Analysis
-
max time kernel
120s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 01:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4.exe
Resource
win7-20240903-en
7 signatures
120 seconds
General
-
Target
3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4.exe
-
Size
455KB
-
MD5
fd29874125f0360d3a1e601663fad100
-
SHA1
658d7e04d299559f8f679a68d71db9382570ce1c
-
SHA256
3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4
-
SHA512
a480490c9c8f7f892812707c7247f40a67564c245a5aed8a9d5577454d2286cb5896408e4e24f56e4884cafd13d99748ffcbfecc9aa1f4904ba9ce249fab22ed
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeE:q7Tc2NYHUrAwfMp3CDE
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4048-5-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4412-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-19-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/228-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-44-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3888-43-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4572-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3124-50-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/904-65-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1288-71-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4760-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/936-83-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1752-99-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1888-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1440-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-115-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1576-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4676-144-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4068-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/808-166-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2808-173-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4808-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/948-188-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4996-204-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4408-208-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3656-211-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4852-214-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2292-218-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/64-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3592-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1972-251-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4800-255-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-259-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2936-272-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3396-276-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1100-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1332-290-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3720-309-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3496-316-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2980-332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1584-345-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1424-355-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1520-365-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/404-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2072-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4644-393-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1860-400-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4220-425-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3080-457-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-482-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-513-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3256-544-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4272-548-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4268-629-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/400-675-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/376-679-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2772-954-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2324-1699-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4148 5rxxxff.exe 400 xrrlfff.exe 4412 pdvpp.exe 228 vpjjj.exe 2936 thbttb.exe 3888 ffrlfll.exe 3976 ntbtnn.exe 3124 pjjdd.exe 4572 rflfflf.exe 904 btbtbb.exe 1288 fxxxrrr.exe 4760 lflffff.exe 936 jdjdd.exe 1508 9nnbtt.exe 1440 dddjd.exe 1752 xrxrllf.exe 1888 tnhhbt.exe 1576 pdpjv.exe 4272 pdpdv.exe 4916 xrrxrrr.exe 4128 bnbtnn.exe 4508 nhtnhn.exe 4500 rxxrlfx.exe 4676 7nnhbb.exe 3668 xfffxrl.exe 4492 vvdvv.exe 4068 fxxrlll.exe 808 jdjpd.exe 2808 ffxfllr.exe 4808 bthhbb.exe 3476 hbbbtt.exe 948 xrrlffx.exe 3928 hntnbb.exe 4452 rfrllff.exe 1468 rfrfxxl.exe 384 nnbbbh.exe 4996 rlxxffl.exe 4408 bttbht.exe 3656 vjpjj.exe 4852 frlffxf.exe 2292 7bthnn.exe 1552 5ppvp.exe 2324 lfrlllf.exe 3760 nbnhbb.exe 64 jjpvp.exe 3592 fllxlfr.exe 3056 hnnbht.exe 4396 dvvpp.exe 4252 rxfxrrr.exe 1068 nttttb.exe 1972 jvdpj.exe 4800 fxlfllx.exe 400 hbnbtt.exe 4792 vvppv.exe 2076 7xfxrrl.exe 4152 ntnhhh.exe 2936 jvdvp.exe 3396 3xxfxxx.exe 2228 9hbtbh.exe 3748 7jjdv.exe 1100 rfrlfff.exe 1332 1nnhbb.exe 1512 djdpp.exe 704 xxxrrlf.exe -
resource yara_rule behavioral2/memory/4048-5-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4412-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-19-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/228-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3976-44-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3888-43-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4572-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3124-50-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/904-65-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1288-71-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/936-83-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1752-99-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1888-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1440-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1576-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4676-144-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4068-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/808-166-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2808-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4808-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/948-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4996-204-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4408-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3656-211-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4852-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2292-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2324-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/64-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3592-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1972-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4800-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2936-272-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3396-276-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1100-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1332-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3720-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3496-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2980-332-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1584-345-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1424-355-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1520-365-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/404-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2072-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-393-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1860-400-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4220-425-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3080-457-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-482-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-513-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3256-544-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4272-548-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1492-586-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4268-629-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/400-675-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/376-679-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbbbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfffll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffrrxxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tthhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jjjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flfrfrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4048 wrote to memory of 4148 4048 3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4.exe 82 PID 4048 wrote to memory of 4148 4048 3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4.exe 82 PID 4048 wrote to memory of 4148 4048 3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4.exe 82 PID 4148 wrote to memory of 400 4148 5rxxxff.exe 83 PID 4148 wrote to memory of 400 4148 5rxxxff.exe 83 PID 4148 wrote to memory of 400 4148 5rxxxff.exe 83 PID 400 wrote to memory of 4412 400 xrrlfff.exe 84 PID 400 wrote to memory of 4412 400 xrrlfff.exe 84 PID 400 wrote to memory of 4412 400 xrrlfff.exe 84 PID 4412 wrote to memory of 228 4412 pdvpp.exe 85 PID 4412 wrote to memory of 228 4412 pdvpp.exe 85 PID 4412 wrote to memory of 228 4412 pdvpp.exe 85 PID 228 wrote to memory of 2936 228 vpjjj.exe 86 PID 228 wrote to memory of 2936 228 vpjjj.exe 86 PID 228 wrote to memory of 2936 228 vpjjj.exe 86 PID 2936 wrote to memory of 3888 2936 thbttb.exe 87 PID 2936 wrote to memory of 3888 2936 thbttb.exe 87 PID 2936 wrote to memory of 3888 2936 thbttb.exe 87 PID 3888 wrote to memory of 3976 3888 ffrlfll.exe 88 PID 3888 wrote to memory of 3976 3888 ffrlfll.exe 88 PID 3888 wrote to memory of 3976 3888 ffrlfll.exe 88 PID 3976 wrote to memory of 3124 3976 ntbtnn.exe 89 PID 3976 wrote to memory of 3124 3976 ntbtnn.exe 89 PID 3976 wrote to memory of 3124 3976 ntbtnn.exe 89 PID 3124 wrote to memory of 4572 3124 pjjdd.exe 90 PID 3124 wrote to memory of 4572 3124 pjjdd.exe 90 PID 3124 wrote to memory of 4572 3124 pjjdd.exe 90 PID 4572 wrote to memory of 904 4572 rflfflf.exe 91 PID 4572 wrote to memory of 904 4572 rflfflf.exe 91 PID 4572 wrote to memory of 904 4572 rflfflf.exe 91 PID 904 wrote to memory of 1288 904 btbtbb.exe 92 PID 904 wrote to memory of 1288 904 btbtbb.exe 92 PID 904 wrote to memory of 1288 904 btbtbb.exe 92 PID 1288 wrote to memory of 4760 1288 fxxxrrr.exe 93 PID 1288 wrote to memory of 4760 1288 
fxxxrrr.exe 93 PID 1288 wrote to memory of 4760 1288 fxxxrrr.exe 93 PID 4760 wrote to memory of 936 4760 lflffff.exe 94 PID 4760 wrote to memory of 936 4760 lflffff.exe 94 PID 4760 wrote to memory of 936 4760 lflffff.exe 94 PID 936 wrote to memory of 1508 936 jdjdd.exe 95 PID 936 wrote to memory of 1508 936 jdjdd.exe 95 PID 936 wrote to memory of 1508 936 jdjdd.exe 95 PID 1508 wrote to memory of 1440 1508 9nnbtt.exe 96 PID 1508 wrote to memory of 1440 1508 9nnbtt.exe 96 PID 1508 wrote to memory of 1440 1508 9nnbtt.exe 96 PID 1440 wrote to memory of 1752 1440 dddjd.exe 97 PID 1440 wrote to memory of 1752 1440 dddjd.exe 97 PID 1440 wrote to memory of 1752 1440 dddjd.exe 97 PID 1752 wrote to memory of 1888 1752 xrxrllf.exe 98 PID 1752 wrote to memory of 1888 1752 xrxrllf.exe 98 PID 1752 wrote to memory of 1888 1752 xrxrllf.exe 98 PID 1888 wrote to memory of 1576 1888 tnhhbt.exe 99 PID 1888 wrote to memory of 1576 1888 tnhhbt.exe 99 PID 1888 wrote to memory of 1576 1888 tnhhbt.exe 99 PID 1576 wrote to memory of 4272 1576 pdpjv.exe 100 PID 1576 wrote to memory of 4272 1576 pdpjv.exe 100 PID 1576 wrote to memory of 4272 1576 pdpjv.exe 100 PID 4272 wrote to memory of 4916 4272 pdpdv.exe 101 PID 4272 wrote to memory of 4916 4272 pdpdv.exe 101 PID 4272 wrote to memory of 4916 4272 pdpdv.exe 101 PID 4916 wrote to memory of 4128 4916 xrrxrrr.exe 102 PID 4916 wrote to memory of 4128 4916 xrrxrrr.exe 102 PID 4916 wrote to memory of 4128 4916 xrrxrrr.exe 102 PID 4128 wrote to memory of 4508 4128 bnbtnn.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4.exe"C:\Users\Admin\AppData\Local\Temp\3fc0d66009d49d5cc86c430bded5981586251e78abe5a432bcdec58cf5287aa4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4048 -
\??\c:\5rxxxff.exec:\5rxxxff.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4148 -
\??\c:\xrrlfff.exec:\xrrlfff.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
\??\c:\pdvpp.exec:\pdvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4412 -
\??\c:\vpjjj.exec:\vpjjj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228 -
\??\c:\thbttb.exec:\thbttb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
\??\c:\ffrlfll.exec:\ffrlfll.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888 -
\??\c:\ntbtnn.exec:\ntbtnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976 -
\??\c:\pjjdd.exec:\pjjdd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124 -
\??\c:\rflfflf.exec:\rflfflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
\??\c:\btbtbb.exec:\btbtbb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
\??\c:\fxxxrrr.exec:\fxxxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1288 -
\??\c:\lflffff.exec:\lflffff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4760 -
\??\c:\jdjdd.exec:\jdjdd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:936 -
\??\c:\9nnbtt.exec:\9nnbtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
\??\c:\dddjd.exec:\dddjd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1440 -
\??\c:\xrxrllf.exec:\xrxrllf.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1752 -
\??\c:\tnhhbt.exec:\tnhhbt.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
\??\c:\pdpjv.exec:\pdpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
\??\c:\pdpdv.exec:\pdpdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4272 -
\??\c:\xrrxrrr.exec:\xrrxrrr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
\??\c:\bnbtnn.exec:\bnbtnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
\??\c:\nhtnhn.exec:\nhtnhn.exe23⤵
- Executes dropped EXE
PID:4508 -
\??\c:\rxxrlfx.exec:\rxxrlfx.exe24⤵
- Executes dropped EXE
PID:4500 -
\??\c:\7nnhbb.exec:\7nnhbb.exe25⤵
- Executes dropped EXE
PID:4676 -
\??\c:\xfffxrl.exec:\xfffxrl.exe26⤵
- Executes dropped EXE
PID:3668 -
\??\c:\vvdvv.exec:\vvdvv.exe27⤵
- Executes dropped EXE
PID:4492 -
\??\c:\fxxrlll.exec:\fxxrlll.exe28⤵
- Executes dropped EXE
PID:4068 -
\??\c:\jdjpd.exec:\jdjpd.exe29⤵
- Executes dropped EXE
PID:808 -
\??\c:\ffxfllr.exec:\ffxfllr.exe30⤵
- Executes dropped EXE
PID:2808 -
\??\c:\bthhbb.exec:\bthhbb.exe31⤵
- Executes dropped EXE
PID:4808 -
\??\c:\hbbbtt.exec:\hbbbtt.exe32⤵
- Executes dropped EXE
PID:3476 -
\??\c:\xrrlffx.exec:\xrrlffx.exe33⤵
- Executes dropped EXE
PID:948 -
\??\c:\hntnbb.exec:\hntnbb.exe34⤵
- Executes dropped EXE
PID:3928 -
\??\c:\rfrllff.exec:\rfrllff.exe35⤵
- Executes dropped EXE
PID:4452 -
\??\c:\rfrfxxl.exec:\rfrfxxl.exe36⤵
- Executes dropped EXE
PID:1468 -
\??\c:\nnbbbh.exec:\nnbbbh.exe37⤵
- Executes dropped EXE
PID:384 -
\??\c:\rlxxffl.exec:\rlxxffl.exe38⤵
- Executes dropped EXE
PID:4996 -
\??\c:\bttbht.exec:\bttbht.exe39⤵
- Executes dropped EXE
PID:4408 -
\??\c:\vjpjj.exec:\vjpjj.exe40⤵
- Executes dropped EXE
PID:3656 -
\??\c:\frlffxf.exec:\frlffxf.exe41⤵
- Executes dropped EXE
PID:4852 -
\??\c:\7bthnn.exec:\7bthnn.exe42⤵
- Executes dropped EXE
PID:2292 -
\??\c:\5ppvp.exec:\5ppvp.exe43⤵
- Executes dropped EXE
PID:1552 -
\??\c:\lfrlllf.exec:\lfrlllf.exe44⤵
- Executes dropped EXE
PID:2324 -
\??\c:\nbnhbb.exec:\nbnhbb.exe45⤵
- Executes dropped EXE
PID:3760 -
\??\c:\jjpvp.exec:\jjpvp.exe46⤵
- Executes dropped EXE
PID:64 -
\??\c:\fllxlfr.exec:\fllxlfr.exe47⤵
- Executes dropped EXE
PID:3592 -
\??\c:\hnnbht.exec:\hnnbht.exe48⤵
- Executes dropped EXE
PID:3056 -
\??\c:\dvvpp.exec:\dvvpp.exe49⤵
- Executes dropped EXE
PID:4396 -
\??\c:\rxfxrrr.exec:\rxfxrrr.exe50⤵
- Executes dropped EXE
PID:4252 -
\??\c:\nttttb.exec:\nttttb.exe51⤵
- Executes dropped EXE
PID:1068 -
\??\c:\jvdpj.exec:\jvdpj.exe52⤵
- Executes dropped EXE
PID:1972 -
\??\c:\fxlfllx.exec:\fxlfllx.exe53⤵
- Executes dropped EXE
PID:4800 -
\??\c:\hbnbtt.exec:\hbnbtt.exe54⤵
- Executes dropped EXE
PID:400 -
\??\c:\vvppv.exec:\vvppv.exe55⤵
- Executes dropped EXE
PID:4792 -
\??\c:\7xfxrrl.exec:\7xfxrrl.exe56⤵
- Executes dropped EXE
PID:2076 -
\??\c:\ntnhhh.exec:\ntnhhh.exe57⤵
- Executes dropped EXE
PID:4152 -
\??\c:\jvdvp.exec:\jvdvp.exe58⤵
- Executes dropped EXE
PID:2936 -
\??\c:\3xxfxxx.exec:\3xxfxxx.exe59⤵
- Executes dropped EXE
PID:3396 -
\??\c:\9hbtbh.exec:\9hbtbh.exe60⤵
- Executes dropped EXE
PID:2228 -
\??\c:\7jjdv.exec:\7jjdv.exe61⤵
- Executes dropped EXE
PID:3748 -
\??\c:\rfrlfff.exec:\rfrlfff.exe62⤵
- Executes dropped EXE
PID:1100 -
\??\c:\1nnhbb.exec:\1nnhbb.exe63⤵
- Executes dropped EXE
PID:1332 -
\??\c:\djdpp.exec:\djdpp.exe64⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xxxrrlf.exec:\xxxrrlf.exe65⤵
- Executes dropped EXE
PID:704 -
\??\c:\bhtnhb.exec:\bhtnhb.exe66⤵PID:2876
-
\??\c:\3pjpj.exec:\3pjpj.exe67⤵PID:2864
-
\??\c:\7fxrrxx.exec:\7fxrrxx.exe68⤵PID:4664
-
\??\c:\bbhbbb.exec:\bbhbbb.exe69⤵PID:3720
-
\??\c:\ppvpj.exec:\ppvpj.exe70⤵PID:2856
-
\??\c:\frfrrrf.exec:\frfrrrf.exe71⤵PID:3496
-
\??\c:\3dddv.exec:\3dddv.exe72⤵PID:5080
-
\??\c:\jddpj.exec:\jddpj.exe73⤵PID:1664
-
\??\c:\fffxxrr.exec:\fffxxrr.exe74⤵PID:8
-
\??\c:\ttbbht.exec:\ttbbht.exe75⤵PID:4024
-
\??\c:\pjjdp.exec:\pjjdp.exe76⤵PID:2980
-
\??\c:\frffxfx.exec:\frffxfx.exe77⤵PID:5092
-
\??\c:\hbthbb.exec:\hbthbb.exe78⤵PID:3364
-
\??\c:\dpppp.exec:\dpppp.exe79⤵PID:1652
-
\??\c:\vjddv.exec:\vjddv.exe80⤵PID:1584
-
\??\c:\lflrrlr.exec:\lflrrlr.exe81⤵PID:1412
-
\??\c:\tbbtnh.exec:\tbbtnh.exe82⤵PID:4348
-
\??\c:\pdvpj.exec:\pdvpj.exe83⤵PID:1424
-
\??\c:\xllfxxr.exec:\xllfxxr.exe84⤵PID:4668
-
\??\c:\dpvvp.exec:\dpvvp.exe85⤵PID:2232
-
\??\c:\fxfrfxr.exec:\fxfrfxr.exe86⤵PID:1520
-
\??\c:\ttntbn.exec:\ttntbn.exe87⤵PID:1536
-
\??\c:\pvjjd.exec:\pvjjd.exe88⤵PID:2368
-
\??\c:\fxxrlff.exec:\fxxrlff.exe89⤵PID:2824
-
\??\c:\htbthb.exec:\htbthb.exe90⤵PID:404
-
\??\c:\1vvvp.exec:\1vvvp.exe91⤵PID:1064
-
\??\c:\rfxffll.exec:\rfxffll.exe92⤵PID:2072
-
\??\c:\7rxrrff.exec:\7rxrrff.exe93⤵PID:1388
-
\??\c:\tnbbnb.exec:\tnbbnb.exe94⤵PID:4644
-
\??\c:\9vvdv.exec:\9vvdv.exe95⤵PID:768
-
\??\c:\llxrxxf.exec:\llxrxxf.exe96⤵PID:1860
-
\??\c:\bnbhth.exec:\bnbhth.exe97⤵PID:624
-
\??\c:\3hhbtt.exec:\3hhbtt.exe98⤵PID:4160
-
\??\c:\vpvvp.exec:\vpvvp.exe99⤵PID:1044
-
\??\c:\rxfxxxr.exec:\rxfxxxr.exe100⤵PID:3168
-
\??\c:\ttthtt.exec:\ttthtt.exe101⤵PID:2656
-
\??\c:\jvppj.exec:\jvppj.exe102⤵PID:836
-
\??\c:\1djdv.exec:\1djdv.exe103⤵PID:3000
-
\??\c:\ffrlrlr.exec:\ffrlrlr.exe104⤵PID:4220
-
\??\c:\nbhhbb.exec:\nbhhbb.exe105⤵PID:1680
-
\??\c:\jvppj.exec:\jvppj.exe106⤵PID:4480
-
\??\c:\xxlfxrl.exec:\xxlfxrl.exe107⤵PID:388
-
\??\c:\9tbbhn.exec:\9tbbhn.exe108⤵PID:1340
-
\??\c:\jdvpd.exec:\jdvpd.exe109⤵PID:3284
-
\??\c:\rrrlfff.exec:\rrrlfff.exe110⤵PID:224
-
\??\c:\thhbtt.exec:\thhbtt.exe111⤵PID:3508
-
\??\c:\jjjdv.exec:\jjjdv.exe112⤵PID:4008
-
\??\c:\vvdpj.exec:\vvdpj.exe113⤵PID:844
-
\??\c:\llfxxxx.exec:\llfxxxx.exe114⤵PID:4588
-
\??\c:\nntnnh.exec:\nntnnh.exe115⤵PID:3080
-
\??\c:\jvdvv.exec:\jvdvv.exe116⤵PID:3684
-
\??\c:\lfrlflf.exec:\lfrlflf.exe117⤵PID:376
-
\??\c:\nhbbtt.exec:\nhbbtt.exe118⤵PID:1428
-
\??\c:\nhnbht.exec:\nhnbht.exe119⤵PID:2276
-
\??\c:\dvdvp.exec:\dvdvp.exe120⤵PID:1696
-
\??\c:\xxfrrlf.exec:\xxfrrlf.exe121⤵PID:2516
-
\??\c:\1nnhbh.exec:\1nnhbh.exe122⤵PID:4848