Analysis
-
max time kernel
120s -
max time network
98s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
25-12-2024 18:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
120 seconds
General
-
Target
3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe
-
Size
454KB
-
MD5
528f84480d653807a0f2394988ef0b00
-
SHA1
096ce2e11ffa53ce35075caad39f4ba11c76e820
-
SHA256
3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54
-
SHA512
eed86ae51c72f36a54c2ac4f7443dc070ba94d834d491db0d768bda66dd60064ced7873fa9c25c4f5d9b07d9f0461e97bf964f800bd2b83a901a85082c4ae874
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbeN:q7Tc2NYHUrAwfMp3CDN
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4924-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/436-11-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3388-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2256-29-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4692-34-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4628-40-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2920-46-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1048-52-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5064-64-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5000-89-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3064-101-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1456-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2328-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1140-203-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1180-207-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/216-217-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4304-228-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4924-239-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-277-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3508-287-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3308-306-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/2476-313-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/808-342-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4460-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/744-369-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-386-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3668-408-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2268-415-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2012-422-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4064-379-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3788-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-317-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3216-261-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4312-252-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1568-235-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1812-221-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1128-191-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/956-187-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2236-180-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4504-153-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2456-147-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/740-136-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/5044-120-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3376-113-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/868-107-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4384-96-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2276-77-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/640-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4880-58-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1708-459-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5116-463-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3176-468-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4500-508-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4836-545-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1684-555-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1668-571-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1612-587-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/372-621-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1712-647-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2624-744-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1536-833-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3976-879-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1236-1332-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 436 fxllrll.exe 3388 7hhhbt.exe 2704 5jjdv.exe 2256 lrrlffl.exe 4692 3jpjd.exe 4628 rxxlrfx.exe 2920 1ttnnn.exe 1048 vjpjp.exe 4880 rffxxxr.exe 5064 vpppj.exe 640 xxxrllf.exe 2276 nhnnhn.exe 2104 vppjp.exe 5000 1rxrlll.exe 4384 tnbntn.exe 3064 vvdpv.exe 868 ffrrlll.exe 3376 ttbtnn.exe 5044 ddjdv.exe 4472 5llrrrl.exe 1456 bthbbt.exe 740 tthbbh.exe 3480 dddvd.exe 2456 bnnhbb.exe 4504 bntthh.exe 1152 jdvdj.exe 744 lfxrllf.exe 2328 5rlfxlf.exe 996 bnnttt.exe 2236 djjdv.exe 956 9ddvv.exe 1128 lfrlrrl.exe 1876 fxfxrlf.exe 4336 hbbbtt.exe 116 jppjj.exe 1140 pjvvv.exe 1180 lfxrllf.exe 3008 7hnhhh.exe 448 bntttt.exe 216 ddddv.exe 1812 jdvpv.exe 3624 flrlfff.exe 4304 1nbtnn.exe 4992 btnhtn.exe 1568 vjjvv.exe 4924 7lffrxx.exe 540 rxfxrrl.exe 2656 btnhhh.exe 2352 pjdvd.exe 4312 vdjdv.exe 5116 5xxrlrl.exe 3176 fxrlfxr.exe 3216 nbhhbh.exe 4936 jvpdp.exe 4912 1ppjj.exe 2684 frxrlll.exe 4220 httbtt.exe 4660 nthhbb.exe 2756 vjvdp.exe 2176 vvpjj.exe 3508 9fxlffx.exe 412 bbtttn.exe 2036 5hnhtt.exe 1156 vvvpj.exe -
resource yara_rule behavioral2/memory/4924-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/436-11-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3388-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2256-29-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4692-34-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4628-40-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2920-46-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1048-52-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5064-64-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2104-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-84-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5000-89-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3064-101-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1456-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2328-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1140-203-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1180-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/216-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4304-228-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4924-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3508-287-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3308-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2476-313-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/808-342-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4460-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/744-369-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-386-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3668-408-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2268-415-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2012-422-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4064-379-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3788-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-317-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3216-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4312-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1568-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1812-221-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1128-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/956-187-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2236-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4504-153-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2456-147-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/740-136-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5044-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3376-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/868-107-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4384-96-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/2276-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/640-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-58-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1708-459-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-464-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5116-463-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3176-468-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4500-508-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4836-545-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1684-555-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1668-571-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1612-587-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/372-621-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1712-647-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2624-744-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-760-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrxrf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxrxffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1frlxxx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xxfxrrl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vvjdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language flrlrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjvjv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hnbthh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhhbhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lflfrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5hhbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lffxllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vjpdv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fxxrrll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ttbhtb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dppdv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4924 wrote to memory of 436 4924 3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe 191 PID 4924 wrote to memory of 436 4924 3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe 191 PID 4924 wrote to memory of 436 4924 3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe 191 PID 436 wrote to memory of 3388 436 fxllrll.exe 84 PID 436 wrote to memory of 3388 436 fxllrll.exe 84 PID 436 wrote to memory of 3388 436 fxllrll.exe 84 PID 3388 wrote to memory of 2704 3388 7hhhbt.exe 85 PID 3388 wrote to memory of 2704 3388 7hhhbt.exe 85 PID 3388 wrote to memory of 2704 3388 7hhhbt.exe 85 PID 2704 wrote to memory of 2256 2704 5jjdv.exe 86 PID 2704 wrote to memory of 2256 2704 5jjdv.exe 86 PID 2704 wrote to memory of 2256 2704 5jjdv.exe 86 PID 2256 wrote to memory of 4692 2256 lrrlffl.exe 87 PID 2256 wrote to memory of 4692 2256 lrrlffl.exe 87 PID 2256 wrote to memory of 4692 2256 lrrlffl.exe 87 PID 4692 wrote to memory of 4628 4692 3jpjd.exe 88 PID 4692 wrote to memory of 4628 4692 3jpjd.exe 88 PID 4692 wrote to memory of 4628 4692 3jpjd.exe 88 PID 4628 wrote to memory of 2920 4628 rxxlrfx.exe 89 PID 4628 wrote to memory of 2920 4628 rxxlrfx.exe 89 PID 4628 wrote to memory of 2920 4628 rxxlrfx.exe 89 PID 2920 wrote to memory of 1048 2920 1ttnnn.exe 90 PID 2920 wrote to memory of 1048 2920 1ttnnn.exe 90 PID 2920 wrote to memory of 1048 2920 1ttnnn.exe 90 PID 1048 wrote to memory of 4880 1048 vjpjp.exe 91 PID 1048 wrote to memory of 4880 1048 vjpjp.exe 91 PID 1048 wrote to memory of 4880 1048 vjpjp.exe 91 PID 4880 wrote to memory of 5064 4880 rffxxxr.exe 92 PID 4880 wrote to memory of 5064 4880 rffxxxr.exe 92 PID 4880 wrote to memory of 5064 4880 rffxxxr.exe 92 PID 5064 wrote to memory of 640 5064 vpppj.exe 93 PID 5064 wrote to memory of 640 5064 vpppj.exe 93 PID 5064 wrote to memory of 640 5064 vpppj.exe 93 PID 640 wrote to memory of 2276 640 xxxrllf.exe 94 PID 640 wrote to memory of 
2276 640 xxxrllf.exe 94 PID 640 wrote to memory of 2276 640 xxxrllf.exe 94 PID 2276 wrote to memory of 2104 2276 nhnnhn.exe 95 PID 2276 wrote to memory of 2104 2276 nhnnhn.exe 95 PID 2276 wrote to memory of 2104 2276 nhnnhn.exe 95 PID 2104 wrote to memory of 5000 2104 vppjp.exe 96 PID 2104 wrote to memory of 5000 2104 vppjp.exe 96 PID 2104 wrote to memory of 5000 2104 vppjp.exe 96 PID 5000 wrote to memory of 4384 5000 1rxrlll.exe 97 PID 5000 wrote to memory of 4384 5000 1rxrlll.exe 97 PID 5000 wrote to memory of 4384 5000 1rxrlll.exe 97 PID 4384 wrote to memory of 3064 4384 tnbntn.exe 98 PID 4384 wrote to memory of 3064 4384 tnbntn.exe 98 PID 4384 wrote to memory of 3064 4384 tnbntn.exe 98 PID 3064 wrote to memory of 868 3064 vvdpv.exe 99 PID 3064 wrote to memory of 868 3064 vvdpv.exe 99 PID 3064 wrote to memory of 868 3064 vvdpv.exe 99 PID 868 wrote to memory of 3376 868 ffrrlll.exe 100 PID 868 wrote to memory of 3376 868 ffrrlll.exe 100 PID 868 wrote to memory of 3376 868 ffrrlll.exe 100 PID 3376 wrote to memory of 5044 3376 ttbtnn.exe 101 PID 3376 wrote to memory of 5044 3376 ttbtnn.exe 101 PID 3376 wrote to memory of 5044 3376 ttbtnn.exe 101 PID 5044 wrote to memory of 4472 5044 ddjdv.exe 102 PID 5044 wrote to memory of 4472 5044 ddjdv.exe 102 PID 5044 wrote to memory of 4472 5044 ddjdv.exe 102 PID 4472 wrote to memory of 1456 4472 5llrrrl.exe 103 PID 4472 wrote to memory of 1456 4472 5llrrrl.exe 103 PID 4472 wrote to memory of 1456 4472 5llrrrl.exe 103 PID 1456 wrote to memory of 740 1456 bthbbt.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe"C:\Users\Admin\AppData\Local\Temp\3810c3edcd59f3d1a4555d1a2890d7035192a4a9e9629075c0e79f545ed12a54N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4924 -
\??\c:\fxllrll.exec:\fxllrll.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
\??\c:\7hhhbt.exec:\7hhhbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
\??\c:\5jjdv.exec:\5jjdv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
\??\c:\lrrlffl.exec:\lrrlffl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256 -
\??\c:\3jpjd.exec:\3jpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4692 -
\??\c:\rxxlrfx.exec:\rxxlrfx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
\??\c:\1ttnnn.exec:\1ttnnn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
\??\c:\vjpjp.exec:\vjpjp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1048 -
\??\c:\rffxxxr.exec:\rffxxxr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880 -
\??\c:\vpppj.exec:\vpppj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
\??\c:\xxxrllf.exec:\xxxrllf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:640 -
\??\c:\nhnnhn.exec:\nhnnhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2276 -
\??\c:\vppjp.exec:\vppjp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
\??\c:\1rxrlll.exec:\1rxrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000 -
\??\c:\tnbntn.exec:\tnbntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4384 -
\??\c:\vvdpv.exec:\vvdpv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
\??\c:\ffrrlll.exec:\ffrrlll.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868 -
\??\c:\ttbtnn.exec:\ttbtnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
\??\c:\ddjdv.exec:\ddjdv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
\??\c:\5llrrrl.exec:\5llrrrl.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
\??\c:\bthbbt.exec:\bthbbt.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1456 -
\??\c:\tthbbh.exec:\tthbbh.exe23⤵
- Executes dropped EXE
PID:740 -
\??\c:\dddvd.exec:\dddvd.exe24⤵
- Executes dropped EXE
PID:3480 -
\??\c:\bnnhbb.exec:\bnnhbb.exe25⤵
- Executes dropped EXE
PID:2456 -
\??\c:\bntthh.exec:\bntthh.exe26⤵
- Executes dropped EXE
PID:4504 -
\??\c:\jdvdj.exec:\jdvdj.exe27⤵
- Executes dropped EXE
PID:1152 -
\??\c:\lfxrllf.exec:\lfxrllf.exe28⤵
- Executes dropped EXE
PID:744 -
\??\c:\5rlfxlf.exec:\5rlfxlf.exe29⤵
- Executes dropped EXE
PID:2328 -
\??\c:\bnnttt.exec:\bnnttt.exe30⤵
- Executes dropped EXE
PID:996 -
\??\c:\djjdv.exec:\djjdv.exe31⤵
- Executes dropped EXE
PID:2236 -
\??\c:\9ddvv.exec:\9ddvv.exe32⤵
- Executes dropped EXE
PID:956 -
\??\c:\lfrlrrl.exec:\lfrlrrl.exe33⤵
- Executes dropped EXE
PID:1128 -
\??\c:\fxfxrlf.exec:\fxfxrlf.exe34⤵
- Executes dropped EXE
PID:1876 -
\??\c:\hbbbtt.exec:\hbbbtt.exe35⤵
- Executes dropped EXE
PID:4336 -
\??\c:\jppjj.exec:\jppjj.exe36⤵
- Executes dropped EXE
PID:116 -
\??\c:\pjvvv.exec:\pjvvv.exe37⤵
- Executes dropped EXE
PID:1140 -
\??\c:\lfxrllf.exec:\lfxrllf.exe38⤵
- Executes dropped EXE
PID:1180 -
\??\c:\7hnhhh.exec:\7hnhhh.exe39⤵
- Executes dropped EXE
PID:3008 -
\??\c:\bntttt.exec:\bntttt.exe40⤵
- Executes dropped EXE
PID:448 -
\??\c:\ddddv.exec:\ddddv.exe41⤵
- Executes dropped EXE
PID:216 -
\??\c:\jdvpv.exec:\jdvpv.exe42⤵
- Executes dropped EXE
PID:1812 -
\??\c:\flrlfff.exec:\flrlfff.exe43⤵
- Executes dropped EXE
PID:3624 -
\??\c:\1nbtnn.exec:\1nbtnn.exe44⤵
- Executes dropped EXE
PID:4304 -
\??\c:\btnhtn.exec:\btnhtn.exe45⤵
- Executes dropped EXE
PID:4992 -
\??\c:\vjjvv.exec:\vjjvv.exe46⤵
- Executes dropped EXE
PID:1568 -
\??\c:\7lffrxx.exec:\7lffrxx.exe47⤵
- Executes dropped EXE
PID:4924 -
\??\c:\rxfxrrl.exec:\rxfxrrl.exe48⤵
- Executes dropped EXE
PID:540 -
\??\c:\btnhhh.exec:\btnhhh.exe49⤵
- Executes dropped EXE
PID:2656 -
\??\c:\pjdvd.exec:\pjdvd.exe50⤵
- Executes dropped EXE
PID:2352 -
\??\c:\vdjdv.exec:\vdjdv.exe51⤵
- Executes dropped EXE
PID:4312 -
\??\c:\5xxrlrl.exec:\5xxrlrl.exe52⤵
- Executes dropped EXE
PID:5116 -
\??\c:\fxrlfxr.exec:\fxrlfxr.exe53⤵
- Executes dropped EXE
PID:3176 -
\??\c:\nbhhbh.exec:\nbhhbh.exe54⤵
- Executes dropped EXE
PID:3216 -
\??\c:\jvpdp.exec:\jvpdp.exe55⤵
- Executes dropped EXE
PID:4936 -
\??\c:\1ppjj.exec:\1ppjj.exe56⤵
- Executes dropped EXE
PID:4912 -
\??\c:\frxrlll.exec:\frxrlll.exe57⤵
- Executes dropped EXE
PID:2684 -
\??\c:\httbtt.exec:\httbtt.exe58⤵
- Executes dropped EXE
PID:4220 -
\??\c:\nthhbb.exec:\nthhbb.exe59⤵
- Executes dropped EXE
PID:4660 -
\??\c:\vjvdp.exec:\vjvdp.exe60⤵
- Executes dropped EXE
PID:2756 -
\??\c:\vvpjj.exec:\vvpjj.exe61⤵
- Executes dropped EXE
PID:2176 -
\??\c:\9fxlffx.exec:\9fxlffx.exe62⤵
- Executes dropped EXE
PID:3508 -
\??\c:\bbtttn.exec:\bbtttn.exe63⤵
- Executes dropped EXE
PID:412 -
\??\c:\5hnhtt.exec:\5hnhtt.exe64⤵
- Executes dropped EXE
PID:2036 -
\??\c:\vvvpj.exec:\vvvpj.exe65⤵
- Executes dropped EXE
PID:1156 -
\??\c:\rlrlffl.exec:\rlrlffl.exe66⤵PID:5016
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe67⤵PID:556
-
\??\c:\bhtntt.exec:\bhtntt.exe68⤵PID:3308
-
\??\c:\hhhbbb.exec:\hhhbbb.exe69⤵PID:4976
-
\??\c:\1jppv.exec:\1jppv.exe70⤵PID:2476
-
\??\c:\xffxrfx.exec:\xffxrfx.exe71⤵PID:4384
-
\??\c:\btttbb.exec:\btttbb.exe72⤵PID:3004
-
\??\c:\ttnnnn.exec:\ttnnnn.exe73⤵PID:4720
-
\??\c:\vvdpj.exec:\vvdpj.exe74⤵PID:3652
-
\??\c:\rfffxxr.exec:\rfffxxr.exe75⤵PID:4816
-
\??\c:\fxfxrrl.exec:\fxfxrrl.exe76⤵PID:3376
-
\??\c:\3hnbtb.exec:\3hnbtb.exe77⤵PID:4300
-
\??\c:\bntnbb.exec:\bntnbb.exe78⤵PID:2008
-
\??\c:\jvddd.exec:\jvddd.exe79⤵PID:808
-
\??\c:\jppjd.exec:\jppjd.exe80⤵PID:5112
-
\??\c:\7xllrrl.exec:\7xllrrl.exe81⤵PID:3788
-
\??\c:\htbtnh.exec:\htbtnh.exe82⤵PID:2876
-
\??\c:\nhnhnb.exec:\nhnhnb.exe83⤵PID:4460
-
\??\c:\jddjj.exec:\jddjj.exe84⤵PID:1736
-
\??\c:\dvvpd.exec:\dvvpd.exe85⤵PID:1744
-
\??\c:\lxxrlff.exec:\lxxrlff.exe86⤵PID:4908
-
\??\c:\ntbtnn.exec:\ntbtnn.exe87⤵PID:744
-
\??\c:\btbtbt.exec:\btbtbt.exe88⤵PID:2328
-
\??\c:\5jvjj.exec:\5jvjj.exe89⤵PID:1600
-
\??\c:\vdvdv.exec:\vdvdv.exe90⤵PID:4064
-
\??\c:\7flfxff.exec:\7flfxff.exe91⤵PID:876
-
\??\c:\ffxxfxf.exec:\ffxxfxf.exe92⤵PID:2236
-
\??\c:\nhnntn.exec:\nhnntn.exe93⤵PID:2436
-
\??\c:\1djdp.exec:\1djdp.exe94⤵PID:1976
-
\??\c:\dpdvj.exec:\dpdvj.exe95⤵PID:3648
-
\??\c:\frxlxxr.exec:\frxlxxr.exe96⤵PID:1828
-
\??\c:\lflflff.exec:\lflflff.exe97⤵PID:2200
-
\??\c:\hhhbtt.exec:\hhhbtt.exe98⤵PID:4876
-
\??\c:\9dvpv.exec:\9dvpv.exe99⤵PID:3668
-
\??\c:\dppdv.exec:\dppdv.exe100⤵PID:2512
-
\??\c:\flxrffx.exec:\flxrffx.exe101⤵PID:2268
-
\??\c:\xrrllff.exec:\xrrllff.exe102⤵PID:980
-
\??\c:\tbbnhb.exec:\tbbnhb.exe103⤵PID:2012
-
\??\c:\tbttnn.exec:\tbttnn.exe104⤵PID:4712
-
\??\c:\pjpjd.exec:\pjpjd.exe105⤵PID:4344
-
\??\c:\frrlxrl.exec:\frrlxrl.exe106⤵PID:4292
-
\??\c:\xlrlfff.exec:\xlrlfff.exe107⤵PID:2144
-
\??\c:\7tbnhb.exec:\7tbnhb.exe108⤵PID:4992
-
\??\c:\9ppvj.exec:\9ppvj.exe109⤵PID:2616
-
\??\c:\9ppdp.exec:\9ppdp.exe110⤵PID:436
-
\??\c:\fxrllll.exec:\fxrllll.exe111⤵PID:4348
-
\??\c:\xrffffl.exec:\xrffffl.exe112⤵PID:540
-
\??\c:\bnhbtt.exec:\bnhbtt.exe113⤵PID:2656
-
\??\c:\nhhbnh.exec:\nhhbnh.exe114⤵PID:2744
-
\??\c:\pjjvv.exec:\pjjvv.exe115⤵PID:1708
-
\??\c:\lrrrlll.exec:\lrrrlll.exe116⤵PID:5116
-
\??\c:\bbhttn.exec:\bbhttn.exe117⤵PID:3176
-
\??\c:\tbnhtt.exec:\tbnhtt.exe118⤵PID:4824
-
\??\c:\pvddv.exec:\pvddv.exe119⤵PID:812
-
\??\c:\lfrrxrl.exec:\lfrrxrl.exe120⤵PID:3912
-
\??\c:\tttbtb.exec:\tttbtb.exe121⤵PID:1544
-
\??\c:\dddvj.exec:\dddvj.exe122⤵PID:3316
-