Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-12-2024 21:30
Static task
static1
1 signature (static scan of the sample on disk; compare with the 7 signatures from the behavioral run)
Behavioral task
behavioral1
Sample
3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
Note: the task listed here is behavioral1 (Windows 7), but every IoC reproduced below is tagged behavioral2, and the Analysis header names the win10v2004-20241007-en (Windows 10 2004 x64) image. The results on this page therefore come from the Windows 10 run; the Windows 7 run's results are not shown here.
General
-
Target
3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20.exe
-
Size
454KB
-
MD5
4c7a1c25cc056cf4390e19bfa9c7d4a3
-
SHA1
1009b13a7d06f0e97f715b4b9d815bf817edf091
-
SHA256
3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20
-
SHA512
4746cd0db84cd140104ce6836c6f75c1cf38302cf7f44e17edb9c359116c8ca39420f6ad97dff426bc5caf9815c528509dc19d7c1f4b5fca497fcde80d7bef2b
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeTK:q7Tc2NYHUrAwfMp3CDG
Malware Config (no extracted configuration is shown for this run)
Signatures
-
Blackmoon family
-
Detect Blackmoon payload — 64 IoCs (the listing appears to be capped at 64 entries). Each hit is a YARA match on a memory dump of the 0x00400000–0x0042A000 image region of one process in the spawn chain. The same region in the same processes also matches the unlabeled `upx` rule further down, so the Blackmoon match is on the unpacked in-memory image; this is consistent with the static task reporting only 1 signature for the file on disk.
resource yara_rule behavioral2/memory/2884-4-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4724-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2504-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3856-17-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4084-30-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3896-27-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2372-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2368-47-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/548-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1680-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2928-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4876-76-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/860-84-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1540-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3756-100-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4292-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/384-117-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-123-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-129-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1656-135-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1028-152-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4020-157-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3184-160-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2640-165-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1372-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4680-201-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4508-205-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1828-224-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4140-231-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2516-260-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3488-264-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-284-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3952-297-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/840-301-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-305-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/244-336-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/584-343-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2300-350-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2348-357-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5112-391-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1744-404-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3104-423-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4340-427-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3712-440-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2312-474-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3148-484-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2332-506-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-541-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2432-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-557-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/452-561-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/856-568-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5024-578-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3528-585-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/456-628-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1312-641-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2336-755-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3088-834-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-934-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/584-1091-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE — 64 IoCs (the listing appears to be capped at 64; the process tree below continues well past these). Every dropped binary is written to the root of C:\ (the `\??\c:\` NT path in the tree) with a short random-looking name — digits only, or a few repeated letters — and is launched by the previously dropped one. A process at C:\<random>.exe spawning a further C:\<random>.exe child is the most practical detection/hunt pivot in this report; the individual names are not stable indicators.
pid Process 2504 2820486.exe 4724 402260.exe 3856 rrlxxlf.exe 3896 bnbnnb.exe 4084 6664082.exe 2372 620600.exe 2368 s8482.exe 548 462644.exe 1680 nhbnnn.exe 1572 82226.exe 2928 2648040.exe 4876 pvdvv.exe 860 028884.exe 4392 rlrllll.exe 1540 84488.exe 3756 46286.exe 4292 2826600.exe 2264 hhnnhb.exe 384 tnnbnh.exe 2456 fxfrffr.exe 2336 tbthbt.exe 1656 44482.exe 1412 20000.exe 4324 82442.exe 1028 hththn.exe 3184 8440062.exe 4020 8804484.exe 2640 djjdv.exe 1416 a4042.exe 116 xfrlfxr.exe 1560 62804.exe 3444 vddpj.exe 1372 640426.exe 2252 ddpdd.exe 4420 lflfxlx.exe 4680 282082.exe 4508 6404860.exe 5116 6882004.exe 4428 vjpdd.exe 3012 bnhbtn.exe 4340 4460826.exe 3360 jpjdv.exe 1828 2066062.exe 1312 nnbnbt.exe 4140 6686088.exe 436 jjjdp.exe 1124 rlrlxrl.exe 2188 lflflfl.exe 3868 tbbthh.exe 4284 7jppv.exe 2680 nhtnhh.exe 3720 xffrllx.exe 1768 26082.exe 2516 bhhbhb.exe 3488 6282428.exe 904 jdvpj.exe 184 nbnbtn.exe 4440 2604440.exe 2524 4226204.exe 4388 a6868.exe 4512 vvvpj.exe 2672 80220.exe 4416 5hbhtn.exe 1168 u460040.exe -
resource yara_rule behavioral2/memory/2884-4-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4724-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2504-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3856-17-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4084-30-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3896-27-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2372-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2368-47-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/548-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-60-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1680-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1572-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2928-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4876-76-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/860-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1540-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3756-100-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4292-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/384-117-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-129-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1656-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1028-152-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4020-157-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/3184-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2640-165-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1372-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4680-201-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4508-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1828-224-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4140-231-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2516-260-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3488-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3952-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/840-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/244-336-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/584-343-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2300-350-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2348-357-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-391-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1744-404-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3104-423-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4340-427-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3712-440-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2312-474-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3148-484-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-506-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4892-541-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2432-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-557-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/452-561-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/856-568-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5024-578-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3528-585-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/456-628-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1312-641-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4764-694-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2336-755-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3088-834-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-934-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery — 1 TTP (MITRE ATT&CK T1614.001), 64 IoCs
Attempts to gather information about the system language of the victim host, in order to infer its geographical location. Every IoC is a read of `HKLM\SYSTEM\ControlSet001\Control\NLS\Language`. "Process not Found" in the list means the sandbox could not attribute the registry access to a live process — presumably because the short-lived dropped executable had already exited by the time the event was resolved — so the number of named processes understates how many members of the chain perform this check.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2620048.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2884642.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfllrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60444.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language thbbtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxfrffr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process 
not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 08264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8006604.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2064606.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8060840.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06264.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flxrrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory — 64 IoCs (the listing appears to be capped at 64; it stops at PID 2336 → 1656, although the tree continues). Every entry is a parent writing into the child it has just spawned, three times per parent/child pair, and the child PID is always the next dropped EXE in the process tree. That pattern is consistent with the writes that accompany process creation rather than with injection into an unrelated, already-running process, so treat this signature as corroboration of the spawn chain, not as standalone evidence of code injection — unless a dump shows modified code in a child, which this report does not include.
description pid Process procid_target PID 2884 wrote to memory of 2504 2884 3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20.exe 83 PID 2884 wrote to memory of 2504 2884 3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20.exe 83 PID 2884 wrote to memory of 2504 2884 3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20.exe 83 PID 2504 wrote to memory of 4724 2504 2820486.exe 84 PID 2504 wrote to memory of 4724 2504 2820486.exe 84 PID 2504 wrote to memory of 4724 2504 2820486.exe 84 PID 4724 wrote to memory of 3856 4724 402260.exe 85 PID 4724 wrote to memory of 3856 4724 402260.exe 85 PID 4724 wrote to memory of 3856 4724 402260.exe 85 PID 3856 wrote to memory of 3896 3856 rrlxxlf.exe 86 PID 3856 wrote to memory of 3896 3856 rrlxxlf.exe 86 PID 3856 wrote to memory of 3896 3856 rrlxxlf.exe 86 PID 3896 wrote to memory of 4084 3896 bnbnnb.exe 87 PID 3896 wrote to memory of 4084 3896 bnbnnb.exe 87 PID 3896 wrote to memory of 4084 3896 bnbnnb.exe 87 PID 4084 wrote to memory of 2372 4084 6664082.exe 88 PID 4084 wrote to memory of 2372 4084 6664082.exe 88 PID 4084 wrote to memory of 2372 4084 6664082.exe 88 PID 2372 wrote to memory of 2368 2372 620600.exe 89 PID 2372 wrote to memory of 2368 2372 620600.exe 89 PID 2372 wrote to memory of 2368 2372 620600.exe 89 PID 2368 wrote to memory of 548 2368 s8482.exe 90 PID 2368 wrote to memory of 548 2368 s8482.exe 90 PID 2368 wrote to memory of 548 2368 s8482.exe 90 PID 548 wrote to memory of 1680 548 462644.exe 91 PID 548 wrote to memory of 1680 548 462644.exe 91 PID 548 wrote to memory of 1680 548 462644.exe 91 PID 1680 wrote to memory of 1572 1680 nhbnnn.exe 92 PID 1680 wrote to memory of 1572 1680 nhbnnn.exe 92 PID 1680 wrote to memory of 1572 1680 nhbnnn.exe 92 PID 1572 wrote to memory of 2928 1572 82226.exe 93 PID 1572 wrote to memory of 2928 1572 82226.exe 93 PID 1572 wrote to memory of 2928 1572 82226.exe 93 PID 2928 wrote to memory of 4876 2928 2648040.exe 94 PID 2928 wrote to memory 
of 4876 2928 2648040.exe 94 PID 2928 wrote to memory of 4876 2928 2648040.exe 94 PID 4876 wrote to memory of 860 4876 pvdvv.exe 95 PID 4876 wrote to memory of 860 4876 pvdvv.exe 95 PID 4876 wrote to memory of 860 4876 pvdvv.exe 95 PID 860 wrote to memory of 4392 860 028884.exe 96 PID 860 wrote to memory of 4392 860 028884.exe 96 PID 860 wrote to memory of 4392 860 028884.exe 96 PID 4392 wrote to memory of 1540 4392 rlrllll.exe 97 PID 4392 wrote to memory of 1540 4392 rlrllll.exe 97 PID 4392 wrote to memory of 1540 4392 rlrllll.exe 97 PID 1540 wrote to memory of 3756 1540 84488.exe 98 PID 1540 wrote to memory of 3756 1540 84488.exe 98 PID 1540 wrote to memory of 3756 1540 84488.exe 98 PID 3756 wrote to memory of 4292 3756 46286.exe 99 PID 3756 wrote to memory of 4292 3756 46286.exe 99 PID 3756 wrote to memory of 4292 3756 46286.exe 99 PID 4292 wrote to memory of 2264 4292 2826600.exe 100 PID 4292 wrote to memory of 2264 4292 2826600.exe 100 PID 4292 wrote to memory of 2264 4292 2826600.exe 100 PID 2264 wrote to memory of 384 2264 hhnnhb.exe 101 PID 2264 wrote to memory of 384 2264 hhnnhb.exe 101 PID 2264 wrote to memory of 384 2264 hhnnhb.exe 101 PID 384 wrote to memory of 2456 384 tnnbnh.exe 102 PID 384 wrote to memory of 2456 384 tnnbnh.exe 102 PID 384 wrote to memory of 2456 384 tnnbnh.exe 102 PID 2456 wrote to memory of 2336 2456 fxfrffr.exe 103 PID 2456 wrote to memory of 2336 2456 fxfrffr.exe 103 PID 2456 wrote to memory of 2336 2456 fxfrffr.exe 103 PID 2336 wrote to memory of 1656 2336 tbthbt.exe 104
Processes
Reading guide: each entry is the NT image path, then the command line in quotes, then the nesting depth in the tree (1⤵ is the submitted sample, 2⤵ its child, and so on). The tree is a single linear chain — each dropped executable in C:\ launches exactly one successor — reaching depth 122 (`vvjdv.exe`) within the 150-second run, and the listing is truncated at that point. Note that PIDs are reused during the run (for example 1412 appears at depths 24 and 85, 4340 at 42 and 106, 3360 at 43 and 107), so a PID alone is not a stable key when correlating these entries with the memory-dump IoCs above; correlate on PID plus position in the chain, or on the dump's trailing sequence number.
-
C:\Users\Admin\AppData\Local\Temp\3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20.exe"C:\Users\Admin\AppData\Local\Temp\3a1f3d7fc6e901266ecbb70f1dda13d61a339f157bba41b945f134d5b5a82d20.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2884 -
\??\c:\2820486.exec:\2820486.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504 -
\??\c:\402260.exec:\402260.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
\??\c:\rrlxxlf.exec:\rrlxxlf.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3856 -
\??\c:\bnbnnb.exec:\bnbnnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3896 -
\??\c:\6664082.exec:\6664082.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
\??\c:\620600.exec:\620600.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2372 -
\??\c:\s8482.exec:\s8482.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2368 -
\??\c:\462644.exec:\462644.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:548 -
\??\c:\nhbnnn.exec:\nhbnnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1680 -
\??\c:\82226.exec:\82226.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572 -
\??\c:\2648040.exec:\2648040.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
\??\c:\pvdvv.exec:\pvdvv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
\??\c:\028884.exec:\028884.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
\??\c:\rlrllll.exec:\rlrllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
\??\c:\84488.exec:\84488.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
\??\c:\46286.exec:\46286.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3756 -
\??\c:\2826600.exec:\2826600.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4292 -
\??\c:\hhnnhb.exec:\hhnnhb.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2264 -
\??\c:\tnnbnh.exec:\tnnbnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:384 -
\??\c:\fxfrffr.exec:\fxfrffr.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
\??\c:\tbthbt.exec:\tbthbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2336 -
\??\c:\44482.exec:\44482.exe23⤵
- Executes dropped EXE
PID:1656 -
\??\c:\20000.exec:\20000.exe24⤵
- Executes dropped EXE
PID:1412 -
\??\c:\82442.exec:\82442.exe25⤵
- Executes dropped EXE
PID:4324 -
\??\c:\hththn.exec:\hththn.exe26⤵
- Executes dropped EXE
PID:1028 -
\??\c:\8440062.exec:\8440062.exe27⤵
- Executes dropped EXE
PID:3184 -
\??\c:\8804484.exec:\8804484.exe28⤵
- Executes dropped EXE
PID:4020 -
\??\c:\djjdv.exec:\djjdv.exe29⤵
- Executes dropped EXE
PID:2640 -
\??\c:\a4042.exec:\a4042.exe30⤵
- Executes dropped EXE
PID:1416 -
\??\c:\xfrlfxr.exec:\xfrlfxr.exe31⤵
- Executes dropped EXE
PID:116 -
\??\c:\62804.exec:\62804.exe32⤵
- Executes dropped EXE
PID:1560 -
\??\c:\vddpj.exec:\vddpj.exe33⤵
- Executes dropped EXE
PID:3444 -
\??\c:\640426.exec:\640426.exe34⤵
- Executes dropped EXE
PID:1372 -
\??\c:\ddpdd.exec:\ddpdd.exe35⤵
- Executes dropped EXE
PID:2252 -
\??\c:\lflfxlx.exec:\lflfxlx.exe36⤵
- Executes dropped EXE
PID:4420 -
\??\c:\282082.exec:\282082.exe37⤵
- Executes dropped EXE
PID:4680 -
\??\c:\6404860.exec:\6404860.exe38⤵
- Executes dropped EXE
PID:4508 -
\??\c:\6882004.exec:\6882004.exe39⤵
- Executes dropped EXE
PID:5116 -
\??\c:\vjpdd.exec:\vjpdd.exe40⤵
- Executes dropped EXE
PID:4428 -
\??\c:\bnhbtn.exec:\bnhbtn.exe41⤵
- Executes dropped EXE
PID:3012 -
\??\c:\4460826.exec:\4460826.exe42⤵
- Executes dropped EXE
PID:4340 -
\??\c:\jpjdv.exec:\jpjdv.exe43⤵
- Executes dropped EXE
PID:3360 -
\??\c:\2066062.exec:\2066062.exe44⤵
- Executes dropped EXE
PID:1828 -
\??\c:\nnbnbt.exec:\nnbnbt.exe45⤵
- Executes dropped EXE
PID:1312 -
\??\c:\6686088.exec:\6686088.exe46⤵
- Executes dropped EXE
PID:4140 -
\??\c:\jjjdp.exec:\jjjdp.exe47⤵
- Executes dropped EXE
PID:436 -
\??\c:\rlrlxrl.exec:\rlrlxrl.exe48⤵
- Executes dropped EXE
PID:1124 -
\??\c:\lflflfl.exec:\lflflfl.exe49⤵
- Executes dropped EXE
PID:2188 -
\??\c:\tbbthh.exec:\tbbthh.exe50⤵
- Executes dropped EXE
PID:3868 -
\??\c:\7jppv.exec:\7jppv.exe51⤵
- Executes dropped EXE
PID:4284 -
\??\c:\nhtnhh.exec:\nhtnhh.exe52⤵
- Executes dropped EXE
PID:2680 -
\??\c:\xffrllx.exec:\xffrllx.exe53⤵
- Executes dropped EXE
PID:3720 -
\??\c:\26082.exec:\26082.exe54⤵
- Executes dropped EXE
PID:1768 -
\??\c:\bhhbhb.exec:\bhhbhb.exe55⤵
- Executes dropped EXE
PID:2516 -
\??\c:\6282428.exec:\6282428.exe56⤵
- Executes dropped EXE
PID:3488 -
\??\c:\jdvpj.exec:\jdvpj.exe57⤵
- Executes dropped EXE
PID:904 -
\??\c:\nbnbtn.exec:\nbnbtn.exe58⤵
- Executes dropped EXE
PID:184 -
\??\c:\2604440.exec:\2604440.exe59⤵
- Executes dropped EXE
PID:4440 -
\??\c:\4226204.exec:\4226204.exe60⤵
- Executes dropped EXE
PID:2524 -
\??\c:\a6868.exec:\a6868.exe61⤵
- Executes dropped EXE
PID:4388 -
\??\c:\vvvpj.exec:\vvvpj.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512 -
\??\c:\80220.exec:\80220.exe63⤵
- Executes dropped EXE
PID:2672 -
\??\c:\5hbhtn.exec:\5hbhtn.exe64⤵
- Executes dropped EXE
PID:4416 -
\??\c:\u460040.exec:\u460040.exe65⤵
- Executes dropped EXE
PID:1168 -
\??\c:\xffrxrl.exec:\xffrxrl.exe66⤵PID:3952
-
\??\c:\3xrfxxl.exec:\3xrfxxl.exe67⤵PID:840
-
\??\c:\pvpjd.exec:\pvpjd.exe68⤵PID:4660
-
\??\c:\64486.exec:\64486.exe69⤵PID:4924
-
\??\c:\djvpj.exec:\djvpj.exe70⤵PID:3780
-
\??\c:\066084.exec:\066084.exe71⤵PID:3812
-
\??\c:\0804406.exec:\0804406.exe72⤵PID:1268
-
\??\c:\20684.exec:\20684.exe73⤵PID:1392
-
\??\c:\800826.exec:\800826.exe74⤵PID:4672
-
\??\c:\tnhtnb.exec:\tnhtnb.exe75⤵PID:3680
-
\??\c:\nnnhnt.exec:\nnnhnt.exe76⤵PID:3168
-
\??\c:\g0086.exec:\g0086.exe77⤵PID:3084
-
\??\c:\024220.exec:\024220.exe78⤵PID:244
-
\??\c:\6648826.exec:\6648826.exe79⤵PID:3008
-
\??\c:\rfxflrf.exec:\rfxflrf.exe80⤵PID:584
-
\??\c:\jjpdv.exec:\jjpdv.exe81⤵PID:4888
-
\??\c:\fxrxlfr.exec:\fxrxlfr.exe82⤵PID:2300
-
\??\c:\btbthb.exec:\btbthb.exe83⤵PID:640
-
\??\c:\tnhnbn.exec:\tnhnbn.exe84⤵PID:2348
-
\??\c:\rflxlfx.exec:\rflxlfx.exe85⤵PID:1412
-
\??\c:\222284.exec:\222284.exe86⤵PID:2944
-
\??\c:\hbbnhb.exec:\hbbnhb.exe87⤵PID:5024
-
\??\c:\hthbnh.exec:\hthbnh.exe88⤵PID:1348
-
\??\c:\llxlrrf.exec:\llxlrrf.exe89⤵PID:408
-
\??\c:\frxxlfx.exec:\frxxlfx.exe90⤵PID:4148
-
\??\c:\0220426.exec:\0220426.exe91⤵PID:536
-
\??\c:\ddpdv.exec:\ddpdv.exe92⤵PID:3020
-
\??\c:\006082.exec:\006082.exe93⤵PID:740
-
\??\c:\426082.exec:\426082.exe94⤵PID:4516
-
\??\c:\vvjjv.exec:\vvjjv.exe95⤵PID:5112
-
\??\c:\q24220.exec:\q24220.exe96⤵PID:748
-
\??\c:\8006604.exec:\8006604.exe97⤵
- System Location Discovery: System Language Discovery
PID:2444 -
\??\c:\thhtht.exec:\thhtht.exe98⤵PID:1180
-
\??\c:\bbbnnh.exec:\bbbnnh.exe99⤵PID:1744
-
\??\c:\282260.exec:\282260.exe100⤵PID:376
-
\??\c:\frffrlf.exec:\frffrlf.exe101⤵PID:396
-
\??\c:\24664.exec:\24664.exe102⤵PID:2260
-
\??\c:\8886082.exec:\8886082.exe103⤵PID:456
-
\??\c:\nhbntn.exec:\nhbntn.exe104⤵PID:3396
-
\??\c:\rllflfx.exec:\rllflfx.exe105⤵PID:3104
-
\??\c:\2246082.exec:\2246082.exe106⤵PID:4340
-
\??\c:\88224.exec:\88224.exe107⤵PID:3360
-
\??\c:\08042.exec:\08042.exe108⤵PID:2056
-
\??\c:\9tnhbb.exec:\9tnhbb.exe109⤵PID:4560
-
\??\c:\lxffxxx.exec:\lxffxxx.exe110⤵PID:3712
-
\??\c:\frxxxxx.exec:\frxxxxx.exe111⤵PID:4952
-
\??\c:\jdjvv.exec:\jdjvv.exe112⤵PID:1032
-
\??\c:\flfrlfx.exec:\flfrlfx.exe113⤵PID:1344
-
\??\c:\vvvpp.exec:\vvvpp.exe114⤵PID:4344
-
\??\c:\nhhbnb.exec:\nhhbnb.exe115⤵PID:792
-
\??\c:\jvjvj.exec:\jvjvj.exe116⤵PID:1256
-
\??\c:\fllxlfx.exec:\fllxlfx.exe117⤵PID:3560
-
\??\c:\fxxllfx.exec:\fxxllfx.exe118⤵PID:2144
-
\??\c:\lxrrxfx.exec:\lxrrxfx.exe119⤵PID:5056
-
\??\c:\ntbnhb.exec:\ntbnhb.exe120⤵PID:1736
-
\??\c:\bhhhtt.exec:\bhhhtt.exe121⤵PID:2312
-
\??\c:\vvjdv.exec:\vvjdv.exe122⤵PID:4444