Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
24-12-2024 19:43
Behavioral task
behavioral1
Sample
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
150 seconds
General
-
Target
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe
-
Size
332KB
-
MD5
718282396c93a1b834a49a61ec1caeac
-
SHA1
6c5a47a597ecf7d48d3244e2fe5a22387231fe21
-
SHA256
105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87
-
SHA512
6b76f7361a43683237ea7d052a45266ab2c6dc246246db230563b4dc9d9e2560a245b99c137a222909291042512d33fa844b68c05963e7d2fc846535d4aee91d
-
SSDEEP
6144:Lcm4FmowdHoSHt251UriZFwfsDX2UznsaFVNJCMKAbel:R4wFHoSHYHUrAwfMp3CDl
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 64 IoCs
resource yara_rule behavioral2/memory/1764-5-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4080-10-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3260-15-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1068-20-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4844-25-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5056-34-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4300-41-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/460-49-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1392-55-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4976-58-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1896-71-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4604-70-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2268-77-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5076-89-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2260-90-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3456-100-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3504-99-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3744-107-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2288-120-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4812-125-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1384-133-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/4380-136-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1780-147-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4840-158-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3408-161-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4040-164-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4452-167-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/532-172-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/448-175-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4856-178-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2612-183-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/744-187-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4384-192-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2648-215-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/380-218-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1744-221-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4528-224-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2432-237-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1748-240-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3288-245-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3624-258-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2896-261-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/2924-264-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1632-267-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4636-286-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/552-303-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2480-308-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3784-315-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/5012-336-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4564-353-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4700-356-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4836-359-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/732-362-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2436-375-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2736-392-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2440-399-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4616-412-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/2948-417-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4072-528-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/4208-601-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/3848-970-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1116-1022-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon behavioral2/memory/1196-1081-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon 
behavioral2/memory/640-1129-0x0000000000400000-0x0000000000427000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 4080 llfxrlf.exe 3260 bbbtnh.exe 1068 pdddp.exe 4844 djjdv.exe 5056 xxxxffl.exe 380 pjpjj.exe 4300 xflfxxr.exe 3316 rfrllll.exe 460 pppjj.exe 1392 1nhhbh.exe 4976 djddv.exe 1044 bbhbbb.exe 1896 vdddd.exe 4604 htnhhb.exe 2268 nhnhhh.exe 2800 rllllll.exe 2260 nbhbbb.exe 5076 rlrllll.exe 3504 lxrrrfx.exe 3456 3pvjv.exe 3744 xlrlffx.exe 3468 pppjj.exe 1400 lfxxxll.exe 2288 htbtnn.exe 4812 djpvp.exe 664 pdvvp.exe 1384 xrllfrr.exe 4380 xxlfxxr.exe 3236 9pvvv.exe 1780 fxfflxf.exe 1704 thhhhh.exe 4884 xlxrrrf.exe 4840 lrrllrr.exe 3408 vvvdv.exe 4040 xrrrlll.exe 4452 3djdd.exe 4572 xlrlfff.exe 532 nbbbtb.exe 448 bthbhn.exe 4856 rrrrlrl.exe 2044 5tttnt.exe 2612 9lrrrrr.exe 744 nhnbtt.exe 4516 tnnnhh.exe 4384 jjjdd.exe 4344 frllfxx.exe 1764 tttnnh.exe 1224 vvppv.exe 1968 7pvvd.exe 4072 xlrlffx.exe 4236 hbbbtb.exe 212 bbhhbb.exe 2436 vjdvp.exe 3052 7rlfxfx.exe 400 nhnhhn.exe 2648 bhtttn.exe 380 dvjdv.exe 1744 pjvpv.exe 4528 5rxrrll.exe 2528 3httnn.exe 3844 bttnnn.exe 5096 7pdvv.exe 408 5xfxrrl.exe 3104 bnnnnn.exe -
resource yara_rule behavioral2/memory/1764-0-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000c000000023b35-3.dat upx behavioral2/memory/4080-6-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/1764-5-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8e-9.dat upx behavioral2/memory/4080-10-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b92-12.dat upx behavioral2/memory/3260-15-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b94-19.dat upx behavioral2/memory/1068-20-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b95-24.dat upx behavioral2/memory/4844-25-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b96-29.dat upx behavioral2/memory/380-31-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b97-35.dat upx behavioral2/memory/5056-34-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b98-40.dat upx behavioral2/memory/4300-41-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-44.dat upx behavioral2/files/0x000a000000023b9a-48.dat upx behavioral2/memory/460-49-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9b-53.dat upx behavioral2/memory/1392-55-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4976-58-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b9d-60.dat upx behavioral2/files/0x000a000000023b9e-63.dat upx behavioral2/files/0x000a000000023b9f-68.dat upx behavioral2/memory/1896-71-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4604-70-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba0-73.dat upx 
behavioral2/memory/2268-77-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023b8f-78.dat upx behavioral2/files/0x000a000000023ba1-82.dat upx behavioral2/files/0x000a000000023ba2-87.dat upx behavioral2/memory/5076-89-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/2260-90-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba3-93.dat upx behavioral2/files/0x000a000000023ba4-97.dat upx behavioral2/files/0x000a000000023ba5-102.dat upx behavioral2/memory/3456-100-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3504-99-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3744-107-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023b99-106.dat upx behavioral2/files/0x000a000000023ba6-111.dat upx behavioral2/files/0x000a000000023ba7-115.dat upx behavioral2/files/0x000a000000023ba8-118.dat upx behavioral2/memory/2288-120-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4812-125-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023ba9-124.dat upx behavioral2/memory/1384-133-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023bab-135.dat upx behavioral2/memory/4380-136-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000a000000023baa-130.dat upx behavioral2/files/0x000a000000023bac-139.dat upx behavioral2/files/0x000a000000023bad-143.dat upx behavioral2/memory/1780-147-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/files/0x000b000000023bae-148.dat upx behavioral2/files/0x000b000000023baf-152.dat upx behavioral2/memory/4840-158-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/3408-161-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/4040-164-0x0000000000400000-0x0000000000427000-memory.dmp upx 
behavioral2/memory/4452-167-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/532-172-0x0000000000400000-0x0000000000427000-memory.dmp upx behavioral2/memory/448-175-0x0000000000400000-0x0000000000427000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer that host's geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbttt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rrffxll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3djdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrxrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnnnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xxllrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ffffxrr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbbth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntntt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lrfxlfr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bthhhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1764 wrote to memory of 4080 1764 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 83 PID 1764 wrote to memory of 4080 1764 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 83 PID 1764 wrote to memory of 4080 1764 105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe 83 PID 4080 wrote to memory of 3260 4080 llfxrlf.exe 84 PID 4080 wrote to memory of 3260 4080 llfxrlf.exe 84 PID 4080 wrote to memory of 3260 4080 llfxrlf.exe 84 PID 3260 wrote to memory of 1068 3260 bbbtnh.exe 85 PID 3260 wrote to memory of 1068 3260 bbbtnh.exe 85 PID 3260 wrote to memory of 1068 3260 bbbtnh.exe 85 PID 1068 wrote to memory of 4844 1068 pdddp.exe 86 PID 1068 wrote to memory of 4844 1068 pdddp.exe 86 PID 1068 wrote to memory of 4844 1068 pdddp.exe 86 PID 4844 wrote to memory of 5056 4844 djjdv.exe 87 PID 4844 wrote to memory of 5056 4844 djjdv.exe 87 PID 4844 wrote to memory of 5056 4844 djjdv.exe 87 PID 5056 wrote to memory of 380 5056 xxxxffl.exe 88 PID 5056 wrote to memory of 380 5056 xxxxffl.exe 88 PID 5056 wrote to memory of 380 5056 xxxxffl.exe 88 PID 380 wrote to memory of 4300 380 pjpjj.exe 89 PID 380 wrote to memory of 4300 380 pjpjj.exe 89 PID 380 wrote to memory of 4300 380 pjpjj.exe 89 PID 4300 wrote to memory of 3316 4300 xflfxxr.exe 90 PID 4300 wrote to memory of 3316 4300 xflfxxr.exe 90 PID 4300 wrote to memory of 3316 4300 xflfxxr.exe 90 PID 3316 wrote to memory of 460 3316 rfrllll.exe 91 PID 3316 wrote to memory of 460 3316 rfrllll.exe 91 PID 3316 wrote to memory of 460 3316 rfrllll.exe 91 PID 460 wrote to memory of 1392 460 pppjj.exe 92 PID 460 wrote to memory of 1392 460 pppjj.exe 92 PID 460 wrote to memory of 1392 460 pppjj.exe 92 PID 1392 wrote to memory of 4976 1392 1nhhbh.exe 93 PID 1392 wrote to memory of 4976 1392 1nhhbh.exe 93 PID 1392 wrote to memory of 4976 1392 1nhhbh.exe 93 PID 4976 wrote to memory of 1044 4976 djddv.exe 94 PID 4976 wrote to memory of 1044 4976 
djddv.exe 94 PID 4976 wrote to memory of 1044 4976 djddv.exe 94 PID 1044 wrote to memory of 1896 1044 bbhbbb.exe 95 PID 1044 wrote to memory of 1896 1044 bbhbbb.exe 95 PID 1044 wrote to memory of 1896 1044 bbhbbb.exe 95 PID 1896 wrote to memory of 4604 1896 vdddd.exe 96 PID 1896 wrote to memory of 4604 1896 vdddd.exe 96 PID 1896 wrote to memory of 4604 1896 vdddd.exe 96 PID 4604 wrote to memory of 2268 4604 htnhhb.exe 97 PID 4604 wrote to memory of 2268 4604 htnhhb.exe 97 PID 4604 wrote to memory of 2268 4604 htnhhb.exe 97 PID 2268 wrote to memory of 2800 2268 nhnhhh.exe 98 PID 2268 wrote to memory of 2800 2268 nhnhhh.exe 98 PID 2268 wrote to memory of 2800 2268 nhnhhh.exe 98 PID 2800 wrote to memory of 2260 2800 rllllll.exe 99 PID 2800 wrote to memory of 2260 2800 rllllll.exe 99 PID 2800 wrote to memory of 2260 2800 rllllll.exe 99 PID 2260 wrote to memory of 5076 2260 nbhbbb.exe 100 PID 2260 wrote to memory of 5076 2260 nbhbbb.exe 100 PID 2260 wrote to memory of 5076 2260 nbhbbb.exe 100 PID 5076 wrote to memory of 3504 5076 rlrllll.exe 101 PID 5076 wrote to memory of 3504 5076 rlrllll.exe 101 PID 5076 wrote to memory of 3504 5076 rlrllll.exe 101 PID 3504 wrote to memory of 3456 3504 lxrrrfx.exe 102 PID 3504 wrote to memory of 3456 3504 lxrrrfx.exe 102 PID 3504 wrote to memory of 3456 3504 lxrrrfx.exe 102 PID 3456 wrote to memory of 3744 3456 3pvjv.exe 103 PID 3456 wrote to memory of 3744 3456 3pvjv.exe 103 PID 3456 wrote to memory of 3744 3456 3pvjv.exe 103 PID 3744 wrote to memory of 3468 3744 xlrlffx.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"C:\Users\Admin\AppData\Local\Temp\105b3cd7c45a69eba8b2b2509059e303bd969cb279d5eecfc3cba8449dc40f87.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1764 -
\??\c:\llfxrlf.exec:\llfxrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
\??\c:\bbbtnh.exec:\bbbtnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3260 -
\??\c:\pdddp.exec:\pdddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\djjdv.exec:\djjdv.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
\??\c:\xxxxffl.exec:\xxxxffl.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
\??\c:\pjpjj.exec:\pjpjj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:380 -
\??\c:\xflfxxr.exec:\xflfxxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4300 -
\??\c:\rfrllll.exec:\rfrllll.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3316 -
\??\c:\pppjj.exec:\pppjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:460 -
\??\c:\1nhhbh.exec:\1nhhbh.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
\??\c:\djddv.exec:\djddv.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
\??\c:\bbhbbb.exec:\bbhbbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
\??\c:\vdddd.exec:\vdddd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896 -
\??\c:\htnhhb.exec:\htnhhb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
\??\c:\nhnhhh.exec:\nhnhhh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
\??\c:\rllllll.exec:\rllllll.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
\??\c:\nbhbbb.exec:\nbhbbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2260 -
\??\c:\rlrllll.exec:\rlrllll.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076 -
\??\c:\lxrrrfx.exec:\lxrrrfx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
\??\c:\3pvjv.exec:\3pvjv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456 -
\??\c:\xlrlffx.exec:\xlrlffx.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
\??\c:\pppjj.exec:\pppjj.exe23⤵
- Executes dropped EXE
PID:3468 -
\??\c:\lfxxxll.exec:\lfxxxll.exe24⤵
- Executes dropped EXE
PID:1400 -
\??\c:\htbtnn.exec:\htbtnn.exe25⤵
- Executes dropped EXE
PID:2288 -
\??\c:\djpvp.exec:\djpvp.exe26⤵
- Executes dropped EXE
PID:4812 -
\??\c:\pdvvp.exec:\pdvvp.exe27⤵
- Executes dropped EXE
PID:664 -
\??\c:\xrllfrr.exec:\xrllfrr.exe28⤵
- Executes dropped EXE
PID:1384 -
\??\c:\xxlfxxr.exec:\xxlfxxr.exe29⤵
- Executes dropped EXE
PID:4380 -
\??\c:\9pvvv.exec:\9pvvv.exe30⤵
- Executes dropped EXE
PID:3236 -
\??\c:\fxfflxf.exec:\fxfflxf.exe31⤵
- Executes dropped EXE
PID:1780 -
\??\c:\thhhhh.exec:\thhhhh.exe32⤵
- Executes dropped EXE
PID:1704 -
\??\c:\xlxrrrf.exec:\xlxrrrf.exe33⤵
- Executes dropped EXE
PID:4884 -
\??\c:\lrrllrr.exec:\lrrllrr.exe34⤵
- Executes dropped EXE
PID:4840 -
\??\c:\vvvdv.exec:\vvvdv.exe35⤵
- Executes dropped EXE
PID:3408 -
\??\c:\xrrrlll.exec:\xrrrlll.exe36⤵
- Executes dropped EXE
PID:4040 -
\??\c:\3djdd.exec:\3djdd.exe37⤵
- Executes dropped EXE
PID:4452 -
\??\c:\xlrlfff.exec:\xlrlfff.exe38⤵
- Executes dropped EXE
PID:4572 -
\??\c:\nbbbtb.exec:\nbbbtb.exe39⤵
- Executes dropped EXE
PID:532 -
\??\c:\bthbhn.exec:\bthbhn.exe40⤵
- Executes dropped EXE
PID:448 -
\??\c:\rrrrlrl.exec:\rrrrlrl.exe41⤵
- Executes dropped EXE
PID:4856 -
\??\c:\5tttnt.exec:\5tttnt.exe42⤵
- Executes dropped EXE
PID:2044 -
\??\c:\9lrrrrr.exec:\9lrrrrr.exe43⤵
- Executes dropped EXE
PID:2612 -
\??\c:\nhnbtt.exec:\nhnbtt.exe44⤵
- Executes dropped EXE
PID:744 -
\??\c:\tnnnhh.exec:\tnnnhh.exe45⤵
- Executes dropped EXE
PID:4516 -
\??\c:\jjjdd.exec:\jjjdd.exe46⤵
- Executes dropped EXE
PID:4384 -
\??\c:\frllfxx.exec:\frllfxx.exe47⤵
- Executes dropped EXE
PID:4344 -
\??\c:\tttnnh.exec:\tttnnh.exe48⤵
- Executes dropped EXE
PID:1764 -
\??\c:\vvppv.exec:\vvppv.exe49⤵
- Executes dropped EXE
PID:1224 -
\??\c:\7pvvd.exec:\7pvvd.exe50⤵
- Executes dropped EXE
PID:1968 -
\??\c:\xlrlffx.exec:\xlrlffx.exe51⤵
- Executes dropped EXE
PID:4072 -
\??\c:\hbbbtb.exec:\hbbbtb.exe52⤵
- Executes dropped EXE
PID:4236 -
\??\c:\bbhhbb.exec:\bbhhbb.exe53⤵
- Executes dropped EXE
PID:212 -
\??\c:\vjdvp.exec:\vjdvp.exe54⤵
- Executes dropped EXE
PID:2436 -
\??\c:\7rlfxfx.exec:\7rlfxfx.exe55⤵
- Executes dropped EXE
PID:3052 -
\??\c:\nhnhhn.exec:\nhnhhn.exe56⤵
- Executes dropped EXE
PID:400 -
\??\c:\bhtttn.exec:\bhtttn.exe57⤵
- Executes dropped EXE
PID:2648 -
\??\c:\dvjdv.exec:\dvjdv.exe58⤵
- Executes dropped EXE
PID:380 -
\??\c:\pjvpv.exec:\pjvpv.exe59⤵
- Executes dropped EXE
PID:1744 -
\??\c:\5rxrrll.exec:\5rxrrll.exe60⤵
- Executes dropped EXE
PID:4528 -
\??\c:\3httnn.exec:\3httnn.exe61⤵
- Executes dropped EXE
PID:2528 -
\??\c:\bttnnn.exec:\bttnnn.exe62⤵
- Executes dropped EXE
PID:3844 -
\??\c:\7pdvv.exec:\7pdvv.exe63⤵
- Executes dropped EXE
PID:5096 -
\??\c:\5xfxrrl.exec:\5xfxrrl.exe64⤵
- Executes dropped EXE
PID:408 -
\??\c:\bnnnnn.exec:\bnnnnn.exe65⤵
- Executes dropped EXE
PID:3104 -
\??\c:\7bhbbh.exec:\7bhbbh.exe66⤵PID:2432
-
\??\c:\vdppp.exec:\vdppp.exe67⤵PID:1748
-
\??\c:\9xlfxxx.exec:\9xlfxxx.exe68⤵PID:828
-
\??\c:\xllrrrr.exec:\xllrrrr.exe69⤵PID:3288
-
\??\c:\hnbntt.exec:\hnbntt.exe70⤵PID:3956
-
\??\c:\pjvpj.exec:\pjvpj.exe71⤵PID:1876
-
\??\c:\ddjdd.exec:\ddjdd.exe72⤵PID:1572
-
\??\c:\xlxxxxf.exec:\xlxxxxf.exe73⤵PID:2012
-
\??\c:\frxfxxx.exec:\frxfxxx.exe74⤵PID:384
-
\??\c:\btbtnn.exec:\btbtnn.exe75⤵PID:3624
-
\??\c:\hthbbh.exec:\hthbbh.exe76⤵PID:2896
-
\??\c:\vpddd.exec:\vpddd.exe77⤵PID:2924
-
\??\c:\lfrrrlr.exec:\lfrrrlr.exe78⤵PID:1632
-
\??\c:\httnht.exec:\httnht.exe79⤵PID:1640
-
\??\c:\vdjdv.exec:\vdjdv.exe80⤵PID:4356
-
\??\c:\lxlfxxx.exec:\lxlfxxx.exe81⤵PID:4492
-
\??\c:\rrfxrrr.exec:\rrfxrrr.exe82⤵PID:4208
-
\??\c:\1ttbbh.exec:\1ttbbh.exe83⤵PID:3136
-
\??\c:\ttnhhh.exec:\ttnhhh.exe84⤵PID:4540
-
\??\c:\1ppjd.exec:\1ppjd.exe85⤵PID:1028
-
\??\c:\vpjdv.exec:\vpjdv.exe86⤵PID:1436
-
\??\c:\lfxfxlf.exec:\lfxfxlf.exe87⤵PID:4636
-
\??\c:\bbttnn.exec:\bbttnn.exe88⤵PID:3540
-
\??\c:\httnth.exec:\httnth.exe89⤵PID:4076
-
\??\c:\jdppv.exec:\jdppv.exe90⤵PID:4816
-
\??\c:\7rrlffx.exec:\7rrlffx.exe91⤵PID:4972
-
\??\c:\tnttnb.exec:\tnttnb.exe92⤵PID:4812
-
\??\c:\pjjdp.exec:\pjjdp.exe93⤵PID:664
-
\??\c:\jpdjj.exec:\jpdjj.exe94⤵PID:1760
-
\??\c:\frlfrrr.exec:\frlfrrr.exe95⤵PID:552
-
\??\c:\xrffrrf.exec:\xrffrrf.exe96⤵PID:1884
-
\??\c:\nnhhbb.exec:\nnhhbb.exe97⤵PID:2480
-
\??\c:\pdjdv.exec:\pdjdv.exe98⤵PID:4924
-
\??\c:\xlrlxrr.exec:\xlrlxrr.exe99⤵PID:5052
-
\??\c:\xlfxxxx.exec:\xlfxxxx.exe100⤵PID:3784
-
\??\c:\nhhnnt.exec:\nhhnnt.exe101⤵PID:4408
-
\??\c:\jjpjd.exec:\jjpjd.exe102⤵PID:2248
-
\??\c:\xrrrllf.exec:\xrrrllf.exe103⤵PID:4944
-
\??\c:\xrrrllf.exec:\xrrrllf.exe104⤵PID:4016
-
\??\c:\1bbnnn.exec:\1bbnnn.exe105⤵PID:2088
-
\??\c:\nhtnhh.exec:\nhtnhh.exe106⤵PID:376
-
\??\c:\djppp.exec:\djppp.exe107⤵PID:2448
-
\??\c:\xrfxrrf.exec:\xrfxrrf.exe108⤵PID:3960
-
\??\c:\rflfffl.exec:\rflfffl.exe109⤵PID:4572
-
\??\c:\btbttt.exec:\btbttt.exe110⤵
- System Location Discovery: System Language Discovery
PID:1992 -
\??\c:\jdvpj.exec:\jdvpj.exe111⤵PID:5012
-
\??\c:\llfxxxr.exec:\llfxxxr.exe112⤵PID:3608
-
\??\c:\rrfffxr.exec:\rrfffxr.exe113⤵PID:3312
-
\??\c:\thtnnt.exec:\thtnnt.exe114⤵PID:4756
-
\??\c:\ddppj.exec:\ddppj.exe115⤵PID:2612
-
\??\c:\3xflffx.exec:\3xflffx.exe116⤵PID:3280
-
\??\c:\7ffxrrr.exec:\7ffxrrr.exe117⤵PID:1864
-
\??\c:\7hhbtt.exec:\7hhbtt.exe118⤵PID:4368
-
\??\c:\dvjjj.exec:\dvjjj.exe119⤵PID:452
-
\??\c:\frrlffx.exec:\frrlffx.exe120⤵PID:4564
-
\??\c:\lxffffx.exec:\lxffffx.exe121⤵PID:4700
-
\??\c:\nnhhbh.exec:\nnhhbh.exe122⤵PID:4836