Analysis
-
max time kernel
120s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 17:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe
Resource
win7-20241010-en
windows7-x64
7 signatures
120 seconds
General
-
Target
7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe
-
Size
453KB
-
MD5
7098dbe2ef6c59ef2a0c1b1becb1f380
-
SHA1
d5be4270426b90cafb62356f87bddcd2e01567f5
-
SHA256
7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7d
-
SHA512
f18bc72b77035f89640fd6864274e71b920f2e36d6a53f42d80968a22358c02b5266f4735205512a54214bc5b39efcffb34377b120a2b397f9fbe325bd94b73e
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbec:q7Tc2NYHUrAwfMp3CDc
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/1328-13-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-21-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-26-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1960-15-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1528-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1056-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4568-41-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4932-53-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-61-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4756-67-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1892-72-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-80-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4224-79-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2532-90-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4856-95-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2988-103-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4028-127-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4196-125-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3204-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4348-105-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1012-137-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/4828-139-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1384-150-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2712-158-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2600-156-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4888-163-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2116-178-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2136-196-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3588-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-223-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4540-226-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-242-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2592-246-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3696-256-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1620-263-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4488-270-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1940-283-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1760-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2668-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2972-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4672-344-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3692-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/920-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2684-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/540-411-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1468-433-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1784-527-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/232-540-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/624-553-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-566-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1464-576-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3172-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3944-596-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4132-705-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3556-724-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4812-752-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4728-798-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3312-862-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2536-926-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2968-963-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4684-1057-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2812-1564-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1328 dvvjv.exe 1960 rlllflf.exe 3668 xxrlfxr.exe 3696 hhbtnh.exe 1056 3dvpd.exe 4568 tbbtbb.exe 1388 7xxrfff.exe 4932 ttnbnh.exe 1940 bttttt.exe 4756 vdjjd.exe 1892 nnnnnn.exe 4224 dppdv.exe 1732 nhtnbn.exe 2532 frxxxxx.exe 4856 bhbbnn.exe 2988 vvvvp.exe 4348 hbhhhh.exe 3204 vjjjv.exe 2288 vppjj.exe 4028 9xfffll.exe 4196 bbtnnn.exe 4828 vvddv.exe 1012 llxrrrr.exe 1384 5hbthh.exe 2600 5bhbbb.exe 2712 3dvdv.exe 4888 rlfxrxx.exe 1768 1nbthh.exe 2116 hhbbnt.exe 3708 pvvvd.exe 4588 3btnnn.exe 3348 hhhbbb.exe 2136 rfllllf.exe 3740 7pvvd.exe 4480 lflffff.exe 540 thtttn.exe 436 flxxffl.exe 3588 hnhbtt.exe 4156 bhnntn.exe 1052 ddvvp.exe 4304 5lfxxfx.exe 4540 btthtt.exe 1528 djjdd.exe 1612 3rrllll.exe 4544 htbtnb.exe 2908 dvpjd.exe 2588 lfflllf.exe 2592 rrrrrrr.exe 4908 bbhbbb.exe 2044 jjppv.exe 3696 5xxrrrr.exe 932 1btntn.exe 1620 1jjdv.exe 1984 pppjj.exe 4488 rrrlllf.exe 2180 flrrllf.exe 3428 1nhnnn.exe 3528 5dvpd.exe 1940 xxxxrrr.exe 1152 5bbbhh.exe 4376 jdvpd.exe 1760 jpppj.exe 4388 llrlfrr.exe 3856 7nhbbb.exe -
resource yara_rule behavioral2/memory/1328-13-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-21-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-26-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1960-15-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1528-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1056-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-41-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4932-53-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-54-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-59-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-61-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4756-67-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1892-72-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-80-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4224-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2532-90-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4856-95-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2988-103-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4028-127-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4196-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3204-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4348-105-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1012-137-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4828-139-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1384-150-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2712-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2600-156-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4888-163-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2116-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2136-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3588-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-223-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4540-226-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-242-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2592-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3696-256-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1620-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4488-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1940-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1760-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2668-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2972-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4672-344-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3692-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/920-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2684-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/540-411-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/1468-433-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1784-527-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/232-540-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/624-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1536-566-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1464-576-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3172-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3944-596-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4132-705-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3556-724-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4812-752-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4728-798-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-862-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2536-926-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2968-963-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4684-1057-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host (here by opening the HKLM\SYSTEM\ControlSet001\Control\NLS\Language registry key) in order to infer the geographical location of that host. Note that most of the IoCs listed below are attributed to "Process not Found", meaning the sandbox could not map that registry read back to a tracked process; only the entries carrying a process name can be tied to a specific dropped executable.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ddvdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7jjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdvpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbnhhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3flfrrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hbbnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7dppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lfllfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
xlrlfxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rlfxrxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language httnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5bbbhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvpjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3vppj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7xlfxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xrrrfff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nhhtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1528 wrote to memory of 1328 1528 7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe 83 PID 1528 wrote to memory of 1328 1528 7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe 83 PID 1528 wrote to memory of 1328 1528 7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe 83 PID 1328 wrote to memory of 1960 1328 dvvjv.exe 84 PID 1328 wrote to memory of 1960 1328 dvvjv.exe 84 PID 1328 wrote to memory of 1960 1328 dvvjv.exe 84 PID 1960 wrote to memory of 3668 1960 rlllflf.exe 85 PID 1960 wrote to memory of 3668 1960 rlllflf.exe 85 PID 1960 wrote to memory of 3668 1960 rlllflf.exe 85 PID 3668 wrote to memory of 3696 3668 xxrlfxr.exe 86 PID 3668 wrote to memory of 3696 3668 xxrlfxr.exe 86 PID 3668 wrote to memory of 3696 3668 xxrlfxr.exe 86 PID 3696 wrote to memory of 1056 3696 hhbtnh.exe 87 PID 3696 wrote to memory of 1056 3696 hhbtnh.exe 87 PID 3696 wrote to memory of 1056 3696 hhbtnh.exe 87 PID 1056 wrote to memory of 4568 1056 3dvpd.exe 88 PID 1056 wrote to memory of 4568 1056 3dvpd.exe 88 PID 1056 wrote to memory of 4568 1056 3dvpd.exe 88 PID 4568 wrote to memory of 1388 4568 tbbtbb.exe 89 PID 4568 wrote to memory of 1388 4568 tbbtbb.exe 89 PID 4568 wrote to memory of 1388 4568 tbbtbb.exe 89 PID 1388 wrote to memory of 4932 1388 7xxrfff.exe 90 PID 1388 wrote to memory of 4932 1388 7xxrfff.exe 90 PID 1388 wrote to memory of 4932 1388 7xxrfff.exe 90 PID 4932 wrote to memory of 1940 4932 ttnbnh.exe 91 PID 4932 wrote to memory of 1940 4932 ttnbnh.exe 91 PID 4932 wrote to memory of 1940 4932 ttnbnh.exe 91 PID 1940 wrote to memory of 4756 1940 bttttt.exe 92 PID 1940 wrote to memory of 4756 1940 bttttt.exe 92 PID 1940 wrote to memory of 4756 1940 bttttt.exe 92 PID 4756 wrote to memory of 1892 4756 vdjjd.exe 93 PID 4756 wrote to memory of 1892 4756 vdjjd.exe 93 PID 4756 wrote to memory of 1892 4756 vdjjd.exe 93 PID 1892 wrote to memory of 4224 1892 nnnnnn.exe 94 PID 1892 wrote 
to memory of 4224 1892 nnnnnn.exe 94 PID 1892 wrote to memory of 4224 1892 nnnnnn.exe 94 PID 4224 wrote to memory of 1732 4224 dppdv.exe 95 PID 4224 wrote to memory of 1732 4224 dppdv.exe 95 PID 4224 wrote to memory of 1732 4224 dppdv.exe 95 PID 1732 wrote to memory of 2532 1732 nhtnbn.exe 96 PID 1732 wrote to memory of 2532 1732 nhtnbn.exe 96 PID 1732 wrote to memory of 2532 1732 nhtnbn.exe 96 PID 2532 wrote to memory of 4856 2532 frxxxxx.exe 97 PID 2532 wrote to memory of 4856 2532 frxxxxx.exe 97 PID 2532 wrote to memory of 4856 2532 frxxxxx.exe 97 PID 4856 wrote to memory of 2988 4856 bhbbnn.exe 98 PID 4856 wrote to memory of 2988 4856 bhbbnn.exe 98 PID 4856 wrote to memory of 2988 4856 bhbbnn.exe 98 PID 2988 wrote to memory of 4348 2988 vvvvp.exe 99 PID 2988 wrote to memory of 4348 2988 vvvvp.exe 99 PID 2988 wrote to memory of 4348 2988 vvvvp.exe 99 PID 4348 wrote to memory of 3204 4348 hbhhhh.exe 100 PID 4348 wrote to memory of 3204 4348 hbhhhh.exe 100 PID 4348 wrote to memory of 3204 4348 hbhhhh.exe 100 PID 3204 wrote to memory of 2288 3204 vjjjv.exe 101 PID 3204 wrote to memory of 2288 3204 vjjjv.exe 101 PID 3204 wrote to memory of 2288 3204 vjjjv.exe 101 PID 2288 wrote to memory of 4028 2288 vppjj.exe 102 PID 2288 wrote to memory of 4028 2288 vppjj.exe 102 PID 2288 wrote to memory of 4028 2288 vppjj.exe 102 PID 4028 wrote to memory of 4196 4028 9xfffll.exe 103 PID 4028 wrote to memory of 4196 4028 9xfffll.exe 103 PID 4028 wrote to memory of 4196 4028 9xfffll.exe 103 PID 4196 wrote to memory of 4828 4196 bbtnnn.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe"C:\Users\Admin\AppData\Local\Temp\7a3d36a7076da01bde816c9c8f4b2761d7b8253c637044414371361fbec90d7dN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
\??\c:\dvvjv.exec:\dvvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1328 -
\??\c:\rlllflf.exec:\rlllflf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1960 -
\??\c:\xxrlfxr.exec:\xxrlfxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3668 -
\??\c:\hhbtnh.exec:\hhbtnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3696 -
\??\c:\3dvpd.exec:\3dvpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1056 -
\??\c:\tbbtbb.exec:\tbbtbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4568 -
\??\c:\7xxrfff.exec:\7xxrfff.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1388 -
\??\c:\ttnbnh.exec:\ttnbnh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
\??\c:\bttttt.exec:\bttttt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1940 -
\??\c:\vdjjd.exec:\vdjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756 -
\??\c:\nnnnnn.exec:\nnnnnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1892 -
\??\c:\dppdv.exec:\dppdv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
\??\c:\nhtnbn.exec:\nhtnbn.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\frxxxxx.exec:\frxxxxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\bhbbnn.exec:\bhbbnn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\vvvvp.exec:\vvvvp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988 -
\??\c:\hbhhhh.exec:\hbhhhh.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
\??\c:\vjjjv.exec:\vjjjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3204 -
\??\c:\vppjj.exec:\vppjj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2288 -
\??\c:\9xfffll.exec:\9xfffll.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
\??\c:\bbtnnn.exec:\bbtnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4196 -
\??\c:\vvddv.exec:\vvddv.exe23⤵
- Executes dropped EXE
PID:4828 -
\??\c:\llxrrrr.exec:\llxrrrr.exe24⤵
- Executes dropped EXE
PID:1012 -
\??\c:\5hbthh.exec:\5hbthh.exe25⤵
- Executes dropped EXE
PID:1384 -
\??\c:\5bhbbb.exec:\5bhbbb.exe26⤵
- Executes dropped EXE
PID:2600 -
\??\c:\3dvdv.exec:\3dvdv.exe27⤵
- Executes dropped EXE
PID:2712 -
\??\c:\rlfxrxx.exec:\rlfxrxx.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4888 -
\??\c:\1nbthh.exec:\1nbthh.exe29⤵
- Executes dropped EXE
PID:1768 -
\??\c:\hhbbnt.exec:\hhbbnt.exe30⤵
- Executes dropped EXE
PID:2116 -
\??\c:\pvvvd.exec:\pvvvd.exe31⤵
- Executes dropped EXE
PID:3708 -
\??\c:\3btnnn.exec:\3btnnn.exe32⤵
- Executes dropped EXE
PID:4588 -
\??\c:\hhhbbb.exec:\hhhbbb.exe33⤵
- Executes dropped EXE
PID:3348 -
\??\c:\rfllllf.exec:\rfllllf.exe34⤵
- Executes dropped EXE
PID:2136 -
\??\c:\7pvvd.exec:\7pvvd.exe35⤵
- Executes dropped EXE
PID:3740 -
\??\c:\lflffff.exec:\lflffff.exe36⤵
- Executes dropped EXE
PID:4480 -
\??\c:\thtttn.exec:\thtttn.exe37⤵
- Executes dropped EXE
PID:540 -
\??\c:\flxxffl.exec:\flxxffl.exe38⤵
- Executes dropped EXE
PID:436 -
\??\c:\hnhbtt.exec:\hnhbtt.exe39⤵
- Executes dropped EXE
PID:3588 -
\??\c:\bhnntn.exec:\bhnntn.exe40⤵
- Executes dropped EXE
PID:4156 -
\??\c:\ddvvp.exec:\ddvvp.exe41⤵
- Executes dropped EXE
PID:1052 -
\??\c:\5lfxxfx.exec:\5lfxxfx.exe42⤵
- Executes dropped EXE
PID:4304 -
\??\c:\btthtt.exec:\btthtt.exe43⤵
- Executes dropped EXE
PID:4540 -
\??\c:\djjdd.exec:\djjdd.exe44⤵
- Executes dropped EXE
PID:1528 -
\??\c:\3rrllll.exec:\3rrllll.exe45⤵
- Executes dropped EXE
PID:1612 -
\??\c:\htbtnb.exec:\htbtnb.exe46⤵
- Executes dropped EXE
PID:4544 -
\??\c:\dvpjd.exec:\dvpjd.exe47⤵
- Executes dropped EXE
PID:2908 -
\??\c:\lfflllf.exec:\lfflllf.exe48⤵
- Executes dropped EXE
PID:2588 -
\??\c:\rrrrrrr.exec:\rrrrrrr.exe49⤵
- Executes dropped EXE
PID:2592 -
\??\c:\bbhbbb.exec:\bbhbbb.exe50⤵
- Executes dropped EXE
PID:4908 -
\??\c:\jjppv.exec:\jjppv.exe51⤵
- Executes dropped EXE
PID:2044 -
\??\c:\5xxrrrr.exec:\5xxrrrr.exe52⤵
- Executes dropped EXE
PID:3696 -
\??\c:\1btntn.exec:\1btntn.exe53⤵
- Executes dropped EXE
PID:932 -
\??\c:\1jjdv.exec:\1jjdv.exe54⤵
- Executes dropped EXE
PID:1620 -
\??\c:\pppjj.exec:\pppjj.exe55⤵
- Executes dropped EXE
PID:1984 -
\??\c:\rrrlllf.exec:\rrrlllf.exe56⤵
- Executes dropped EXE
PID:4488 -
\??\c:\flrrllf.exec:\flrrllf.exe57⤵
- Executes dropped EXE
PID:2180 -
\??\c:\1nhnnn.exec:\1nhnnn.exe58⤵
- Executes dropped EXE
PID:3428 -
\??\c:\5dvpd.exec:\5dvpd.exe59⤵
- Executes dropped EXE
PID:3528 -
\??\c:\xxxxrrr.exec:\xxxxrrr.exe60⤵
- Executes dropped EXE
PID:1940 -
\??\c:\5bbbhh.exec:\5bbbhh.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
\??\c:\jdvpd.exec:\jdvpd.exe62⤵
- Executes dropped EXE
PID:4376 -
\??\c:\jpppj.exec:\jpppj.exe63⤵
- Executes dropped EXE
PID:1760 -
\??\c:\llrlfrr.exec:\llrlfrr.exe64⤵
- Executes dropped EXE
PID:4388 -
\??\c:\7nhbbb.exec:\7nhbbb.exe65⤵
- Executes dropped EXE
PID:3856 -
\??\c:\hnhbnt.exec:\hnhbnt.exe66⤵PID:2356
-
\??\c:\9ppjd.exec:\9ppjd.exe67⤵PID:2668
-
\??\c:\3frllfx.exec:\3frllfx.exe68⤵PID:444
-
\??\c:\bthbnh.exec:\bthbnh.exe69⤵PID:2972
-
\??\c:\vdvjd.exec:\vdvjd.exe70⤵PID:4552
-
\??\c:\xfrrllf.exec:\xfrrllf.exe71⤵PID:4348
-
\??\c:\rrrrlrl.exec:\rrrrlrl.exe72⤵PID:3148
-
\??\c:\nhhtnh.exec:\nhhtnh.exe73⤵PID:736
-
\??\c:\1jpjv.exec:\1jpjv.exe74⤵PID:1488
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe75⤵PID:2616
-
\??\c:\nbtbnh.exec:\nbtbnh.exe76⤵PID:1664
-
\??\c:\ppddj.exec:\ppddj.exe77⤵PID:3736
-
\??\c:\9vdvd.exec:\9vdvd.exe78⤵PID:3764
-
\??\c:\7fxlfrl.exec:\7fxlfrl.exe79⤵PID:4672
-
\??\c:\thhbnn.exec:\thhbnn.exe80⤵PID:452
-
\??\c:\ddjdp.exec:\ddjdp.exe81⤵PID:3332
-
\??\c:\vpvvv.exec:\vpvvv.exe82⤵PID:2272
-
\??\c:\xxxrrlf.exec:\xxxrrlf.exe83⤵PID:2420
-
\??\c:\7bbbtt.exec:\7bbbtt.exe84⤵PID:2600
-
\??\c:\dvppj.exec:\dvppj.exe85⤵PID:1148
-
\??\c:\vpdvj.exec:\vpdvj.exe86⤵PID:2252
-
\??\c:\fxrfxrl.exec:\fxrfxrl.exe87⤵PID:3692
-
\??\c:\hbnhnh.exec:\hbnhnh.exe88⤵PID:4888
-
\??\c:\1jdvp.exec:\1jdvp.exe89⤵PID:3776
-
\??\c:\7vjvp.exec:\7vjvp.exe90⤵PID:920
-
\??\c:\xxxllll.exec:\xxxllll.exe91⤵PID:2380
-
\??\c:\7bhbtb.exec:\7bhbtb.exe92⤵PID:2684
-
\??\c:\jvjjd.exec:\jvjjd.exe93⤵PID:4228
-
\??\c:\xllfrll.exec:\xllfrll.exe94⤵PID:4384
-
\??\c:\ttttnh.exec:\ttttnh.exe95⤵PID:4916
-
\??\c:\7ntnhh.exec:\7ntnhh.exe96⤵PID:3560
-
\??\c:\pvvpj.exec:\pvvpj.exe97⤵PID:1696
-
\??\c:\lllffxr.exec:\lllffxr.exe98⤵PID:992
-
\??\c:\hbbtnh.exec:\hbbtnh.exe99⤵PID:4240
-
\??\c:\tnhbtn.exec:\tnhbtn.exe100⤵PID:540
-
\??\c:\ddjdv.exec:\ddjdv.exe101⤵PID:3760
-
\??\c:\fxrfrlx.exec:\fxrfrlx.exe102⤵PID:1560
-
\??\c:\bbnhtn.exec:\bbnhtn.exe103⤵PID:4816
-
\??\c:\hhtnnh.exec:\hhtnnh.exe104⤵PID:4560
-
\??\c:\dvdpd.exec:\dvdpd.exe105⤵PID:4400
-
\??\c:\rfrlllr.exec:\rfrlllr.exe106⤵PID:3256
-
\??\c:\lxfrlff.exec:\lxfrlff.exe107⤵PID:1468
-
\??\c:\hhbthb.exec:\hhbthb.exe108⤵PID:1692
-
\??\c:\jjdvj.exec:\jjdvj.exe109⤵PID:672
-
\??\c:\vdddp.exec:\vdddp.exe110⤵PID:2052
-
\??\c:\llrlffx.exec:\llrlffx.exe111⤵PID:3724
-
\??\c:\nttnnn.exec:\nttnnn.exe112⤵PID:3112
-
\??\c:\djddv.exec:\djddv.exe113⤵PID:2592
-
\??\c:\rxllfff.exec:\rxllfff.exe114⤵PID:2248
-
\??\c:\xrffrxr.exec:\xrffrxr.exe115⤵PID:2044
-
\??\c:\nbbbtb.exec:\nbbbtb.exe116⤵PID:332
-
\??\c:\djjpv.exec:\djjpv.exe117⤵PID:2112
-
\??\c:\flxrllf.exec:\flxrllf.exe118⤵PID:4472
-
\??\c:\1fllfff.exec:\1fllfff.exe119⤵PID:2768
-
\??\c:\htntnh.exec:\htntnh.exe120⤵PID:1388
-
\??\c:\1ppjj.exec:\1ppjj.exe121⤵PID:3280
-
\??\c:\7vpjv.exec:\7vpjv.exe122⤵PID:5024