Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08/01/2025, 04:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe
Resource
win7-20241023-en
7 signatures
150 seconds
General
-
Target
97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe
-
Size
455KB
-
MD5
6857b120a773a359815780af834e4468
-
SHA1
ca4453d67a70ea409c62634172a7faaab566bea5
-
SHA256
97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56
-
SHA512
1062cc7297bde6a1e82e6a7a3b350afa571e510c0e71eaaae863f73c592828ac1706e6c754d711afd5176805f4e93847e12e0faf36b9ed746e05183c75a51757
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeT+:q7Tc2NYHUrAwfMp3CDS
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3368-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-7-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/516-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3372-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4752-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2716-33-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1072-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4840-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1324-73-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3552-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-85-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3932-92-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-104-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4776-108-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4228-116-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/668-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2756-132-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1816-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4988-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2068-167-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4656-184-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1476-186-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2828-200-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2424-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1268-212-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3032-220-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2836-227-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4476-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/780-244-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2804-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1704-266-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3424-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4820-280-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4860-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2232-312-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2296-319-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4972-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2876-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-352-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-368-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-387-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-397-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1956-401-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5004-429-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/876-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2044-520-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5052-530-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3620-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5008-620-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4032-688-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-1026-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1824-1471-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-1753-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3368 xllfxxr.exe 3372 llrlrlr.exe 516 3vppj.exe 4752 httnbb.exe 2716 rlxxrxx.exe 536 lflxlfl.exe 1072 pdvpj.exe 4840 hbnhht.exe 316 frrrllr.exe 4860 hbhbhb.exe 744 vppdd.exe 1324 hbtnhh.exe 3552 pvddd.exe 2928 hbbttn.exe 3932 jddjj.exe 4220 ntbttt.exe 2232 pjdjv.exe 4776 nnbbhh.exe 4228 hbhbtn.exe 668 ffxrllf.exe 4512 9tbbbb.exe 2756 7vdvp.exe 4736 xxxxfff.exe 1816 hbhbtt.exe 4988 pvddv.exe 4660 7pjpd.exe 640 pjpjd.exe 2068 3nthbb.exe 1420 jdjdd.exe 1600 jpdvv.exe 4656 fxxrlrr.exe 1476 9hhbbb.exe 4084 jdjdv.exe 2180 llrrfff.exe 2828 9jpjj.exe 1784 rflffll.exe 2424 hbtnhn.exe 1268 nbhnhh.exe 64 ddddp.exe 3032 1xfxxxr.exe 5004 frxlrrx.exe 2836 tttntn.exe 3916 jdjpv.exe 1148 pjpjd.exe 4476 3frllfx.exe 2464 hnbbtt.exe 2564 vjppj.exe 780 7tnhhh.exe 5100 bhthbn.exe 1740 dvvvp.exe 2804 fxlffff.exe 3124 bttnhh.exe 3240 tntnhh.exe 1704 7jpdv.exe 3424 fxxrlfx.exe 3964 7nbttn.exe 4032 9pvvd.exe 4820 xrrflrx.exe 4860 nnnhtn.exe 4184 tbtnhh.exe 4452 pvdjp.exe 2900 pvvpd.exe 3012 fllxrlf.exe 776 bbbtnh.exe -
resource yara_rule behavioral2/memory/3368-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-7-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/516-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3372-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4752-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2716-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1072-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4840-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1324-73-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3552-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-85-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3932-92-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-96-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-104-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4776-108-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4228-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/668-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2756-132-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1816-145-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/640-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2068-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4656-184-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1476-186-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2828-200-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2424-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1268-212-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3032-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2836-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4476-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/780-244-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2804-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1704-266-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3424-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4820-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4860-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2232-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2296-319-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4972-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2876-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-352-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-368-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3308-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-397-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1956-401-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5004-429-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/876-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2044-520-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5052-530-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-564-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3620-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5008-620-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4032-688-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/208-848-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-1026-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3020-1396-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxllffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3nttnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1dpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language llxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhhtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ppppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language djpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btthbt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxrfxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7hhhnt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bnbnnb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4792 wrote to memory of 3368 4792 97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe 82 PID 4792 wrote to memory of 3368 4792 97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe 82 PID 4792 wrote to memory of 3368 4792 97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe 82 PID 3368 wrote to memory of 3372 3368 xllfxxr.exe 83 PID 3368 wrote to memory of 3372 3368 xllfxxr.exe 83 PID 3368 wrote to memory of 3372 3368 xllfxxr.exe 83 PID 3372 wrote to memory of 516 3372 llrlrlr.exe 84 PID 3372 wrote to memory of 516 3372 llrlrlr.exe 84 PID 3372 wrote to memory of 516 3372 llrlrlr.exe 84 PID 516 wrote to memory of 4752 516 3vppj.exe 85 PID 516 wrote to memory of 4752 516 3vppj.exe 85 PID 516 wrote to memory of 4752 516 3vppj.exe 85 PID 4752 wrote to memory of 2716 4752 httnbb.exe 86 PID 4752 wrote to memory of 2716 4752 httnbb.exe 86 PID 4752 wrote to memory of 2716 4752 httnbb.exe 86 PID 2716 wrote to memory of 536 2716 rlxxrxx.exe 87 PID 2716 wrote to memory of 536 2716 rlxxrxx.exe 87 PID 2716 wrote to memory of 536 2716 rlxxrxx.exe 87 PID 536 wrote to memory of 1072 536 lflxlfl.exe 88 PID 536 wrote to memory of 1072 536 lflxlfl.exe 88 PID 536 wrote to memory of 1072 536 lflxlfl.exe 88 PID 1072 wrote to memory of 4840 1072 pdvpj.exe 89 PID 1072 wrote to memory of 4840 1072 pdvpj.exe 89 PID 1072 wrote to memory of 4840 1072 pdvpj.exe 89 PID 4840 wrote to memory of 316 4840 hbnhht.exe 90 PID 4840 wrote to memory of 316 4840 hbnhht.exe 90 PID 4840 wrote to memory of 316 4840 hbnhht.exe 90 PID 316 wrote to memory of 4860 316 frrrllr.exe 91 PID 316 wrote to memory of 4860 316 frrrllr.exe 91 PID 316 wrote to memory of 4860 316 frrrllr.exe 91 PID 4860 wrote to memory of 744 4860 hbhbhb.exe 92 PID 4860 wrote to memory of 744 4860 hbhbhb.exe 92 PID 4860 wrote to memory of 744 4860 hbhbhb.exe 92 PID 744 wrote to memory of 1324 744 vppdd.exe 93 PID 744 wrote to memory of 1324 744 
vppdd.exe 93 PID 744 wrote to memory of 1324 744 vppdd.exe 93 PID 1324 wrote to memory of 3552 1324 hbtnhh.exe 94 PID 1324 wrote to memory of 3552 1324 hbtnhh.exe 94 PID 1324 wrote to memory of 3552 1324 hbtnhh.exe 94 PID 3552 wrote to memory of 2928 3552 pvddd.exe 95 PID 3552 wrote to memory of 2928 3552 pvddd.exe 95 PID 3552 wrote to memory of 2928 3552 pvddd.exe 95 PID 2928 wrote to memory of 3932 2928 hbbttn.exe 96 PID 2928 wrote to memory of 3932 2928 hbbttn.exe 96 PID 2928 wrote to memory of 3932 2928 hbbttn.exe 96 PID 3932 wrote to memory of 4220 3932 jddjj.exe 97 PID 3932 wrote to memory of 4220 3932 jddjj.exe 97 PID 3932 wrote to memory of 4220 3932 jddjj.exe 97 PID 4220 wrote to memory of 2232 4220 ntbttt.exe 98 PID 4220 wrote to memory of 2232 4220 ntbttt.exe 98 PID 4220 wrote to memory of 2232 4220 ntbttt.exe 98 PID 2232 wrote to memory of 4776 2232 pjdjv.exe 99 PID 2232 wrote to memory of 4776 2232 pjdjv.exe 99 PID 2232 wrote to memory of 4776 2232 pjdjv.exe 99 PID 4776 wrote to memory of 4228 4776 nnbbhh.exe 100 PID 4776 wrote to memory of 4228 4776 nnbbhh.exe 100 PID 4776 wrote to memory of 4228 4776 nnbbhh.exe 100 PID 4228 wrote to memory of 668 4228 hbhbtn.exe 101 PID 4228 wrote to memory of 668 4228 hbhbtn.exe 101 PID 4228 wrote to memory of 668 4228 hbhbtn.exe 101 PID 668 wrote to memory of 4512 668 ffxrllf.exe 102 PID 668 wrote to memory of 4512 668 ffxrllf.exe 102 PID 668 wrote to memory of 4512 668 ffxrllf.exe 102 PID 4512 wrote to memory of 2756 4512 9tbbbb.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe"C:\Users\Admin\AppData\Local\Temp\97847a8f476973b89cd13ba55626f6ad195e6e52a9fa39dbd13c62a87c36db56.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\xllfxxr.exec:\xllfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368 -
\??\c:\llrlrlr.exec:\llrlrlr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
\??\c:\3vppj.exec:\3vppj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516 -
\??\c:\httnbb.exec:\httnbb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
\??\c:\rlxxrxx.exec:\rlxxrxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
\??\c:\lflxlfl.exec:\lflxlfl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:536 -
\??\c:\pdvpj.exec:\pdvpj.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\hbnhht.exec:\hbnhht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840 -
\??\c:\frrrllr.exec:\frrrllr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316 -
\??\c:\hbhbhb.exec:\hbhbhb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
\??\c:\vppdd.exec:\vppdd.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
\??\c:\hbtnhh.exec:\hbtnhh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
\??\c:\pvddd.exec:\pvddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3552 -
\??\c:\hbbttn.exec:\hbbttn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\jddjj.exec:\jddjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
\??\c:\ntbttt.exec:\ntbttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
\??\c:\pjdjv.exec:\pjdjv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2232 -
\??\c:\nnbbhh.exec:\nnbbhh.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
\??\c:\hbhbtn.exec:\hbhbtn.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4228 -
\??\c:\ffxrllf.exec:\ffxrllf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:668 -
\??\c:\9tbbbb.exec:\9tbbbb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
\??\c:\7vdvp.exec:\7vdvp.exe23⤵
- Executes dropped EXE
PID:2756 -
\??\c:\xxxxfff.exec:\xxxxfff.exe24⤵
- Executes dropped EXE
PID:4736 -
\??\c:\hbhbtt.exec:\hbhbtt.exe25⤵
- Executes dropped EXE
PID:1816 -
\??\c:\pvddv.exec:\pvddv.exe26⤵
- Executes dropped EXE
PID:4988 -
\??\c:\7pjpd.exec:\7pjpd.exe27⤵
- Executes dropped EXE
PID:4660 -
\??\c:\pjpjd.exec:\pjpjd.exe28⤵
- Executes dropped EXE
PID:640 -
\??\c:\3nthbb.exec:\3nthbb.exe29⤵
- Executes dropped EXE
PID:2068 -
\??\c:\jdjdd.exec:\jdjdd.exe30⤵
- Executes dropped EXE
PID:1420 -
\??\c:\jpdvv.exec:\jpdvv.exe31⤵
- Executes dropped EXE
PID:1600 -
\??\c:\fxxrlrr.exec:\fxxrlrr.exe32⤵
- Executes dropped EXE
PID:4656 -
\??\c:\9hhbbb.exec:\9hhbbb.exe33⤵
- Executes dropped EXE
PID:1476 -
\??\c:\jdjdv.exec:\jdjdv.exe34⤵
- Executes dropped EXE
PID:4084 -
\??\c:\llrrfff.exec:\llrrfff.exe35⤵
- Executes dropped EXE
PID:2180 -
\??\c:\9jpjj.exec:\9jpjj.exe36⤵
- Executes dropped EXE
PID:2828 -
\??\c:\rflffll.exec:\rflffll.exe37⤵
- Executes dropped EXE
PID:1784 -
\??\c:\hbtnhn.exec:\hbtnhn.exe38⤵
- Executes dropped EXE
PID:2424 -
\??\c:\nbhnhh.exec:\nbhnhh.exe39⤵
- Executes dropped EXE
PID:1268 -
\??\c:\ddddp.exec:\ddddp.exe40⤵
- Executes dropped EXE
PID:64 -
\??\c:\1xfxxxr.exec:\1xfxxxr.exe41⤵
- Executes dropped EXE
PID:3032 -
\??\c:\frxlrrx.exec:\frxlrrx.exe42⤵
- Executes dropped EXE
PID:5004 -
\??\c:\tttntn.exec:\tttntn.exe43⤵
- Executes dropped EXE
PID:2836 -
\??\c:\jdjpv.exec:\jdjpv.exe44⤵
- Executes dropped EXE
PID:3916 -
\??\c:\pjpjd.exec:\pjpjd.exe45⤵
- Executes dropped EXE
PID:1148 -
\??\c:\3frllfx.exec:\3frllfx.exe46⤵
- Executes dropped EXE
PID:4476 -
\??\c:\hnbbtt.exec:\hnbbtt.exe47⤵
- Executes dropped EXE
PID:2464 -
\??\c:\vjppj.exec:\vjppj.exe48⤵
- Executes dropped EXE
PID:2564 -
\??\c:\7tnhhh.exec:\7tnhhh.exe49⤵
- Executes dropped EXE
PID:780 -
\??\c:\bhthbn.exec:\bhthbn.exe50⤵
- Executes dropped EXE
PID:5100 -
\??\c:\dvvvp.exec:\dvvvp.exe51⤵
- Executes dropped EXE
PID:1740 -
\??\c:\fxlffff.exec:\fxlffff.exe52⤵
- Executes dropped EXE
PID:2804 -
\??\c:\bttnhh.exec:\bttnhh.exe53⤵
- Executes dropped EXE
PID:3124 -
\??\c:\tntnhh.exec:\tntnhh.exe54⤵
- Executes dropped EXE
PID:3240 -
\??\c:\7jpdv.exec:\7jpdv.exe55⤵
- Executes dropped EXE
PID:1704 -
\??\c:\fxxrlfx.exec:\fxxrlfx.exe56⤵
- Executes dropped EXE
PID:3424 -
\??\c:\7nbttn.exec:\7nbttn.exe57⤵
- Executes dropped EXE
PID:3964 -
\??\c:\9pvvd.exec:\9pvvd.exe58⤵
- Executes dropped EXE
PID:4032 -
\??\c:\xrrflrx.exec:\xrrflrx.exe59⤵
- Executes dropped EXE
PID:4820 -
\??\c:\nnnhtn.exec:\nnnhtn.exe60⤵
- Executes dropped EXE
PID:4860 -
\??\c:\tbtnhh.exec:\tbtnhh.exe61⤵
- Executes dropped EXE
PID:4184 -
\??\c:\pvdjp.exec:\pvdjp.exe62⤵
- Executes dropped EXE
PID:4452 -
\??\c:\pvvpd.exec:\pvvpd.exe63⤵
- Executes dropped EXE
PID:2900 -
\??\c:\fllxrlf.exec:\fllxrlf.exe64⤵
- Executes dropped EXE
PID:3012 -
\??\c:\bbbtnh.exec:\bbbtnh.exe65⤵
- Executes dropped EXE
PID:776 -
\??\c:\ddpdd.exec:\ddpdd.exe66⤵PID:1556
-
\??\c:\llxxffx.exec:\llxxffx.exe67⤵PID:2064
-
\??\c:\nnbbhh.exec:\nnbbhh.exe68⤵PID:2632
-
\??\c:\thhnbt.exec:\thhnbt.exe69⤵PID:1584
-
\??\c:\5ddvp.exec:\5ddvp.exe70⤵PID:2232
-
\??\c:\3lxrrlr.exec:\3lxrrlr.exe71⤵PID:2296
-
\??\c:\5ntnhb.exec:\5ntnhb.exe72⤵PID:1948
-
\??\c:\tnnbnh.exec:\tnnbnh.exe73⤵PID:4972
-
\??\c:\1ppjv.exec:\1ppjv.exe74⤵PID:4620
-
\??\c:\frrlfxr.exec:\frrlfxr.exe75⤵PID:868
-
\??\c:\1nhbnh.exec:\1nhbnh.exe76⤵PID:1440
-
\??\c:\pdjvj.exec:\pdjvj.exe77⤵PID:4784
-
\??\c:\dvjdj.exec:\dvjdj.exe78⤵PID:3492
-
\??\c:\9lrlxlf.exec:\9lrlxlf.exe79⤵PID:2876
-
\??\c:\nbbnbn.exec:\nbbnbn.exe80⤵PID:4664
-
\??\c:\jjjpj.exec:\jjjpj.exe81⤵PID:4488
-
\??\c:\xrfrlxl.exec:\xrfrlxl.exe82⤵PID:3620
-
\??\c:\xxlffxf.exec:\xxlffxf.exe83⤵PID:1696
-
\??\c:\tttnnn.exec:\tttnnn.exe84⤵PID:1452
-
\??\c:\rrxfxll.exec:\rrxfxll.exe85⤵PID:552
-
\??\c:\7xrrfff.exec:\7xrrfff.exe86⤵PID:4132
-
\??\c:\9bhbbh.exec:\9bhbbh.exe87⤵PID:2956
-
\??\c:\7jvpv.exec:\7jvpv.exe88⤵PID:2800
-
\??\c:\5fxrrlf.exec:\5fxrrlf.exe89⤵PID:3976
-
\??\c:\nbnhnn.exec:\nbnhnn.exe90⤵PID:620
-
\??\c:\tnhtnh.exec:\tnhtnh.exe91⤵PID:1600
-
\??\c:\ddjdv.exec:\ddjdv.exe92⤵PID:3308
-
\??\c:\frrlffx.exec:\frrlffx.exe93⤵PID:1360
-
\??\c:\ttttnn.exec:\ttttnn.exe94⤵PID:1204
-
\??\c:\hbhbnn.exec:\hbhbnn.exe95⤵PID:4068
-
\??\c:\vpdvv.exec:\vpdvv.exe96⤵PID:1956
-
\??\c:\rlrllll.exec:\rlrllll.exe97⤵PID:4976
-
\??\c:\lxllffx.exec:\lxllffx.exe98⤵
- System Location Discovery: System Language Discovery
PID:3656 -
\??\c:\hnbtht.exec:\hnbtht.exe99⤵PID:1504
-
\??\c:\ddddv.exec:\ddddv.exe100⤵PID:2424
-
\??\c:\dvpdv.exec:\dvpdv.exe101⤵PID:5064
-
\??\c:\fxffxxf.exec:\fxffxxf.exe102⤵PID:1376
-
\??\c:\9ntttt.exec:\9ntttt.exe103⤵PID:3744
-
\??\c:\7vvpp.exec:\7vvpp.exe104⤵PID:3032
-
\??\c:\lffxrxr.exec:\lffxrxr.exe105⤵PID:5004
-
\??\c:\ffrlrrx.exec:\ffrlrrx.exe106⤵PID:920
-
\??\c:\nhnnhh.exec:\nhnnhh.exe107⤵PID:4376
-
\??\c:\jppjj.exec:\jppjj.exe108⤵PID:928
-
\??\c:\3frlrlx.exec:\3frlrlx.exe109⤵PID:2300
-
\??\c:\ffllllr.exec:\ffllllr.exe110⤵PID:3864
-
\??\c:\tnnnhh.exec:\tnnnhh.exe111⤵PID:4180
-
\??\c:\1tnhnt.exec:\1tnhnt.exe112⤵PID:3456
-
\??\c:\9djjd.exec:\9djjd.exe113⤵PID:3404
-
\??\c:\llfxrrl.exec:\llfxrrl.exe114⤵PID:3584
-
\??\c:\nhnnnn.exec:\nhnnnn.exe115⤵PID:1740
-
\??\c:\9tnhtt.exec:\9tnhtt.exe116⤵PID:3612
-
\??\c:\vjvjv.exec:\vjvjv.exe117⤵PID:4504
-
\??\c:\lrfxrrr.exec:\lrfxrrr.exe118⤵PID:3240
-
\??\c:\7bbhtt.exec:\7bbhtt.exe119⤵PID:1104
-
\??\c:\jjppj.exec:\jjppj.exe120⤵PID:4768
-
\??\c:\rrfrllf.exec:\rrfrllf.exe121⤵PID:2476
-
\??\c:\tnhbbt.exec:\tnhbbt.exe122⤵PID:4020