Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
08/01/2025, 04:54
Behavioral task
behavioral1
Sample
970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe
Resource
win7-20240903-en
7 signatures
150 seconds
General
-
Target
970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe
-
Size
333KB
-
MD5
46cf49e73a08135af2bb988b8042f0c9
-
SHA1
535ce21c0cfa2738ecb32128d88c8fac9a06386a
-
SHA256
970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e
-
SHA512
6bb6195381c115d2f1771b2905da19a57936f61b5a638a1687cb522b5150432f78de866543952ebe8895e3049683ca38e34c9888dc87754ff49a5ddeabda89cd
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbey:R4wFHoSHYHUrAwfMp3CDy
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2792-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4292-9-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1416-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-19-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4448-24-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1084-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3400-38-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2140-43-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3816-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3152-62-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1784-69-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-68-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/400-75-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4144-86-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3808-91-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4992-97-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2364-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3868-114-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4984-117-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4460-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/3332-129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-134-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2816-148-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3536-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1500-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1252-166-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2588-169-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4768-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-177-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4308-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3884-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3760-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2980-191-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-196-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1928-201-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-208-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2208-217-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2768-234-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3376-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2032-244-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2056-270-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-275-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2116-282-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1788-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/872-310-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2732-329-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2728-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-369-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-386-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2008-411-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1628-440-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3968-443-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3244-466-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2020-491-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-494-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2112-497-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-500-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2984-507-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4568-629-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2200-793-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2820-833-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2460-924-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4292 ffxxffl.exe 1416 vpvpp.exe 380 bhttht.exe 4448 ddjdp.exe 1084 5rrrlrl.exe 4216 hthttt.exe 3400 xxrllrl.exe 2140 bbbbnb.exe 3816 pvppd.exe 1704 rrrlfff.exe 2008 7tnhtn.exe 3152 djjdv.exe 3972 jvpdp.exe 1784 frlfffr.exe 400 xlrrlff.exe 536 nnnnhh.exe 4144 ddddd.exe 3808 rrxrlfl.exe 4992 5nbbbb.exe 2364 dvdvv.exe 3484 bbbhtb.exe 432 xxfxrrl.exe 3868 bbnhnn.exe 4984 jjddv.exe 4460 7dvvp.exe 3332 thbhbh.exe 2260 ddvvd.exe 872 fxffxxr.exe 1552 xlxxrxl.exe 2816 lrrrxfl.exe 3852 rrlfxrl.exe 3536 nthnnb.exe 4452 vjppp.exe 1500 lfxrxxf.exe 1252 1ttttt.exe 2588 ttnhbb.exe 2356 jdjjv.exe 4768 pvvpp.exe 3240 ppddp.exe 4308 frxfxxx.exe 3884 9tttnn.exe 3760 thhhbh.exe 116 vdpjp.exe 2980 fxrlffx.exe 4696 tnbttt.exe 4468 nnttnb.exe 4816 pvvjv.exe 1928 rrrlrlx.exe 1072 lfxrlll.exe 1384 tnhnnn.exe 2436 pdpjd.exe 3260 5djdp.exe 2776 rrrfrrf.exe 4388 nnntnn.exe 2208 thnbtb.exe 3592 jdvvv.exe 1188 rllfxxx.exe 3828 lfllrrl.exe 1700 thnnnn.exe 380 jvppj.exe 852 djvpj.exe 2944 lxlfxxr.exe 2768 ntttnt.exe 3376 hhhhbb.exe -
resource yara_rule behavioral2/memory/2792-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2792-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b1a-3.dat upx behavioral2/files/0x000b000000023b77-8.dat upx behavioral2/memory/4292-9-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7c-11.dat upx behavioral2/memory/1416-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-18.dat upx behavioral2/memory/380-19-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-23.dat upx behavioral2/memory/4448-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b7f-28.dat upx behavioral2/memory/1084-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b80-33.dat upx behavioral2/memory/3400-38-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b81-37.dat upx behavioral2/memory/2140-43-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-44.dat upx behavioral2/files/0x000a000000023b83-47.dat upx behavioral2/memory/3816-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-52.dat upx behavioral2/files/0x000a000000023b85-56.dat upx behavioral2/memory/2008-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-61.dat upx behavioral2/memory/3152-62-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b87-66.dat upx behavioral2/memory/1784-69-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3972-68-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-73.dat upx behavioral2/memory/400-75-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b89-78.dat upx 
behavioral2/files/0x000a000000023b8a-81.dat upx behavioral2/files/0x000b000000023b78-85.dat upx behavioral2/memory/4144-86-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-90.dat upx behavioral2/memory/3808-91-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4992-97-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2364-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-96.dat upx behavioral2/files/0x000a000000023b8d-101.dat upx behavioral2/memory/2364-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-106.dat upx behavioral2/files/0x000a000000023b8f-110.dat upx behavioral2/memory/3868-114-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-116.dat upx behavioral2/memory/4984-117-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-120.dat upx behavioral2/files/0x000a000000023b92-124.dat upx behavioral2/memory/4460-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-130.dat upx behavioral2/memory/3332-129-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2260-134-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-135.dat upx behavioral2/files/0x000a000000023b96-139.dat upx behavioral2/memory/1552-141-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-144.dat upx behavioral2/memory/2816-148-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-150.dat upx behavioral2/files/0x000a000000023b99-153.dat upx behavioral2/memory/3536-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1252-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1500-162-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/1252-166-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2588-169-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxlrx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3xrrlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7tttnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlxfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvvv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2792 wrote to memory of 4292 2792 970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe 82 PID 2792 wrote to memory of 4292 2792 970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe 82 PID 2792 wrote to memory of 4292 2792 970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe 82 PID 4292 wrote to memory of 1416 4292 ffxxffl.exe 83 PID 4292 wrote to memory of 1416 4292 ffxxffl.exe 83 PID 4292 wrote to memory of 1416 4292 ffxxffl.exe 83 PID 1416 wrote to memory of 380 1416 vpvpp.exe 84 PID 1416 wrote to memory of 380 1416 vpvpp.exe 84 PID 1416 wrote to memory of 380 1416 vpvpp.exe 84 PID 380 wrote to memory of 4448 380 bhttht.exe 85 PID 380 wrote to memory of 4448 380 bhttht.exe 85 PID 380 wrote to memory of 4448 380 bhttht.exe 85 PID 4448 wrote to memory of 1084 4448 ddjdp.exe 86 PID 4448 wrote to memory of 1084 4448 ddjdp.exe 86 PID 4448 wrote to memory of 1084 4448 ddjdp.exe 86 PID 1084 wrote to memory of 4216 1084 5rrrlrl.exe 87 PID 1084 wrote to memory of 4216 1084 5rrrlrl.exe 87 PID 1084 wrote to memory of 4216 1084 5rrrlrl.exe 87 PID 4216 wrote to memory of 3400 4216 hthttt.exe 88 PID 4216 wrote to memory of 3400 4216 hthttt.exe 88 PID 4216 wrote to memory of 3400 4216 hthttt.exe 88 PID 3400 wrote to memory of 2140 3400 xxrllrl.exe 89 PID 3400 wrote to memory of 2140 3400 xxrllrl.exe 89 PID 3400 wrote to memory of 2140 3400 xxrllrl.exe 89 PID 2140 wrote to memory of 3816 2140 bbbbnb.exe 90 PID 2140 wrote to memory of 3816 2140 bbbbnb.exe 90 PID 2140 wrote to memory of 3816 2140 bbbbnb.exe 90 PID 3816 wrote to memory of 1704 3816 pvppd.exe 91 PID 3816 wrote to memory of 1704 3816 pvppd.exe 91 PID 3816 wrote to memory of 1704 3816 pvppd.exe 91 PID 1704 wrote to memory of 2008 1704 rrrlfff.exe 92 PID 1704 wrote to memory of 2008 1704 rrrlfff.exe 92 PID 1704 wrote to memory of 2008 1704 rrrlfff.exe 92 PID 2008 wrote to memory of 3152 2008 7tnhtn.exe 93 PID 2008 wrote to memory 
of 3152 2008 7tnhtn.exe 93 PID 2008 wrote to memory of 3152 2008 7tnhtn.exe 93 PID 3152 wrote to memory of 3972 3152 djjdv.exe 94 PID 3152 wrote to memory of 3972 3152 djjdv.exe 94 PID 3152 wrote to memory of 3972 3152 djjdv.exe 94 PID 3972 wrote to memory of 1784 3972 jvpdp.exe 95 PID 3972 wrote to memory of 1784 3972 jvpdp.exe 95 PID 3972 wrote to memory of 1784 3972 jvpdp.exe 95 PID 1784 wrote to memory of 400 1784 frlfffr.exe 96 PID 1784 wrote to memory of 400 1784 frlfffr.exe 96 PID 1784 wrote to memory of 400 1784 frlfffr.exe 96 PID 400 wrote to memory of 536 400 xlrrlff.exe 97 PID 400 wrote to memory of 536 400 xlrrlff.exe 97 PID 400 wrote to memory of 536 400 xlrrlff.exe 97 PID 536 wrote to memory of 4144 536 nnnnhh.exe 98 PID 536 wrote to memory of 4144 536 nnnnhh.exe 98 PID 536 wrote to memory of 4144 536 nnnnhh.exe 98 PID 4144 wrote to memory of 3808 4144 ddddd.exe 99 PID 4144 wrote to memory of 3808 4144 ddddd.exe 99 PID 4144 wrote to memory of 3808 4144 ddddd.exe 99 PID 3808 wrote to memory of 4992 3808 rrxrlfl.exe 100 PID 3808 wrote to memory of 4992 3808 rrxrlfl.exe 100 PID 3808 wrote to memory of 4992 3808 rrxrlfl.exe 100 PID 4992 wrote to memory of 2364 4992 5nbbbb.exe 101 PID 4992 wrote to memory of 2364 4992 5nbbbb.exe 101 PID 4992 wrote to memory of 2364 4992 5nbbbb.exe 101 PID 2364 wrote to memory of 3484 2364 dvdvv.exe 102 PID 2364 wrote to memory of 3484 2364 dvdvv.exe 102 PID 2364 wrote to memory of 3484 2364 dvdvv.exe 102 PID 3484 wrote to memory of 432 3484 bbbhtb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe"C:\Users\Admin\AppData\Local\Temp\970cbec753eb71e1d6406c5e397af9d6a9f49002721501c32abb40fdb1747a3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
\??\c:\ffxxffl.exec:\ffxxffl.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\vpvpp.exec:\vpvpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
\??\c:\bhttht.exec:\bhttht.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\ddjdp.exec:\ddjdp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
\??\c:\5rrrlrl.exec:\5rrrlrl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084 -
\??\c:\hthttt.exec:\hthttt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216 -
\??\c:\xxrllrl.exec:\xxrllrl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
\??\c:\bbbbnb.exec:\bbbbnb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
\??\c:\pvppd.exec:\pvppd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
\??\c:\rrrlfff.exec:\rrrlfff.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704 -
\??\c:\7tnhtn.exec:\7tnhtn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2008 -
\??\c:\djjdv.exec:\djjdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
\??\c:\jvpdp.exec:\jvpdp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972 -
\??\c:\frlfffr.exec:\frlfffr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784 -
\??\c:\xlrrlff.exec:\xlrrlff.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\nnnnhh.exec:\nnnnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\ddddd.exec:\ddddd.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
\??\c:\rrxrlfl.exec:\rrxrlfl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
\??\c:\5nbbbb.exec:\5nbbbb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
\??\c:\dvdvv.exec:\dvdvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2364 -
\??\c:\bbbhtb.exec:\bbbhtb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
\??\c:\xxfxrrl.exec:\xxfxrrl.exe23⤵
- Executes dropped EXE
PID:432 -
\??\c:\bbnhnn.exec:\bbnhnn.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3868 -
\??\c:\jjddv.exec:\jjddv.exe25⤵
- Executes dropped EXE
PID:4984 -
\??\c:\7dvvp.exec:\7dvvp.exe26⤵
- Executes dropped EXE
PID:4460 -
\??\c:\thbhbh.exec:\thbhbh.exe27⤵
- Executes dropped EXE
PID:3332 -
\??\c:\ddvvd.exec:\ddvvd.exe28⤵
- Executes dropped EXE
PID:2260 -
\??\c:\fxffxxr.exec:\fxffxxr.exe29⤵
- Executes dropped EXE
PID:872 -
\??\c:\xlxxrxl.exec:\xlxxrxl.exe30⤵
- Executes dropped EXE
PID:1552 -
\??\c:\lrrrxfl.exec:\lrrrxfl.exe31⤵
- Executes dropped EXE
PID:2816 -
\??\c:\rrlfxrl.exec:\rrlfxrl.exe32⤵
- Executes dropped EXE
PID:3852 -
\??\c:\nthnnb.exec:\nthnnb.exe33⤵
- Executes dropped EXE
PID:3536 -
\??\c:\vjppp.exec:\vjppp.exe34⤵
- Executes dropped EXE
PID:4452 -
\??\c:\lfxrxxf.exec:\lfxrxxf.exe35⤵
- Executes dropped EXE
PID:1500 -
\??\c:\1ttttt.exec:\1ttttt.exe36⤵
- Executes dropped EXE
PID:1252 -
\??\c:\ttnhbb.exec:\ttnhbb.exe37⤵
- Executes dropped EXE
PID:2588 -
\??\c:\jdjjv.exec:\jdjjv.exe38⤵
- Executes dropped EXE
PID:2356 -
\??\c:\pvvpp.exec:\pvvpp.exe39⤵
- Executes dropped EXE
PID:4768 -
\??\c:\ppddp.exec:\ppddp.exe40⤵
- Executes dropped EXE
PID:3240 -
\??\c:\frxfxxx.exec:\frxfxxx.exe41⤵
- Executes dropped EXE
PID:4308 -
\??\c:\9tttnn.exec:\9tttnn.exe42⤵
- Executes dropped EXE
PID:3884 -
\??\c:\thhhbh.exec:\thhhbh.exe43⤵
- Executes dropped EXE
PID:3760 -
\??\c:\vdpjp.exec:\vdpjp.exe44⤵
- Executes dropped EXE
PID:116 -
\??\c:\fxrlffx.exec:\fxrlffx.exe45⤵
- Executes dropped EXE
PID:2980 -
\??\c:\tnbttt.exec:\tnbttt.exe46⤵
- Executes dropped EXE
PID:4696 -
\??\c:\nnttnb.exec:\nnttnb.exe47⤵
- Executes dropped EXE
PID:4468 -
\??\c:\pvvjv.exec:\pvvjv.exe48⤵
- Executes dropped EXE
PID:4816 -
\??\c:\rrrlrlx.exec:\rrrlrlx.exe49⤵
- Executes dropped EXE
PID:1928 -
\??\c:\lfxrlll.exec:\lfxrlll.exe50⤵
- Executes dropped EXE
PID:1072 -
\??\c:\tnhnnn.exec:\tnhnnn.exe51⤵
- Executes dropped EXE
PID:1384 -
\??\c:\pdpjd.exec:\pdpjd.exe52⤵
- Executes dropped EXE
PID:2436 -
\??\c:\5djdp.exec:\5djdp.exe53⤵
- Executes dropped EXE
PID:3260 -
\??\c:\rrrfrrf.exec:\rrrfrrf.exe54⤵
- Executes dropped EXE
PID:2776 -
\??\c:\nnntnn.exec:\nnntnn.exe55⤵
- Executes dropped EXE
PID:4388 -
\??\c:\thnbtb.exec:\thnbtb.exe56⤵
- Executes dropped EXE
PID:2208 -
\??\c:\jdvvv.exec:\jdvvv.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3592 -
\??\c:\rllfxxx.exec:\rllfxxx.exe58⤵
- Executes dropped EXE
PID:1188 -
\??\c:\lfllrrl.exec:\lfllrrl.exe59⤵
- Executes dropped EXE
PID:3828 -
\??\c:\thnnnn.exec:\thnnnn.exe60⤵
- Executes dropped EXE
PID:1700 -
\??\c:\jvppj.exec:\jvppj.exe61⤵
- Executes dropped EXE
PID:380 -
\??\c:\djvpj.exec:\djvpj.exe62⤵
- Executes dropped EXE
PID:852 -
\??\c:\lxlfxxr.exec:\lxlfxxr.exe63⤵
- Executes dropped EXE
PID:2944 -
\??\c:\ntttnt.exec:\ntttnt.exe64⤵
- Executes dropped EXE
PID:2768 -
\??\c:\hhhhbb.exec:\hhhhbb.exe65⤵
- Executes dropped EXE
PID:3376 -
\??\c:\dvddv.exec:\dvddv.exe66⤵PID:1056
-
\??\c:\1llfffx.exec:\1llfffx.exe67⤵PID:4972
-
\??\c:\xlxxflr.exec:\xlxxflr.exe68⤵PID:2032
-
\??\c:\tntnbh.exec:\tntnbh.exe69⤵PID:3660
-
\??\c:\pjvdp.exec:\pjvdp.exe70⤵PID:1428
-
\??\c:\7pdvv.exec:\7pdvv.exe71⤵PID:1904
-
\??\c:\xxxxrrl.exec:\xxxxrrl.exe72⤵PID:4232
-
\??\c:\ffxrrxx.exec:\ffxrrxx.exe73⤵PID:3040
-
\??\c:\1tbttt.exec:\1tbttt.exe74⤵PID:1960
-
\??\c:\3bhbth.exec:\3bhbth.exe75⤵PID:2836
-
\??\c:\vpddp.exec:\vpddp.exe76⤵PID:4180
-
\??\c:\xfxflfx.exec:\xfxflfx.exe77⤵PID:4220
-
\??\c:\frxrrrr.exec:\frxrrrr.exe78⤵PID:1468
-
\??\c:\5bhbbb.exec:\5bhbbb.exe79⤵PID:3848
-
\??\c:\jdjvp.exec:\jdjvp.exe80⤵PID:2056
-
\??\c:\fxfrlrr.exec:\fxfrlrr.exe81⤵PID:4016
-
\??\c:\nnbtbb.exec:\nnbtbb.exe82⤵PID:4884
-
\??\c:\pjvdv.exec:\pjvdv.exe83⤵PID:1316
-
\??\c:\rflfxxx.exec:\rflfxxx.exe84⤵PID:1536
-
\??\c:\1rffxxl.exec:\1rffxxl.exe85⤵PID:2116
-
\??\c:\bbnnhn.exec:\bbnnhn.exe86⤵PID:1920
-
\??\c:\hbbttn.exec:\hbbttn.exe87⤵PID:3968
-
\??\c:\vpddj.exec:\vpddj.exe88⤵PID:3456
-
\??\c:\xlrlxfr.exec:\xlrlxfr.exe89⤵
- System Location Discovery: System Language Discovery
PID:2716 -
\??\c:\ffxrffx.exec:\ffxrffx.exe90⤵PID:436
-
\??\c:\tbnhhh.exec:\tbnhhh.exe91⤵PID:3868
-
\??\c:\dddpd.exec:\dddpd.exe92⤵PID:4984
-
\??\c:\rlffxlf.exec:\rlffxlf.exe93⤵PID:2312
-
\??\c:\nhhbtt.exec:\nhhbtt.exe94⤵PID:1768
-
\??\c:\nbbtnn.exec:\nbbtnn.exe95⤵PID:1788
-
\??\c:\dvjdj.exec:\dvjdj.exe96⤵PID:3332
-
\??\c:\lxfxrxr.exec:\lxfxrxr.exe97⤵PID:3208
-
\??\c:\lxllxlx.exec:\lxllxlx.exe98⤵PID:872
-
\??\c:\ntnbhh.exec:\ntnbhh.exe99⤵PID:928
-
\??\c:\djdpj.exec:\djdpj.exe100⤵PID:1648
-
\??\c:\jdpjd.exec:\jdpjd.exe101⤵PID:2684
-
\??\c:\rxxrffx.exec:\rxxrffx.exe102⤵PID:4132
-
\??\c:\hnnhbt.exec:\hnnhbt.exe103⤵PID:1592
-
\??\c:\pjvjv.exec:\pjvjv.exe104⤵PID:4452
-
\??\c:\pjdjd.exec:\pjdjd.exe105⤵PID:1972
-
\??\c:\lrfxrlr.exec:\lrfxrlr.exe106⤵PID:4160
-
\??\c:\hbnnhb.exec:\hbnnhb.exe107⤵PID:2732
-
\??\c:\5ttttb.exec:\5ttttb.exe108⤵PID:2216
-
\??\c:\dpvjv.exec:\dpvjv.exe109⤵PID:628
-
\??\c:\7ffrxff.exec:\7ffrxff.exe110⤵PID:2020
-
\??\c:\fxrflll.exec:\fxrflll.exe111⤵PID:2812
-
\??\c:\hthhnn.exec:\hthhnn.exe112⤵PID:2744
-
\??\c:\jddvp.exec:\jddvp.exe113⤵PID:912
-
\??\c:\dvdvv.exec:\dvdvv.exe114⤵PID:1448
-
\??\c:\lffxrrl.exec:\lffxrrl.exe115⤵PID:3108
-
\??\c:\nnnhnn.exec:\nnnhnn.exe116⤵PID:2128
-
\??\c:\vdjjj.exec:\vdjjj.exe117⤵PID:3020
-
\??\c:\xlffrrr.exec:\xlffrrr.exe118⤵PID:2728
-
\??\c:\rlxfxlf.exec:\rlxfxlf.exe119⤵PID:1388
-
\??\c:\nhbbtb.exec:\nhbbtb.exe120⤵PID:1036
-
\??\c:\jdppj.exec:\jdppj.exe121⤵PID:452
-
\??\c:\7rrlflf.exec:\7rrlflf.exe122⤵PID:1556
-