Analysis
-
max time kernel
120s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
22-11-2024 07:44
Behavioral task
behavioral1
Sample
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe
Resource
win7-20241010-en
7 signatures
120 seconds
General
-
Target
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe
-
Size
335KB
-
MD5
5c607a1bc09df2b598835688cd4bef86
-
SHA1
059ec216e2d5e557570179b623107a8fe7ef5b23
-
SHA256
3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e
-
SHA512
44074d20040f262c4f3ebbac6cffd1374042fdbc74570cb6e7c1897351b31c75de67d5951dcde6df2796bab46111af4b5a08c62d8812a0019314d6a3e217f3ae
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbeRp:R4wFHoSHYHUrAwfMp3CDRp
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/3560-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4428-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3740-17-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2552-16-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4004-23-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3632-30-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3000-36-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1496-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1772-59-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4400-63-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1424-67-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2688-78-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3660-73-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4108-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1800-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-106-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4820-102-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4296-116-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2464-122-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3452-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2532-145-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3648-153-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3620-162-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2788-165-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3164-168-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/920-171-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1616-180-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2296-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3188-186-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2040-189-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-197-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-200-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3512-205-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-212-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2964-219-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1576-226-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4468-229-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/924-232-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1120-235-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2228-242-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4884-253-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4824-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4600-263-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-266-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1508-271-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-280-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1184-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3056-320-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-327-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3736-332-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2096-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1776-376-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/536-401-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/956-414-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-439-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4364-442-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3304-446-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1264-452-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1104-523-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4428 1vdvv.exe 2552 llrrlfx.exe 3740 rxfxrlx.exe 4004 tbhhhb.exe 3632 dvjvv.exe 3000 ntbbtb.exe 4952 lfrlxrr.exe 4468 jppjp.exe 924 tttnnn.exe 1496 jjdvj.exe 1772 hthbtt.exe 4400 dvddv.exe 1424 xrxrllf.exe 3660 xfxrrrl.exe 2688 vjjdv.exe 4108 1fxxlxf.exe 4824 ddjdv.exe 4452 ffxrllf.exe 1800 jdpjj.exe 4820 5frlxxf.exe 2948 5pjdd.exe 3292 rxfxxxx.exe 4296 3fxffrl.exe 2464 9pjdv.exe 3452 nbbhbh.exe 536 fllllrr.exe 4736 tntnbh.exe 4404 fffxxxr.exe 2532 hnnhtt.exe 1104 vvjpj.exe 3648 hbtbth.exe 5100 xlrrlrl.exe 1884 bhtbbh.exe 3620 9ppjj.exe 2788 nhnhbb.exe 3164 dvppv.exe 920 1ppjj.exe 1516 lflfxfx.exe 2220 bttbbt.exe 4680 jdjdd.exe 1616 xrfflff.exe 2296 hhnntb.exe 3188 nnhbbb.exe 2040 dppvv.exe 4448 xxxrxfr.exe 3556 bbbttn.exe 4508 htttnn.exe 3304 5jvpp.exe 2552 xfrlfff.exe 3512 hbhbtt.exe 3740 3jjjv.exe 3792 jjpjd.exe 3436 lffxrrr.exe 5064 bbnhhh.exe 3632 nbhhhn.exe 2964 jppjd.exe 4316 vpvpj.exe 476 xfllrrx.exe 1576 bnbttn.exe 4468 jjjdd.exe 924 xxrrlrr.exe 1120 xrrrllf.exe 1140 ntbbtb.exe 3276 jdpvp.exe -
resource yara_rule behavioral2/memory/3560-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b52-4.dat upx behavioral2/memory/3560-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4428-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba7-9.dat upx behavioral2/memory/4428-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba8-12.dat upx behavioral2/memory/3740-17-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2552-16-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba9-20.dat upx behavioral2/memory/4004-23-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baa-25.dat upx behavioral2/files/0x000a000000023bab-29.dat upx behavioral2/memory/3632-30-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bac-34.dat upx behavioral2/memory/3000-36-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bad-39.dat upx behavioral2/memory/4952-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bae-44.dat upx behavioral2/memory/4468-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023baf-49.dat upx behavioral2/memory/924-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bb8-54.dat upx behavioral2/memory/1496-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1772-59-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bbf-61.dat upx behavioral2/memory/4400-63-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bc8-66.dat upx behavioral2/memory/1424-67-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bcd-71.dat upx 
behavioral2/files/0x0009000000023bce-75.dat upx behavioral2/files/0x000b000000023ba4-80.dat upx behavioral2/memory/2688-78-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3660-73-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0009000000023bcf-85.dat upx behavioral2/memory/4108-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000e000000023bd3-89.dat upx behavioral2/files/0x0008000000023bd5-93.dat upx behavioral2/files/0x0008000000023bd8-97.dat upx behavioral2/memory/1800-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bd9-103.dat upx behavioral2/memory/2948-106-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4820-102-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023bda-108.dat upx behavioral2/files/0x0008000000023bdb-112.dat upx behavioral2/files/0x0008000000023c0a-117.dat upx behavioral2/memory/4296-116-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0b-121.dat upx behavioral2/memory/2464-122-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0c-127.dat upx behavioral2/memory/3452-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0d-131.dat upx behavioral2/memory/536-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c0e-136.dat upx behavioral2/files/0x0008000000023c0f-140.dat upx behavioral2/memory/2532-145-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0008000000023c14-144.dat upx behavioral2/files/0x0008000000023c15-149.dat upx behavioral2/files/0x0008000000023c16-154.dat upx behavioral2/memory/3648-153-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3620-162-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/2788-165-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3164-168-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/920-171-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxxxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlrlrrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tbnhnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrllrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxlfflr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvdjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pvvvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxrrrxf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1jjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fflllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxxxrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thnhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1ddpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3560 wrote to memory of 4428 3560 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 83 PID 3560 wrote to memory of 4428 3560 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 83 PID 3560 wrote to memory of 4428 3560 3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe 83 PID 4428 wrote to memory of 2552 4428 1vdvv.exe 84 PID 4428 wrote to memory of 2552 4428 1vdvv.exe 84 PID 4428 wrote to memory of 2552 4428 1vdvv.exe 84 PID 2552 wrote to memory of 3740 2552 llrrlfx.exe 85 PID 2552 wrote to memory of 3740 2552 llrrlfx.exe 85 PID 2552 wrote to memory of 3740 2552 llrrlfx.exe 85 PID 3740 wrote to memory of 4004 3740 rxfxrlx.exe 86 PID 3740 wrote to memory of 4004 3740 rxfxrlx.exe 86 PID 3740 wrote to memory of 4004 3740 rxfxrlx.exe 86 PID 4004 wrote to memory of 3632 4004 tbhhhb.exe 87 PID 4004 wrote to memory of 3632 4004 tbhhhb.exe 87 PID 4004 wrote to memory of 3632 4004 tbhhhb.exe 87 PID 3632 wrote to memory of 3000 3632 dvjvv.exe 88 PID 3632 wrote to memory of 3000 3632 dvjvv.exe 88 PID 3632 wrote to memory of 3000 3632 dvjvv.exe 88 PID 3000 wrote to memory of 4952 3000 ntbbtb.exe 89 PID 3000 wrote to memory of 4952 3000 ntbbtb.exe 89 PID 3000 wrote to memory of 4952 3000 ntbbtb.exe 89 PID 4952 wrote to memory of 4468 4952 lfrlxrr.exe 90 PID 4952 wrote to memory of 4468 4952 lfrlxrr.exe 90 PID 4952 wrote to memory of 4468 4952 lfrlxrr.exe 90 PID 4468 wrote to memory of 924 4468 jppjp.exe 91 PID 4468 wrote to memory of 924 4468 jppjp.exe 91 PID 4468 wrote to memory of 924 4468 jppjp.exe 91 PID 924 wrote to memory of 1496 924 tttnnn.exe 92 PID 924 wrote to memory of 1496 924 tttnnn.exe 92 PID 924 wrote to memory of 1496 924 tttnnn.exe 92 PID 1496 wrote to memory of 1772 1496 jjdvj.exe 93 PID 1496 wrote to memory of 1772 1496 jjdvj.exe 93 PID 1496 wrote to memory of 1772 1496 jjdvj.exe 93 PID 1772 wrote to memory of 4400 1772 hthbtt.exe 94 PID 1772 wrote to memory of 
4400 1772 hthbtt.exe 94 PID 1772 wrote to memory of 4400 1772 hthbtt.exe 94 PID 4400 wrote to memory of 1424 4400 dvddv.exe 95 PID 4400 wrote to memory of 1424 4400 dvddv.exe 95 PID 4400 wrote to memory of 1424 4400 dvddv.exe 95 PID 1424 wrote to memory of 3660 1424 xrxrllf.exe 96 PID 1424 wrote to memory of 3660 1424 xrxrllf.exe 96 PID 1424 wrote to memory of 3660 1424 xrxrllf.exe 96 PID 3660 wrote to memory of 2688 3660 xfxrrrl.exe 97 PID 3660 wrote to memory of 2688 3660 xfxrrrl.exe 97 PID 3660 wrote to memory of 2688 3660 xfxrrrl.exe 97 PID 2688 wrote to memory of 4108 2688 vjjdv.exe 98 PID 2688 wrote to memory of 4108 2688 vjjdv.exe 98 PID 2688 wrote to memory of 4108 2688 vjjdv.exe 98 PID 4108 wrote to memory of 4824 4108 1fxxlxf.exe 99 PID 4108 wrote to memory of 4824 4108 1fxxlxf.exe 99 PID 4108 wrote to memory of 4824 4108 1fxxlxf.exe 99 PID 4824 wrote to memory of 4452 4824 ddjdv.exe 100 PID 4824 wrote to memory of 4452 4824 ddjdv.exe 100 PID 4824 wrote to memory of 4452 4824 ddjdv.exe 100 PID 4452 wrote to memory of 1800 4452 ffxrllf.exe 101 PID 4452 wrote to memory of 1800 4452 ffxrllf.exe 101 PID 4452 wrote to memory of 1800 4452 ffxrllf.exe 101 PID 1800 wrote to memory of 4820 1800 jdpjj.exe 102 PID 1800 wrote to memory of 4820 1800 jdpjj.exe 102 PID 1800 wrote to memory of 4820 1800 jdpjj.exe 102 PID 4820 wrote to memory of 2948 4820 5frlxxf.exe 103 PID 4820 wrote to memory of 2948 4820 5frlxxf.exe 103 PID 4820 wrote to memory of 2948 4820 5frlxxf.exe 103 PID 2948 wrote to memory of 3292 2948 5pjdd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe"C:\Users\Admin\AppData\Local\Temp\3a0d3d05378db2dd4094ab8db2c263eb08ed485263ea5bf1fcf1256412294c3e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3560 -
\??\c:\1vdvv.exec:\1vdvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4428 -
\??\c:\llrrlfx.exec:\llrrlfx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552 -
\??\c:\rxfxrlx.exec:\rxfxrlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
\??\c:\tbhhhb.exec:\tbhhhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4004 -
\??\c:\dvjvv.exec:\dvjvv.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632 -
\??\c:\ntbbtb.exec:\ntbbtb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
\??\c:\lfrlxrr.exec:\lfrlxrr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4952 -
\??\c:\jppjp.exec:\jppjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\tttnnn.exec:\tttnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924 -
\??\c:\jjdvj.exec:\jjdvj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1496 -
\??\c:\hthbtt.exec:\hthbtt.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
\??\c:\dvddv.exec:\dvddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400 -
\??\c:\xrxrllf.exec:\xrxrllf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424 -
\??\c:\xfxrrrl.exec:\xfxrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
\??\c:\vjjdv.exec:\vjjdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\1fxxlxf.exec:\1fxxlxf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4108 -
\??\c:\ddjdv.exec:\ddjdv.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4824 -
\??\c:\ffxrllf.exec:\ffxrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452 -
\??\c:\jdpjj.exec:\jdpjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
\??\c:\5frlxxf.exec:\5frlxxf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820 -
\??\c:\5pjdd.exec:\5pjdd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
\??\c:\rxfxxxx.exec:\rxfxxxx.exe23⤵
- Executes dropped EXE
PID:3292 -
\??\c:\3fxffrl.exec:\3fxffrl.exe24⤵
- Executes dropped EXE
PID:4296 -
\??\c:\9pjdv.exec:\9pjdv.exe25⤵
- Executes dropped EXE
PID:2464 -
\??\c:\nbbhbh.exec:\nbbhbh.exe26⤵
- Executes dropped EXE
PID:3452 -
\??\c:\fllllrr.exec:\fllllrr.exe27⤵
- Executes dropped EXE
PID:536 -
\??\c:\tntnbh.exec:\tntnbh.exe28⤵
- Executes dropped EXE
PID:4736 -
\??\c:\fffxxxr.exec:\fffxxxr.exe29⤵
- Executes dropped EXE
PID:4404 -
\??\c:\hnnhtt.exec:\hnnhtt.exe30⤵
- Executes dropped EXE
PID:2532 -
\??\c:\vvjpj.exec:\vvjpj.exe31⤵
- Executes dropped EXE
PID:1104 -
\??\c:\hbtbth.exec:\hbtbth.exe32⤵
- Executes dropped EXE
PID:3648 -
\??\c:\xlrrlrl.exec:\xlrrlrl.exe33⤵
- Executes dropped EXE
PID:5100 -
\??\c:\bhtbbh.exec:\bhtbbh.exe34⤵
- Executes dropped EXE
PID:1884 -
\??\c:\9ppjj.exec:\9ppjj.exe35⤵
- Executes dropped EXE
PID:3620 -
\??\c:\nhnhbb.exec:\nhnhbb.exe36⤵
- Executes dropped EXE
PID:2788 -
\??\c:\dvppv.exec:\dvppv.exe37⤵
- Executes dropped EXE
PID:3164 -
\??\c:\1ppjj.exec:\1ppjj.exe38⤵
- Executes dropped EXE
PID:920 -
\??\c:\lflfxfx.exec:\lflfxfx.exe39⤵
- Executes dropped EXE
PID:1516 -
\??\c:\bttbbt.exec:\bttbbt.exe40⤵
- Executes dropped EXE
PID:2220 -
\??\c:\jdjdd.exec:\jdjdd.exe41⤵
- Executes dropped EXE
PID:4680 -
\??\c:\xrfflff.exec:\xrfflff.exe42⤵
- Executes dropped EXE
PID:1616 -
\??\c:\hhnntb.exec:\hhnntb.exe43⤵
- Executes dropped EXE
PID:2296 -
\??\c:\nnhbbb.exec:\nnhbbb.exe44⤵
- Executes dropped EXE
PID:3188 -
\??\c:\dppvv.exec:\dppvv.exe45⤵
- Executes dropped EXE
PID:2040 -
\??\c:\xxxrxfr.exec:\xxxrxfr.exe46⤵
- Executes dropped EXE
PID:4448 -
\??\c:\bbbttn.exec:\bbbttn.exe47⤵
- Executes dropped EXE
PID:3556 -
\??\c:\htttnn.exec:\htttnn.exe48⤵
- Executes dropped EXE
PID:4508 -
\??\c:\5jvpp.exec:\5jvpp.exe49⤵
- Executes dropped EXE
PID:3304 -
\??\c:\xfrlfff.exec:\xfrlfff.exe50⤵
- Executes dropped EXE
PID:2552 -
\??\c:\hbhbtt.exec:\hbhbtt.exe51⤵
- Executes dropped EXE
PID:3512 -
\??\c:\3jjjv.exec:\3jjjv.exe52⤵
- Executes dropped EXE
PID:3740 -
\??\c:\jjpjd.exec:\jjpjd.exe53⤵
- Executes dropped EXE
PID:3792 -
\??\c:\lffxrrr.exec:\lffxrrr.exe54⤵
- Executes dropped EXE
PID:3436 -
\??\c:\bbnhhh.exec:\bbnhhh.exe55⤵
- Executes dropped EXE
PID:5064 -
\??\c:\nbhhhn.exec:\nbhhhn.exe56⤵
- Executes dropped EXE
PID:3632 -
\??\c:\jppjd.exec:\jppjd.exe57⤵
- Executes dropped EXE
PID:2964 -
\??\c:\vpvpj.exec:\vpvpj.exe58⤵
- Executes dropped EXE
PID:4316 -
\??\c:\xfllrrx.exec:\xfllrrx.exe59⤵
- Executes dropped EXE
PID:476 -
\??\c:\bnbttn.exec:\bnbttn.exe60⤵
- Executes dropped EXE
PID:1576 -
\??\c:\jjjdd.exec:\jjjdd.exe61⤵
- Executes dropped EXE
PID:4468 -
\??\c:\xxrrlrr.exec:\xxrrlrr.exe62⤵
- Executes dropped EXE
PID:924 -
\??\c:\xrrrllf.exec:\xrrrllf.exe63⤵
- Executes dropped EXE
PID:1120 -
\??\c:\ntbbtb.exec:\ntbbtb.exe64⤵
- Executes dropped EXE
PID:1140 -
\??\c:\jdpvp.exec:\jdpvp.exe65⤵
- Executes dropped EXE
PID:3276 -
\??\c:\1xlfflf.exec:\1xlfflf.exe66⤵PID:2228
-
\??\c:\fxlfllr.exec:\fxlfllr.exe67⤵PID:2360
-
\??\c:\bnthhh.exec:\bnthhh.exe68⤵PID:3468
-
\??\c:\vpddd.exec:\vpddd.exe69⤵PID:3660
-
\??\c:\pjvvp.exec:\pjvvp.exe70⤵PID:4964
-
\??\c:\7xxrflf.exec:\7xxrflf.exe71⤵PID:4884
-
\??\c:\btbtnn.exec:\btbtnn.exe72⤵PID:4564
-
\??\c:\nhnhnh.exec:\nhnhnh.exe73⤵PID:4824
-
\??\c:\1jjdv.exec:\1jjdv.exe74⤵PID:3820
-
\??\c:\lxfxffx.exec:\lxfxffx.exe75⤵PID:4600
-
\??\c:\7xflfff.exec:\7xflfff.exe76⤵PID:5016
-
\??\c:\hbbtnt.exec:\hbbtnt.exe77⤵PID:3824
-
\??\c:\vdjjd.exec:\vdjjd.exe78⤵PID:1508
-
\??\c:\jpdpj.exec:\jpdpj.exe79⤵PID:3568
-
\??\c:\frlllll.exec:\frlllll.exe80⤵PID:3124
-
\??\c:\rrxrfff.exec:\rrxrfff.exe81⤵PID:4836
-
\??\c:\3bhbbb.exec:\3bhbbb.exe82⤵PID:536
-
\??\c:\djddd.exec:\djddd.exe83⤵PID:3968
-
\??\c:\dvvdv.exec:\dvvdv.exe84⤵PID:2532
-
\??\c:\lfrlffx.exec:\lfrlffx.exe85⤵PID:2668
-
\??\c:\ttbtnn.exec:\ttbtnn.exe86⤵PID:1480
-
\??\c:\hhnnhh.exec:\hhnnhh.exe87⤵PID:1184
-
\??\c:\9pjjd.exec:\9pjjd.exe88⤵PID:692
-
\??\c:\jjvvj.exec:\jjvvj.exe89⤵PID:2724
-
\??\c:\xffxxrl.exec:\xffxxrl.exe90⤵PID:1108
-
\??\c:\fxllffx.exec:\fxllffx.exe91⤵PID:2932
-
\??\c:\3tbhbt.exec:\3tbhbt.exe92⤵PID:3156
-
\??\c:\9nnnnn.exec:\9nnnnn.exe93⤵PID:1816
-
\??\c:\pppjj.exec:\pppjj.exe94⤵PID:3548
-
\??\c:\llrlrrr.exec:\llrlrrr.exe95⤵PID:2536
-
\??\c:\1ttnht.exec:\1ttnht.exe96⤵PID:2296
-
\??\c:\ppddj.exec:\ppddj.exe97⤵PID:3696
-
\??\c:\xrxxllr.exec:\xrxxllr.exe98⤵PID:2132
-
\??\c:\lflfxxx.exec:\lflfxxx.exe99⤵PID:2620
-
\??\c:\tbhhhh.exec:\tbhhhh.exe100⤵PID:4448
-
\??\c:\djpjj.exec:\djpjj.exe101⤵PID:3056
-
\??\c:\jjpjj.exec:\jjpjj.exe102⤵PID:2968
-
\??\c:\7rxrlff.exec:\7rxrlff.exe103⤵PID:4932
-
\??\c:\ttbbtb.exec:\ttbbtb.exe104⤵PID:3604
-
\??\c:\vvjjd.exec:\vvjjd.exe105⤵PID:3472
-
\??\c:\dvdvp.exec:\dvdvp.exe106⤵PID:3736
-
\??\c:\xxflllr.exec:\xxflllr.exe107⤵PID:4516
-
\??\c:\nnbbth.exec:\nnbbth.exe108⤵PID:4012
-
\??\c:\bbnhbh.exec:\bbnhbh.exe109⤵
- System Location Discovery: System Language Discovery
PID:3636 -
\??\c:\9jddd.exec:\9jddd.exe110⤵PID:3632
-
\??\c:\vpppp.exec:\vpppp.exe111⤵PID:2012
-
\??\c:\xxlfxxf.exec:\xxlfxxf.exe112⤵PID:1444
-
\??\c:\3bhbhn.exec:\3bhbhn.exe113⤵PID:324
-
\??\c:\vvjpj.exec:\vvjpj.exe114⤵PID:2280
-
\??\c:\jdvpd.exec:\jdvpd.exe115⤵PID:4800
-
\??\c:\7frlrrr.exec:\7frlrrr.exe116⤵PID:388
-
\??\c:\bntthn.exec:\bntthn.exe117⤵PID:924
-
\??\c:\1ttnhn.exec:\1ttnhn.exe118⤵PID:1032
-
\??\c:\jppjd.exec:\jppjd.exe119⤵PID:2096
-
\??\c:\rxxxllf.exec:\rxxxllf.exe120⤵PID:3276
-
\??\c:\lfrlrxl.exec:\lfrlrxl.exe121⤵PID:2072
-
\??\c:\hbhttn.exec:\hbhttn.exe122⤵PID:1860