Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
19-12-2024 08:31
Behavioral task
behavioral1
Sample
3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe
-
Size
67KB
-
MD5
e9941016f1ec9341b0292b4fec81b700
-
SHA1
2fc9acb4124955e5ef0c90ce63a83cfb710dbd17
-
SHA256
3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5
-
SHA512
b5c7b2d8b1428dcfc12e21c59cc6c7938feea84af51c784165ef6b7a864ca80fa09f56876e8c32ebcdadff4f7e02d9c832bd31b29dad41b4a8fed41cf986b19a
-
SSDEEP
1536:/vQBeOGtrYS3srx93UBWfwC6Ggnouy8jb5DiLKrb08I:/hOmTsF93UYfwC6GIoutcKb+
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/2392-4-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3872-11-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/456-18-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3240-13-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3100-27-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3588-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3904-40-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3436-45-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4624-51-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1716-57-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4872-65-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4036-66-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3836-76-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5080-87-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/112-98-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-104-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-110-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2772-121-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2664-126-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2132-132-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1176-137-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4432-144-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3992-152-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4588-157-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3172-163-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1304-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4832-174-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4532-184-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-195-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2272-194-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4256-210-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/868-209-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4508-216-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1224-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-230-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4472-268-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4952-284-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-291-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3560-298-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1284-302-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3252-313-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4540-324-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/388-337-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2468-341-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3972-352-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1728-365-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/828-384-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1740-394-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2704-396-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-400-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/220-406-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2968-418-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/928-434-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3604-447-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1524-460-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2332-467-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5116-492-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5016-559-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-578-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/548-600-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4404-605-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1988-647-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/1124-883-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 3872 flflxlx.exe 3240 hnnnhb.exe 456 1vvpj.exe 3100 jddpj.exe 3588 7thbbt.exe 3904 jjdvj.exe 3436 vpjpj.exe 4624 5lfxlfx.exe 1716 nhhtnn.exe 4872 pdddv.exe 4036 rrfxfxf.exe 3836 rlllflf.exe 4644 3ddpj.exe 5080 vjjdv.exe 3752 lfllffr.exe 112 bhnnhb.exe 4844 vjdvp.exe 4072 jdddd.exe 3580 9rlxrlf.exe 2772 bhnhbt.exe 2664 jvpvj.exe 2132 dvjdp.exe 1176 1xrlffx.exe 4432 tnhbtt.exe 3992 1nbnnh.exe 4588 dvvpj.exe 3172 frflxxr.exe 1304 3nnhtt.exe 4832 5vppj.exe 4384 lffxxrf.exe 4532 1ffrffr.exe 4664 7hbtbb.exe 2480 9bnhtt.exe 2272 ddddd.exe 1512 rlflrlx.exe 940 xxxrlrl.exe 868 nnttnn.exe 4256 nhthbt.exe 4508 pvvvv.exe 3268 1flrfff.exe 3180 ffxllxr.exe 1224 5btbhh.exe 4404 bnnnnn.exe 1088 vvvpp.exe 2988 ddpjv.exe 1040 fflxrxx.exe 4752 hhthbt.exe 1624 vjvpp.exe 4152 9pjjd.exe 412 9lxrlll.exe 4560 thhhnn.exe 4052 nnnhbb.exe 3604 jjpjj.exe 536 xxxxxxx.exe 4472 tnbntt.exe 4340 hbhbbb.exe 5092 nntnnn.exe 2296 3jdvp.exe 1880 lrxxrxx.exe 4952 5lrrllr.exe 1576 ntbntt.exe 1632 vvdvd.exe 4524 1djpj.exe 3560 pjjjj.exe -
resource yara_rule behavioral2/memory/2392-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b19-3.dat upx behavioral2/memory/2392-4-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3872-11-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b6c-8.dat upx behavioral2/memory/456-18-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b77-22.dat upx behavioral2/memory/3100-24-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x0031000000023b76-15.dat upx behavioral2/memory/3240-13-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b78-28.dat upx behavioral2/memory/3100-27-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b79-32.dat upx behavioral2/memory/3588-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7a-38.dat upx behavioral2/memory/3904-40-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7b-44.dat upx behavioral2/memory/3436-45-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7d-49.dat upx behavioral2/memory/4624-51-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7e-55.dat upx behavioral2/memory/1716-57-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b7f-61.dat upx behavioral2/memory/4872-65-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4036-66-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3836-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b80-69.dat upx behavioral2/files/0x000a000000023b81-74.dat upx behavioral2/memory/3836-76-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b82-80.dat upx 
behavioral2/files/0x000a000000023b83-85.dat upx behavioral2/memory/5080-87-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b84-92.dat upx behavioral2/memory/112-98-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b85-99.dat upx behavioral2/memory/4844-104-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b86-102.dat upx behavioral2/files/0x000a000000023b87-108.dat upx behavioral2/memory/4072-110-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b88-115.dat upx behavioral2/files/0x000a000000023b89-119.dat upx behavioral2/memory/2772-121-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8a-125.dat upx behavioral2/memory/2664-126-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8b-130.dat upx behavioral2/memory/2132-132-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8c-138.dat upx behavioral2/memory/1176-137-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8d-142.dat upx behavioral2/memory/4432-144-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8e-149.dat upx behavioral2/memory/3992-152-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000d000000023b73-154.dat upx behavioral2/memory/4588-157-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b8f-159.dat upx behavioral2/memory/3172-163-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b90-168.dat upx behavioral2/memory/1304-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4832-174-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b91-172.dat upx behavioral2/files/0x000a000000023b92-178.dat upx 
behavioral2/files/0x000a000000023b93-185.dat upx behavioral2/memory/4532-184-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2480-195-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbtn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jdppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfxrlrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnttnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rxxfxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3htbbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lllffxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjddj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbhhtt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3dvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lxfllxr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2392 wrote to memory of 3872 2392 3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe 83 PID 2392 wrote to memory of 3872 2392 3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe 83 PID 2392 wrote to memory of 3872 2392 3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe 83 PID 3872 wrote to memory of 3240 3872 flflxlx.exe 84 PID 3872 wrote to memory of 3240 3872 flflxlx.exe 84 PID 3872 wrote to memory of 3240 3872 flflxlx.exe 84 PID 3240 wrote to memory of 456 3240 hnnnhb.exe 85 PID 3240 wrote to memory of 456 3240 hnnnhb.exe 85 PID 3240 wrote to memory of 456 3240 hnnnhb.exe 85 PID 456 wrote to memory of 3100 456 1vvpj.exe 86 PID 456 wrote to memory of 3100 456 1vvpj.exe 86 PID 456 wrote to memory of 3100 456 1vvpj.exe 86 PID 3100 wrote to memory of 3588 3100 jddpj.exe 87 PID 3100 wrote to memory of 3588 3100 jddpj.exe 87 PID 3100 wrote to memory of 3588 3100 jddpj.exe 87 PID 3588 wrote to memory of 3904 3588 7thbbt.exe 88 PID 3588 wrote to memory of 3904 3588 7thbbt.exe 88 PID 3588 wrote to memory of 3904 3588 7thbbt.exe 88 PID 3904 wrote to memory of 3436 3904 jjdvj.exe 89 PID 3904 wrote to memory of 3436 3904 jjdvj.exe 89 PID 3904 wrote to memory of 3436 3904 jjdvj.exe 89 PID 3436 wrote to memory of 4624 3436 vpjpj.exe 90 PID 3436 wrote to memory of 4624 3436 vpjpj.exe 90 PID 3436 wrote to memory of 4624 3436 vpjpj.exe 90 PID 4624 wrote to memory of 1716 4624 5lfxlfx.exe 91 PID 4624 wrote to memory of 1716 4624 5lfxlfx.exe 91 PID 4624 wrote to memory of 1716 4624 5lfxlfx.exe 91 PID 1716 wrote to memory of 4872 1716 nhhtnn.exe 92 PID 1716 wrote to memory of 4872 1716 nhhtnn.exe 92 PID 1716 wrote to memory of 4872 1716 nhhtnn.exe 92 PID 4872 wrote to memory of 4036 4872 pdddv.exe 93 PID 4872 wrote to memory of 4036 4872 pdddv.exe 93 PID 4872 wrote to memory of 4036 4872 pdddv.exe 93 PID 4036 wrote to memory of 3836 4036 rrfxfxf.exe 94 PID 4036 wrote to memory of 3836 
4036 rrfxfxf.exe 94 PID 4036 wrote to memory of 3836 4036 rrfxfxf.exe 94 PID 3836 wrote to memory of 4644 3836 rlllflf.exe 95 PID 3836 wrote to memory of 4644 3836 rlllflf.exe 95 PID 3836 wrote to memory of 4644 3836 rlllflf.exe 95 PID 4644 wrote to memory of 5080 4644 3ddpj.exe 96 PID 4644 wrote to memory of 5080 4644 3ddpj.exe 96 PID 4644 wrote to memory of 5080 4644 3ddpj.exe 96 PID 5080 wrote to memory of 3752 5080 vjjdv.exe 97 PID 5080 wrote to memory of 3752 5080 vjjdv.exe 97 PID 5080 wrote to memory of 3752 5080 vjjdv.exe 97 PID 3752 wrote to memory of 112 3752 lfllffr.exe 98 PID 3752 wrote to memory of 112 3752 lfllffr.exe 98 PID 3752 wrote to memory of 112 3752 lfllffr.exe 98 PID 112 wrote to memory of 4844 112 bhnnhb.exe 99 PID 112 wrote to memory of 4844 112 bhnnhb.exe 99 PID 112 wrote to memory of 4844 112 bhnnhb.exe 99 PID 4844 wrote to memory of 4072 4844 vjdvp.exe 100 PID 4844 wrote to memory of 4072 4844 vjdvp.exe 100 PID 4844 wrote to memory of 4072 4844 vjdvp.exe 100 PID 4072 wrote to memory of 3580 4072 jdddd.exe 101 PID 4072 wrote to memory of 3580 4072 jdddd.exe 101 PID 4072 wrote to memory of 3580 4072 jdddd.exe 101 PID 3580 wrote to memory of 2772 3580 9rlxrlf.exe 102 PID 3580 wrote to memory of 2772 3580 9rlxrlf.exe 102 PID 3580 wrote to memory of 2772 3580 9rlxrlf.exe 102 PID 2772 wrote to memory of 2664 2772 bhnhbt.exe 103 PID 2772 wrote to memory of 2664 2772 bhnhbt.exe 103 PID 2772 wrote to memory of 2664 2772 bhnhbt.exe 103 PID 2664 wrote to memory of 2132 2664 jvpvj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe"C:\Users\Admin\AppData\Local\Temp\3b0dc89475af68a7d4f52088f48bcc2633c58d1f46b7fd7f2a5b66663d8a12e5N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2392 -
\??\c:\flflxlx.exec:\flflxlx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3872 -
\??\c:\hnnnhb.exec:\hnnnhb.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3240 -
\??\c:\1vvpj.exec:\1vvpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:456 -
\??\c:\jddpj.exec:\jddpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
\??\c:\7thbbt.exec:\7thbbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3588 -
\??\c:\jjdvj.exec:\jjdvj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904 -
\??\c:\vpjpj.exec:\vpjpj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
\??\c:\5lfxlfx.exec:\5lfxlfx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\nhhtnn.exec:\nhhtnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716 -
\??\c:\pdddv.exec:\pdddv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872 -
\??\c:\rrfxfxf.exec:\rrfxfxf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
\??\c:\rlllflf.exec:\rlllflf.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3836 -
\??\c:\3ddpj.exec:\3ddpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4644 -
\??\c:\vjjdv.exec:\vjjdv.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080 -
\??\c:\lfllffr.exec:\lfllffr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3752 -
\??\c:\bhnnhb.exec:\bhnnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:112 -
\??\c:\vjdvp.exec:\vjdvp.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\jdddd.exec:\jdddd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4072 -
\??\c:\9rlxrlf.exec:\9rlxrlf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3580 -
\??\c:\bhnhbt.exec:\bhnhbt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
\??\c:\jvpvj.exec:\jvpvj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664 -
\??\c:\dvjdp.exec:\dvjdp.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
\??\c:\1xrlffx.exec:\1xrlffx.exe24⤵
- Executes dropped EXE
PID:1176 -
\??\c:\tnhbtt.exec:\tnhbtt.exe25⤵
- Executes dropped EXE
PID:4432 -
\??\c:\1nbnnh.exec:\1nbnnh.exe26⤵
- Executes dropped EXE
PID:3992 -
\??\c:\dvvpj.exec:\dvvpj.exe27⤵
- Executes dropped EXE
PID:4588 -
\??\c:\frflxxr.exec:\frflxxr.exe28⤵
- Executes dropped EXE
PID:3172 -
\??\c:\3nnhtt.exec:\3nnhtt.exe29⤵
- Executes dropped EXE
PID:1304 -
\??\c:\5vppj.exec:\5vppj.exe30⤵
- Executes dropped EXE
PID:4832 -
\??\c:\lffxxrf.exec:\lffxxrf.exe31⤵
- Executes dropped EXE
PID:4384 -
\??\c:\1ffrffr.exec:\1ffrffr.exe32⤵
- Executes dropped EXE
PID:4532 -
\??\c:\7hbtbb.exec:\7hbtbb.exe33⤵
- Executes dropped EXE
PID:4664 -
\??\c:\9bnhtt.exec:\9bnhtt.exe34⤵
- Executes dropped EXE
PID:2480 -
\??\c:\ddddd.exec:\ddddd.exe35⤵
- Executes dropped EXE
PID:2272 -
\??\c:\rlflrlx.exec:\rlflrlx.exe36⤵
- Executes dropped EXE
PID:1512 -
\??\c:\xxxrlrl.exec:\xxxrlrl.exe37⤵
- Executes dropped EXE
PID:940 -
\??\c:\nnttnn.exec:\nnttnn.exe38⤵
- Executes dropped EXE
PID:868 -
\??\c:\nhthbt.exec:\nhthbt.exe39⤵
- Executes dropped EXE
PID:4256 -
\??\c:\pvvvv.exec:\pvvvv.exe40⤵
- Executes dropped EXE
PID:4508 -
\??\c:\1flrfff.exec:\1flrfff.exe41⤵
- Executes dropped EXE
PID:3268 -
\??\c:\ffxllxr.exec:\ffxllxr.exe42⤵
- Executes dropped EXE
PID:3180 -
\??\c:\5btbhh.exec:\5btbhh.exe43⤵
- Executes dropped EXE
PID:1224 -
\??\c:\bnnnnn.exec:\bnnnnn.exe44⤵
- Executes dropped EXE
PID:4404 -
\??\c:\vvvpp.exec:\vvvpp.exe45⤵
- Executes dropped EXE
PID:1088 -
\??\c:\ddpjv.exec:\ddpjv.exe46⤵
- Executes dropped EXE
PID:2988 -
\??\c:\fflxrxx.exec:\fflxrxx.exe47⤵
- Executes dropped EXE
PID:1040 -
\??\c:\hhthbt.exec:\hhthbt.exe48⤵
- Executes dropped EXE
PID:4752 -
\??\c:\vjvpp.exec:\vjvpp.exe49⤵
- Executes dropped EXE
PID:1624 -
\??\c:\9pjjd.exec:\9pjjd.exe50⤵
- Executes dropped EXE
PID:4152 -
\??\c:\9lxrlll.exec:\9lxrlll.exe51⤵
- Executes dropped EXE
PID:412 -
\??\c:\thhhnn.exec:\thhhnn.exe52⤵
- Executes dropped EXE
PID:4560 -
\??\c:\nnnhbb.exec:\nnnhbb.exe53⤵
- Executes dropped EXE
PID:4052 -
\??\c:\jjpjj.exec:\jjpjj.exe54⤵
- Executes dropped EXE
PID:3604 -
\??\c:\xxxxxxx.exec:\xxxxxxx.exe55⤵
- Executes dropped EXE
PID:536 -
\??\c:\tnbntt.exec:\tnbntt.exe56⤵
- Executes dropped EXE
PID:4472 -
\??\c:\hbhbbb.exec:\hbhbbb.exe57⤵
- Executes dropped EXE
PID:4340 -
\??\c:\nntnnn.exec:\nntnnn.exe58⤵
- Executes dropped EXE
PID:5092 -
\??\c:\3jdvp.exec:\3jdvp.exe59⤵
- Executes dropped EXE
PID:2296 -
\??\c:\lrxxrxx.exec:\lrxxrxx.exe60⤵
- Executes dropped EXE
PID:1880 -
\??\c:\5lrrllr.exec:\5lrrllr.exe61⤵
- Executes dropped EXE
PID:4952 -
\??\c:\ntbntt.exec:\ntbntt.exe62⤵
- Executes dropped EXE
PID:1576 -
\??\c:\vvdvd.exec:\vvdvd.exe63⤵
- Executes dropped EXE
PID:1632 -
\??\c:\1djpj.exec:\1djpj.exe64⤵
- Executes dropped EXE
PID:4524 -
\??\c:\pjjjj.exec:\pjjjj.exe65⤵
- Executes dropped EXE
PID:3560 -
\??\c:\hthbbb.exec:\hthbbb.exe66⤵PID:1284
-
\??\c:\ddddv.exec:\ddddv.exe67⤵PID:2172
-
\??\c:\ddddv.exec:\ddddv.exe68⤵PID:5116
-
\??\c:\1frrfff.exec:\1frrfff.exe69⤵PID:212
-
\??\c:\fxllrxx.exec:\fxllrxx.exe70⤵PID:3252
-
\??\c:\vjppp.exec:\vjppp.exe71⤵PID:1992
-
\??\c:\vvddp.exec:\vvddp.exe72⤵PID:2032
-
\??\c:\xlrxrrr.exec:\xlrxrrr.exe73⤵PID:4540
-
\??\c:\jvddd.exec:\jvddd.exe74⤵PID:2328
-
\??\c:\pdvpp.exec:\pdvpp.exe75⤵PID:2664
-
\??\c:\7hbbnn.exec:\7hbbnn.exe76⤵PID:1500
-
\??\c:\tttnhh.exec:\tttnhh.exe77⤵PID:388
-
\??\c:\5vddj.exec:\5vddj.exe78⤵PID:2468
-
\??\c:\vvddj.exec:\vvddj.exe79⤵PID:3776
-
\??\c:\5lxrrxx.exec:\5lxrrxx.exe80⤵PID:4432
-
\??\c:\hbnbhb.exec:\hbnbhb.exe81⤵PID:3972
-
\??\c:\ppdjj.exec:\ppdjj.exe82⤵PID:2852
-
\??\c:\lrrlflf.exec:\lrrlflf.exe83⤵PID:2220
-
\??\c:\llffxff.exec:\llffxff.exe84⤵PID:3460
-
\??\c:\vjppp.exec:\vjppp.exe85⤵PID:1728
-
\??\c:\jjpdp.exec:\jjpdp.exe86⤵PID:4208
-
\??\c:\rxffxfx.exec:\rxffxfx.exe87⤵PID:4912
-
\??\c:\fffxrrr.exec:\fffxrrr.exe88⤵PID:5016
-
\??\c:\nntnnt.exec:\nntnnt.exe89⤵PID:4144
-
\??\c:\jdvpj.exec:\jdvpj.exe90⤵PID:3404
-
\??\c:\llflrxx.exec:\llflrxx.exe91⤵PID:828
-
\??\c:\fxxfxxr.exec:\fxxfxxr.exe92⤵PID:1112
-
\??\c:\bhhhbb.exec:\bhhhbb.exe93⤵PID:2952
-
\??\c:\3bbbnt.exec:\3bbbnt.exe94⤵PID:1740
-
\??\c:\ppdvd.exec:\ppdvd.exe95⤵PID:2704
-
\??\c:\vjvpj.exec:\vjvpj.exe96⤵PID:4840
-
\??\c:\3rxxrff.exec:\3rxxrff.exe97⤵PID:220
-
\??\c:\llrlfrl.exec:\llrlfrl.exe98⤵PID:1300
-
\??\c:\bthhbb.exec:\bthhbb.exe99⤵PID:1864
-
\??\c:\bthhbb.exec:\bthhbb.exe100⤵PID:4948
-
\??\c:\nnttnn.exec:\nnttnn.exe101⤵PID:4404
-
\??\c:\rflrfll.exec:\rflrfll.exe102⤵PID:2968
-
\??\c:\pvvvv.exec:\pvvvv.exe103⤵PID:4724
-
\??\c:\vpjjj.exec:\vpjjj.exe104⤵PID:2160
-
\??\c:\fxxrllf.exec:\fxxrllf.exe105⤵PID:3872
-
\??\c:\5rrlffx.exec:\5rrlffx.exe106⤵PID:2660
-
\??\c:\nhthbn.exec:\nhthbn.exe107⤵PID:928
-
\??\c:\jpvpj.exec:\jpvpj.exe108⤵PID:4276
-
\??\c:\1lrlfff.exec:\1lrlfff.exe109⤵PID:1936
-
\??\c:\xrlfrrl.exec:\xrlfrrl.exe110⤵PID:3500
-
\??\c:\hbhbht.exec:\hbhbht.exe111⤵PID:3604
-
\??\c:\1pppd.exec:\1pppd.exe112⤵PID:404
-
\??\c:\dpvpj.exec:\dpvpj.exe113⤵PID:4472
-
\??\c:\xrrlxxx.exec:\xrrlxxx.exe114⤵PID:312
-
\??\c:\rflfffx.exec:\rflfffx.exe115⤵PID:1524
-
\??\c:\tbhhhn.exec:\tbhhhn.exe116⤵PID:3096
-
\??\c:\jjdvv.exec:\jjdvv.exe117⤵PID:2332
-
\??\c:\3xxrllf.exec:\3xxrllf.exe118⤵PID:1940
-
\??\c:\ttttnn.exec:\ttttnn.exe119⤵PID:1920
-
\??\c:\bhnbbh.exec:\bhnbbh.exe120⤵PID:8
-
\??\c:\jdddd.exec:\jdddd.exe121⤵PID:620
-
\??\c:\xrlfrff.exec:\xrlfrff.exe122⤵PID:5080