win10v2004-20241007-en, and every signature hit below is tagged behavioral2, so the results shown on this page appear to come from the Windows 10 run rather than from this Win7 resource)
7 signatures
120 seconds
General
-
Target
70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10N.exe
-
Size
456KB
-
MD5
2918e261ffce1b0b12fd1563328ddf10
-
SHA1
77eacb20ad60fb98a131b42257fe1d251d9f22b0
-
SHA256
70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10
-
SHA512
b66c1a473af4e1823f1fd826d2a3c9a7b69bd208f88adeb64dca0a4057b53033d0409ba2329cb3b18e0c98f929da0ac08194078318ea059ff6f3e97b4c28770e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbex6:q7Tc2NYHUrAwfMp3CDM
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs (every hit is on the 0x0000000000400000-0x000000000042A000 image region of a dropped child process — the same regions matched by the UPX yara rule further down — which is consistent with each dropped binary carrying the same unpacked image in memory)
resource yara_rule behavioral2/memory/3716-8-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4208-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-25-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3604-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4388-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2888-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1636-59-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1196-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1068-69-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3892-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3940-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/940-88-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2956-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3428-118-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4668-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4964-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4768-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2884-177-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2944-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4424-185-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4492-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3340-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/764-215-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-219-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-229-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-233-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4496-240-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2832-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4824-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3900-269-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3052-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/688-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4420-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/996-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3672-322-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3744-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4532-351-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4128-361-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2264-380-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2616-390-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2736-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4308-432-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1224-436-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-490-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1696-509-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4012-531-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-535-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-551-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2560-588-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2284-610-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-623-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3084-645-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5096-709-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3384-737-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1240-932-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-984-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-1900-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4428-1968-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3716 vppjd.exe 1312 xrfxlfx.exe 2888 hbnbbb.exe 2600 vdppp.exe 3604 vvvpj.exe 2316 fxllrrx.exe 64 tnhthb.exe 4388 dpvpd.exe 1636 vppjd.exe 1196 rlrrflf.exe 1068 lffxffl.exe 3892 djpdj.exe 3940 bntbbb.exe 1992 vdjvv.exe 940 tbhbtt.exe 2420 ddddv.exe 2956 flxxlfx.exe 4268 jdjdd.exe 3428 lffxxrf.exe 5092 jpvjd.exe 4048 fxlffxl.exe 1064 9ddvv.exe 1388 rllxrlf.exe 2020 tnhbbb.exe 4668 5nnhbb.exe 3640 9nnhnt.exe 2672 5llfxfx.exe 4768 jvvpv.exe 4964 frfxrrf.exe 2944 bbhbnt.exe 2884 9vdvv.exe 4424 lfrlrrl.exe 1236 5nhbtt.exe 436 pdjdd.exe 2404 rllfxrr.exe 3836 btbtnh.exe 4492 djvjd.exe 1984 xrrlxrr.exe 3340 nhbtbt.exe 4344 llffrrf.exe 764 fllfxrl.exe 3172 bhnhhb.exe 1092 vpdvv.exe 4392 xflfllf.exe 4656 nhnbtb.exe 3388 jpvjd.exe 1424 pdpdp.exe 4496 thnttt.exe 2436 pdjvp.exe 1028 xrxrflf.exe 2028 9ttnhn.exe 2832 pjjdv.exe 4824 lrxrffx.exe 3368 htbnhb.exe 4836 jjpjd.exe 3900 ddpdp.exe 4724 xffxllf.exe 5052 tnnbtn.exe 3052 hnhbtn.exe 688 pvjvp.exe 4728 rrrlfxx.exe 4420 bnhbnh.exe 2456 jjvjd.exe 2532 xlrfrrl.exe -
resource yara_rule behavioral2/memory/3716-8-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4208-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3604-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4388-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2888-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1636-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1196-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1068-69-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3892-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3940-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/940-88-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2420-93-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2956-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3428-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4668-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4964-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4768-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2884-177-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2944-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4424-185-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4492-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3340-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/764-215-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-219-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-229-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4496-240-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2832-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4824-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3900-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3052-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/688-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4420-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/996-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3672-322-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3744-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4532-351-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4128-361-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2264-380-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2616-390-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2736-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4308-432-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1224-436-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-452-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1556-472-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-490-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1696-509-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4012-531-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-535-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-551-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2560-588-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2284-610-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-623-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3084-645-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5096-709-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3384-737-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1240-932-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-984-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs (many entries below read "Process not Found": the sandbox could not attribute the registry read to a named process, most likely because that process had already exited; the IoC count therefore exceeds the number of named processes)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hthhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vdpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdjvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrrlflf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflfllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrlxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5djdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhnhht.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllxlfx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppvjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhthhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3tnhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjvvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntbbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bttnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs (in every entry listed below the writer is a parent writing into the child it has just spawned — the same parent/child pairs as the process tree further down — which is consistent with ordinary child-process creation; treat this as a propagation indicator, not as evidence of injection into an unrelated process)
description pid Process procid_target PID 4208 wrote to memory of 3716 4208 70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10N.exe 82 PID 4208 wrote to memory of 3716 4208 70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10N.exe 82 PID 4208 wrote to memory of 3716 4208 70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10N.exe 82 PID 3716 wrote to memory of 1312 3716 vppjd.exe 83 PID 3716 wrote to memory of 1312 3716 vppjd.exe 83 PID 3716 wrote to memory of 1312 3716 vppjd.exe 83 PID 1312 wrote to memory of 2888 1312 xrfxlfx.exe 84 PID 1312 wrote to memory of 2888 1312 xrfxlfx.exe 84 PID 1312 wrote to memory of 2888 1312 xrfxlfx.exe 84 PID 2888 wrote to memory of 2600 2888 hbnbbb.exe 85 PID 2888 wrote to memory of 2600 2888 hbnbbb.exe 85 PID 2888 wrote to memory of 2600 2888 hbnbbb.exe 85 PID 2600 wrote to memory of 3604 2600 vdppp.exe 86 PID 2600 wrote to memory of 3604 2600 vdppp.exe 86 PID 2600 wrote to memory of 3604 2600 vdppp.exe 86 PID 3604 wrote to memory of 2316 3604 vvvpj.exe 87 PID 3604 wrote to memory of 2316 3604 vvvpj.exe 87 PID 3604 wrote to memory of 2316 3604 vvvpj.exe 87 PID 2316 wrote to memory of 64 2316 fxllrrx.exe 88 PID 2316 wrote to memory of 64 2316 fxllrrx.exe 88 PID 2316 wrote to memory of 64 2316 fxllrrx.exe 88 PID 64 wrote to memory of 4388 64 tnhthb.exe 89 PID 64 wrote to memory of 4388 64 tnhthb.exe 89 PID 64 wrote to memory of 4388 64 tnhthb.exe 89 PID 4388 wrote to memory of 1636 4388 dpvpd.exe 90 PID 4388 wrote to memory of 1636 4388 dpvpd.exe 90 PID 4388 wrote to memory of 1636 4388 dpvpd.exe 90 PID 1636 wrote to memory of 1196 1636 vppjd.exe 91 PID 1636 wrote to memory of 1196 1636 vppjd.exe 91 PID 1636 wrote to memory of 1196 1636 vppjd.exe 91 PID 1196 wrote to memory of 1068 1196 rlrrflf.exe 92 PID 1196 wrote to memory of 1068 1196 rlrrflf.exe 92 PID 1196 wrote to memory of 1068 1196 rlrrflf.exe 92 PID 1068 wrote to memory of 3892 1068 lffxffl.exe 93 PID 1068 wrote to memory of 3892 1068 
lffxffl.exe 93 PID 1068 wrote to memory of 3892 1068 lffxffl.exe 93 PID 3892 wrote to memory of 3940 3892 djpdj.exe 94 PID 3892 wrote to memory of 3940 3892 djpdj.exe 94 PID 3892 wrote to memory of 3940 3892 djpdj.exe 94 PID 3940 wrote to memory of 1992 3940 bntbbb.exe 95 PID 3940 wrote to memory of 1992 3940 bntbbb.exe 95 PID 3940 wrote to memory of 1992 3940 bntbbb.exe 95 PID 1992 wrote to memory of 940 1992 vdjvv.exe 96 PID 1992 wrote to memory of 940 1992 vdjvv.exe 96 PID 1992 wrote to memory of 940 1992 vdjvv.exe 96 PID 940 wrote to memory of 2420 940 tbhbtt.exe 97 PID 940 wrote to memory of 2420 940 tbhbtt.exe 97 PID 940 wrote to memory of 2420 940 tbhbtt.exe 97 PID 2420 wrote to memory of 2956 2420 ddddv.exe 98 PID 2420 wrote to memory of 2956 2420 ddddv.exe 98 PID 2420 wrote to memory of 2956 2420 ddddv.exe 98 PID 2956 wrote to memory of 4268 2956 flxxlfx.exe 99 PID 2956 wrote to memory of 4268 2956 flxxlfx.exe 99 PID 2956 wrote to memory of 4268 2956 flxxlfx.exe 99 PID 4268 wrote to memory of 3428 4268 jdjdd.exe 100 PID 4268 wrote to memory of 3428 4268 jdjdd.exe 100 PID 4268 wrote to memory of 3428 4268 jdjdd.exe 100 PID 3428 wrote to memory of 5092 3428 lffxxrf.exe 101 PID 3428 wrote to memory of 5092 3428 lffxxrf.exe 101 PID 3428 wrote to memory of 5092 3428 lffxxrf.exe 101 PID 5092 wrote to memory of 4048 5092 jpvjd.exe 102 PID 5092 wrote to memory of 4048 5092 jpvjd.exe 102 PID 5092 wrote to memory of 4048 5092 jpvjd.exe 102 PID 4048 wrote to memory of 1064 4048 fxlffxl.exe 103
Processes (each entry below is the image path, the command line and the tree depth run together by extraction, e.g. "\??\c:\vppjd.exe" + "c:\vppjd.exe" + "2"; note that every dropped binary is written to and executed from the root of C:\, which is itself a useful host IoC)
-
C:\Users\Admin\AppData\Local\Temp\70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10N.exe"C:\Users\Admin\AppData\Local\Temp\70d81a865280be421d6c6b1744cef51938c6213c80044b1e5566b26deac0ec10N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4208 -
\??\c:\vppjd.exec:\vppjd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3716 -
\??\c:\xrfxlfx.exec:\xrfxlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312 -
\??\c:\hbnbbb.exec:\hbnbbb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2888 -
\??\c:\vdppp.exec:\vdppp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
\??\c:\vvvpj.exec:\vvvpj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
\??\c:\fxllrrx.exec:\fxllrrx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2316 -
\??\c:\tnhthb.exec:\tnhthb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
\??\c:\dpvpd.exec:\dpvpd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388 -
\??\c:\vppjd.exec:\vppjd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
\??\c:\rlrrflf.exec:\rlrrflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
\??\c:\lffxffl.exec:\lffxffl.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\djpdj.exec:\djpdj.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3892 -
\??\c:\bntbbb.exec:\bntbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
\??\c:\vdjvv.exec:\vdjvv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\tbhbtt.exec:\tbhbtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:940 -
\??\c:\ddddv.exec:\ddddv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2420 -
\??\c:\flxxlfx.exec:\flxxlfx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2956 -
\??\c:\jdjdd.exec:\jdjdd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4268 -
\??\c:\lffxxrf.exec:\lffxxrf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3428 -
\??\c:\jpvjd.exec:\jpvjd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5092 -
\??\c:\fxlffxl.exec:\fxlffxl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\9ddvv.exec:\9ddvv.exe23⤵
- Executes dropped EXE
PID:1064 -
\??\c:\rllxrlf.exec:\rllxrlf.exe24⤵
- Executes dropped EXE
PID:1388 -
\??\c:\tnhbbb.exec:\tnhbbb.exe25⤵
- Executes dropped EXE
PID:2020 -
\??\c:\5nnhbb.exec:\5nnhbb.exe26⤵
- Executes dropped EXE
PID:4668 -
\??\c:\9nnhnt.exec:\9nnhnt.exe27⤵
- Executes dropped EXE
PID:3640 -
\??\c:\5llfxfx.exec:\5llfxfx.exe28⤵
- Executes dropped EXE
PID:2672 -
\??\c:\jvvpv.exec:\jvvpv.exe29⤵
- Executes dropped EXE
PID:4768 -
\??\c:\frfxrrf.exec:\frfxrrf.exe30⤵
- Executes dropped EXE
PID:4964 -
\??\c:\bbhbnt.exec:\bbhbnt.exe31⤵
- Executes dropped EXE
PID:2944 -
\??\c:\9vdvv.exec:\9vdvv.exe32⤵
- Executes dropped EXE
PID:2884 -
\??\c:\lfrlrrl.exec:\lfrlrrl.exe33⤵
- Executes dropped EXE
PID:4424 -
\??\c:\5nhbtt.exec:\5nhbtt.exe34⤵
- Executes dropped EXE
PID:1236 -
\??\c:\pdjdd.exec:\pdjdd.exe35⤵
- Executes dropped EXE
PID:436 -
\??\c:\rllfxrr.exec:\rllfxrr.exe36⤵
- Executes dropped EXE
PID:2404 -
\??\c:\btbtnh.exec:\btbtnh.exe37⤵
- Executes dropped EXE
PID:3836 -
\??\c:\djvjd.exec:\djvjd.exe38⤵
- Executes dropped EXE
PID:4492 -
\??\c:\xrrlxrr.exec:\xrrlxrr.exe39⤵
- Executes dropped EXE
PID:1984 -
\??\c:\nhbtbt.exec:\nhbtbt.exe40⤵
- Executes dropped EXE
PID:3340 -
\??\c:\llffrrf.exec:\llffrrf.exe41⤵
- Executes dropped EXE
PID:4344 -
\??\c:\fllfxrl.exec:\fllfxrl.exe42⤵
- Executes dropped EXE
PID:764 -
\??\c:\bhnhhb.exec:\bhnhhb.exe43⤵
- Executes dropped EXE
PID:3172 -
\??\c:\vpdvv.exec:\vpdvv.exe44⤵
- Executes dropped EXE
PID:1092 -
\??\c:\xflfllf.exec:\xflfllf.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4392 -
\??\c:\nhnbtb.exec:\nhnbtb.exe46⤵
- Executes dropped EXE
PID:4656 -
\??\c:\jpvjd.exec:\jpvjd.exe47⤵
- Executes dropped EXE
PID:3388 -
\??\c:\pdpdp.exec:\pdpdp.exe48⤵
- Executes dropped EXE
PID:1424 -
\??\c:\thnttt.exec:\thnttt.exe49⤵
- Executes dropped EXE
PID:4496 -
\??\c:\pdjvp.exec:\pdjvp.exe50⤵
- Executes dropped EXE
PID:2436 -
\??\c:\xrxrflf.exec:\xrxrflf.exe51⤵
- Executes dropped EXE
PID:1028 -
\??\c:\9ttnhn.exec:\9ttnhn.exe52⤵
- Executes dropped EXE
PID:2028 -
\??\c:\bnbbnh.exec:\bnbbnh.exe53⤵PID:4408
-
\??\c:\pjjdv.exec:\pjjdv.exe54⤵
- Executes dropped EXE
PID:2832 -
\??\c:\lrxrffx.exec:\lrxrffx.exe55⤵
- Executes dropped EXE
PID:4824 -
\??\c:\htbnhb.exec:\htbnhb.exe56⤵
- Executes dropped EXE
PID:3368 -
\??\c:\jjpjd.exec:\jjpjd.exe57⤵
- Executes dropped EXE
PID:4836 -
\??\c:\ddpdp.exec:\ddpdp.exe58⤵
- Executes dropped EXE
PID:3900 -
\??\c:\xffxllf.exec:\xffxllf.exe59⤵
- Executes dropped EXE
PID:4724 -
\??\c:\tnnbtn.exec:\tnnbtn.exe60⤵
- Executes dropped EXE
PID:5052 -
\??\c:\hnhbtn.exec:\hnhbtn.exe61⤵
- Executes dropped EXE
PID:3052 -
\??\c:\pvjvp.exec:\pvjvp.exe62⤵
- Executes dropped EXE
PID:688 -
\??\c:\rrrlfxx.exec:\rrrlfxx.exe63⤵
- Executes dropped EXE
PID:4728 -
\??\c:\bnhbnh.exec:\bnhbnh.exe64⤵
- Executes dropped EXE
PID:4420 -
\??\c:\jjvjd.exec:\jjvjd.exe65⤵
- Executes dropped EXE
PID:2456 -
\??\c:\xlrfrrl.exec:\xlrfrrl.exe66⤵
- Executes dropped EXE
PID:2532 -
\??\c:\hbhbtt.exec:\hbhbtt.exe67⤵PID:1636 (PID 1636 was assigned earlier in this tree to vppjd.exe at depth 10; reuse of the PID means that earlier process had already exited)
-
\??\c:\ddpdj.exec:\ddpdj.exe68⤵PID:2168
-
\??\c:\frxxrxr.exec:\frxxrxr.exe69⤵PID:3956
-
\??\c:\nhbttt.exec:\nhbttt.exe70⤵PID:1068 (PID 1068 was assigned earlier in this tree to lffxffl.exe at depth 12; reuse of the PID means that earlier process had already exited)
-
\??\c:\ddvdp.exec:\ddvdp.exe71⤵PID:996
-
\??\c:\5lfrffx.exec:\5lfrffx.exe72⤵PID:3584
-
\??\c:\nntnhn.exec:\nntnhn.exe73⤵PID:2236
-
\??\c:\bttbnh.exec:\bttbnh.exe74⤵PID:3672
-
\??\c:\7jpdv.exec:\7jpdv.exe75⤵PID:4548
-
\??\c:\rrlfxrr.exec:\rrlfxrr.exe76⤵PID:5108
-
\??\c:\tbnbnt.exec:\tbnbnt.exe77⤵PID:3744
-
\??\c:\jjdvp.exec:\jjdvp.exe78⤵PID:4800
-
\??\c:\lrxlxxf.exec:\lrxlxxf.exe79⤵PID:4544
-
\??\c:\nbbtnh.exec:\nbbtnh.exe80⤵PID:2576
-
\??\c:\dvjvp.exec:\dvjvp.exe81⤵PID:4980
-
\??\c:\pvdvv.exec:\pvdvv.exe82⤵PID:1948
-
\??\c:\rrfxllr.exec:\rrfxllr.exe83⤵PID:4532
-
\??\c:\bhhthb.exec:\bhhthb.exe84⤵PID:1544
-
\??\c:\ddddd.exec:\ddddd.exe85⤵PID:3100
-
\??\c:\llrfxfx.exec:\llrfxfx.exe86⤵PID:4128
-
\??\c:\btbtth.exec:\btbtth.exe87⤵PID:2120
-
\??\c:\hbhhbt.exec:\hbhhbt.exe88⤵PID:1740
-
\??\c:\xlrlxrl.exec:\xlrlxrl.exe89⤵PID:2064
-
\??\c:\rxxrlfx.exec:\rxxrlfx.exe90⤵PID:2336
-
\??\c:\ntbbtn.exec:\ntbbtn.exe91⤵
- System Location Discovery: System Language Discovery
PID:2096 -
\??\c:\pvdvp.exec:\pvdvp.exe92⤵PID:2264
-
\??\c:\jdjvp.exec:\jdjvp.exe93⤵PID:4776
-
\??\c:\frxxxrx.exec:\frxxxrx.exe94⤵PID:2656
-
\??\c:\ntbtnh.exec:\ntbtnh.exe95⤵PID:2616
-
\??\c:\jpvpd.exec:\jpvpd.exe96⤵PID:1096
-
\??\c:\frflllf.exec:\frflllf.exe97⤵PID:2736
-
\??\c:\xrxrlff.exec:\xrxrlff.exe98⤵PID:2256
-
\??\c:\thhbnh.exec:\thhbnh.exe99⤵PID:3448
-
\??\c:\vpvpv.exec:\vpvpv.exe100⤵PID:1652
-
\??\c:\hhnnnb.exec:\hhnnnb.exe101⤵PID:2260
-
\??\c:\vdjvp.exec:\vdjvp.exe102⤵PID:1332
-
\??\c:\5djdp.exec:\5djdp.exe103⤵
- System Location Discovery: System Language Discovery
PID:2540 -
\??\c:\rffxlfx.exec:\rffxlfx.exe104⤵PID:4676
-
\??\c:\thhbth.exec:\thhbth.exe105⤵PID:4304
-
\??\c:\bbhbtn.exec:\bbhbtn.exe106⤵PID:2176
-
\??\c:\vvpdd.exec:\vvpdd.exe107⤵PID:4024
-
\??\c:\5lrffxr.exec:\5lrffxr.exe108⤵PID:4308
-
\??\c:\httthh.exec:\httthh.exe109⤵PID:1224
-
\??\c:\httnhb.exec:\httnhb.exe110⤵PID:3616
-
\??\c:\pvvpd.exec:\pvvpd.exe111⤵PID:3864
-
\??\c:\flfrlfr.exec:\flfrlfr.exe112⤵PID:2620
-
\??\c:\bnhbnn.exec:\bnhbnn.exe113⤵PID:2692
-
\??\c:\jdvpd.exec:\jdvpd.exe114⤵PID:4432
-
\??\c:\flxxllf.exec:\flxxllf.exe115⤵PID:4368
-
\??\c:\bttntn.exec:\bttntn.exe116⤵PID:1932
-
\??\c:\tbbnbt.exec:\tbbnbt.exe117⤵PID:4316
-
\??\c:\pvvdp.exec:\pvvdp.exe118⤵PID:4396
-
\??\c:\lfxrllx.exec:\lfxrllx.exe119⤵PID:116
-
\??\c:\tbbtnh.exec:\tbbtnh.exe120⤵PID:1328
-
\??\c:\nbbthh.exec:\nbbthh.exe121⤵PID:1556
-
\??\c:\jjjjj.exec:\jjjjj.exe122⤵PID:3064